Prescription for protection

Communications News, Jan, 2004 by Arthur Wong

Network security threats from the Internet are becoming more sophisticated and more aggressive, according to Arthur Wong, a vice president at Cupertino, Calif.-based Symantec Corp.--and they are spreading faster, to the point where human reaction time may not be fast enough to counter them. In remarks before the House Energy and Commerce Subcommittee on Telecommunications and the Internet, Wong cited two key areas for attention: corporate IT security governance and user awareness. "Corporate IT security cannot continue to be an afterthought or add-on approach," he told the committee.

Wong's remarks:

"We are at an important juncture with regard to cyber security. The threats we are seeing today are more sophisticated, more aggressive and are able to spread more rapidly than ever before. Equally important, the time from the discovery of a new vulnerability to the release of an exploit targeting that vulnerability is rapidly shrinking.

"We are already beginning to see the early stages of what are called flash threats, threats that are near instant in their delivery. These are threats in which human reaction time is probably not fast enough. A good example would be the recent Slammer worm, which, at its peak rate, infected 90% of the vulnerable systems in just 15 minutes. This speed of propagation, combined with the reduction of the time to exploitation, raises serious issues about the approach our nation is taking to protect our networks.

"Security is an evolving process and we must continue to be aggressive in educating the individual user about good cyber security practices. The time from vulnerability discovery to exploit is rapidly shrinking. For example, the SQL Slammer worm attack from January of 2003 exploited a vulnerability discovered about six months earlier. Just a few months later, that benchmark changed significantly with the release of the Blaster worm. This blended threat exploited a vulnerability just 26 days after disclosure.

"We have also seen that 64% of all new attacks targeted vulnerabilities less than one year old (according to Symantec's Internet Security Threat Report, a distillation of data from more than 500 Symantec managed-security customers). Moreover, of all the new attacks documented in the first half of this year, 66% targeted what would be classified as highly severe vulnerabilities. We documented over 1,400 new vulnerabilities, a 12% increase from last year. As (these trends) continue, we will need new security paradigms to appropriately protect our cyber-infrastructure.

IM, P2P BEING ATTACKED

"Early warning and alerting capabilities, strong patch management and solid internal processes to respond when a new vulnerability is discovered may be the difference between protecting critical systems and having them compromised.

"We are also starting to see the use of viruses and worms to attack newer applications, such as instant messaging and peer-to-peer networking. In fact, of the top 50 malicious code submissions we received in our laboratory during the first half of this year, 19 used peer-to-peer and/or instant messaging applications--an increase of almost 400% in just one year.

"So, the trends suggest that the overall rate of attack activity rose 19%. Companies experienced, on average, 38 attacks per week compared to 32 for the same period last year.

"Two key areas are important to improving cyber security of our IT infrastructure: corporate IT security governance and user awareness. Corporate IT security cannot continue to be an afterthought or add-on approach. It should be integrated into the overall management plan for an organization.

"A cyber security plan should focus on the following areas: ensuring overall business continuity, adhering to regulatory compliance, enabling organizations for their 'e' initiatives, and establishment of a security policy and implementation plan. All of this must be done with a watchful eye on balancing risk and managing cost to ensure both system availability and security.

"In discussions with enterprise organizations, they cite three main drivers of the need to look at security in a more holistic manner. They include the disappearing perimeter, the increase in threats and the lack of security expertise.

TOP-DOWN APPROACH REQUIRED

"IT security requires a new level of governance at the senior level. It requires a top-down approach that reaches across the organization's departments and functions. It requires the creation of a culture of security.

"IT governance must be a part of the overall governance of an organization. Doing so will ensure that IT is aligned with the organization to deliver value to its constituents, that IT resources are responsibly utilized and that IT risks are mitigated and managed appropriately. Taking this a step further, information security should also fit in this broader view. For example, information security reports should go to senior executives in an organization and information security audits should be part of the overall audit program.

 


Content provided in partnership with Thompson Gale