Security Threats To Business Are On The Rise

A report by Internet Security Systems says the number of security incidents and confirmed attacks against businesses rose 84% in the first quarter.

The number of security incidents and confirmed attacks detected by businesses skyrocketed by 84% in the first three months of the year, according to a report made public on Monday by Internet Security Systems Inc.

And that's the good news.

In the same time frame, said ISS's quarterly "Internet Risk Impact Statement," the total number of reported security events, which range from relatively minor activities such as automatic probing to full-scale onslaughts by worms, jumped tenfold over the previous three months.

Blame the worm, said ISS.

"The large increase in mass mailing, highly persistent worms and security events indicates that this year will be challenging for security officers and administrators around the world," said Chris Rouland, the director of ISS's X-Force security research section.

ISS pointed out that worms increasingly are able to cause dramatic damage worldwide with a minimum of effort on the part of the attacker. While SQL Slammer--a worm unleashed on unpatched Microsoft SQL Server 2000 systems that succeeded in infecting more than 200,000 machines in just 10 minutes--is the most notable, a host of other worms are in the wild and causing trouble. The ISS report identified such new worms as Code Red.F, a variant of Code Red II, which was discovered last month and can install a back door on vulnerable systems, giving access to attackers.

But the scariest conclusion from the ISS report is that hackers are catching up with enterprise security defenses and the research conducted by vendors such as ISS, Network Associates, and Symantec, which companies rely on to sniff out attacks. ISS's diagnosis of the last three months, when the number of threats outpaced vulnerabilities, shows that attackers aren't waiting for security flaws to be made public, but are actively seeking out holes they can exploit.

A good example of this disturbing trend was the recently uncovered vulnerability within a .dll component of Microsoft's IIS Web server. While ISS (as well as numerous other security firms) documented the vulnerability on March 17, it was only after the flaw had been exploited by intruders. Such "zero day" attacks, so called because there is literally no time between an attack and the discovery of the vulnerability, are especially threatening. In another example, a weakness in the popular freeware Sendmail E-mail server was attacked within 24 hours of its discovery.

"It is increasingly dangerous for systems to remain unprotected while connected to the Internet," the ISS report said. "Administrators must maintain a constant watch over malicious code, immediately update their threat protection, and provide for rapid, timely patching."

Among ISS's other findings:

- Friday is the most active attack day, and Friday and Saturday account for a third of all security events. It's no coincidence: company security and network centers are typically running, if at all, at reduced levels on the weekend. The Slammer attack, for instance, began late on a Friday.
- The top destination for attack remains port 137 (Windows NetBIOS).
- Cyberterrorism anxieties aside, the vast bulk of attacks originate close to home; more than 86% of all security events were traced back to North American IP addresses.