In recalling some of the IT security breaches, viruses and attacks of last year, most experts concur that 2001 proved to be one of the most active for computer-related crime.
"The year 2001, was, to paraphrase Arthur C. Clarke, a security odyssey," Mikko Hypponen, manager of F-Secure Corporation's anti-virus research division, noted in a recent news release.
According to F-Secure, over the course of the last 12 months traditional viruses evolved into something a bit more deadly to computer systems everywhere. Worms like Code Red seem to be foreshadowing what may become the more frequent use in 2002 of hacking techniques that take advantage of server and other system vulnerabilities. Such worms render traditional anti-virus solutions pretty ineffective, notes Hypponen. "To combat these new types of combined hacking and virus attacks the data security industry needs to combine functionality from traditional anti-virus programs and distributed firewall systems, providing protection against viruses, hacking and the combinations of these," he states.
Nimda and its widespread wrath should be kept in mind, as well, since this worm used web sites, email systems and Microsoft application vulnerabilities to spread. In using various methods to proliferate, Nimda, according to F-Secure, took one day to infect 2.5 million computers. The damage done by worms like Nimda and BadTrans could have been avoided had companies taken a more proactive stance. For instance, in addition to keeping anti-virus solutions up to date, Microsoft patches could have been downloaded to plug the holes the worms were exploiting.
To top these examples of real and most likely more readily occurring nasties, the Cutter Consortium Business Technology Council warns of mass hacking for 2002. Similar to weapons of mass destruction, mass hacking attacks could cause Internet downtime of an "epic scale," note Tom DeMarco and James Bach, fellows of the consortium. Indeed, the group indicates that viruses are nowhere close to being the most dangerous threat to IT systems. Rather, malicious hacking activity carried out by large groups using zombie computers, a range of ploys and extensive planning and coordination could prove the most damaging to Internet business.
"There are more than 100 million computers attached to the Internet," the council notes. "Instead of using his own system to attack or probe his victims, the modern mass hacker dips his ladle into that vast ocean of other people's computers, co-opts them and uses them to launch the main assault."
Counted among these and other threats are those that involve stealing data, usurping customer identities, spamming, sending out questionable content and a host of other computer-related attacks/mistakes/worries. And, of course, one of the sometimes overlooked problems is that of the internal user - whether a malicious attacker or simply an untrained user not versed in handling, sharing or accessing important data.
If 2001 and its horrible events, including Sept. 11, did anything for security overall and computer security more specifically, it was to increase the awareness that protection from physical and cyber harm is requisite. As most seasoned IT security pros know, acknowledging this need is half the battle. Now, 2002 will hopefully be filled with more zealous infosecurity action - the stuff that moves beyond awareness, planning and a little firewall or anti-virus solution deployment.
To get moving in this direction, Rick Shaw, owner of CorpNet Security, released the Digital Human Performance Protection Guide shortly after Sept. 11. Some of the steps he recommends companies undertake include the following:
- Provide security awareness training to employees, being sure to "empower and reward" them to find and react to both physical and infosecurity risks.
- Along these lines, companies should monitor this awareness training and modify policies to be sure that all employees understand their roles in keeping the company safe and sound from attacks of the cyber or physical kind.
- Update patches on servers and operating systems and harden server configurations to avoid worms and other 'Nimda-like' threats.
- IDS and anti-virus signatures should be updated every day - not every month or even every week. Making these updates occur automatically will ensure this happens consistently.
- Get incident response procedures in place and educate employees about them.
- Monitor the network perimeter all the time to keep chance openings closed. In doing this, companies will keep up on new threats and make note of any changes to the network, such as when new applications are added.
- Test disaster and cyberattack recovery capabilities, as well as backups, to keep business going even when disaster strikes.
- Information should be classified and employees trained on what data is "sensitive, proprietary or confidential, to prevent privacy and 'social engineering' threats."
- Conduct background checks on employees, contractors or other partners and vendors - especially those who have the ability to access that classified data.
- Be smart about disposal of information "to prevent 'dumpster diving' and 'refuse accidents.'"
Taking into account the sophistication and the frequency of cyberattacks in 2001, one cannot help but predict that 2002 will be no better and may prove to be much worse for legitimate computer and Internet users. It is now a matter for those that have been or could be victimized to arm themselves against computer attackers.
As F-Secure's Hypponen says, "It is sensible to assume that the number of sophisticated malicious code attacks will increase." He notes that they are being executed by pros. Whether these savvy individuals comprise terrorist groups, organized crime rings or intelligence communities is beside the point. "The bottom line," says Hypponen, "is that we are seeing the first signs of the type of fundamental vulnerability that a fully computerized society and economy will have to live with."
Illena Armstrong is U.S. editor of SC Magazine.