News

5 Threats from the Internet

• By Scott Bekker
• October 21, 2004

Through the company's managed services, threat management system and vast installed base of antivirus software, the security giant is perhaps uniquely positioned to give a global assessment. Symantec claims to have 20,000 server monitors in 180 countries and the company gathers data on malicious code from 120 million clients, servers and gateways that run its antivirus software.

Symantec highlighted five broad trends in the recent report covering the first six months of 2004.

1) The window for patching vulnerabilities is critically short. "Over the past six months, the average time between the announcement of a vulnerability and the appearance of associated exploit code was 5.8 days," Symantec's report stated. Exploit code makes it possible to scan widely for the vulnerability and exploit it quickly. As an example, Symantec cited the Witty worm, which appeared two days after the vulnerability it exploits was reported.

2) Remotely controlled bot networks are growing quickly, from well under 2,000 computers at the end of 2003 to more than 30,000 by June 30. Bots are the robot programs that run covertly on target systems. Designed to allow unauthorized remote control of target computers, they can be used in concert to conduct distributed-denial-of-service attacks. Symantec points out that the growth of the bot networks combined with the short vulnerability-to-exploit cycle makes for an extremely dangerous situation. "Once an exploit is released, the owner of a bot network can quickly and easily upgrade the bots, which can then scan target systems for the vulnerability in question."

3) Even Fortune 100 companies, with presumably the biggest IT budgets and some of the best IT talent, are spreading worms. Symantec observed that more than 40 percent of Fortune 100 companies controlled IP addresses from which worm-related attacks propagated. "This indicates that, despite the measures taken by organizations, their systems are still becoming infected," according to the report.

4) Symantec believes the percentage of targeted attacks against e- commerce quadrupled in the first six months of the year. By targeted, Symantec means the e-commerce operation was singled out and intended for the attack, as opposed to the unpredictable propagation of a worm or the broadly cast net of a scan. In the last half of 2003, 4 percent of attacks against e-commerce were believed to be targeted. In the first half of 2004, that figure had jumped four-fold, to 16 percent.

5) Custom Web applications remain largely unsecured, leaving the valuable and confidential data in human resource, business services and accounting applications vulnerable to Web-based attacks that don't require the compromise of a server. Symantec estimates that 39 percent of the disclosed vulnerabilities in the first half of the year related to Web application vulnerabilities. The security firm further estimates that 82 percent of Web application vulnerabilities are easy to exploit.

Symantec has a lot of software and services to sell, and the company's report certainly serves that end. But there are lessons to be gained from the company's vast collection of data. The points about the bot networks and the short window for exploiting vulnerabilities make a solid and quick patching process even more of a must than it already has been. The vulnerability of the Fortune 100 shows that everybody still has work to do. The more intense targeting of E-commerce and the gaping holes in custom Web applications give everybody a place to start that work.