BOSTON -- Automated attacks against widely deployed systems and applications are increasing in number and sophistication, but the real threat will come with polymorphic worms that leverage both known and unknown vulnerabilities, carry active payloads and attack via instant messaging clients, wireless networks or VoIP.
"The biggest factor is that our networks are changing significantly," said Gerhard Eschelbeck, CTO of Redwood Shores, Calif.-based Qualys Inc. "In the past we were very much focused on perimeter security with a single access point. Intercommunication with business partners, VPNs and wireless access points are all contributing to make our networks more vulnerable."
These vulnerabilities, he said, arise from continued use of insecure protocols and services like Telnet, FTP and SNMP; known default settings; errors in system design, setup and access control; software implementation flaws; and a lack of input validation.
Also to blame, Eschelbeck said in a presentation at last week's ISSA conference in Boston, are the increasing complexity of networks and applications, a shortage of qualified security staff, increasingly sophisticated attacks, simple and automated attack tools designed for large-scale attacks, and the difficulty of tracing attacks.
Threats have evolved from worms and viruses that require human interaction to spread via e-mail and file sharing (Melissa and Loveletter) to blended threats that leverage known vulnerabilities and may have automated or Trojan components (Blaster, which exploited the then three-week-old Microsoft DCOM RPC vulnerability). Future threats include using polymorphic techniques and encryption to prevent discovery, leveraging previously unknown vulnerabilities and targeting "new" technologies, such as instant messaging and VoIP.
"It's very hard for IT environments today to control the use of instant messaging," said Eschelbeck. "Very soon we will see attacks against the instant messaging infrastructure in the same ways we've seen attacks against the Windows operating system."
As far as VoIP goes, Eschelbeck said, there are fundamental security issues in the protocols it uses, flaws that can easily be exploited in a manner similar to Windows and Unix flaws today.
"Just as we've seen worms that can execute code on just about any operating system, we will see similar behavior on VoIP systems," said Eschelbeck.
At this point, Eschelbeck said, the only mitigation for these threats is the timely detection and remediation of security vulnerabilities. A proactive approach would include: identifying network topology and points of entry; identifying services, operating systems and applications; prioritizing critical vulnerabilities; and remedying vulnerabilities and verifying fixes.
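The four-step approach above, together with the insecure-service list from earlier in the article, can be turned into a small prioritization routine. The following is an added example, not code from the article or from Qualys; the host inventory, the severity scores and the weighting for internet-facing entry points are all constructed assumptions chosen to illustrate the workflow (identify entry points and services, rank the findings, remediate, then verify that the findings are gone).

```python
"""Added example: rank an asset inventory by insecure-service exposure, then
verify a remediation pass. Inventory data and scores are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Services the article names as insecure when still in use, with an assumed
# base severity (higher is worse). Scores are illustrative, not a standard.
INSECURE_SERVICES = {
    "telnet": ("cleartext remote login", 8),
    "ftp": ("cleartext file transfer", 6),
    "snmp": ("cleartext management protocol", 7),
}
# Well-known default SNMP community strings: a "known default setting".
DEFAULT_COMMUNITIES = {"public", "private"}
# Assumed extra weight for hosts identified as points of entry.
ENTRY_POINT_BONUS = 3


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    issue: str
    score: int

    def key(self) -> tuple[str, str, str]:
        # Identity of a finding, independent of its score, for before/after diffs.
        return (self.host, self.service, self.issue)


@dataclass
class Host:
    name: str
    internet_facing: bool            # step 1: is this a point of entry?
    services: dict[str, dict]        # step 2: service name -> settings


def assess_host(host: Host) -> list[Finding]:
    """Step 3 (per host): turn the service list into scored findings."""
    findings: list[Finding] = []
    for svc, cfg in host.services.items():
        if svc not in INSECURE_SERVICES:
            continue
        issue, score = INSECURE_SERVICES[svc]
        if host.internet_facing:
            score += ENTRY_POINT_BONUS
        findings.append(Finding(host.name, svc, issue, score))
        # A default community string on top of SNMP is its own, worse, finding.
        if svc == "snmp" and cfg.get("community") in DEFAULT_COMMUNITIES:
            findings.append(Finding(host.name, svc, "default SNMP community string", score + 1))
    return findings


def assess_inventory(hosts: list[Host]) -> list[Finding]:
    """Step 3 (whole inventory): most critical findings first."""
    findings = [f for h in hosts for f in assess_host(h)]
    return sorted(findings, key=lambda f: (-f.score, f.host, f.service, f.issue))


def verify_fixes(before: list[Finding], after: list[Finding]):
    """Step 4: compare a re-assessment against the earlier one.

    Returns (fixed, remaining) as lists of finding keys, so a remediation
    ticket can be closed only when its finding no longer appears."""
    after_keys = {f.key() for f in after}
    fixed = [f.key() for f in before if f.key() not in after_keys]
    remaining = [f.key() for f in after]
    return fixed, remaining


def sample_inventory() -> list[Host]:
    # Constructed inventory: one edge device, one internal server, one workstation.
    return [
        Host("edge-router", True, {"snmp": {"community": "public"}, "ssh": {}}),
        Host("file-server", False, {"ftp": {}, "telnet": {}, "smb": {}}),
        Host("workstation", False, {"ssh": {}}),
    ]


def remediated_inventory() -> list[Host]:
    # Same inventory after the assumed fixes: community string changed, Telnet disabled.
    return [
        Host("edge-router", True, {"snmp": {"community": "r0-only-Xk9"}, "ssh": {}}),
        Host("file-server", False, {"ftp": {}, "smb": {}}),
        Host("workstation", False, {"ssh": {}}),
    ]


if __name__ == "__main__":
    before = assess_inventory(sample_inventory())
    for f in before:
        print(f"{f.score:2d}  {f.host:<12} {f.service:<7} {f.issue}")
    fixed, remaining = verify_fixes(before, assess_inventory(remediated_inventory()))
    print("fixed:", fixed)
    print("remaining:", remaining)
```

The verification step deliberately keys findings by (host, service, issue) rather than by score, so a finding whose score changed but which is still present is reported as remaining, not as fixed.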