Staying ahead of the hackers
The RSA confab this week brings 10,000 security industry players together to discuss topics ranging from cryptography and federated identity to ethical hacking and incident response. While a great deal of attention is paid to cybersecurity, the rate of attacks is accelerating. Considering that we are really at the beginning of the digital age, we are in for a few rough decades as the security tools try to stay a step ahead of the hackers.
According to an Internet Security Threat Report released in February by Symantec, vulnerabilities in products increased 81.5 percent in 2002 from the previous year. Network-protection firm Internet Security Systems reported that the number of security events detected by companies in the first quarter of 2003 jumped nearly 84 percent over the preceding three months. Jan Hruska, CEO of anti-virus maker Sophos, claims that 1,000 viruses are created every month.
In addition, cyberattacks are becoming more complex and sophisticated. Blended threats, which are multi-dimensional in their methods of attack and effects, pose the greatest problem, and have intensified in the last year. Worms are becoming more elusive to track because they can change behavior each time they execute. And the smarts required to create a virulent worm or virus are decreasing. "This is a reflection of the fact that more [hacking] tools and techniques are posted on the Internet for anyone to use," said Robert Clyde, vice president and CTO of Symantec.
I talked with Jim Bidzos, chairman of RSA Conferences and former CEO of RSA Security, about the hot security topics bubbling up at the RSA conference. In fact, Bidzos is coming up with an "insecurity index" that looks at various areas to calculate an overall global security benchmark. He wasn't ready to reveal his precise index number and scale, but implied that it will be a classic seesaw battle between the good guys and the bad guys: "It's still one-upmanship between the security pros and the hackers," Bidzos said.
Bidzos noted that while IT jobs are decreasing, security jobs have grown slightly and the market for security products overall is on the upswing. I would surmise that these are good signs given that many companies have not adequately funded security initiatives.
What's difficult to overcome, however, is the lackadaisical attitude toward security that prevails in many corporate campuses, branch offices and departments. They may put time and effort into eradicating spam and have the obligatory firewalls, but lack a fully developed security strategy that provides insulation from the kinds of attacks that can affect business continuity. Certainly cost is an issue, but you can pay now or pay a lot more later. With the list of important security issues growing longer, delaying expenditures and staffing for cybersecurity could result in a real economic disaster for the unlucky, unwise companies playing the odds.
With hacking activity increasing, including malicious code that delivers nasty payloads, the odds are less favorable for those who wait to take action. The malicious code writers are mostly exploiting known vulnerabilities rather than finding new flaws.
The SQL Slammer worm infected 200,000 computers running Microsoft's SQL Server that didn't have the patch applied--a patch that had been available for more than six months. Most of the vulnerable systems were infected in the first 10 minutes after the worm had been dropped onto the Internet.
It's incumbent upon software vendors to develop more bulletproofing techniques to reduce the holes that enterprising hackers exploit. Similarly, IT departments are at fault for failing to apply patches or fixes for known problems. Some IT organizations are reluctant to add new code to their resource-constrained environments, and don't want to go through a rigorous, and often costly, test phase.
"Software updates and changes are always a problem," according to Al Wasserberger, CEO of Spirian, a provider of software distribution solutions. "You are absorbing new code and need a defined set of best practices to test compatibility. It comes down to getting systems operating in a predictable, reliable fashion."
The SQL Slammer may have cost about $1 billion in lost productivity during its first five days, but that figure pales compared to the costs of employee breaches, such as espionage and theft of corporate data assets. Investments in employee background checks, internal auditing and policy-based identity management solutions should be required for any at-risk corporation.
Clyde noted that we are just seeing the first glimpse of Class 2 threats, but Class 3 threats, attacking systems across the Internet in seconds rather than minutes, will be greatly enabled by broadband and ubiquitous connectivity. A blended denial-of-service attack launched from 10 million machines could potentially shut down the business-to-business transactions of every Fortune 500 company, Clyde said.
"As we move up the threat scale, it is ever more difficult for humans to respond," Clyde said. "You need to have proactive protection. When you learn about a vulnerability, you need to anticipate techniques hackers would use and proactively defend ahead of the exploits."
As many security mavens are preaching today, we are moving from an era of intrusion detection to intrusion prevention or, as Clyde said, to proactive protection. The research firm Gartner describes an intrusion prevention security strategy as one that makes the inside of an enterprise "hard and crunchy," with an array of user access controls, network segmentation, firewalls, virus protection, data encryption, vulnerability scanning and remediation.
I'm not sure if a hard and crunchy center will keep the malicious code at bay, but a coordinated effort within the industry to build more secure software, automate the distribution of patches in a way that doesn't introduce incompatibilities, and proactively stay one step, or at least a few nanosteps, ahead of the hackers sounds like a plan. If the industry can't move more quickly in that direction, malicious hackers will gain a big advantage.
See our full coverage this week of the RSA Conference. We have the latest security news, commentary and interviews from the event.
Is your company investing in developing an intrusion prevention strategy? Leave a message in ZDNet's TalkBack forum or e-mail me at dan.farber@cnet.com.