Security 2006: Confidence crisis

The number of attacks decreased, but the attacks became increasingly deliberate and serious. InfoWorld's survey shows a crisis of confidence among IT security experts.

It is difficult to find a better example of the IT crisis than the case of Brent Oxley, owner of the hosting company HostGator: his customers' websites are redirected to malicious web addresses that drop a virus onto the end user's computer. Whenever Oxley's staff "cleans" one computer, another machine in the network is "hit". Oxley seems to be trapped in a game of hide-and-seek, while also having to calm angry customers and end users.

Bad direction

According to the InfoWorld survey, only half of the people in charge of security at their companies feel "somewhat confident" in their company's security system. The rise of malware and phishing has caused this "timid" mentality.

If 2005 was the year in which young hackers out for fun gave way to professional criminals, 2006 showed how dangerous organized crime has become. Malware is sharper and harder to detect, digging deeper into operating systems and applications to rummage for sensitive information. Malware and phishing tools are even sold online. "Blatant" criminals often offer to take care of the security of a company whose network is under attack, for a fee of course. Small companies are attacked as well as big ones.

The attack on HostGator shows many characteristic signs of today's increasingly sophisticated security threats, and primarily exploited security vulnerabilities in Windows and applications. This is reflected in the survey results: 51% of participants said that the increasing sophistication of attacks was the top challenge for security, while 50% said that Trojans, viruses and other types of malicious code are the leading threats to network security.

According to Eric Sites, senior vice president of R&D at Sunbelt Software, Trojans used to load computers with very poorly written adware that could easily make them hang. That was annoying, but nothing compared to today's malware, which steals passwords, sends spam and joins a destructive network. The problem gets worse: criminals have started organizing a 'virtual market' to trade passwords and other information collected through malware.

Number down, severity up

Security experts reported a modest reduction in online attacks over the past 12 months, with each company averaging 331 attacks and 39 successes. This is an improvement on the average of 368 attacks and 44 successes recorded in the last survey.

However, this does not prove that networks are more secure, according to Jon Ramsey, technical director of SecureWorks, which monitors Internet attacks. Although the overall number of alerts decreased, the number of serious attacks is increasing rapidly. The reason Ramsey gives for the fall in the number of attacks is worrying: profit-motivated hackers do not want to waste time, or use more sophisticated techniques.

Among successful attacks, the most common method is impersonating a company's "identity" to trick customers, a common phishing technique. This is not surprising, as a phishing toolkit that makes it possible to fake large bank websites can be purchased for only US $50. Worse, phishing initially targeted only big companies like eBay and now threatens small companies.

This is the second year in a row to record a decline in the number of successful attacks exploiting operating system vulnerabilities. Only 23% of respondents said they were hacked, compared with 24% in 2005 and 40% in 2004. Similarly, reports of attacks exploiting weaknesses in web applications, routers and other components of the network infrastructure decreased or stayed equal to last year.

According to John Pescatore, vice president for Internet security at Gartner, software vendors seem to be aware that businesses value the security features of the products they want to buy, so more and more vendors put security checks first.

Danger inside

Because of the lure of money, a company's employees can become a threat if the company does not have a careful security plan. 42% of participants said their company did not have a clear written security policy (a slight improvement on 46% last year).

It is worrying that 18% of the group with security policies do not train their staff in how to follow them. Pescatore said that implementing security policies is labor intensive but not too expensive, and that the SANS Institute website (www.sans.org) also offers a free version of a security policy.

Failure to implement a privacy policy, or to force employees to comply with it, explains the long list of prominent news stories about breaches of personal information over the past year. One of the famous cases is a laptop holding confidential information on about 26.5 million US veterans, stolen from the home of a veterans' office employee. It is worth mentioning that this employee was not allowed to bring the data home.

The fact is that even with a strict security policy, it is not easy to force employees to comply. This is reinforced by survey data from InfoWorld: only 55% of participants said they have implemented encryption software on PCs and handheld devices, a measure that can protect data when it falls into the hands of bad guys.

The threat from employees is a real concern for security experts: 56% think this is an important challenge for security. Some are particularly concerned about the risk of 'social engineering': criminals may entice an employee, or go through an employee's relative, to extract confidential information.

Ranking of security threats
Trojans, viruses, worms and other types of malware: 50%
Spyware: 45%
Spam: 44%
Employee error (accidental): 39%
Application errors: 37%
Data theft by employee or partner: 37%
Hackers: 36%
Internal vandalism: 30%
Wireless network: 30%
Deploying new technologies (e.g. wireless network, remote access): 27%
Partner error (accidental): 24%
Mobile devices (PDA, smartphone): 24%
Common hackers (not competitors, cyber-terrorists, employees or partners): 20%
Online terrorism: 19%
Cannot meet mandatory government requirements: 16%
Competitor reconnaissance: 15%

Monitoring employees

Companies are currently looking for solutions to the risk of staff stealing data. Along with the antivirus, firewall and VPN software that has been used for years to keep out hackers, IT professionals now need more products to help protect information. 24% of security experts surveyed said they have implemented employee monitoring solutions, and another 8% said they plan to propose such a system next year; 44% monitor or filter outgoing email, and 8% said they will start doing so in the next 12 months.

For example, Jim Brockett, CIO of Washington Trust Bank, uses a monitoring service from NexSentry to protect data from theft. The service sends a notification whenever an employee copies information from a protected application (such as a bank database) and pastes it into an unprotected application (such as a web browser or an email program). The solution also prevents the use of flash memory and other unauthorized USB devices.

When used correctly, traditional technology can also provide important weapons in the security war. But survey participants said they need new technologies that can do more than scan for malicious code or detect probe attacks. 'We need to switch to behavioral surveillance, for example, when computers are activated at 3 am to send email,' said Dave Rand, technical director for Trend Micro's Internet content security division.

Assuming security solution providers can develop such sophisticated products, will they be accepted in a market full of expensive security solutions? According to the survey, only 35% of participants expect their security budget to increase next year.

HostGator responds

Back to the case of HostGator: Oxley and his colleagues finally discovered that the hackers had broken through the defensive barrier via a flaw in the website management application. Once inside, the hackers used HostGator servers as a springboard to exploit another weakness and then infected more than 200 servers serving 500,000 domains managed by HostGator (they also targeted at least 2 other hosting services, according to Oxley).

Although the case was finally resolved, Oxley, like many others, is still concerned: 'It is very likely that one morning we will wake up and witness an attack crippling all hosting companies.'

Top challenges for security
Employees underestimate the importance of security policy: 52%
Increasing sophistication level of attacks: 51%
Company leaders underestimate the importance of security policy: 44%
Insufficient budget for buying essential security tools: 40%
Increasing complexity of security solutions: 39%
Increasing number and complexity of traffic data in the network: 39%
Unmanaged equipment and mobile users: 37%
Network is always active: 35%
Patchy nature of network security: 34%
Allowing wireless devices in the company: 33%
Network configuration management: 31%
No security professionals in the company: 30%
Difficulty in securing web application software: 28%
Integrating third parties into the company's network environment: 27%
Complying with national privacy and security regulations: 25%
Allowing 'chat' in the company: 24%
Terrorism on the Internet: 20%
Outsourcing security: 11%

Nguyen Le