Attacks may only be tip of the iceberg

Whether it is enterprises, or home users on their PCs, the attacks are coming.

“Personally, I anticipate that…we are going to see yet another massive denial of service (DoS) attack, which is going to be utilizing tools that are sitting stealth and clandestine right now on home users’ PCs.”

That, according to Mark Fabro, senior scientist and managing director at Waltham, Mass.-based Guardent Inc., is what we can expect by the end of this year or by the beginning of the next. Fabro made his statements following a seminar, The State of Information INsecurity, held last month in Toronto. He addressed both the good and the bad news surrounding information security, and tried to offer some solutions to the attendees.

Guardent, a digital security services firm which launched its Canadian operations in Toronto last July, hosted the event.

Encryption across the network, security within the organization, policy enforcement and awareness were all identified by those in attendance as security issues they are facing.

But right now, IS staff should be aware that the most prevalent types of attacks on Web sites seem to be the ones that require the least skill to carry out.

“Graffiti-based attacks are the ones we see most often, because those are the ones that have obvious tactile repercussions,” Fabro said. “The attacks that we see, but don’t make it to the public domain, are very strong denial-of-service (DoS) attacks, above and beyond what was seen in the distributed denial-of-service (DDoS) attacks” on companies such as eBay.

He noted that most of the attacks going on right now originate from a cable or DSL environment. In fact, Fabro said that most of the large organizations that experience attacks on a regular basis, when they use their instant response mechanisms to trace an attack back down the line, find that they end up at somebody’s house.

“This is a remark towards the level of skill that we are seeing now. We have people sitting in their basements launching these attacks at large organizations using scripts that have been pre-compiled,” he said.

But Matthew Kovar, a program manager at The Yankee Group in Boston, said that he is not sure where this information could be coming from.

“I’m not sure how they’re coming up with this leap of faith saying that these things are happening from DSL and cable,” he remarked. “There’s no way to track that, so I think that is an incorrect statement. That’s an access technology statement, and he’s making a very large leap of faith in that instance. I don’t believe that conclusion is warranted.”

He did say that if the question is “Do more people have the ability and access to hack?” then the answer is yes, and that the methods to initiate attacks are increasing.

Fabro said that organizations are experiencing weaknesses because they are just taking commercial products out of the box and deploying them without sanity checks. What is needed, he explained, are security checks that can help find out exactly where the holes and vulnerabilities are.

Information breach

While Fabro went through many examples of how simple it is for hackers and crackers to get into a system, he explained that all types of attacks can be summed up in three areas: confidentiality, integrity and availability.

“Anything that happens from an Internet security perspective or information security perspective is a breach of one of those three things,” he explained. “Either the information that was to be kept secret is no longer secret; that the information that was important to remain unchanged gets changed; or the information that is needed to have access to access is not available.”

Imagine the implications if a financial institution’s home page is changed, he offered. The message that is sent is an immediate breach of integrity, and the customer will not feel secure with that company anymore, he said.

Kovar noted that his firm released research that indicated the wave of Internet attacks that hit sites such as Yahoo Inc. and eBay cost the industry approximately US$1.2 billion.

“Vulnerabilities and threats to network infrastructure continue to increase at a geometric rate almost daily, in terms of the gross numbers of attacks that are out there,” he said. “The reality is that even though many organizations such as security professionals are aware of a lot of these attacks…the counter-measures are very rarely put in place in a timely fashion.”

Kovar said that even if companies are in a position where they are able to purchase the best security products, there is still that gap between trying to interpret the information that comes out and actually implementing it into a system. He added that there are very few enterprises that have the technical knowledge and the security professionals to be able to interpret a lot of the information that is coming out.

With the large attacks that happened at the beginning of the year, there really was no way to tell they were coming, or any way to prepare, he noted.

“One of the problems is that security in essence is somewhat of a reactive proposition, meaning that until something like this happens, and it’s all brand new, we don’t know what to do. These vulnerabilities and these threats will continue to crop up.”

Kovar said he doesn’t think we will necessarily see more attacks than there have been in the past. “I think they’re just hitting higher impact environments and they’re getting more press time,” he said.

While the more publicized attacks hit larger companies, small and midsized enterprises could still be targets. Kovar suggested that companies take a look at how much of their business is driven by the Internet. From there, decisions on how to deal with security can be made, such as hiring a third party if the company can’t do it on its own.