Fighting the army of byte-eating zombies

Internet Security Threat Report

Being an intellectual dilettante, the fields of Systems Theory and Knowledge Management interest me greatly. One of the key principles of those fields is the DIKW Hierarchy first developed by Russell Ackoff, the idea that human minds (ideally) interact with the world and progress through what they find in a hierarchical process, from Data to Information to Knowledge to Wisdom (Ackoff also adds Understanding, but not everyone does).

This makes sense to me, and it helps me think about my own day-to-day education so I'm always asking myself some pretty important questions: How valuable is this data? What can I gather from this data? How does this information work together? Why is what I'm observing happening? Finally, what can I do in the future to either repeat this, if it's positive, or reduce the likelihood of its recurrence, if it's negative?

If you think about it, the DIKW Hierarchy also defines the job of security pros. Security professionals are in the business of:

  • Gathering data (logfiles, of course, but also visual inspections, asking questions, reading listservs and RSS feeds)
  • Turning that data into information (figuring out what is happening to whom, and where and when it's happening)
  • Applying information to create knowledge (how is this happening)
  • Synthesizing knowledge into wisdom (what can we do to make sure we're safer? what are best practices?)

Recently Symantec released their latest Symantec Internet Security Threat Report, and it is a document that all security pros ought to read. It's free (although you do have to register to get it), it's detailed, and it's full of data, information, and even some knowledge. Let's take a look at some of the more interesting data points in the document and see what we can gather from those. (Full disclosure: SecurityFocus is owned by Symantec, so I'm discussing a document written by a parent company. But trust me, this is worth your time, and I'd be writing about it regardless of its source.)

A new virus every hour

"Over the past six months, Symantec documented more than 4,496 new Windows (particularly Win32) viruses and worms, over four and a half times the number as the same period in 2003."

Whoa. I'm no mathematician, but that means we're seeing a new virus or worm every hour of every day. Of course, not all of these are Sasser or Blaster or CodeRed, but still. That number should get your PHB's attention. Walk in and say, "PHB, we've been at work 8 hours today. During that time, 8 new viruses and worms have been created. When we come in tomorrow, 16 more will have been created. 24 hours in a day, 24 new viruses and worms." Let that one sink in.

Then quote that number to the people whose machines and networks and data you're tasked with protecting. Oftentimes what we do doesn't really sink in with quote-unquote normal users. I'll bet that this will. It's concrete, it's easy to understand, and it will hopefully make them realize why they need to be hyper-vigilant about updating AV databases and not clicking on every damn attachment they get in their mail.

An army of byte-eating zombies

"Over the first six months of 2004, the number of monitored bots rose from well under 2,000 computers to more than 30,000."

They're out there, waiting. Too many to overcome. Stupid, unthinking, with just one purpose: to overwhelm you, to make you one of them. A large and growing threat for which you must prepare (yes, I saw Dawn of the Dead again recently - the good one, from 1978).

I think most people can understand bots and the dangers they pose. In fact, I think the idea of bots both intrigues and horrifies people when they hear about them. The idea that someone can remotely control a huge army of machines, with the so-called owners of those machines not even aware that the machine they use is not really theirs any longer - that's amazing to non-technical users. But when you explain the consequences of a couple of hundred machines working in concert to further the ends of a criminal, or a couple of thousand ... well, that's pretty scary. And that 30,000 number is just the ones we know about.

If you want to purchase an IDS or invest in greater vulnerability alerting, this number may help you.

No, you can't run KaZaA

"Peer-to-peer services (P2P), Internet relay chat (IRC), and network file sharing continue to be popular propagation vectors for worms and other malicious code."

Look, I use P2P ... on Linux. And when I used P2P apps on Windows, I knew not to use the ones that come loaded with ten kinds of spyware, and I only shared one little folder on my hard drive, and I knew to watch out for executables, and I scanned everything I downloaded. Most people have no idea. They just go download KaZaA, or whatever else their friends are using, and they don't pay a bit of attention to what they're sharing or what they're downloading. Gotta get that new Justin Timberlake song!

At home, P2P is cool. At work, P2P has no place ... unless you've set up Groove or some other corporate-approved app that is used solely for business purposes. IRC at work? Not for most people (programmers, maybe). Network file sharing? A huge problem, but necessary, so it is tightly controlled.

Again, the numbers in the report will help justify your actions to those who pay the bills. Use the report. That way, it's not you that's the bad guy for taking away P2P and file sharing: it's those killjoys at Symantec who explained that bad guys use those apps to get into our network and do bad things.

It ain't lil' Johnny anymore

"The rise in targeted attackers for e-commerce ... may indicate that the motivation of attackers may be shifting from looking for notoriety toward seeking illicit financial rewards."

It seems that while script kiddies are still a problem - and will always be a problem - they are fading as a threat before a bigger, badder worry: organized, professional criminals who know what they're doing and know what they're after. It's never a good thing when your computers or network get taken over by a young punk, but there's usually a limit to what he wants: to show off, to perhaps take something, or even, in the best circumstances, just to poke around and learn. Sometimes, of course, our young punk engages in criminal activities, but often he's stupid or clumsy about it.

Now, though, we've really got problems. The professionals smell blood, and they're after far more than props from their pals. In fact, these guys don't want to show off. They want to stay as incognito as possible so they can steal ... well, everything. Money, identities, credit card numbers, you name it.

When talking to your bosses - and your users - I don't recommend using "hackers" anymore, as in "We're facing threats from hackers". Instead, I'd use "organized crime". We're facing a radically different threat, so it's time we started talking like it.

Time to exploit

"Over the past six months, the average time between the announcement of a vulnerability and the appearance of associated exploit code was 5.8 days."

And now we reach the crux of the matter. Given that (a) we have a new virus every hour, (b) an army of bots, (c) popular software increasingly used as an attack vector, and (d) the increasing involvement of organized crime in security attacks, then it's no surprise that the time we have to prepare for each new attack is small and getting smaller.

Six days between vulnerability and exploit. Who can prepare for that? How many vulnerabilities are you watching? How many can you, or your team, watch? Automation is an answer - for instance, I was heartened to learn that a major anti-virus vendor now has its software default to checking for updates every four hours (just a few years ago, it checked every week) - but it's only one answer. I write a lot about ways to get your users - and the bean counters - involved in security. Now, more than ever, we're going to have to redouble those efforts.

There's plenty more in the Symantec Internet Security Threat Report that I haven't covered - a lot more. Hopefully, the five data points I've pulled out of that very useful document will provide us with information, knowledge, and maybe, if we're all lucky, some little bit of wisdom. We're going to need it.

Copyright © 2004, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
