Under Attack

There's bad news on the information-security front. Hackers and virus writers are gaining ground again. Despite more spending on security technology, attacks are up for the first time in three years and downtime has increased. Business-technology and security managers are growing increasingly frustrated with flawed software that leaves openings for worms and viruses and want software vendors held legally and financially liable for security vulnerabilities in their products.

Security breaches and malicious code are more of a threat this year than last year, according to 81% of the 7,000 business-technology and security professionals from more than 40 countries who participated in the InformationWeek Research 2004 Global Information Security Survey. "It's the sheer volume of virus and worm attacks" that has caused much of the damage, says Tamara Schwartz, applications manager for information services at logistics and package-delivery company United Parcel Service Inc.

The costs are high. Research firm Computer Economics calculates that viruses and worms cost $12.5 billion worldwide in 2003. The U.S. Department of Commerce's National Institute of Standards and Technology says software flaws each year cost the U.S. economy $59.6 billion, including the cost of attacks on flawed code.

As a result of the growing number of attacks, downtime is up. The number of companies worldwide that report downtime of four to eight hours because of attacks increased from 18% to 22% year over year. Those experiencing eight to 24 hours of downtime also rose from 18% to 22%. And the number of companies that say their systems were down for one to three days because of attacks increased from 7% in 2003 to 16% in 2004. More businesses are suffering. In 1998, 50% of those surveyed reported no attack-related downtime. This year, only 6% make such a claim.

"I don't think you can find a company, any company, that doesn't see a growing risk. Intrusions and incursions are up in every business," says C. Michael Armstrong, the former CEO of AT&T who's now chairman of the security task force of the Business Roundtable, an association of U.S. CEOs, and a director for Comcast Corp., a cable TV and Internet service provider.The problem is getting worse as the bad guys find more ways to infiltrate business-technology systems. As more businesses deploy peer-to-peer networks, instant messaging, wireless local area networks, and extended supply chains and provide an increasingly dispersed workforce with more mobile devices and ways to access systems remotely, there are more avenues than ever for hackers, worms, and viruses to penetrate computer systems and networks. "It's insane," says Randy Oehrle, network administrator for the city of Overland Park, Kan.

That helps explain plans to boost spending on security. Currently, survey respondents spend an average of 12% of their IT budgets on security, up from 8% in 2002, and roughly 60% plan to spend more dollars on security in the year ahead. Just 5% plan to decrease security spending.

Two major problems, according to survey respondents and interviews with more than a dozen security professionals, are flawed software applications and weak security tools.

The Business Roundtable, whose 150 members include General Motors, 3M, and Xerox, earlier this year called on the builders, buyers, and users of technology to focus more on security. The group, however, said the software industry had a special responsibility. Software vendors "have been strengthening their testing and they have escalated this as a priority," Armstrong says. Still, he doesn't believe that "the software providers are doing as much as they should be doing."It's an issue about which business-technology managers are increasingly passionate, and their frustrations bubble up when discussing the topic. "We get better communication about their security problems" than about their security improvements, says Diane Bunch, senior VP for information services at government-owned power utility the Tennessee Valley Authority, in an E-mail interview.

Many security tools are poorly designed and don't work well together, says Adam Hansen, manager of information security for law firm Sonnenschein Nath & Rosenthal LLP. "They're either incomplete, have flaws, or don't communicate well," he says. "Companies are buying each other up, but they don't integrate the apps well afterwards." His solution? "Those products aren't around here anymore."

In fact, some security tools are "insecure right out of the box," says Chris Hoff, chief information security officer and director of enterprise security services for Western Corporate Federal Credit Union. WesCorp is a financial-services cooperative that provides services to 1,000 corporate credit unions and has $24 billion in assets. WesCorp recently bought a security appliance that was configured so improperly that it created a security hole. "Security is such a hot item these days, and there is so much crap coming to market. It's just ludicrous," he says.

WesCorp scans its network and systems each day for the vulnerabilities that make attacks from hackers and worms possible, Hoff says. "We're never more than 24 hours out of date," he adds. Still, he doesn't rest easy. "You can never get too far ahead" of the attackers, he says.

Many security professionals use several layers of security and regularly add new types of tools to protect their systems. They're also trying to better understand which security threats are serious and need to be addressed immediately and which ones can be addressed later.

Most common antivirus and intrusion-detection systems use signature-based technology to recognize a threat by looking for a virus' fingerprint, or specific code. Those systems "do a good job, but they don't do a perfect job," says Michael Kamens, global network and security manager for Thermo Electron Corp., a $2.1 billion-a-year maker of electronic measurement and laboratory equipment (see story, p. 71). Thermo uses several layers of antivirus protection, including at E-mail gateways and desktop systems, but viruses still occasionally sneak through. "Isn't that disgusting?" he says.

One frustration many information-security managers feel is that security tools don't provide them with the right kind of information. If a software or hardware vendor rates a security vulnerability as a high risk, customers get flooded with warnings that systems need to be patched, regardless of how those systems are being used. What customers really want is to be able to understand the business risk of a threat so they don't spend a lot of time rushing to patch a relatively unimportant system, Hoff says. "I want to know how the investment division is doing versus other divisions," he says. "I want to be able to correlate vulnerabilities and see the actual risk [a threat] poses to the business."Businesses are turning to tools that help them do more. Advo Inc., a $1.2 billion-a-year provider of direct-mail services, is supplementing its open-source Snort intrusion-detection systems with Enforcer and Profiler from network-security software maker Mazu Networks Inc. "We didn't want to put all of our eggs in one basket," says Phil McMurray, IT security officer at Advo. Mazu's heuristics-based Enforcer helps protect Advo's network from distributed denial-of-service attacks, the No. 3 threat after viruses and worms. Some 18% of survey respondents in North America say they were hit with such attacks in the past year, as do 26% in the Asia-Pacific region, 10% in Europe, and 14% in South America.The Profiler application helps Advo better understand how the network is being used and lets McMurray tighten security policies. "The more detailed analysis gives us a better understanding of what our threats really are. Have we seen this before? How big is the problem? And it helps us watch for those problems from then on," he says.

Fewer than a third of companies worldwide, the survey shows, use security event-management applications. But those apps can pay off. Companies with sophisticated security programs that use those tools to correlate and monitor security-related activity occurring throughout their networks and systems are reaping the rewards.

Union Bank of California installed security-management software from ArcSight Inc. about 18 months ago to help correlate threats across its many applications and security devices. "We chose this path so we could remain vendor neutral. ArcSight has the ability to adapt and be nimble," says Bob Justus, senior VP of corporate information security and IS/IT contingency. The bank uses ArcSight to monitor events from many network devices, business applications, and security software, including routers, firewalls, and application event logs. "This allows us to show the value of the security program in a comprehensive way," he says.

Law firm Sonnenschein Nath & Rosenthal also uses a security-event manager, OpenService Inc.'s Security Threat Manager. It monitors the firm's security apps, such as firewalls and intrusion-detection systems, and it also uses data from vulnerability-management and antivirus applications. That helps the firm focus on what's important and determine whether "someone is beating on our door," says security manager Hansen. "I don't want to be alerted about a bunch of garbage."

Nearly a third of survey respondents say they're deploying technology to spot anomalous behavior on their networks and lock down their applications. And more are experimenting with new intrusion-prevention systems.They're also putting more pressure on software vendors by adding new requirements to contracts. "More people are requiring vendors to put in their contracts that the vendor is being diligent when developing security apps," says Michael Overly, a technology attorney with law firm Foley & Lardner. Such clauses require software vendors to promise that their products have undergone testing and a quality-assurance process. They also require that a software maker comply with best practices regarding security.

Around a third of all survey respondents say software vendors should be held legally and financially liable for software flaws. However, in the United States, 47% say vendors shouldn't be held legally or financially responsible if they can prove they have secure development practices in place. The bulk of worldwide respondents (68%) say they're "somewhat satisfied" with the security efforts of software makers, while 17% are extremely satisfied and 15% extremely dissatisfied.

Most security professionals say it will take time before applications are more secure. "You don't recover from years of code deployment that really didn't have the scrutiny from a security perspective," says Union Bank's Justus. "It's going to take a long time to catch up."That explains why enhancing application security is the highest tactical priority for this year's respondents. Some 45% in the United States list that as their top priority, compared with 54% in South America, 36% in Europe, and 40% in Asia-Pacific.

To ensure that his business applications remain secure, WesCorp's Hoff uses an on-demand vulnerability-scanning service from Qualys Inc. every day to find potential vulnerabilities. Hoff uses QualysGuard, along with open-source security scanner Nessus, open-source network- and security-auditing tool NMAP, and other tools from Sanctum Inc. and Internet Security Systems Inc. Before deploying QualysGuard, WesCorp's security team had to sort manually and prioritize reports of security vulnerabilities. "Once we weeded through the false positives and mapped it out, more than a week would go by," Hoff says. "It was very difficult."

Still, Hoff says, daily scans "are a control feature for us. It's a way to provide accountability." Fortunately, he says, "most of the time the report is a big fat zero."In addition to monitoring the security aspects of off-the-shelf commercial applications, businesses also are trying to improve the processes they use for internally developed code. Secure software development is a top priority at New Vine Logistics Inc., a back-end logistics company for the wine industry. New Vine recently used Fortify Software Inc.'s development application to create more-secure code. "If our system is compromised, it could affect dozens of companies," says Pierre Tehrany, VP of technology and product development. Fortify's software helps the company avoid such problems. "Fortify's software exposed a couple minor vulnerabilities that we fixed," he says. The result: "Our programmers become better programmers, and the code became more secure."

Tehrany says his customers want to make sure that their information, such as inventory and financial reports, and their customers' data are properly secured and that the security of New Vine's network is tight. "The way businesses do business today, they're integrated and dependent on each other," he says. "You can't do business without communicating with others, and that warrants a different type of security."

That type of security also involves deploying innovative applications designed to protect systems against costly worms such as Blaster, Code Red, Nimda, and Sasser. This class of worms rips through companies' perimeter defenses and racks up billions in cleanup costs. But deploying the right kind of security technology can help.

The government of Overland Park was hit last year by a worm infection--an unprotected system was connected to a wireless access point, and hundreds of desktops quickly became infected. To prevent a repeat, network administrator Oehrle looked at a security device called an inverted firewall from startup Mirage Networks Inc. that's designed to monitor and protect a network's interior rather than its perimeter. In the demonstration, he asked a technician to simulate an attack. "I couldn't blink fast enough before the device stopped it," he says.

Oehrle deployed the product, called Mi40, to protect 850 desktops. Then the Sasser worm hit in the spring. Overland Park weathered the worm unscathed."No problems," he says.On the way are more new technologies that may offer some hope in the battle against hackers, worms, and viruses. Major technology vendors, including Advanced Micro Devices, Intel, and Microsoft, support something called No Execute technology that aims to eliminate buffer-overflow attacks--the most common type of flaw that worms use to spread--at the hardware level.Several major security vendors, including Cisco Systems, InfoExpress, Sygate, and Zone Alarm, are working to make it easier to protect network "end points," where users connect to the network. Cisco, for example, continues to develop its Network Admission Control technology, which frisks systems to make sure their security is active and up to date before granting them access to the network.

Intrusion-prevention technology, offered by Cisco with its Cisco Security Agent and by McAfee Inc. (formerly Network Associates) in its IntruShield Network IPS and Entercept Host IPS, are drawing increased attention from business-technology managers, though many say they're not yet ready for widespread deployment. These systems work by spotting "bad" system or network behavior and blocking malicious activity.

New and better security tools are needed because threats continue to grow. Many security professionals worry that cyberterrorism could move from the realm of fiction to reality. "Terrorists may start to become more aggressive in the area of computer attacks," says Gerry Coady, managing director and chief architect for the strategic enterprise solutions group at Xcel Energy Inc., a major electric and natural gas provider.

The threat of state-sponsored attacks became real earlier this year when several foreign newspapers reported that the chief of the South Korean Defense Security Command said in a speech that North Korea is operating a hacking unit to steal information from government agencies and research centers in South Korea. "There's no question that [cyberterrorism] will become one of the ways industry and commerce is damaged in the future," Coady says.

That's why security experts say it will take a concerted and coordinated effort to win the security war. "It will take builders, buyers, and users" working together to keep IT security on track, says the Business Roundtable's Armstrong. "Right now, I can point to all three and show you things they could be doing better."Despite the pain caused by the onslaught of worms and viruses during the past year, UPS's Schwartz says there have been some benefits. With each new attack, "our defense level increases," she says. "We get smarter with each one, and each one gives us an opportunity to improve our process."

And business-technology managers will remain in a learning and improving mode as they wait for software applications and security tools to get better. Until then, businesses will continue to spend an increasing amount of time and money on security concerns.

Illustration by Christoph Niemann

Continue to the sidebars:

"Disclosure: Security Pros Want Flaw Information Sooner and
Outsourcing: Not When It Comes To Security, Most Say"