
The Threats Get Nastier

IT threats are growing in number, sophistication, and ill intent. Think you've got them under control? Just wait till tomorrow.

Business-technology folks would love to believe their IT systems are well-protected, not only from the destructive worms and viruses that speed across the Internet but from the increasingly sophisticated attacks that target people and their valuable data. But the ready-for-anything attitude that's prevalent among IT pros is misleading and even dangerous. Sure, IT defenses may be stronger than ever--but the threats are more perilous, too.

InformationWeek Research's U.S. Information Security Survey 2005, conducted in July and August in partnership with management-consulting firm Accenture, reveals an IT populace that believes it has the situation under control. When asked if their organizations were more vulnerable to malicious code attacks and security breaches than a year ago, only 16% of survey participants say things have gotten worse.

Then came Zotob, a run-amok worm that reminds everyone that malicious software is never more than a few keystrokes away. Just two weeks ago, Zotob and like-minded "bots" worked their way across the Internet, infecting Windows 2000 PCs at more than 175 companies, including Caterpillar, General Electric, and UPS. They dug their way into the operating system's Plug and Play feature, and they included code that opens an Internet Relay Chat channel back to designated servers, from which the worms can download additional code to further compromise a machine or turn it into a zombie capable of spamming or denial-of-service attacks. Cable-news channel CNN, a victim of Zotob, took the threat so seriously that it sent an E-mail alert to subscribers of its breaking-news service, generally reserved for major events such as suicide attacks in Iraq.

chart: Attack Concerns

Outsourcing Security

Most companies aren't planning to take any major leaps in outsourcing security tasks. Sixty-five percent expect to spend the same amount of money on security outsourcing this year as they did last year. Just under a third plan to spend somewhat or significantly more.

chart: Is information security included in your organization's overall IT budget?

chart: How will spending on information security in 2005 compare with 2004?

The much-talked-about lull in worm attacks--it had been more than a year since Blaster and Sasser ripped through business networks--shouldn't be interpreted as an "all's clear" sign. The miscreants apparently were using the time to plan their latest business-interrupting charade. The reality is that cyberattacks are shifting from adolescent, attention-seeking mass nuisances to professionally executed, targeted probes for financial gain.

"It's definitely profitable for those who are involved in it, because of the way that the Internet is built with anonymity everywhere, trillions of dollars of value just floating all over the place, generally clueless users, few laws and even fewer law-enforcement officials, no borders, no boundaries," says Marcus Sachs, who runs the U.S. Department of Homeland Security's Cyber Security Research and Development Center and is deputy director of the Computer Science Laboratory of nonprofit research-and-development organization SRI International. "It's like the perfect storm for the criminal world."

Our survey, completed on the Web by 2,540 business-technology and security professionals in the United States, shows that the IT community recognizes the ugliness of the situation, even if it overestimates its readiness. Of those respondents who believe their companies are as vulnerable, or more so, than a year ago, 78% point to the increasing sophistication of threats as the cause for their anxieties. Other top concerns are that there are more types of attacks, they're growing in volume, and they're increasingly malicious in nature. The SANS Institute identified more than 422 new Internet security vulnerabilities in the second quarter, an 11% increase from the first quarter and a 20% jump from the same period a year ago.

chart: Should vendors be held legally and financially liable for security vulnerabilities in their products? Response option shown: yes, unless they prove state-of-the-art development practices.

chart: How rigorous are your organization's current practices concerning the security of customer data? Response options shown: extremely rigorous; fairly rigorous; not very rigorous.

chart: Security Fallout

Here's how the hackers, crackers, and crooks have raised the stakes: Computer attacks have become multimodal in nature. Worms no longer merely infect an operating system and shut it down--like Zotob, they carry instructions that open holes for other points of entry, exploiting specific vulnerabilities for specific purposes. In addition, virus writers have begun mimicking hackers in their use of rootkits, code that intercepts system functions, to hide their work from detection. And phishing is yesterday's sport; pharming is the more dangerous spin-off that aims to confuse your customers into revealing sensitive account information.

In the face of the onslaught, many businesses (51%) plan to increase spending on IT security in 2005, with enhanced application security (40%), better access controls (31%), and secure remote access (28%) at the top of their to-do lists. And 56% of survey respondents report that the need to comply with government regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act has led them to take a more-structured approach to information security.

"I think we have a posture in dealing with the threats that face us that's working," says Kent Podvin, director of IT with Capital BlueCross. "We have a good proactive scenario ... whereby we keep things properly patched."

The last major virus outbreak at Capital BlueCross was three years ago, prompting the health-insurance provider to sign up for Cybertrust Inc.'s security services. More recently, the company invested in encryption software from Pointsec Mobile Technologies AB to protect its laptops, PDAs, and cell phones, as well as identity- and access-management software from Sun Microsystems.

chart: Security Hurdles. What are the biggest security challenges facing your company? Responses shown: managing the complexity of security; user awareness; preventing breaches. Note: Multiple responses allowed.

There are hundreds of stories like this across the business landscape--companies accelerating security spending, plugging holes, and reinforcing their network perimeters. Environmental consulting firm Geologic Services Corp. has deployed access-management software from Positive Networks Inc. to authenticate and verify security settings and users before allowing network access, along with antivirus software from Kaspersky Lab Inc. "I think it's manageable," Sean Lawless, Geologic's technology systems manager, says of the security threats. "I don't see it spinning out of control."

But it may be a false sense of information security. As evidenced by this month's Windows 2000 worm outbreak and an alarming series of customer-data breaches, including backup tapes lost in transit, the bad guys are laughing at the business community's efforts at improvement. Compromised databases, especially those involving customer records, represent a worst-case scenario. "Our biggest concern is someone accessing customer data and fear about the company's reputation," says Bob Graham, senior VP at Farmers and Merchants Bank, a $3 billion bank with 120,000 customers. "Our tagline is that we're 'California's strongest bank.' We wouldn't want an article about lost customer data."

chart: Is your organization more vulnerable to malicious code attacks and security breaches than it was a year ago?

chart: What type of security breaches or espionage have occurred in your organization in the past year?

chart: Security Fallout

Dollar Losses

Companies struggle to estimate losses attributed to information-security breaches or espionage.

A third of respondents say they don't know the total value of losses they suffered because of attacks in the past 12 months. Two in five sites report losing less than $100,000 to information-security breaches in the last 12 months. Another 6% of respondents estimate financial losses in the $100,001 to $500,000 range and 3% put losses at $500,000 or more.

The first half of 2005 has seen too many headlines on that very problem, ranging from Bank of America Corp.'s embarrassing admission that it lost backup tapes with the Social Security numbers of 1.2 million federal employees to a security lapse at CardSystems Solutions Inc. that may have exposed data on millions of payment-card accounts. From January through June, there were more than 50 serious data breaches at businesses, government agencies, and universities, affecting more than 50 million identities, according to data compiled by the Privacy Rights Clearinghouse.

Our survey shows that relatively few companies, only 6%, say customer records have been compromised, which pales in comparison with those encountering viruses (67%) and worms (49%). But that's assuming companies are aware that breaches have occurred and are honest enough to admit it. The real number may be higher. And businesses need to get on top of the situation. California law requires companies doing business in the state to disclose any security breaches that involve personal information, and similar measures in other states and at the federal level are likely.

The University of California at San Diego has already been through the drill. After discovering that personally identifiable information stored on a school computer had been compromised, it notified owners of the information about what happened, even though there were no signs of data exposure. Since then, the university has thrown more resources at computer security, says Jim Madden, director of network operations. It's mandating minimum standards for PCs on its network, including requiring up-to-date patches; has added network firewalls; and is working to educate--or, as Madden puts it, "scare"--users about online risks. Next, it's planning to add firewall modules to cordon off sensitive computing activities, install intrusion-detection and security-log-analysis systems, add new tools to enforce security policies, and increase staff. "We see considerable management and client interest in keeping secure where there has been antagonism in the past," Madden says.

But as the threats get more sophisticated, conventional security technologies face a challenge keeping up. "Current malware trends are clearly undermining traditional approaches to IT security," says Alastair MacWillson, managing partner of Accenture's Global Security Practice, pointing to the proliferation of instant messaging and wireless devices as giving perpetrators more points of attack. Most IT managers are committed to improving the safeguards, but budget constraints and other demands often get in the way, he says.


  • Only 16% of respondents say their companies have become more vulnerable to attacks and security breaches, according to InformationWeek Research's annual Information Security Survey.

  • Security threats are growing in number, and they're increasingly targeting people and their data.

  • Business spending on IT security has increased, with top priorities including enhanced application security, better access controls, and secure remote access.

In mid-July, the Department of Energy Computer Incident Advisory Capability issued a warning about a rise in targeted attacks conducted via E-mail. Because the malicious code is aimed at only a few select victims, it's less likely that antivirus vendors will develop stopgaps based on the "signature" of the attack, the Energy Department warned.

The idiosyncrasies of such attacks make them harder to prevent. "If you're just targeting a company here, a company there, or a consumer here, a consumer there, they're impossible to detect with traditional mechanisms," Gartner analyst Neil MacDonald says.

In addition to viruses and worms--which topped our list of reported breaches--phishing (25%), denial of service (20%), and Web-scripting-language violations (12%) accounted for the most common types of security threats and espionage during the past 12 months. Hackers and virus writers are mostly to blame, but they're not the only ones suspected of wrongdoing. Survey respondents also fingered unauthorized employees (22%), former employees (12%), and organized crime (8%) as suspected sources of break-ins.

Phishing schemes, which use E-mail to trick people into sharing personal information, and pharming, where PC users are unknowingly directed to a fraudulent Web site, are among the fastest-growing problems. Gartner estimates phishing attacks grew by 28% in May, compared with a year earlier. And phishing will only get worse, according to the Anti-Phishing Working Group, an industry association. The group warned in a June report that phishers are moving away from social-engineering trickery and toward automated information capture using Trojan programs and exploits, describing the new approach as "the way of the future." It argues in favor of the term "crimeware" to describe programs aimed at committing financial fraud.

Spyware seems tame by comparison, but it's bad enough. Nearly nine in 10 respondents to our survey indicated spyware was a problem at their companies. "Spyware is a nuisance, clogging our network and impacting the productivity of our users," says Frans Nio, director of global information security at Dole Food Co. During a check of computers in one of the company's divisions, Nio discovered that 10 spyware-infected PCs were putting a huge strain on a network shared by 800 PCs. "Fifty percent of the total network traffic was junk just from those 10 PCs," he says.

So companies continue to wrestle with the small stuff, even with nastier malware and ill-intentioned intrusions on the rise. "What I expect are more malicious attacks for more money," says Jason Jeffords, director of security services at Dartmouth College.

Still feel like you've got things under control? Let's see what tomorrow brings.

-- with Martin J. Garvey
