Nowhere is the security arms race more visible than at the firewall and the anti-virus gateway. These are the front lines in the battle against ever more devious ‘exploits’, the worms, Trojans, viruses and other malicious code that hackers use to try to crack corporate security.
Indeed, despite the intense publicity that many exploits generate, they continue to affect a worryingly high proportion of organisations. In the US last year, 85% of companies reported virus attacks and 40% claimed that they had been hit by denial of service attacks.
Furthermore, 70% of those attacked experienced systems vandalism and two-fifths were hit by some other kind of exterior attack, according to a survey conducted by the FBI and the Computer Security Institute (CSI). Not all were the work of mere ‘script kiddies’.
The combined cost of these attacks to the 223 companies willing to quantify their effect was just under $500 million. Yet most if not all of the companies surveyed had modern anti-virus software and firewalls in place. So how is this mayhem possible?
The answer lies in the complexity of modern systems. Today even small companies routinely rely on software products that contain millions of lines of code and that, in the interests of efficiency, are purposely designed to interact with one another as seamlessly as possible and with minimal human intervention.
What is more, little thought is given to the security implications. “Application writers are often clueless about security,” says Fred Cohen, principal analyst at the Burton Group.
Inevitably some, if not all, software products contain features that are ripe for “exploitation”. Often, those flaws are merely theoretical and difficult for a hacker to take advantage of in real life. But all hell can break loose when a hacking outfit writes code that can automate the exploitation of those flaws – a so-called exploit.
The rise of the exploit has forced Microsoft to finally take security seriously. Independent code auditors such as AtStake have been brought in to identify flaws in the source code of Windows and other popular Microsoft applications, and programmers have been switched to security.
Patch after patch has been issued in a bid to plug the many holes, large and small. But the initial result has only made matters worse.
The problem, quite simply, is that each warning and each patch also alerts the hackers to a potentially devastating security flaw. And while users can be slow to implement the patches – often for very good reasons – the hackers are getting faster and faster at writing their exploits. “It used to take a year for a virus writer to develop an exploit for a security vulnerability. Now it takes just a day,” says Cohen. That is faster than even the most efficient organisations can patch.
What is motivating the attackers? In many cases, money. Quite simply, as home banking has grown, hacking, virus and worm writing, and spamming have come together to become a lucrative activity for criminal gangs, particularly in Eastern Europe – all it takes is for a few people to open a mass-mailed worm carrying a simple keystroke logger and the attackers can get rich overnight.
But at the moment, the only defence for organisations is to conduct regular vulnerability assessments, keep anti-virus software and firewalls up to date, close all ports that are not being used, and patch regularly – and fast.