This year has been rough on business security managers, and next year won't be any better, according to an analyst who spoke on security trends during 2003 and beyond.
"We're in a for a repeat of this year" during 2004," says Vincent Weafer, senior director of Symantec's security response center. "We should expect two to four MSBlast-sized events in 2004 and a major mass-mailed worm or virus every month on the average."
There are lots of explanations for the hard times security professionals are enduring, but one of the most significant trends this year has been the rise in "blended" threats--exploits that use multiple modes of infection, ranging from hacking and computer worms to denial-of-service attacks and Web site defacements--to create a single, advanced assault that overwhelms defenses.
Older threats such as Code Red and Nimba, and newer ones like Sobig and MS Blast, Weafer says, are perfect examples of such assaults, which have been steadily increasing for the past three years but in 2003 really caught the attention of security professionals in their numbers and sophistication. "Such threats are likely to become the norm," Weafer says.
What makes blended threats so dangerous is that they're much more difficult to defend against than, say, a single-vector exploit that propagates via E-mail or can be stopped simply by plugging a port at the network firewall. "Yesterday's strategy of 'one threat, one cure' is no longer viable today," he says.
In response, businesses will have to implement a more-comprehensive, in-depth defense that goes beyond the traditional firewall and anti-virus protection and takes a more proactive approach. Such a defense should integrate early-warning intelligence on developing security threats, be composed of multiple layers--at the network edge, on servers, and on desktops--and must take into account the newer technologies, such as wireless and instant messaging, that have the potential to open up the company to attack.
But blended threats aren't the only reason security is the year's hottest topic among businesses and will continue to be next year. The numbers are also running against the good guys, Weafer notes.
Vulnerabilities tracked by Symantec, he says, rose from an average of 40 a week at the beginning of the year to 50 per week by November. Worse, an increasing number of those vulnerabilities can be exploited remotely—80% at the moment. This means that hackers can more easily insert malicious code and wreck havoc on systems.
Attackers have moved away from targeted assaults on the perimeter of the network, such as Web servers, and are focusing on the Internet to infect a growing number of desktops, laptops, and workstations. "That opens up far more possible targets, which are typically far less well-defended," he says.
Combine that with an increasingly robust set of hacker tools that are shared much more freely than ever before, and you have the recipe for a continued security crisis.
"There's far more knowledge now available [to hackers] about how to create exploits," Weafer says, "and so the level of technical knowledge necessary to generate an exploit is falling. Hackers are standing on each other's shoulders, just plugging in new code into old exploits and kicking it out."
That's one reason why the window between the disclosure of vulnerability and the release of exploit code--and then a self-replicated worm--continues to shrink. "The notion that a company has months or even a year to deploy a patch is simply gone," Weafer says.
Among the threats that Weafer sees developing in 2004 are Trojan horses that attempt to steal information, often for financial gain rather than simple notoriety, and "anything that targets a common service in Windows." File and print sharing services, as well as anything having to do with ActiveX controls, are areas to watch for vulnerabilities and thus upcoming exploits, he says.
"Any service that's turned on by default is a potential target," Weafer adds, citing a raft of recent Microsoft Windows services--such as its Workstation service and the Windows Messenger Service--as examples in 2003.
His conclusion: "This was a tough year in enterprise security."
And from all signs, 2004 won't be any easier.