In early December, the New York Times ran a story headlined 'Thieves Winning Online War, Maybe Even in Your Computer', and began with the assertion: "Internet security is broken, and nobody seems to know quite how to fix it."
The article then went on to cite some mind-blowing statistics to substantiate the claim. For instance, according to the Georgia Tech Information Security Center, 15% of all PCs connected to the Internet have been turned into spambots, unwittingly spreading spam and malware to other users. With the world population of Internet users estimated to be nearing 1.5 billion, botnets consisting of several hundred thousand machines are becoming the norm.
This is hardly surprising. The Internet is used mostly by people who have little or no concept of the threats, and who will happily respond to 419 scams, phishing emails and unsolicited messages. They are easy prey for those who want to hijack their machines.
Driving botnets and malware is a growing criminal industry that thrives on a powerful combination of maximum opportunity and near-zero chance of detection and punishment. The Organization for Security and Co-operation in Europe (OSCE) suggests conservatively that the underground economy of credit card thefts, bank fraud and other scams robs computer users of an estimated $100 billion a year.
But does all this matter to the U.K. security professional whose job it is to guard the information and systems of his or her organisation? The Internet may be a dangerous place for the poorly trained and unwary, but when it comes to defending our own systems, is the situation really out of control?
Even the most optimistic voices in the security industry admit the situation is getting more difficult. The rise of the large-scale botnet, for instance, makes it hard for traditional defence mechanisms to operate. When spam and malware are being fired not from a single source, but from a vast, constantly changing army of machines, it becomes futile to try and block specific IP addresses.
Furthermore, as MessageLabs Inc. points out in its end-of-year report, "In 2008, spammers developed an affinity for spamming from large, reputable Web-based email and application services by defeating CAPTCHA techniques to generate massive numbers of personal accounts from these services. In January, 6.5% of spam originated from these hosted webmail accounts, peaking in September when 25% of spam originated from these sources, averaging about 12% for the remainder of the year."
CAPTCHA covers those techniques that webmail and social networking sites use to prevent the automatic creation of accounts, usually by showing a picture of a word or phrase that the user must type in to prove a person, rather than a program, is registering. But as MessageLabs has shown, the hackers have found ways around CAPTCHA, either by employing low-paid workers to register accounts, or by developing software to crack the CAPTCHA codes.
Systems that work by blocking access to known URLs are similarly challenged. Security firm Sophos Plc said it discovers a newly infected Web page every 4 seconds. So any defence mechanism that works on a daily refresh of its database of dodgy websites is going to be hopelessly out of date. Many of the guilty websites will have been created and then taken down again before they are logged on the blacklist.
More worryingly, as Sophos points out in its own end-of-year report, the Web has become a major channel of attack for cybercriminals, replacing their previous reliance on email systems. "By exploiting poorly secured legitimate websites, hackers have been able to implant malicious code onto them, which then attempts to infect every visitor," it says. This means that companies run a double risk: their users may go to apparently respectable websites and become infected; while at the same time they may be compromised (through SQL injection, for example) and then start infecting every innocent visitor that comes to the site.
Secure coding techniques and thorough penetration testing can reduce the chances of that happening, but those are only available to larger companies that can afford such luxuries. "The problem is that even if they know they are infected, some companies don't know how to clean themselves up, or are re-infected as soon as they clean themselves up within a matter of hours. Simply removing the malware from your database doesn't fix the vulnerability," says Graham Cluley, senior technology consultant with Sophos.
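The "secure coding techniques" the paragraph refers to are, for the SQL injection case it names, mostly about how a site builds its database queries. The following is an added illustration, not code from the article or from Sophos: a small article-search function written twice against a constructed in-memory SQLite table, once by pasting user input into the query text and once with a bound parameter. The table, the article rows and the search term are all made up for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data: a CMS-style article table with one unpublished row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)"
    )
    rows = [
        (1, "Welcome", "Hello", 1),
        (2, "Draft notes", "Unpublished draft", 0),
        (3, "Q4 results", "Revenue figures", 1),
    ]
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Builds the SQL by string concatenation, so the search term becomes part of
    the query text itself. A term containing a quote and a comment marker can
    change the WHERE clause, here bypassing the published = 1 restriction."""
    sql = (
        "SELECT id FROM articles WHERE published = 1 AND title LIKE '%"
        + term
        + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    """Same query with the term passed as a bound parameter. The database
    driver treats it as a literal string, so quotes and comment markers in the
    input are searched for, not interpreted as SQL."""
    sql = "SELECT id FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run both variants on one term and return their results for inspection."""
    conn = build_db()
    return search_vulnerable(conn, term), search_hardened(conn, term)


if __name__ == "__main__":
    # An ordinary search behaves identically in both versions.
    print(compare("Q4"))
    # A crafted term (constructed for this example) slips past the published
    # filter in the concatenated version and matches nothing in the hardened one.
    print(compare("x' OR 1=1 --"))
```

The fix is the query construction, not any single bad string: a blocklist of suspicious characters would leave the concatenation in place and, as Cluley's remark about re-infection implies, the site would be open again the next time someone found an input the filter missed.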
Writers of malware are also getting cleverer as the rewards get higher. Self-modifying code and obfuscated code are creating new challenges for the AV industry, which can no longer rely on signature recognition to block malware, and needs to apply a much broader range of checks.
Cluley also warns that companies will need to do much more thorough patching of software in the future. "It goes beyond just keeping your operating system patches up to date," he said. "You need to keep Adobe Acrobat up to date too, and Microsoft Word. One of our predictions for 2009 is that we are going to see more attacks exploiting non-operating system vulnerabilities, and we are already seeing it with PDF files."
As Cluley says, while many people now know the dangers of opening an attachment with a .EXE suffix, they will be less wary of a PDF or Word file. "If the hacker has exploited a vulnerability in Adobe Acrobat, the PDF file may open perfectly well, but in the background it is installing malware on to your computer," Cluley says. "It can be a good idea to update things like Adobe automatically, but in a company you might not want to do it that way."
Despite the growing outside threats, however, the biggest dangers still come from within the organisation, according to recent research by the research firm YouGov plc for the network security vendor Clavister Ab. The report, published in early December, was based on the views of 212 private sector IT directors and senior managers.
In the opinion of 86% of the sample, the most likely cause of an IT security incident came from a company's own employees. The reasons for this included staff ignoring, not being made aware of or not being sufficiently trained on security policies, as well as making mistakes or committing industrial espionage.