"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." - Sun Tzu, The Art of War
Cybercrime is on the rise, and it is likely to keep growing as we move further into the information age. The Computer Crime and Security Survey recently released by the Computer Security Institute found that 75 per cent of its 530 respondents reported financial losses from attacks. The 223 respondents willing to quantify those losses reported a total of U.S.$455,848,000.
These figures represent only the tip of the iceberg. Few companies are willing to report cyberattacks of any kind, partly because to do so is to advertise vulnerability and possibly invite further attacks. The resulting financial loss is reported even less often: for one thing, it does not look good to stockholders or board members; for another, it tells the attacker how much damage was actually done, which is itself a reward. In consequence there are no reliable figures for the total loss due to cyberattack, but the amount would doubtless be shocking.
Among the types of attacks that may be identified are:
- unauthorized internal access
- theft of proprietary information
- telecommunications fraud
- viruses and worms
- insider network abuse
- denial-of-service attacks
- sabotage
- systems penetration
Not all of these result in direct financial loss, but the cumulative cost is hard to calculate and likely to be significantly higher than the reported figures, since it must include systems downtime, lost business, recovery, and the preventive measures taken to combat the problem.
Advances in networking and the continued spread of the internet are swelling the ranks of malicious hackers as well as facilitating information flow. Attacks now originate from Russia, Eastern Europe and China in addition to Western Europe and North America. More employees also have access to networks, which enlarges the internal threat.
As if this were not enough, attacks are becoming increasingly sophisticated and varied. It was once possible to distinguish between strategies designed to steal or divert data, corrupt data or programs, bring down systems, or make network components inaccessible. Today there are viruses designed to bring down systems, steal data and make network components inaccessible - all at the same time. Some viruses can even change their characteristics as they propagate, so that no single signature matches every copy. Hackers use viruses and replaced program components - called Trojan horses - as a means of breaking in, following up with more aggressive strategies for data theft. They are aided by a growing range of software designed specifically to facilitate attacks and to build and distribute viruses, and this software is distributed freely over the internet.
Luckily, security and intrusion detection procedures and software are also growing in sophistication. Response time for threats affecting multiple sites has dropped from weeks to hours. Intrusion detection software, including filtering for possible viruses, is installed on critical systems within most corporations as well as at ISPs. System isolation strategies are being used more frequently, and hardware is now coming online that is designed to combat specific forms of attack.
However, despite these measures, attacks are on the increase and security is barely keeping up. The main problem is not a lack of available technology; it is generally a failure to follow adequate security procedures, to install security measures properly, or to monitor the security systems once they are in place, along with other procedural faults.
So, how do we cope with this increasingly sophisticated and widespread threat to critical resources? First, we need to develop a clear idea of the territory. To do this, let us first review the vocabulary that we will be using in this series.
Attack Terms
1. A denial-of-service attack (DoS) is an attack that prevents a network component or system from performing its function, typically by exhausting a resource such as bandwidth, memory or connection capacity.
2. A distributed denial-of-service attack (DDoS) is a DoS attack undertaken simultaneously from many different systems. Because no single source accounts for the bulk of the traffic, it is much harder to stop by blocking individual source addresses.
3. A Trojan horse is a rogue program that masquerades as, or replaces, a legitimate program and, when run, opens the system to attack.
4. A polymorphic virus is a computer virus that changes its 'shape' (its code or encoding) as it propagates, so that a fixed signature does not match every copy and detection becomes more difficult.
Defense Terms
- A vulnerability analysis (VA) is an assessment of the security state of systems or network components, based on information collected at a point in time and typically repeated at set intervals so that newly introduced weaknesses are found.
- An intrusion detection system (IDS) is a system that constantly monitors system and network events for signs of attack or misuse.
- A demilitarized zone (DMZ) is a separate network segment, isolated from the internal network by firewalls, in which resources that must be reachable from the public internet are placed, so that a compromise of one of those resources does not give direct access to the internal network.
General Terms
- Signatures are characteristic data sequences whose presence indicates a known security threat, such as a particular virus or exploit.
- A false positive is an intrusion detection error in which normal activity is mistaken for an attack. This is also called a type I error.
- A false negative is an intrusion detection error in which an attack is mistaken for normal activity. This is also called a type II error.
- Port scanning is the process of probing a system or network over the network to determine which TCP (or UDP) ports are open, and hence which services are listening, for attack or defense purposes.
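The glossary entries above on signatures, detection errors and port scanning, together with the DoS/DDoS and IDS definitions, can be made concrete with a small detection routine. The following Python is an added example written for this page, not code from the article or from NetIQ; the log lines, addresses, signature strings and thresholds are all constructed for it and are assumptions, not data from any real survey or product.

```python
"""
Toy intrusion-detection logic over a constructed connection log.

Demonstrates three detection styles from the glossary above:
  * signature matching, including one false positive and one false negative,
  * per-second volume thresholds that distinguish a single-source DoS from a DDoS,
  * a distinct-port count that flags a port scan.
Every log line, address and threshold here is constructed for the example.
"""
from collections import Counter, defaultdict

# Signature table: name -> character sequence whose presence indicates a known attack.
SIGNATURES = {
    "shell-in-query": "/bin/sh",
    "dir-traversal": "../",
}

# Labels for the constructed data: the requests that really are attacks.
KNOWN_ATTACKS = {
    "GET /cgi-bin/x?cmd=/bin/sh",
    "GET /cgi-bin/x?f=%2e%2e/%2e%2e/etc/passwd",
}


def build_sample_log():
    """Constructed log, one connection per line: '<second> <src_ip> <dst_port> <data>'."""
    lines = [
        "1 10.0.0.5 80 GET /index.html",
        "1 10.0.0.5 80 GET /docs/../docs/faq.html",                # benign, but contains '../'
        "2 10.0.0.9 80 GET /cgi-bin/x?cmd=/bin/sh",                 # attack, plain
        "2 10.0.0.9 80 GET /cgi-bin/x?f=%2e%2e/%2e%2e/etc/passwd",  # attack, URL-encoded traversal
    ]
    lines += [f"3 10.0.0.7 {p} -" for p in (21, 22, 23, 25, 80, 110, 143, 443)]  # port scan, no data
    lines += ["4 10.0.0.11 80 GET /"] * 25                         # flood from a single source
    lines += [f"5 10.0.1.{i} 80 GET /" for i in range(1, 31)]      # flood from thirty sources
    return lines


def parse(line):
    sec, src, dport, data = line.split(" ", 3)
    return {"sec": int(sec), "src": src, "dport": int(dport), "data": data}


def signature_alerts(events):
    """(src, data, signature_name) for every event whose data contains a signature."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern in ev["data"]:
                hits.append((ev["src"], ev["data"], name))
    return hits


def signature_errors(events, known_attacks):
    """Compare signature hits with the labelled attacks: returns (false_positives, false_negatives)."""
    flagged = {data for _, data, _ in signature_alerts(events)}
    return sorted(flagged - known_attacks), sorted(known_attacks - flagged)


def flood_alerts(events, per_source=20, total=20):
    """Per second: a source above per_source is a DoS; an aggregate above total with every
    source at or below per_source is a DDoS, which a per-source block list would not stop."""
    by_sec = defaultdict(Counter)
    for ev in events:
        by_sec[ev["sec"]][ev["src"]] += 1
    alerts = []
    for sec, counts in sorted(by_sec.items()):
        heavy = sorted(src for src, n in counts.items() if n > per_source)
        if heavy:
            alerts.append(("dos", sec, heavy))
        elif sum(counts.values()) > total:
            alerts.append(("ddos", sec, sorted(counts)))
    return alerts


def portscan_alerts(events, min_ports=5):
    """Sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src"]].add(ev["dport"])
    return [(src, sorted(p)) for src, p in ports.items() if len(p) >= min_ports]


if __name__ == "__main__":
    events = [parse(line) for line in build_sample_log()]
    for alert in signature_alerts(events):
        print("signature:", alert)
    fp, fn = signature_errors(events, KNOWN_ATTACKS)
    print("false positives (type I):", fp)
    print("false negatives (type II):", fn)
    for alert in flood_alerts(events):
        print("flood:", alert[0], "second", alert[1], "sources", len(alert[2]))
    for alert in portscan_alerts(events):
        print("portscan:", alert)
```

Running the script shows the two error types side by side: the benign "/docs/../docs/faq.html" request trips the traversal signature (a type I error), while the URL-encoded variant of the same attack slips past it (a type II error), which is why signature engines normalise input before matching. The flood in second 5 is reported as a DDoS precisely because no single source exceeds the per-source threshold that catches the second-4 flood, and the eight-port probe from 10.0.0.7 is flagged by the distinct-port count rather than by any signature.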
Knowledge is the first line of defense against any security threat. It is rightly said that to be forewarned is to be forearmed. In this series, you will learn to know the enemy and recognize common patterns of attack. Later, we will provide you with the seven steps that you must take to ensure that your data remains secure.
Darren Thomas is a security expert at NetIQ Corp (www.netiq.com)