Viruses are able to infect corporate computer systems faster than ever before.
There has been a surge in viruses, worms and other malicious code plaguing networks throughout the UK during the past year. According to a PricewaterhouseCoopers report for the Department of Trade & Industry, 72% of UK businesses received infected e-mails or files during 2003.
Some 33% of large businesses received more than 100 separate viruses during the year. These infections happened despite the fact that 99% of large businesses are running anti-virus software. The risks to businesses are huge, so it is important to understand how to protect networks from the "threats of the future" that are upon us now.
Security threats come in three categories. Simple first-generation threats are generic virus-type attacks spread by users opening infected e-mail and inconspicuous file attachments.
More sophisticated second-generation threats pose bigger problems. Created with automated tools, these worms attack vulnerabilities without any human interaction: replication, identification and targeting of new victims are all automatic.
The third category, blended threats, is now common; these combine viruses, Trojans and automation. Recent active worms include Slapper (September 2002), SQL Slammer (January 2003), Blaster (August 2003), Witty (March 2004) and Sasser (May 2004).
These worms have already shown the characteristics of third-generation threats, which systematically pre-identify new vulnerable targets and use multiple attack vectors to maximise damage before anyone has had a chance to patch.
SQL Slammer rapidly hit more than 75,000 hosts running Microsoft SQL Server. It was the fastest-spreading worm ever, infecting over 90% of vulnerable hosts within 10 minutes. Blaster infected more than 100,000 systems an hour at its peak, taking advantage of a hole in the DCOM RPC interface. And Sasser struck just two and a half weeks after Microsoft released its monthly patch update.
A third-generation threat has five characteristics:
Pre-compiles targets for hyper-propagation;
Exploits known vulnerabilities and enables targeted use of obscure vulnerabilities;
Targets multiple attack vectors on weaker network entry points, such as wireless links and virtual private networks;
Uses overt or covert active payloads capable of targeting specific industries or companies;
Attacks inside perimeter defences such as firewalls and intrusion detection systems.
These new threats are emerging faster than ever. In the past, the discovery/attack lifecycle, from the discovery of a vulnerability to its widespread exploitation, took a year or longer.
SQL Slammer appeared six months after its vulnerability was discovered, Slapper after six weeks, and the Blaster and Nachi worms three weeks after news of the vulnerability. The Witty worm struck just one day after the vulnerability was announced.
Attacks are also being targeted with precision. The Witty worm struck only computers running firewalls from Internet Security Systems. About 12,000 vulnerable hosts were compromised within 45 minutes.
There is a new generation of automated security threats exploiting vulnerabilities faster than any possible human response. The timely and complete detection of security vulnerabilities and rapid application of remedies is the most effective policy IT directors can put in place to thwart automated attacks and preserve data security.
Gerhard Eschelbeck is chief technology officer and vice-president of engineering at Qualys
A strategy to protect against threats
Implement a programme to enable rapid and consistent distribution and application of patches.
Conduct regular security audits of networks and systems. Audits identify vulnerabilities, allowing compliance to be measured and each vulnerability to be matched with an appropriate remedy.
Keep anti-virus software up to date to prevent widespread virus outbreaks.
Perform ongoing evaluation and update security policies to address the changing risk profile.
This was first published in May 2004