The Threats Get Nastier

IT threats are growing in number, sophistication, and ill intent. Think you've got them under control? Just wait till tomorrow.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 26, 2005


The University of California at San Diego has already been through the drill. After discovering that personally identifiable information stored on a school computer had been compromised, it notified owners of the information about what happened, even though there were no signs of data exposure. Since then, the university has thrown more resources at computer security, says Jim Madden, director of network operations. It's mandating minimum standards for PCs on its network, including requiring up-to-date patches; has added network firewalls; and is working to educate--or, as Madden puts it, "scare"--users about online risks. Next, it's planning to add firewall modules to cordon off sensitive computing activities, install intrusion-detection and security-log-analysis systems, add new tools to enforce security policies, and increase staff. "We see considerable management and client interest in keeping secure where there has been antagonism in the past," Madden says.

But as the threats get more sophisticated, conventional security technologies face a challenge keeping up. "Current malware trends are clearly undermining traditional approaches to IT security," says Alastair MacWillson, managing partner of Accenture's Global Security Practice, pointing to the proliferation of instant messaging and wireless devices as giving perpetrators more points of attack. Most IT managers are committed to improving the safeguards, but budget constraints and other demands often get in the way, he says.

In mid-July, the Department of Energy Computer Incident Advisory Capability issued a warning about a rise in targeted attacks conducted via E-mail. Because the malicious code is aimed at only a few select victims, it's less likely that antivirus vendors will develop stopgaps based on the "signature" of the attack, the Energy Department warned.

The idiosyncrasies of such attacks make them harder to prevent. "If you're just targeting a company here, a company there, or a consumer here, a consumer there, they're impossible to detect with traditional mechanisms," Gartner analyst Neil MacDonald says.

In addition to viruses and worms--which topped our list of reported breaches--phishing (25%), denial of service (20%), and Web-scripting-language violations (12%) accounted for the most common types of security threats and espionage during the past 12 months. Hackers and virus writers are mostly to blame, but they're not the only ones suspected of wrongdoing. Survey respondents also fingered unauthorized employees (22%), former employees (12%), and organized crime (8%) as suspected sources of break-ins.

Phishing schemes, which use E-mail to trick people into sharing personal information, and pharming, where PC users are unknowingly directed to a fraudulent Web site, are among the fastest-growing problems. Gartner estimates phishing attacks grew by 28% in May, compared with a year earlier. And phishing will only get worse, according to the Anti-Phishing Working Group, an industry association. The group warned in a June report that phishers are moving away from social-engineering trickery and toward automated information capture using Trojan programs and exploits, describing the new approach as "the way of the future." It argues in favor of the term "crimeware" to describe programs aimed at committing financial fraud.

Spyware seems tame by comparison, but it's bad enough. Nearly nine in 10 respondents to our survey indicated spyware was a problem at their companies. "Spyware is a nuisance, clogging our network and impacting the productivity of our users," says Frans Nio, director of global information security at Dole Food Co. During a check of computers in one of the company's divisions, Nio discovered that 10 spyware-infected PCs were putting a huge strain on a network shared by 800 PCs. "Fifty percent of the total network traffic was junk just from those 10 PCs," he says.

So companies continue to wrestle with the small stuff, even with nastier malware and ill-intentioned intrusions on the rise. "What I expect are more malicious attacks for more money," says Jason Jeffords, director of security services at Dartmouth College.

Still feel like you've got things under control? Let's see what tomorrow brings.

-- with Martin J. Garvey

