
Don't Panic. Plan: Page 4 of 8

A whopping 82.53 percent of all attacks originated on North American computers, according to ISS' "Top Attacking Regions From October 28, 2002, to December 31, 2002". Perhaps it's the high U.S. per-capita connectivity rate or the number of unpatched and unmaintained systems on campus and broadband networks that are used as relay points by attackers trying to cover their tracks. The truth is there's no way to tell if the attacker is sitting at the keyboard of the attacking computer or if he or she is hopping through multiple systems.

You could try to track the attacker by starting at the system that's directly attacking you, asking the person who administers that system to track the attack to the next hop, contact that administrator, get him or her to track the connection to the next hop, and so on. Of course, you will have to deal with multiple languages, convince others to help you, hope they have the technical experience to ferret out the next hop, and so on. Unless you're planning to prosecute the attacker and are willing to call in the feds, this is a fruitless pursuit.

A large number of tools attack well-known vulnerabilities for which patches or workarounds are available. It's not uncommon to find two- to three-year-old vulnerabilities in systems on the Internet. Let's face it: There are so many vulnerabilities that it's hard to avoid some weaknesses in a system. Roughly 3,920 new vulnerabilities were discovered between January 2000 and March 3, 2003, according to data from the ICAT Metabase. Of that total, nearly 1,400 remote vulnerabilities are classified as high severity, meaning an account can be had on the target and the target can be taken over (see "Local and Remote Vulnerabilities by Severity Since 2000").

The overwhelming loss type with a high severity classification is security protection (see "Loss Type by Severity Since 2000"). Security protection is defined by ICAT as giving the attacker privileges he or she is not allowed to have according to your access-control policy. Security protection can be subclassified as "obtain all privileges such as root or administrator," and "obtain some privileges," which corresponds to access less than root or administrator. It's not surprising that security protection has the highest number of vulnerabilities because the goal of most attacks is to get shell access via a command prompt or by executing commands through a vulnerable application on the remote system. Once shell access is gained, you can kiss your protection good-bye.

[Figures: "Local & Top Attacking Regions" / "Attack Destination By Sector"]

The types of vulnerabilities indicate where the bulk of vulnerability searching is focused and where weaknesses can be found. Error classes are designations indicating the type of error condition. Input validation, design and boundary errors (see "Vulnerabilities by Error Class") make up the lion's share of vulnerabilities as classified by Bugtraq's Security Focus team. Input validation describes a vulnerability where input is not validated as syntactically correct or the application doesn't correctly handle extraneous or missing fields. As more applications are ported to a Web model, we expect to see more input validation-class attacks. In contrast, boundary errors are buffer overflows where an attacker exploits a programming error that allows the attacker to execute code. Design errors are more difficult to correct and range from poorly implemented algorithms to shoddily designed user interfaces.
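The input-validation class described above is the easiest of the three to show in code. The following is an added example, not code from the article or from ICAT or Bugtraq: it treats a small, hypothetical account-lookup request as a whitelist schema, so a request is rejected if a required field is missing, if an extraneous field is present, or if any value is syntactically wrong or out of bounds. The schema, the field names and the sample bodies are all constructed for this illustration; the size bound is checked before parsing so an oversized body never reaches the parser at all.

```python
"""Whitelist-style input validation for a hypothetical JSON request.

Added illustration; the schema, field names and sample bodies below are
constructed for this example and do not come from any real application.
"""
import json
import re
from typing import Any, Optional

MAX_BODY_BYTES = 4096  # bound the raw body before parsing it at all

# Constructed schema for a hypothetical account-lookup request.
# re.fullmatch is used below rather than a '$'-terminated pattern, because
# '$' also matches just before a trailing newline.
SCHEMA: dict[str, dict[str, Any]] = {
    "username": {"type": str, "pattern": re.compile(r"[a-z][a-z0-9_]{2,31}")},
    "page": {"type": int, "min": 1, "max": 1000},
    "sort": {"type": str, "choices": {"name", "date"}},
}
REQUIRED = {"username", "page"}


def validate(request: dict[str, Any]) -> list[str]:
    """Check a decoded request against SCHEMA.

    Returns a list of problems; an empty list means the request passed.
    """
    problems: list[str] = []

    # Missing and extraneous fields are rejected outright: the schema is a
    # whitelist, so a field the code does not know about is never passed on.
    for name in sorted(REQUIRED - request.keys()):
        problems.append(f"missing field: {name}")
    for name in sorted(request.keys() - SCHEMA.keys()):
        problems.append(f"unexpected field: {name}")

    for name, rule in SCHEMA.items():
        if name not in request:
            continue
        value = request[name]
        # Exact type check: bool is a subclass of int, so isinstance() would
        # accept true/false where a page number is expected.
        if type(value) is not rule["type"]:
            problems.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            problems.append(f"{name}: does not match required syntax")
        if "min" in rule and value < rule["min"]:
            problems.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            problems.append(f"{name}: above maximum {rule['max']}")
        if "choices" in rule and value not in rule["choices"]:
            problems.append(f"{name}: not one of {sorted(rule['choices'])}")
    return problems


def parse_request(raw: bytes) -> tuple[Optional[dict[str, Any]], list[str]]:
    """Decode a raw JSON body and validate it.

    Returns (request, []) on success or (None, problems) on failure.
    """
    if len(raw) > MAX_BODY_BYTES:
        return None, [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        decoded = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return None, [f"malformed body: {exc.__class__.__name__}"]
    if not isinstance(decoded, dict):
        return None, ["body must be a JSON object"]
    problems = validate(decoded)
    return (decoded, []) if not problems else (None, problems)


# Constructed sample bodies covering each rejection path.
SAMPLES = {
    "good": b'{"username": "alice_01", "page": 3, "sort": "date"}',
    "extra_field": b'{"username": "alice", "page": 1, "debug": true}',
    "bad_syntax": b'{"username": "Alice; drop", "page": 1}',
    "bool_page": b'{"username": "alice", "page": true}',
    "not_object": b"[1, 2, 3]",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        request, problems = parse_request(body)
        print(f"{label:12s}", "accepted" if request is not None else problems)
```

The design choice worth noting is that the validator reports every problem it finds rather than stopping at the first one, and that the exact-type check deliberately refuses `true` where an integer is expected; both make log entries from rejected requests more useful when reviewing what a client (or an attack tool) actually sent.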

Using ICAT or Bugtraq, you can get a feel for known vulnerabilities and, provided you keep current with patches and subscribe to vulnerability mailing lists or your vendors' security lists, you can mitigate the risk of connecting to the Internet (for a review of patching products, see "PatchLink Helps Keep Windows Closed"). Although there are many rumblings of zero-day exploits--malicious attempts to take advantage of a flaw before the vendor issues a fix--there are few identifiable examples. The best you can do is keep your systems patched, implement appropriate security measures, and root for the good guys.