Mark Vernon reveals the top five external threats to corporate IT systems and suggests that a layered approach to defence can help companies become more prepared for attacks
1. In terms of sheer frequency, the top spot on the list of security threats must go to viruses. According to a DTI survey, 72% of all companies received infected e-mails or files last year and for larger companies this rose to 83%. Worms and Trojan horses share the first prize in malignancy: the internet experienced three worms in only 12 days last summer, causing £1.8bn in damages, according to Symantec's Internet Security Threat Report.
2. The after-effects of viruses are so dangerous that they take second place. The vulnerability here is the back doors viruses leave in their wake, or the chinks in the corporate armour that later generations of code can exploit. For example, in January, MyDoom left a back door that was subsequently exploited by Doomjuice and Deadhat. Companies that failed to close the back door, as well as rid themselves of the primary attack, remained exposed.
Another related threat is the worms that turn PCs into remote mail servers and send cascading volumes of e-mails that cause denial of service attacks. These attacks are becoming more sophisticated.
"Most mass mail viruses require the recipient to open the attachment to run the malicious code," says Carole Theriault, security consultant at anti-virus company Sophos. "However, there are viruses that can take advantage of security flaws which means that only viewing or opening the e-mail is enough to launch the malicious code."
3. Hacks, and application-specific hacks in particular, have become even smarter. Many companies are alert to the threat posed by so-called buffer overflows, the techniques by which web servers are overloaded, causing a denial of service attack. But the new kid in this category, and the one the security industry is talking about, is the more advanced SQL injection.
SQL injection makes a database give up information it should protect: the attack causes it to treat confidential data, such as passwords or blueprints, as if it were information intended for public consumption, such as product details or contacts. It is hard to do but, according to the experts, there are plenty of hackers up to the task and plenty of customers ready to pay for the service.
"We see it all the time," says David Litchfield, founder of NGSSoftware. "It is behind breaches such as the half a million credit card numbers stolen by Russian gangs or details from the Drug Enforcement Agency being sold onto drug runners. These are documented cases. SQL injection is not getting the respect it deserves."
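The confusion of confidential with public data described above, shown as an added example (not code from the article or from NGSSoftware): a product lookup built by string concatenation returns rows from a constructed users table, while the same lookup with a bound parameter does not. The tables, rows and input string are all constructed for the demonstration.

```python
import sqlite3

def build_db():
    """Constructed in-memory database: one public table, one confidential table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, price TEXT)")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("widget", "9.99"), ("gadget", "19.99")])
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def lookup_vulnerable(db, name):
    """Builds the SQL by concatenation, so the input is parsed as part of the query."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Constructed input: closes the quoted string, appends a UNION over the
# confidential table, and comments out the rest of the original query.
INJECTED = "x' UNION SELECT login, password FROM users --"

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "widget"))   # the intended public answer
    print(lookup_vulnerable(db, INJECTED))   # logins and passwords leak out
    print(lookup_safe(db, INJECTED))         # empty: no product has that name
```

The hardened form is the second function; the defence is that the database driver binds the value, so no combination of quotes or keywords in it can change the query's shape.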
4. Phishing, or identity theft, is most commonly targeted at bank customers but everybody should be alert to it. The bank users receive an e-mail as if from the bank asking for their log-on and password and, according to risk specialist company mi2g, less than half of 1% of customers oblige, a significant figure if millions of e-mails are sent.
A more sophisticated version of phishing, cross-site scripting, is on the rise, in which users are driven to an identical but fake version of the bank's website and are lured into handing over confidential information unawares.
5. Blended attacks are combinations of two or more of the above and are doubly alarming. The solution to protecting a company against these attacks is to combine the piecemeal security systems that protect against each kind of threat. But how secure are these security systems and who is winning, the attacker or the attacked?
Most of the measures companies can take to protect themselves are reactive, and anti-virus patches and firewalls are now, for the most part, implemented as standard. But these are responses to known attacks, rather than an anticipation of the unexpected. They do nothing to thwart the activities of worms that turn PCs into machines from which further attacks, such as mass e-mailing, can be launched. Nor can they deal with the more sophisticated hacks, such as SQL injection. To combat this level of threat, additional security must also be in place.
This security can be grouped in three layers. The first layer scans IT systems for suspect activities by using intrusion prevention technology and by monitoring anomalous requests. For example, SQL injection often works by sending unusually long search strings to database query tools.
"An intrusion prevention system that monitors traffic and watches for unexpected behaviour such as this should pick up the attempt," says Nick Garlick, sales director of Nebulas Security.
Alternatively, a denial of service attack might be thwarted if the security system recognises high levels of a particular sort of traffic before they become so high the network falls over.
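The first-layer monitoring described above, as an added example that is not from the article or from Nebulas Security: a small scanner over web server access-log lines that flags a search parameter when it is unusually long or carries SQL syntax, the two signs the text associates with injection attempts. The log lines are constructed in Common Log Format, and the 128-character length threshold is an assumed baseline, not a figure from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Common Log Format); not from any real system.
LOG_LINES = [
    '10.0.0.5 - - [12/Apr/2004:10:01:02 +0100] "GET /search?q=widget HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Apr/2004:10:01:09 +0100] "GET /search?q=gadget HTTP/1.1" 200 498',
    '10.0.0.9 - - [12/Apr/2004:10:02:41 +0100] "GET /search?q=x%27%20UNION%20SELECT'
    '%20login%2C%20password%20FROM%20users%20-- HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Apr/2004:10:03:00 +0100] "GET /search?q=' + 'A' * 300
    + ' HTTP/1.1" 500 0',
]

# client, method, request target and status code from one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# SQL keywords, comment marker or a bare quote inside a parameter value
SQL_RE = re.compile(r"(?i)\b(union|select|insert|drop)\b|--|'")

def inspect(line, max_len=128):
    """Return a finding for an anomalous request, or None if it looks normal."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    reasons = []
    for key, values in parse_qs(parts.query).items():   # values are URL-decoded
        for value in values:
            if len(value) > max_len:
                reasons.append(f"{key}: length {len(value)} > {max_len}")
            if SQL_RE.search(value):
                reasons.append(f"{key}: SQL syntax in parameter")
    if not reasons:
        return None
    return {"client": client, "method": method, "path": parts.path,
            "status": int(status), "reasons": reasons}

def scan(lines, max_len=128):
    """Run inspect() over every line and keep only the findings."""
    return [f for f in (inspect(line, max_len) for line in lines) if f]

if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```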
Garlick also points out that testing new software adequately before it goes online is important. "The big issue is that coders tend to work to deadlines and do not think like security people," he says. "Build processes should also include penetration testing."
A second layer is added when defences are integrated. For example, if a virus is known to open up a back door, the anti-virus system should not only search for the virus but also for the back door. Alternatively, it must prompt the firewall to stop entry through the back door. This is a complex process to carry out across enterprise-wide IT systems, and so experts advocate the installation of security management systems.
"Suppliers are starting to develop the capabilities of systematic and effective patch management systems," says Jan Fundgren, a security analyst at Forrester. "When there is no 'all-in-one' solution, better enterprise security management is more likely to succeed." Compliance tools add another form of defence and can monitor how thoroughly systems have been patched against viruses.
The third layer is good risk assessment. Online systems inevitably bring a degree of vulnerability along with excellent business opportunities, so internet security should be built into the company's calculations. If the business can understand which systems are most vulnerable, protective measures can be taken to cut the risk. That is the essence of dealing with external security threats.
The threats you face
Viruses - damages worth £1.8bn in 12 days on the internet in 2003
Virus back doors - hidden after-effects with potentially devastating impact
Application-specific hacks - advanced SQL injection could be stealing your data
Phishing - duped end-users could lose faith in IT systems
Blended attacks - criminals use multiple methods to beat even the best security
This was first published in April 2004