Fighting the army of byte-eating zombies
Internet Security Threat Report
Being an intellectual dilettante, the fields of Systems Theory and Knowledge Management interest me greatly. One of the key principles of those fields is the DIKW Hierarchy first developed by Russell Ackoff, the idea that human minds (ideally) interact with the world and progress through what they find in a hierarchical process, from Data to Information to Knowledge to Wisdom (Ackoff also adds Understanding, but not everyone does).
This makes sense to me, and it helps me think about my own day-to-day education so I'm always asking myself some pretty important questions: How valuable is this data? What can I gather from this data? How does this information work together? Why is what I'm observing happening? Finally, what can I do in the future to either repeat this, if it's positive, or reduce the likelihood of its recurrence, if it's negative?
If you think about it, the DIKW Hierarchy also defines the job of security pros. Security professionals are in the business of:
- Gathering data (logfiles, of course, but also visual inspections, asking questions, reading listservs and RSS feeds)
- Turning that data into information (figuring out what is happening to whom, and where and when it's happening)
- Applying information to create knowledge (how is this happening)
- Synthesizing knowledge into wisdom (what can we do to make sure we're safer? what are best practices?)
Recently Symantec released their latest Symantec Internet Security Threat Report, and it is a document that all security pros ought to read. It's free (although you do have to register to get it), it's detailed, and it's full of data, information, and even some knowledge. Let's take a look at some of the more interesting data points in the document and see what we can gather from those. (Full disclosure: SecurityFocus is owned by Symantec, so I'm discussing a document written by a parent company. But trust me, this is worth your time, and I'd be writing about it regardless of its source.
A new virus every hour
"Over the past six months, Symantec documented more than 4,496 new Windows (particularly Win32) viruses and worms, over four and a half times the number as the same period in 2003."
Whoa. I'm no mathematician, but that means we're seeing a new virus or worm every hour of every day. Of course, not all of these are Sasser or Blaster or CodeRed, but still. That number should get your PHB's attention. Walk in and say, "PHB, we've been at work 8 hours today. During that time, 8 new viruses and worms have been created. When we come in tomorrow, 16 more will have been created. 24 hours in a day, 24 new viruses and worms." Let that one sink in.
Then quote that number to the people whose machines and networks and data you're tasked with protecting. Oftentimes what we do doesn't really sink in with quote-unquote normal users. I'll bet that this will. It's concrete, it's easy to understand, and it will hopefully make them realize why they need to be hyper-vigilant about updating AV databases and not clicking on every damn attachment they get in their mail.
An army of byte-eating zombies
"Over the first six months of 2004, the number of monitored bots rose from well under 2,000 computers to more than 30,000."
They're out there, waiting. Too many to overcome. Stupid, unthinking, with just one purpose: to overwhelm you, to make you one of them. A large and growing threat for which you must prepare (yes, I saw Dawn of the Dead again recently - the good one, from 1978).
I think most people can understand bots and the dangers they pose. In fact, I think the idea of bots both intrigue and horrify people when they hear about them. The idea that someone can remotely control a huge army of machines, with the so-called owners of those machines not even aware that the machine they use is not really theirs any longer - that's amazing to non-technical users. But when you explain the consequences of a couple of hundred machines working in concert to further the ends of a criminal, or a couple of thousand ... well, that's pretty scary. And that 30,000 number is just the ones we know about.
If you want to purchase an IDS or invest in greater vulnerability alerting, this number may help you.
No, you can't run KaZaA
"Peer-to-peer services (P2P), Internet relay chat (IRC), and network file sharing continue to be popular propagation vectors for worms and other malicious code."
Look, I use P2P ... on Linux. And when I used P2P apps on Windows, I knew not to use the ones that come loaded with ten kinds of spyware, and I only shared one little folder on my hard drive, and I knew to watch out for executables, and I scanned everything I downloaded. Most people have no idea. They just go download KaZaA, or whatever else their friends are using, and they don't pay a bit of attention to what they're sharing or what they're downloading. Gotta get that new Justin Timberlake song!
At home, P2P is cool. At work, P2P has no place ... unless you've set up Groove or some other corporate-approved app that is used solely for business purposes. IRC at work? Not for most people (programmers, maybe). Network file sharing? A huge problem, but necessary, so it is tightly controlled.
Again, the numbers in the report will help justify your actions to those who pay the bills. Use the report. That way, it's not you that's the bad guy for taking away P2P and file sharing: it's those killjoys at Symantec who explained that bad guys use those apps to get into our network and do bad things.
It ain't lil' Johnny anymore
"The rise in targeted attackers for e-commerce ... may indicate that the motivation of attackers may be shifting from looking for notoriety toward seeking illicit financial rewards."
It seems that while script kiddies are still a problem - and will always be a problem - they are fading as a threat before a bigger, badder worry: organized, professional criminals who know what they're doing and know what they're after. It's never a good thing when your computers or network gets taken over by a young punk, but there's usually a limit to what he wants: to show off, to perhaps take something, or even, in the best circumstances, just to poke around and learn. Sometimes, of course, our young punk engages in criminal activities, but often they're stupid or clumsy.
Now, though, we've really got problems. The professionals smell blood, and they're after far more than props from their pals. In fact, these guys don't want to show off. They want to stay as incognito as possible so they can steal ... well, everything. Money, identities, credit card numbers, you name it.
When talking to your bosses - and your users - I don't recommend using "hackers" anymore, as in "We're facing threats from hackers". Instead, I'd use "organized crime". We're facing a radically different threat, so it's time we started talking like it.
Time to exploit
"Over the past six months, the average time between the announcement of a vulnerability and the appearance of associated exploit code was 5.8 days."
And now we reach the crux of the matter. Given that (a) we have a new virus every hour, (b) an army of bots, (c) popular software increasingly used as an attack vector, and (d) the increasing involvement of organized crime in security attacks, then it's no surprise that the time we have to prepare for each new attack is small and getting smaller.
Six days between vulnerability and exploit. Who can prepare for that? How many vulnerablities are you watching? How many can you, or your team, watch? Automation is an answer - for instance, I was heartened to learn that a major anti-virus vendor now has its software default to checking for updates every four hours (just a few years ago, it checked every week) - but it's only one answer. I write a lot about ways to get your users - and the bean counters - involved in security. Now, more than ever, we're going to have to redouble those efforts.
There's plenty more in the Symantec Internet Security Threat Report that I haven't covered - a lot more. Hopefully, the five data points I've pulled out of that very useful document will provide us with information, knowledge, and maybe, if we're all lucky, some little bit of wisdom. We're going to need it.
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.