5 Threats from the Internet
- By Scott Bekker
- October 21, 2004
It's good to step back and get a sense of the landscape every once in a
while. Security giant Symantec Corp. offered an opportunity to do that
recently in its semi-annual document called the "Internet Security
Through the company's managed services, threat management system and
vast installed base of antivirus software, the security giant is
perhaps uniquely positioned to give a global assessment. Symantec
claims to have 20,000 server monitors in 180 countries and the company
gathers data on malicious code from 120 million clients, servers and
gateways that run its antivirus software.
Symantec highlighted five broad trends in the recent report covering
the first six months of 2004.
1) The window for patching vulnerabilities is critically short. "Over
the past six months, the average time between the announcement of a
vulnerability and the appearance of associated exploit code was 5.8
days," Symantec's report stated. Exploit code makes it possible to scan
widely for the vulnerability and exploit it quickly. As an example,
Symantec cited the Witty worm, which appeared two days after the
vulnerability it exploits was reported.
2) Remotely controlled bot networks are growing quickly, from well
under 2,000 computers at the end of 2003 to more than 30,000 by June
30. Bots are the robot programs that run covertly on target systems.
Designed to allow unauthorized remote control of target computers, they
can be used in concert to conduct distributed denial-of-service
attacks. Symantec points out that the growth of the bot networks
combined with the short vulnerability-to-exploit cycle makes for an
extremely dangerous situation. "Once an exploit is released, the owner
of a bot network can quickly and easily upgrade the bots, which can
then scan target systems for the vulnerability in question."
3) Even Fortune 100 companies, with presumably the biggest IT budgets
and some of the best IT talent, are spreading worms. Symantec observed
that more than 40 percent of Fortune 100 companies controlled IP
addresses from which worm-related attacks propagated. "This indicates
that, despite the measures taken by organizations, their systems are
still becoming infected," according to the report.
4) Symantec believes the percentage of targeted attacks against
e-commerce quadrupled in the first six months of the year. By targeted,
Symantec means the e-commerce operation was deliberately singled out
for the attack, as opposed to the unpredictable propagation of a worm
or the broadly cast net of a scan. In the last half of 2003, 4 percent
of attacks against e-commerce were believed to be targeted. In the
first half of 2004, that figure had jumped four-fold, to 16 percent.
5) Custom Web applications remain largely unsecured, leaving the
valuable and confidential data in human resource, business services and
accounting applications vulnerable to Web-based attacks that don't
require the compromise of a server. Symantec estimates that 39 percent
of the disclosed vulnerabilities in the first half of the year related
to Web application vulnerabilities. The security firm further estimates
that 82 percent of Web application vulnerabilities are easy to exploit.
Symantec has a lot of software and services to sell, and the company's
report certainly serves that end. But there are lessons to be gained
from the company's vast collection of data. The points about the bot
networks and the short window for exploiting vulnerabilities make a
solid and quick patching process even more of a must than it already
has been. The vulnerability of the Fortune 100 shows that everybody
still has work to do. The more intense targeting of e-commerce and the
gaping holes in custom Web applications give everybody a place to start
Scott Bekker is editor in chief of Redmond Channel Partner magazine.