The Executive Guide to Information Security |
By Mark Egan. Published by Addison-Wesley Professional, November 2004. ISBN 0321304519. 288 pages.
Constant Growth and Complexity of Information Security Attacks
Security incidents that are related to malicious code (worms, viruses, and Trojans) have grown from slightly annoying to significantly damaging to business operations. A computer virus is a piece of malicious code that attaches to or infects executable programs. A worm, by contrast, is self-contained malicious code that copies itself from system to system across a network without any user action. Unlike worms, viruses rely on users to execute or launch an infected program to replicate or deliver their payloads. A virus's payload can delete data or damage system files.
A Trojan (named after the Trojan horse in Greek mythology) is a malicious program disguised as something innocuous, often a utility or screensaver. Like viruses, Trojans rely on unsuspecting users to activate them by launching the program to which the Trojan is attached. Trojans have many functions; some delete or steal data, whereas others install backdoors that enable a hacker to take control of a system. Unlike viruses, Trojans do not replicate.
Early computer viruses were often contained to individual users' systems, resulting in only a small decline in staff productivity for a given day. However, present-day blended threats, such as Code Red and Nimda, present multiple security threats at the same time, causing major disruptions and billions of dollars of damage to enterprises. A blended threat combines different types of malicious code to exploit known security vulnerabilities. Blended threats use the characteristics of worms, viruses, and Trojans to automate attacks, spread without intervention, and attack systems from multiple points. Figure 1-3 puts things in perspective by illustrating the economics of these attacks over the past few years.
Figure 1-3. Worldwide malicious code impact.
These attacks now cause losses of billions of dollars each year, so businesses can no longer ignore the problem. The Love Bug Virus in 2000 had an impact of $8.75 billion alone, causing businesses to finally recognize viruses as a significant issue and to begin to broadly implement anti-virus solutions. This work has lowered the losses experienced since that year; however, the impacts continue to be significant.
Theft of proprietary information is also a major risk to information security. When intellectual property (IP) is in an electronic form, it is much easier to steal. If this information is stored on computers connected to the Internet, thieves can potentially steal it from anywhere in the world. According to the 2003 CSI/FBI Computer Crime and Security Survey, theft of IP remains the highest reported loss. Two recent high-profile examples include an operating system product for a major software company and a version of an operating system for a major networking company. The software company theft was from an authorized third party, whereas the networking company appears to have been compromised by an unauthorized intruder. These types of security problems will only get worse as the Internet continues to grow in usage and complexity.
Three major issues have fueled the growth in security incidents: the increased number of vulnerabilities, the labor-intensive processes required to address vulnerabilities, and the complexity of attacks.
Vulnerabilities are holes or weaknesses in systems that a hacker can exploit to attack and compromise a system. For example, a system administrator can forget to restrict a privileged function to authorized users only. This would be like giving everyone on your street a key to the front door of your house when you only meant to give one to your family members. Other examples are vulnerabilities that result from defects in computer software. In these situations, the software vendor should have identified and resolved the weaknesses during testing but overlooked them while under pressure to ship new products by a deadline.
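The "key to every house on the street" mistake has a direct file-system equivalent: a configuration file or private key whose permissions grant access to every local account. The following Python script is an added example, not part of the book; it audits a directory for such files, applies the corrected owner-only mode, and audits again. The sample files, their modes, and the list of "sensitive" suffixes are constructed for the demonstration and stand in for whatever policy a real environment would define.

```python
"""Added example: find files that hand access to every local account."""
import os
import stat
import tempfile

# Hypothetical policy for the demo: files with these suffixes hold secrets or
# configuration and must not be readable or writable by "other" at all.
SENSITIVE_SUFFIXES = (".conf", ".key", ".pem")
WORLD_ACCESS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def find_overexposed(root, sensitive_suffixes=SENSITIVE_SUFFIXES):
    """Return sorted (path, mode) pairs for files that are world-writable, or
    that look sensitive and grant any access to 'other'. Symlinks are skipped
    so each file is judged once, where it actually lives."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            world_writable = bool(mode & stat.S_IWOTH)
            sensitive = name.endswith(sensitive_suffixes)
            if world_writable or (sensitive and mode & WORLD_ACCESS):
                findings.append((path, mode))
    return sorted(findings)


def restrict(path, mode=0o600):
    """Apply the corrected mode (owner-only by default) and return what stuck."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build a constructed directory, audit it, fix the findings, audit again.

    Returns (names flagged before the fix, findings after the fix)."""
    layout = {                 # constructed sample files and their modes
        "db.conf": 0o666,      # secrets, writable by everyone: the open front door
        "service.key": 0o644,  # private key readable by everyone
        "scratch.txt": 0o666,  # not sensitive, but anyone can tamper with it
        "app.log": 0o644,      # readable by all, not sensitive: acceptable
        "private.pem": 0o600,  # correctly owner-only
    }
    with tempfile.TemporaryDirectory() as root:
        for name, mode in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)
        before = find_overexposed(root)
        for path, _mode in before:
            restrict(path)
        after = find_overexposed(root)
    return [os.path.basename(p) for p, _ in before], after


if __name__ == "__main__":
    flagged, remaining = demo()
    print("flagged:", flagged)
    print("remaining after fix:", remaining)
```

The audit deliberately treats a world-writable file as a finding regardless of its name: the executive-level point is not only that secrets leak, but that anyone on the system can alter the inputs a privileged process later trusts.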
The software industry's solution to these vulnerabilities is to provide fixes in the form of software patches that a company's staff must apply to "patch" the "hole." The process of testing these patches and applying them to your environment is labor-intensive. It is often quite difficult to address even the highest-severity vulnerabilities, and the staggering growth in the number of new vulnerabilities compounds this problem. Vulnerabilities reported in 2003 grew by 300% from those reported in 2000. Figure 1-4 summarizes the number of CERT-reported vulnerabilities over the past few years.
Figure 1-4. Security vulnerabilities reported.
The complexity of security attacks has greatly increased over the past few years. The early viruses caused individual productivity issues, but they had nowhere near the impact of blended threats such as Code Red or Nimda. As we mentioned earlier, blended threats use a combination of attack vectors (five in the case of Nimda) to spread more rapidly and cause more damage than a simple virus. For example, Code Red infected 350,000 computers in just 14 hours. In January 2003, the Slammer worm hit the Internet with an even higher infection rate than Code Red, infecting 75,000 machines within 10 minutes of its release.
The fastest-spreading mass-mailing worm to date was MyDoom in January 2004. At the height of the outbreak, more than 100,000 instances of the worm were intercepted per hour. MyDoom relied on people to activate it and enable it to spread: it arrived as an e-mail attachment cleverly disguised as an innocuous text file, and unsuspecting users opened the attachment and launched the worm.
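Why does a worm such as Slammer reach its whole population in minutes while earlier threats took hours or days? The standard explanation is that a worm probing random addresses grows exponentially until it runs out of victims. The Python model below is an added example, not part of the book: it takes the 75,000-host figure cited above as the vulnerable population and computes doubling time and time to 90% infection for two assumed scan rates (4,000 and 10 probes per second per infected host; the text gives no scan rates, so these are illustrative values). The IPv4 address space of 2^32 is the one fact the model takes from outside the text.

```python
"""Added example: why a random-scanning worm saturates its population in minutes.

Model: N vulnerable hosts in an address space of A addresses; each infected host
probes s random addresses per second. Early on, one infected host finds a new
victim at rate s * N / A per second, so the infected count I(t) grows as
dI/dt = K * I * (1 - I/N) with K = s * N / A (logistic growth).
"""
import math

IPV4_ADDRESS_SPACE = 2 ** 32

# Assumed illustrative scan rates (probes per second per infected host); the
# text gives host counts and times but no scan rates.
FAST_SCANNER = 4000
THROTTLED_SCANNER = 10


def growth_rate(vulnerable, scans_per_second, address_space=IPV4_ADDRESS_SPACE):
    """Early-phase growth rate K: new infections per infected host per second."""
    return scans_per_second * vulnerable / address_space


def doubling_time(vulnerable, scans_per_second, address_space=IPV4_ADDRESS_SPACE):
    """Seconds for the infected population to double while few hosts are infected."""
    return math.log(2) / growth_rate(vulnerable, scans_per_second, address_space)


def time_to_fraction(vulnerable, scans_per_second, fraction, initially_infected=1,
                     address_space=IPV4_ADDRESS_SPACE):
    """Seconds until `fraction` of the vulnerable hosts are infected.

    Uses the closed-form logistic solution I(t) = N / (1 + (N/I0 - 1) * exp(-K t))
    and solves it for t.
    """
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    k = growth_rate(vulnerable, scans_per_second, address_space)
    odds = (vulnerable / initially_infected - 1) * fraction / (1 - fraction)
    return math.log(odds) / k


def simulate(vulnerable, scans_per_second, fraction, step=1.0, initially_infected=1,
             address_space=IPV4_ADDRESS_SPACE, max_seconds=10 * 24 * 3600):
    """Step the same model numerically (Euler, `step` seconds per iteration) and
    return the first time the infected count reaches `fraction` of the
    population, or max_seconds if it never does.

    This is the form to extend with a containment action (for example, a port
    block that takes effect at some time t_block) to see how much of the
    population is already lost before the block lands.
    """
    k = growth_rate(vulnerable, scans_per_second, address_space)
    infected = float(initially_infected)
    elapsed = 0.0
    target = fraction * vulnerable
    while infected < target and elapsed < max_seconds:
        infected += k * infected * (1 - infected / vulnerable) * step
        elapsed += step
    return elapsed


if __name__ == "__main__":
    hosts = 75_000  # Slammer's infected population as cited in the text
    for rate in (FAST_SCANNER, THROTTLED_SCANNER):
        print(f"{rate:>5} probes/s/host: doubling every {doubling_time(hosts, rate):.1f} s, "
              f"90% infected after {time_to_fraction(hosts, rate, 0.9) / 60:.1f} min "
              f"(simulation: {simulate(hosts, rate, 0.9) / 60:.1f} min)")
```

With the assumed 4,000 probes per second, the model doubles the infected population roughly every 10 seconds and passes 90% of the 75,000 hosts in about three minutes, in line with the "within 10 minutes" cited above. Throttle the same worm to 10 probes per second and the same milestone takes about 21 hours, a response window that a staffed operations team can actually use. The growth rate scales with the product of scan rate and vulnerable population, which is why reducing the number of exposed hosts (patching, filtering the service at the perimeter) and rate-limiting outbound scans both buy time.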
The rapid spread of these threats makes it increasingly difficult to respond quickly enough to prevent damage. Figure 1-5 provides a look at the evolution and growing magnitude of these threats over the past few years:
Figure 1-5. Worldwide attack trends.
The threats are expected to continue to grow in magnitude, speed, and complexity, making prevention and clean-up even more difficult. These factors contribute to the need for a proactive plan to address information security issues within every company.
About the author
Mark Egan is Symantec's chief information officer and vice president of Information Technology. He is responsible for the management of Symantec's internal business systems, computing infrastructure, and information security program. Egan led the rapid transformation of Symantec's internal information systems over the past four years, as the company grew to be the leader in Internet security.
Egan brings more than 25 years' experience in information technology from a variety of industries. Prior to Symantec, he held several senior-level positions with companies including Sun Microsystems, Price Waterhouse, Atlantic Richfield Corp., Martin Marietta Data Systems, and Wells Fargo Bank.

