Gonzalo Talamantes and Bryan Sowell are hardly surprised by conclusions Symantec Corp. reached in a new threat report. They know it's getting harder to defend networks against the rapidly evolving perils of cyberspace.
That's not to say these IT professionals weren't sobered by the Cupertino, Calif.-based antivirus giant's findings. The gist is similar to other recent reports: Attackers are getting smarter and money is their chief motivation.
"Attackers are launching increasingly sophisticated attacks in an effort to compromise the integrity of corporate and personal information," Arthur Wong, vice president of Symantec Security Response and Managed Security Services, said in a statement.
Talamantes, technical services manager of information systems for Chicago-based Oil-Dri Corp., said by e-mail that his company has battled
"The problem is growing as the Internet community becomes more diverse and computer savvy," he said. "The current environment with the old infrastructure of the Internet combined with a single OS platform is disastrous for business and private data. There are millions of unprotected home computers which can be hijacked very easily for malicious purposes."
Sowell, authentication services engineer for a large Fortune 500 company, said the report highlighted one big problem for businesses. "The fact that attacks against Web applications are on the rise is more troublesome since developers should be well aware of the risks of insecure front ends by now."
Symantec report summarized
Between July 1 and Dec. 31, 2004, Symantec's research found, among other things, that:
Threats to confidential information are rising. "Malicious code created to expose confidential information represented 54% of the top 50 malicious code samples received by Symantec, up from 44% in the first six months of the year and 36% in the second half of 2003," the report said.
Phishing attacks are getting worse. Symantec's Brightmail AntiSpam filters blocked about 33 million phishing attempts per week, up 366% from the average of 9 million per week the previous July.
Attacks against Web applications are increasing. Web applications are a big concern because attackers can use them to access confidential information without having to breach individual servers, Symantec said. Nearly 48% of all vulnerabilities it tracked were in Web applications, up from the 39% documented in the previous six-month period.
Windows systems are being targeted by multiple malware variants with growing frequency. Symantec documented more than 7,360 new virus and worm variants targeting Windows -- an increase of 64% over the previous six-month period.
Severe vulnerabilities found more often. Symantec documented more than 1,403 new vulnerabilities -- more than 54 per week, or almost eight per day. "Of these, 97% were considered moderately or highly severe, which means that successful exploitation of the vulnerability could result in a partial or complete compromise of the targeted system," the report said.
Common attacks, common vectors
For the third straight reporting period, Symantec found that the Microsoft SQL Server resolution service stack overflow attack was most common, used by 22% of all attackers. The TCP SYN flood denial-of-service attack was the second most common, launched by 12% of attackers.
Symantec's forecast for the future reflects Talamantes' concerns:
"The use of bots and bot networks for financial gain will likely increase, especially as the diverse means of acquiring new bots and developing bot networks become more prevalent," the report said. "Malicious code targeting mobile devices is expected to increase in number and severity. With many groups researching vulnerabilities in Bluetooth-enabled devices, the possibility of a worm or some other type of malicious code propagating by exploiting these vulnerabilities increases."
The dissolving perimeter
Symantec's findings make sense to Paul Brady, president and chief operating officer of Cambridge, Mass.-based Mazu Networks. Mazu reached similar conclusions after surveying IT professionals from 229 U.S. enterprises, each with more than 1,000 employees, for its Internal Threat Report.
Mazu's research showed that while companies have made significant investments in perimeter security, almost half of respondents said they've fallen victim to a worm
"Once upon a time you could set up a perimeter defense and keep people out, but the perimeter is dissolving," Brady said. "Security spending is out of alignment. The lion's share of spending is at the perimeter. If 90% of your assets are at the core, you need to balance that spending."
That means investing in tools to defend the network against those you have to allow inside the perimeter. "The internal threat is not always malicious," he said. "You have a growing number of employees and contractors working outside the perimeter on laptops and cell phones, bringing infections back to the core. You need to invest in devices that will protect the network core from this changing threat landscape."
That changing landscape is also evident in reports recently released by the Honeynet Project and Research Alliance and Reston, Va.-based security firm iDefense.
Researchers with the Honeynet Project and Research Alliance said they were able to track more than 100 botnets in four months and that some of the larger zombie networks consisted of up to 50,000 hijacked machines.
The conclusion: More than a million computers are under the control of attackers and in most cases users have no idea their machines have been compromised. These machines are being used for a variety of malicious exploits, an increasing number of them financially motivated.
iDefense said that of 27,260 attacks it monitored last year, more than 15,000 were designed to covertly steal information or take over computers for criminal purposes, including identity theft and fraud.