Earlier this month, Symantec Corp. released its semi-annual Internet Security Threat Report, which noted, among other things, a 20-per-cent increase in blended threats, a decrease in the time between a vulnerability announcement and an attack specifically targeting it, and a 12-per-cent increase in Web application vulnerabilities.
While the latter’s increase can partially be attributed to more responsible disclosure procedures from application software vendors, it is the two former statistics that are more alarming, according to Symantec.
The decrease in time between the acknowledgement of a vulnerability and an attack specific to it makes patching more troublesome. The Blaster worm was released only 26 days after the well-known Microsoft vulnerability became public.
“Even 26 days for corporations may be difficult (to find time to patch all vulnerabilities), especially if they have thousands of systems,” said Michael Murphy, general manager of Symantec Canada in Toronto.
Murphy said that with about 70 new vulnerabilities a week, most systems administrators are overwhelmed in their attempts to patch all vulnerable systems. It is exceedingly difficult “to siphon through all the reports that deal only with the systems they deploy,” he said.
In fact, 39 per cent of targeted attacks occur within six months of a vulnerability being made public.
The concern over the increase in blended threats (malicious code with multiple attributes of a virus, worm or Trojan) is due to their nature. Because they combine characteristics of viruses, worms and Trojans, blended threats are harder to stop, can cause extensive damage and spread extremely quickly. Theoretically at least, a hyper-virulent, active worm could infect all vulnerable machines in the world in a matter of minutes.
As such, Murphy warned that companies need to evaluate the repercussions of being vulnerable to attacks.
“You can’t be 100-per-cent secure,” he said. What is important is “how you react to those attacks. I think over time there will be a Scarlet Letter approach to companies who continually get impacted by threats,” he said. “People won’t want to do business with them.”
The report’s data was gathered from more than 20,000 sensors monitoring networks in over 180 countries from January to June 2003.