Security Costs Surge

November 2003

In August, e-businesses everywhere got a series of wake-up calls from the dark side of the internet. It was the season of the worm.

First came Blaster, a crafty, virulent piece of malicious code that sneaked through a security hole in Microsoft software. Unlike viruses that attach themselves to e-mails and become active when users open them, worms move stealthily through the innards of computer systems without any human intervention. All told, Blaster infected 336,000 computers within 24 hours, replicating itself in a further 30,000 computers every hour, according to the U.S. clearinghouse for computer security, the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute in Pittsburgh.

Blaster was followed by Welchia, a supposedly benevolent bug designed to close the security hole that Blaster was exploiting. But the unwanted cure proved worse than the disease and, as a result, networks were slowed to a crawl. Meanwhile, the internet was being infested with a new epidemic in the form of SoBig.F, a virus that propagated itself through spam, getting into e-mail in-boxes and mailing itself to every address it could find.

These bugs were more than just a pain in the neck for a handful of geeks: They caused disruptions to everyday life. Trains stopped running on CSX Corp.'s freight railway network, one of the largest in North America. Air Canada was forced to delay and cancel some flights when Welchia hit its phone reservation computer system. And, among numerous other examples of computer failures around the globe, perhaps the most sensitive and potentially damaging was a nine-hour shutdown of the U.S. State Department computer system that checks the names of visa applicants against a list of 78,000 suspected terrorists.

All this serves as a reminder of how vulnerable our information systems are and the degree to which we depend on them. Richard Pethia, the director of CERT, told a U.S. congressional committee that Blaster has cost businesses an estimated $525 million (U.S.), and SoBig.F between $500 million and $1 billion (U.S.). Even more disturbing is the fact that these attacks expose a broader problem with internet security. "Our current solutions are not keeping pace with the increased strength and speed of attacks," Pethia explained, "and our information infrastructures are at risk."

Businesses are spending more than ever before on security technology, and the cost of security is eating up a greater proportion of corporate technology budgets, according to Gartner, Inc., which reports a 28%-a-year increase in security spending since 2001, even though technology budgets have grown by only 6% a year. Gartner predicts that 20% of enterprises will experience a serious internet security incident (excluding virus attacks) before the end of 2005.

The problem, according to Pethia and other experts, is that organizations rely more than ever on on-line collaboration with customers, partners and suppliers, while employees frequently connect to corporate computer systems from home computers or through wireless networks. As corporate computer systems open themselves up to outsiders, there's a danger of letting intruders in.

What makes the risk even greater is that many computer programs are designed to be collaborative, and will therefore execute commands that are sent in remotely. What's more, the hundreds of computer programs used every day in various aspects of e-business each contain millions of lines of code, written by pressed-for-time programmers who rush to meet deadlines. The result: CERT reports that an average of 4,000 vulnerabilities (flaws that could create security problems) are discovered in software programs every year.

Whenever vulnerabilities are discovered, software companies act with haste to develop patches of code that will close the hole. Until now, they've succeeded in releasing these patches a year or more before anyone develops a worm to exploit them, but the most recent worms were developed within just 30 days of the vulnerabilities being found. According to Jack Sebbag, Canadian vice-president and general manager for computer security and network management company Network Associates, Inc., "These guys are a lot quicker to exploit known vulnerabilities and (here's the scary part) they're also out there running all kinds of tools and code to see if they can find unknown vulnerabilities. These guys are good and they'll find stuff. They'll cause even more trouble."

When hackers discover vulnerabilities, they don't necessarily create viruses or worms that cause public mayhem, but will often use their knowledge for their own illicit purposes. For that reason, any company with information assets worth stealing should subscribe to a service that provides early warnings about all the known vulnerabilities.

Still, the largest threat of all arises when computer users and e-businesses fail to take measures to protect themselves. In almost all cases, the victims of worm and virus attacks could have protected themselves by installing patches and antivirus software that were available before the bugs attacked. As Ron Ethier, vice-president of technology at internet service provider Magma Communications Ltd., so succinctly puts it, "It's like everyone in your neighbourhood has their doors locked, but there's a criminal in the neighbourhood with a master key. Yet very few people change their locks.
