Net Vigilance: Keeping an eye on things
The small-town days of the Net, when you might have left your virtual front door unlocked, are long since gone. Today, "hactivism," the sport of vandalizing Web sites to promote a political cause, has become a catchphrase among security experts. Denial-of-service attacks are a daily occurrence, and e-mail-borne virus epidemics make the evening news.
But the most publicized incidents are only the tip of the iceberg: In the last 12 months, 64 percent of organizations have experienced unauthorized use of computer systems, according to the spring 2001 survey by the Computer Security Institute and the FBI. Most security experts think attacks and intrusions are going to get worse. "A year ago, we were living in fear of devastating attacks that could bring us down," said Phil London, president and CEO of Mazu Networks, which sells a networking device to mitigate attacks. "Now we're saying, 'This is happening right now.' "
To counter the growing threats, corporations are bulking up their data security war chests. A recent Gartner report said businesses today dedicate an average 0.4 percent of their annual revenue to security initiatives — a figure expected to increase tenfold by 2011, when security expenditures will account for 4 percent of annual revenue.
E-businesses understand they must dedicate significant resources to securing their networks, or face the unfortunate consequences. And it's no longer enough to just seal up the holes; you need someone standing watch 24/7 just in case they begin to leak — or in case someone tries to punch a hole through the wall. Vigilant I-managers cannot afford to do less.
Now, a new breed of security intelligence professionals is helping businesses cope in an era of chronic threats. Security intelligence firms such as AtomicTangerine, iDefense and Vigilinx work with customers to identify not only the internal vulnerabilities of their networks, but also the external risks they wouldn't have known they were running until it was too late. These companies have security pros working around the clock, combing chat boards, message groups, hacker Web sites, political Web pages and a host of other places, looking for evidence that an attack is being prepared against a certain company.
"When you think about it like medieval times, inside the castle you had protection around the crown jewels, and then you had a layer of security around the drawbridge and in the moat," said Karen Worstell, president and CEO of AtomicTangerine. "There's now a service that's out there scanning the woods for infidels, finding out, 'Who are the Huns coming your way?' "
Security intelligence services are different from managed security services, which take operational responsibility for securing a customer's Web site or a network — and not every corporation is comfortable with that. Rather, security intelligence services feed information to a company's in-house security personnel, who take action when necessary.
Such services are already popular among political targets, such as government-affiliated banks or public cause organizations. And intelligence is expected to be one of the fastest-growing sectors of the security industry: A new report from The Yankee Group projects the market for security intelligence services to explode from $3 million in 2000 to $300 million by 2005.
The rise of security intelligence services indicates that e-businesses are finally turning their full attention — and their budgets — to security. Industry analysts and consultants have long bewailed that companies often consider security only as an afterthought. "It's been kind of like putting the cart before the horse," said The Yankee Group's Zeus Kerravala. "But over the last few years, customers have had a lot more things to pay attention to, like Y2K [year 2000] and building out an Internet infrastructure."Conceptually, Internet security intelligence services are modeled after the government's military intelligence-gathering apparatus. "The government understands how intelligence works and how it feeds into operational decision making," said Brian Kelly, CEO of iDefense. When it comes to intelligence, the "private sector doesn't think about it as much," Kelly said — a situation that gave birth to companies such as his.
IDefense turned heads in April when it predicted and tracked numerous hack attempts against U.S. corporations as a result of the controversy over a U.S. spy plane that made an emergency landing on Chinese soil April 1.
Luckily for companies attacked during the China-U.S. diplomatic skirmish, most of the hacks were Web site defacements, a relatively inexpensive exposure to alleviate — especially when compared to the latest fad in hacking, distributed denial-of-service (DDOS) attacks.
DDOS attacks, and the ease with which they can be launched, have changed the way corporations approach Internet security. A DDOS attack can quickly overwhelm a Web site with hundreds or thousands of simultaneous requests. Beforehand, hackers would have loaded software on unprotected PCs across the Internet that render them "zombies" to be used as agents in an attack, which also masks the identity of the original hacker.
"The main concern I have is how readily available various exploitations are," Kelly said. "Ten years ago, a hacker had to be pretty sophisticated in understanding network technologies and be proficient in programming scripts."
Today, hacking scripts are not only readily available on the Internet, they also have graphical user interfaces and are frighteningly simple to operate. What's more, DDOS attacks typically were only launched against large organizations, but now small businesses and even individual users are being attacked. Recently released products from Arbor Networks, Asta Networks, Captus Networks and Mazu purport to handle the problem by detecting the offending traffic and blocking or limiting only those requests, but these solutions have yet to be proven in wide-scale deployments.
Security intelligence services claim they are able to provide early warning of impending attacks. Just before Christmas 1999, for example, Atomic Tangerine's security team began noticing discussions among hackers about how they were going to "take down the Internet mall" — Internet retail stores — at the apex of the retail sales cycle, Worstell said. As events unfolded, Worstell sent messages to colleagues to check out the message boards where these discussions were taking place, which, she admitted, was probably a mistake, because then the hackers noticed a spike in traffic. "We were watching them, and then suddenly they were watching us watching them," she said.
AtomicTangerine analysts then witnessed an interesting change of heart, as hackers agreed they didn't want to ruin Christmas because it could create a lot of negative sentiment about hackers. They decided to hold off all attacks until February 2000, Worstell said, which was the month several major sites, including eBay and Yahoo!, were taken down by DDOS attacks.
Most of what the security intelligence services do, however, is grunt work: scouring the Internet for the latest security holes and patches that match the software that specific customers are operating. With daily reports of security vulnerabilities in software ranging from Microsoft Windows to Linux servers, it's very difficult for systems administrators to know exactly what's out there, The Yankee Group's Kerravala said."The chasm that's been growing between the technical skills of the administrator and sophistication of the technology has been getting bigger and bigger over time," he said. "The only way to keep up is to outsource responsibility to another company."
Offerings such as Vigilinx's Security Intelligence Service aim to provide a comprehensive report on the problems and fixes, if available, tailored to a specific organization. "Vendors provide pieces of information, but most organizations don't have a resource arm to look across multiple channels for the fixes they need," said Mike Assante, Vigilinx's vice president of intelligence. "We monitor that external landscape, look and analyze that information, validate and verify it, put a risk associated with it and turn that around to the enterprise."
However, no company should rely exclusively on an outsourced security intelligence service, said Jim Magdych, senior research manager of Network Associates subsidiary PGP Security. A business should ideally employ a trained security administrator who knows the network, is up-to-date on current threats, and knows what to apply and when, he said.
"Nobody knows your organization like someone who works there," Magdych said.
Organizations such as the government-funded Computer Emergency Response Team Coordination Center at Carnegie Mellon University, as well as private vendors such as PGP Security, provide companies with free alerts when they find security vulnerabilities. In many cases, companies such as Vigi linx will package that information and sell it as part of their security intelligence services.
For Chris Joy, vice president of global information technology security of the Dresdner Kleinwort Benson Bank investment bank in London, tracking the endless stream of security alerts was a major headache. Joy's crew subscribed to more than 30 information sources and had to read them daily, keeping track of which fixes were implemented and which ones weren't.
"We had to cut down on the time we used to sift through this," Joy said.
Besides the time sink, Joy was finding much of the data he was getting was outdated, incomplete or even inaccurate. So he began using the Vigilinx service, which provides all the data in one report, as well as advice on actions to take.
"We want to know what problems exist in the technology that we use, even when it's a problem that there's no vendor patch for," Joy said. "We're a global organization, so when a patch does comes out, we want to know where it is and go get it."
IDefense's Kelly said security intelligence services offer more than just alerts — they recommend ways to address specific security incidents. For example, an organization in the U.S. might get a warning from its service at 3 a.m. that there's an e-mail virus spreading in Europe. If no update has been prepared by its antivirus software vendor, that organization can at least make arrangements to temporarily shut down its U.S. e-mail servers before people get to work, thus preventing the virus from spreading.
Of course, most of these steps only pay off when the organization has already put basic security measures into place. The knowledge that some teen-ager in Pakistan plans to hack your site doesn't provide much benefit when someone in the mailroom has had unfettered access to the payroll file for months.
So how prepared are e-businesses to handle the onslaught? Not very, according to those people whose job it is to assess businesses' security preparedness. "The reality is that it's worse than most people think," said Sunil Misra, managing principal of Unisys' Worldwide Enterprise Security Practice. "Senior management would be surprised at how fragile the infrastructure is that they're working on."
The most common security problems Misra finds are misconfigured systems. Devices such as firewalls aren't installed properly or don't have the latest patches, or remote access through that firewall isn't blocked correctly. In other cases, default system passwords haven't been changed, or modems remain active on connected PCs that can be dialed into and become susceptible to control by a hacker, who can then get on the network.
Peter Browne, Predictive Systems' vice president of security consulting, said modern hackers still take part in what's called "war dialing," named after the 1983 film WarGames, in which Matthew Broderick's character would call every phone number in an exchange until he reached a live modem.
Frequently, Browne said, it's too late to stop some of the damage when a security consulting team begins to assess a corporate network. "In many cases, we have found that other people have been there ahead of us and compromised those systems."
One of the reasons some business networks are ill-prepared is that administrators may have no good way to measure exactly how secure they are. "The problem in the industry is there is no one system that allows you to qualify exposure to differentiate between how exposed one company is compared to others," said George Kurtz, CEO of Foundstone, a managed security services provider that offers risk assessment to businesses. Kurtz and Stuart McClure, Foundstone's president and chief technology officer, co-wrote the security handbook "Hacking Exposed" with Joel Scambray.
Foundstone has developed a 100-point scale for rating a company's exposure to unauthorized access, with 100 being the most secure. "In general, any enterprise system is hard-pressed to get above 70 or 75," Kurtz said. "We just finished a large enterprise that got a 5. When we went through the process, we found many of their servers were already hacked."
If anything has surprised Kurtz about organizations he's advised, it's how unconcerned some are about securing their data. "There are many companies that know they're exposed and put their head in the sand," he said. "There are others that have looked at their operation, and from a risk perspective, they're willing to take it. That's a really short-sighted view on trying to protect yourself."