Viruses are able to infect corporate computer systems faster than ever before.
There has been a surge in viruses, worms and other malicious code plaguing networks throughout the UK during the past year. According to a PricewaterhouseCoopers report for the Department of Trade & Industry, 72% of UK businesses received infected e-mails or files during 2003.

Some 33% of large businesses received more than 100 separate viruses during the year. These infections happened despite the fact that 99% of large businesses are running anti-virus software. The risks to businesses are huge, so it is important to understand how to protect networks from the "threats of the future" that are upon us now.
Security threats come in three categories. Simple first-generation threats are generic virus-type attacks spread by users opening infected e-mail and inconspicuous file attachments.

More sophisticated second-generation threats pose bigger problems. Created with automated tools, these worms attack vulnerabilities without human interaction. Replication, identification and targeting of new victims are automatic.

The third category, blended threats, is common and incorporates viruses, Trojans and automation. Recent active worms include Slapper (September 2002), SQL Slammer (January 2003), Blaster (August 2003), Witty (March 2004) and Sasser (May 2004).

These worms have already shown the characteristics of third-generation threats, which systematically pre-identify new vulnerable targets and use multiple attack vectors to maximise damage before anyone has had a chance to patch.
SQL Slammer rapidly hit more than 75,000 hosts running Microsoft SQL Server. It was the fastest-spreading worm ever, infecting over 90% of vulnerable hosts in 10 minutes. Blaster infected more than 100,000 systems an hour at its peak, taking advantage of a hole in DCOM's RPC interface. And Sasser struck just two and a half weeks after Microsoft released its monthly patch update.
A third-generation threat has five characteristics:

- Pre-compiles targets for hyper-propagation;
- Exploits known vulnerabilities and enables targeted use of obscure vulnerabilities;
- Targets multiple attack vectors on weaker network entry points, such as wireless links and virtual private networks;
- Uses overt or covert active payloads capable of targeting specific industries or companies;
- Attacks inside perimeter defences such as firewalls and intrusion detection systems.
These new threats are emerging faster than ever. In the past, the discovery/attack lifecycle was a year or longer from the discovery of a vulnerability to its widespread exploitation.

SQL Slammer happened six months after discovery, Slapper was six weeks, and the Blaster and Nachi worms came three weeks after news of the vulnerability. The Witty worm struck just one day after the vulnerability was announced.

Attacks are also being targeted with precision. The Witty worm struck only computers running firewalls from Internet Security Systems. About 12,000 vulnerable hosts were compromised within 45 minutes.
There is a new generation of automated security threats exploiting vulnerabilities faster than any possible human response. The timely and complete detection of security vulnerabilities and rapid application of remedies is the most effective policy IT directors can put in place to thwart automated attacks and preserve data security.
Gerhard Eschelbeck is chief technology officer and vice-president of engineering at Qualys
A strategy to protect against threats

- Implement a programme to enable rapid and consistent distribution and application of patches.
- Conduct regular security audits of networks and systems. Audits identify vulnerabilities to measure compliance and match them with appropriate remedies.
- Keep anti-virus software up-to-date to prevent widespread virus outbreaks.
- Perform ongoing evaluation and update security policies to address the changing risk profile.
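The strategy above (rapid patch distribution, audits that measure compliance and match hosts with remedies) and the shrinking disclosure-to-exploitation windows cited earlier can be turned into one concrete measurement: how long each host stays exposed after a vulnerability is made public, and whether that lag fits inside a deadline that the observed worms would not have beaten. The Python script below is an added example, not code from the article or from Qualys. The host inventory, dates and seven-day deadline are constructed for illustration, and the day counts for the cited worms are approximations of the article's "six months", "six weeks", "three weeks" and "one day".

```python
"""Patch-exposure audit (added example; not from the article or Qualys).

Measures, per host, the days between a vulnerability's disclosure and the
date the patch was applied, flags hosts outside a policy deadline, and
reports which of the worms cited in the article struck faster than that
deadline. Inventory, dates and deadline below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Approximate disclosure-to-exploitation windows, in days, for the worms the
# article cites (six months, six weeks, three weeks, one day). Constructed
# approximations used as a reference scale for a realistic patch deadline.
OBSERVED_WINDOWS_DAYS = {
    "SQL Slammer": 182,
    "Slapper": 42,
    "Blaster": 21,
    "Witty": 1,
}


@dataclass
class HostPatchRecord:
    hostname: str
    patched_on: Optional[date]  # None means the patch has not been applied


@dataclass
class AuditFinding:
    hostname: str
    exposure_days: int
    compliant: bool
    remedy: str


def audit_patch_exposure(disclosed_on: date, deadline_days: int,
                         records: List[HostPatchRecord], as_of: date) -> List[AuditFinding]:
    """Return one finding per host.

    exposure_days runs from disclosure to the patch date, or to `as_of` for
    hosts that are still unpatched (their exposure is still growing). A host
    is compliant only if it was patched and its exposure is within the deadline.
    """
    findings = []
    for rec in records:
        end = rec.patched_on if rec.patched_on is not None else as_of
        exposure = (end - disclosed_on).days
        compliant = rec.patched_on is not None and exposure <= deadline_days
        if rec.patched_on is None:
            remedy = "apply patch immediately; isolate the host if it cannot be patched"
        elif not compliant:
            remedy = "patched late; review the patch distribution path for this host"
        else:
            remedy = "none"
        findings.append(AuditFinding(rec.hostname, exposure, compliant, remedy))
    return findings


def compliance_rate(findings: List[AuditFinding]) -> float:
    """Fraction of audited hosts patched within the deadline (0.0 to 1.0)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.compliant) / len(findings)


def worms_faster_than_deadline(deadline_days: int) -> List[str]:
    """Cited worms that struck within `deadline_days` of disclosure, i.e. the
    worms a deadline of this length would not have beaten."""
    return sorted(name for name, days in OBSERVED_WINDOWS_DAYS.items()
                  if days <= deadline_days)


# Constructed sample data: a vulnerability disclosed on 1 March 2004, a
# seven-day patch deadline, and four hosts in different states.
DISCLOSED = date(2004, 3, 1)
AS_OF = date(2004, 3, 20)
SAMPLE_RECORDS = [
    HostPatchRecord("web-01", date(2004, 3, 4)),   # patched after 3 days
    HostPatchRecord("web-02", date(2004, 3, 8)),   # patched after 7 days, on the deadline
    HostPatchRecord("db-01", date(2004, 3, 15)),   # patched after 14 days, late
    HostPatchRecord("vpn-gw", None),               # still unpatched: weak entry point
]

if __name__ == "__main__":
    results = audit_patch_exposure(DISCLOSED, 7, SAMPLE_RECORDS, AS_OF)
    for f in results:
        status = "OK  " if f.compliant else "FAIL"
        print(f"{status} {f.hostname:8} exposed {f.exposure_days:2d} days  {f.remedy}")
    print(f"compliance: {compliance_rate(results):.0%}")
    print("cited worms that beat a 7-day deadline:", worms_faster_than_deadline(7))
```

Unpatched hosts are deliberately counted as non-compliant with a still-growing exposure rather than skipped, because a host missing from the "patched" list is exactly the one an automated worm finds first; the deadline check against the cited worms makes the point that a seven-day cycle would already have lost to Witty, so the number itself has to be reviewed as the risk profile changes.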