While viruses and denial-of-service attacks remain constant, hybrid threats such as Nimda are now the most significant online threat to companies, according to a recent report.
A hybrid threat like Nimda spreads in multiple ways, including as an e-mail attachment and by exploiting vulnerabilities in Web servers. Such threats are especially dangerous to companies that have adopted the crustacean approach to security, namely a hard outside but a soft inside. Security requires a layered defense. "Some people think having a firewall is a silver bullet," said Dennis Treece, director of Internet Security Systems' X-Force Special Operations Group. "It isn't."
ISS collected attack data from 350 customers from Dec. 22 to March 21. In other words, the sampling serves as a Dow Jones index for security threats. The company found an average of 4,500 Nimda attacks per hour. "It is not going away," Treece said.
ISS attributes some of the Nimda activity to the increase in home and small-office use of DSL and cable modems. A lot of the attacks seem to be coming from the large commercial ISPs. Home and small-office users usually don't have a lot of knowledge of security. They can be infected and not know it, Treece said.
Companies need to make sure internal systems (including laptops) are patched. Internal firewalls are also important. There are also ways to block attacks once they are detected in one part of the network. Proper tracking and logging are a good way to know where infections come from, Treece said.
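As an added illustration of the "tracking and logging" point, the following script is not from the article or from ISS; it scans Web-server access logs for the worm's well-known IIS probe requests (the root.exe and cmd.exe paths and encoded "../" traversals documented in public Nimda advisories such as CERT CA-2001-26) and counts them per source address, which is how an administrator would see which neighbouring hosts are infected. The log lines and IP addresses below are constructed sample data, and the log format assumed is the common Apache-style combined format.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Apache/IIS-style access log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path indicators of Nimda's Web-server propagation attempts
# (paths taken from public advisories; matched against the raw, still-encoded path).
NIMDA_INDICATORS = (
    re.compile(r'/root\.exe', re.I),                # cmd.exe copies left behind by earlier worms
    re.compile(r'/winnt/system32/cmd\.exe', re.I),  # direct command-shell requests
    re.compile(r'\.\.%(?:c0|c1|25)', re.I),         # Unicode / double-encoded "../" traversal
)

# Constructed sample log; addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2002:13:55:36 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
203.0.113.5 - - [10/Mar/2002:13:55:36 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
203.0.113.5 - - [10/Mar/2002:13:55:37 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
203.0.113.5 - - [10/Mar/2002:13:55:37 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
198.51.100.77 - - [10/Mar/2002:13:56:02 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.77 - - [10/Mar/2002:13:56:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 2104
this line is truncated garbage and must be skipped, not crash the scan
192.0.2.19 - - [10/Mar/2002:13:57:10 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(path: str) -> bool:
    """True if the request path matches any of the worm's known probe patterns."""
    return any(p.search(path) for p in NIMDA_INDICATORS)


def scan_log(lines: List[str]) -> Tuple[Counter, List[Dict[str, str]]]:
    """Return (probe count per source IP, list of matching parsed records)."""
    per_ip: Counter = Counter()
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line: skip rather than abort
        if is_nimda_probe(rec["path"]):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    return per_ip, hits


def infected_sources(lines: List[str], threshold: int = 1) -> List[Tuple[str, int]]:
    """Source addresses with at least `threshold` probes, busiest first.

    These are the hosts an administrator would follow up on (or block at an
    internal firewall), since the worm only probes from machines it has infected.
    """
    per_ip, _ = scan_log(lines)
    return sorted(
        ((ip, n) for ip, n in per_ip.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for ip, n in infected_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{n} Nimda-style probe(s)")
```

The status codes in the sample are 404s because the probes are aimed at IIS paths that a patched or non-IIS server does not serve; the point of the scan is the *source* of the traffic, not whether the request succeeded.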
Yet all the preceding suggestions require staff time, something that a lot of companies may not have the resources for, Treece said. Just having firewalls in place isn't good enough. They need to be properly configured in the right spots, he added.
ISS found that about 70% of attacks focus on port 80, which carries most HTTP Internet traffic. Most companies leave that port open. However, companies should consider whether they want to let "everyone in the world into their network," Treece said.
"You need to look at your firewall policies. Why are you letting people into your network?" Treece asked. A solution would be to restrict port 80, but leave port 25 open so people can send e-mail requesting access to the port, he said.