Any way you look at it, 2003 was a real bad year for network security. Although corporate concern over cyber threats jumped dramatically, so too did the number of cyber attacks against companies and their machines. Indeed, security specialist MessageLabs reports that spam accounted for 50 percent of all business E-mail traffic in the United States in May, the first time that junk E-mail outstripped the number of legitimate electronic messages sent to corporations.
And if much spam is relatively harmless, some is decidedly not. Digital pathogens such as SoBig, Mimail, and Yaha, which can infect employee computers and servers alike, all spread via E-mail. MessageLabs reckons that two-thirds of all spam is now being sent by open proxies—created in part by computers and other gadgets infected by viruses.
Fending off this red tide of malicious code won’t be easy. While research firm Meta Group Inc. reports that security made up 8.2 percent of corporate IT budgets last year (up from 3.2 percent in 2001), hackers are constantly looking for new ways to flank corporate defenses. Swen, a virus hidden in an E-mail, actually purports to be a security fix from Microsoft for MS Outlook and MS Outlook Express. The message window launched by the virus looks authentic, right down to the Microsoft logo and copyright.
“‘Malware’ is getting more prevalent, more effective, and nastier,” notes Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., a managed security services company. “Hackers are getting better at what they do.”
They’re also getting better at making money off what they do. Experts say banks and other financial-services providers appear particularly vulnerable to hackers’ schemes. One variant of the Mimail worm, for example, targets customers of online payment system PayPal. The virus, which comes as an E-mail warning the receiver that an account is about to expire, actually takes the user to a bogus PayPal verification window. Once there, he or she is asked to enter credit-card numbers and other personal information. “Before, you wouldn’t make money off [malicious code],” says MessageLabs president Jos White. “But now there are blended threats between spam and viruses, and [hackers] can find out financial information.”
Further compounding the problem: companies are gravitating toward a handful of core applications, usually accessed via the very-public Internet. The combination is a hacker’s delight. “Eighty to 90 percent of the world is all using the same software,” explains White. “If someone finds a way to compromise that software in any way, everyone gets affected.”
10,000 Sheets to the Wind
Not exactly a thrilling prospect for companies that must resign themselves to a world filled with worms, evil code, and black-hat hackers. Certainly, the odds of warding off attacks are remote. According to a Yankee Group survey of 404 businesses, 83 percent of the respondents said their companies had been hit by viruses or worms last year.
Still, experts say corporate executives are not entirely helpless in the face of the onslaught. One ray of hope: makers of software are getting much more aggressive in combating code writers who target their programs. In November, Microsoft offered a $250,000 reward to anyone who could lead it to the authors of the SoBig and Blaster viruses, which exploit vulnerabilities in the company’s software.