Forewarned is Forearmed

By Tom Schmidt

As every enterprise knows, today's cyber threats are more sophisticated -- and dangerous -- than ever before. A quick look back at 2004 shows what we're up against:

  • Phishing attacks on the rise. According to the Anti-Phishing Working Group, phishing attacks jumped by 28 percent per month from July through November. These attacks use spoofed emails and fraudulent Web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, and Social Security numbers. According to a report from online privacy watchdog TRUSTe, seven out of 10 people who go online have received phishing emails, and 15 percent of those have been duped into providing personal information.
  • MyDoom hits hard. The mass-mailing MyDoom virus, launched in January 2004, became one of the fastest-spreading programs to date. The virus traveled as an email attachment and infected PCs whose users opened the malicious file. When opened, the virus installed a stealth program on the victim's computer that opened a software "back door." Attackers could then bypass the PC's security and turn the system into a proxy for any network-based attack.
  • Bot networks pose an increasing threat. Bots (short for "robots") are programs that are covertly installed on a targeted system. They allow an unauthorized user to remotely control the compromised computer for a wide variety of malicious purposes. Attackers often coordinate large groups of bot-controlled systems, known as bot networks. These networks can be used to perform distributed attacks, including DoS attacks, against organizations' systems. Bot networks can also be used to update and distribute other forms of malicious code such as viruses, worms, and Trojans.

Of course, any discussion of cyber activity in 2004 must not omit one other disturbing development. Call it the new face of online fraud. Where hackers once sought notoriety by defacing or crippling a popular Web site, they are now motivated by profit. And, increasingly, they're finding the funding to carry out their scams. Organized crime rings are tailoring increasingly sophisticated scams to take advantage of organizations' perceived weaknesses. Indeed, some industry observers believe such groups are capable of launching a concerted cyber attack coupled with a physical attack. We've come a long way from the exploits of "script kiddies," and 2004 witnessed a discernible rise in deliberate criminal behavior directed at corporations.

Early warning

Given what we've experienced over the past year, it is essential that businesses and individuals collectively take action now to protect cyberspace. Protecting cyberspace calls for a holistic security strategy that includes the following four critical elements: an alert system that provides early warning against new and emerging threats; technologies implemented across all tiers to protect critical application data and devices; a plan to respond when the inevitable attack occurs; and a system to manage the ongoing process of securing the infrastructure. This section discusses the first element, a cyber alert system. A cyber alert system should provide actionable information on how to protect the network environment against an impending attack. Moreover, this information must be customized so it is relevant to the environment and prioritized so it can be acted upon immediately. That is the definition of an alert system in a nutshell.
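The two properties the paragraph demands of an alert, customized to the environment and prioritized for action, can be made concrete with a small matching routine. The following is an added example, not code from the article or from any alert services provider: it filters a feed of vendor advisories against an asset inventory so that only advisories affecting products and versions actually deployed survive, then ranks the survivors by severity, by whether exploit code is already public, and by whether the host is reachable from the Internet. All advisory identifiers, product names, hostnames and scoring weights are constructed placeholders, not real CVEs or real products.

```python
"""Added example (not from the article): turning generic vulnerability
advisories into customized, prioritized alerts for one environment.

All advisories, asset records and scoring weights below are constructed
for illustration; they do not describe real products or real CVEs.
"""
from dataclasses import dataclass


@dataclass
class Advisory:
    advisory_id: str            # placeholder ids, not real CVE numbers
    product: str
    affected_versions: tuple    # versions the vendor lists as affected
    severity: str               # "low" | "moderate" | "high"
    exploit_public: bool        # is exploit code already circulating?
    action: str                 # the actionable part of the alert


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


@dataclass
class Alert:
    advisory_id: str
    hostname: str
    priority: int
    action: str


# Constructed sample advisory feed (hypothetical products and ids).
ADVISORIES = [
    Advisory("ADV-0001", "mailgw", ("2.0", "2.1"), "high", True,
             "Upgrade mailgw to 2.2 or block inbound .scr attachments"),
    Advisory("ADV-0002", "webportal", ("5.3",), "moderate", False,
             "Apply vendor hotfix webportal-5.3-hf4"),
    Advisory("ADV-0003", "dbserver", ("9.1",), "high", False,
             "Restrict the database listener port to application subnets"),
    Advisory("ADV-0004", "pdfviewer", ("1.0",), "low", True,
             "Disable scripting in pdfviewer preferences"),
]

# Constructed asset inventory for the environment being protected.
INVENTORY = [
    Asset("mx1.example.test", "mailgw", "2.1", True),
    Asset("www1.example.test", "webportal", "5.3", True),
    Asset("db1.example.test", "dbserver", "9.1", False),
    Asset("app2.example.test", "webportal", "5.4", False),  # unaffected version
]

SEVERITY_WEIGHT = {"low": 1, "moderate": 3, "high": 5}


def score(adv: Advisory, asset: Asset) -> int:
    """Priority = severity weight, doubled when exploit code is public,
    plus a fixed bonus for hosts exposed to the Internet."""
    base = SEVERITY_WEIGHT[adv.severity]
    if adv.exploit_public:
        base *= 2
    if asset.internet_facing:
        base += 2
    return base


def customize(advisories, inventory):
    """Keep only advisories that match a product and version we actually run."""
    alerts = []
    for adv in advisories:
        for asset in inventory:
            if asset.product == adv.product and asset.version in adv.affected_versions:
                alerts.append(Alert(adv.advisory_id, asset.hostname,
                                    score(adv, asset), adv.action))
    return alerts


def prioritize(alerts):
    """Highest priority first; hostname breaks ties so output is stable."""
    return sorted(alerts, key=lambda a: (-a.priority, a.hostname))


def build_alert_queue(advisories=ADVISORIES, inventory=INVENTORY):
    """Full pipeline: raw advisory feed -> customized, prioritized alert queue."""
    return prioritize(customize(advisories, inventory))


if __name__ == "__main__":
    for a in build_alert_queue():
        print(f"[P{a.priority}] {a.hostname}: {a.advisory_id} -> {a.action}")
```

With the constructed data, the pdfviewer advisory is dropped because no asset runs that product, the webportal 5.4 host is dropped because its version is not listed as affected, and the mail gateway advisory rises to the top because it combines high severity, public exploit code and Internet exposure. A real deployment would source the inventory from a CMDB or scanner export and the advisory feed from the provider, but the filtering and ranking logic is the same.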

Managing an alert system, however, requires constant vigilance and a strict accounting of every change in the state of the network. It is an enormous undertaking, and it rarely falls within the core competency of an organization's technical staff. All too often, in-house IT staff lack the resources and expertise to protect key information assets. For example, they may not have the ability to differentiate between real attacks and unintentional events and, consequently, may inadvertently leave systems exposed to the underlying vulnerabilities.

Consider too that IT departments continue to be asked to do more with less, and to act more quickly and with greater impact on business success. The result is that limited IT resources must support an organization's primary business requirements, rather than staying up-to-date on the most current technologies and security threats.

Finally, experienced information security professionals are hard to find, expensive to hire, and difficult to retain. A high attrition rate among these workers can reduce a company's ability to consistently safeguard its information assets.

Calling in the experts

Fortunately, organizations that find the prospect of operating an alert system in-house daunting have a number of options. Increasingly, that means partnering with an experienced alert services provider to decrease the risk of cyber threats. Such a provider offers an organization several advantages:

  • Awareness of the most recent security research and techniques. Staying abreast of the latest protection strategies is too time-consuming for in-house staff and takes them away from other mission-critical activities. An experienced alert services provider will have a research organization dedicated to staying abreast of the latest cyber threats, vulnerabilities, hacker techniques, and security developments.
  • 24x7 protection. An alert services provider can offer around-the-clock coverage for an enterprise's most critical systems. This is especially important in an "always-on" business environment. A provider can watch a client's network and infrastructure to ensure protection during the hours when most hackers are likely to attack.
  • A cost-effective approach to security management. By using an alert services provider, a company can avoid the extensive personnel costs associated with hiring, training, and retaining security professionals. An alert services provider can also reduce total cost of ownership by converting fixed personnel costs into a variable expense. In addition, managed alert services allow a company to better predict and manage its security-related budget.
  • Security operations center capabilities. The alert services provider you choose should have multiple security operations centers (SOCs) from which it can globally monitor issues across its customer base. These centers must be run 24x7x365 to ensure business continuity. They should also be staffed with a range of security experts who extend your in-house capabilities.

A vendor checklist

Key factors that organizations should consider when evaluating an alert services provider include:

  • Vendor history. This includes financial stability, years in business, managed services experience, principal customers, and reputation.
  • Breadth of services. This includes how new security services are implemented; technologies, strengths, and weaknesses in the security services arena; and expertise of staff.
  • Organizational support. Questions to ask: Do they have access to or own any SOC facilities? What are their staffing practices? How is their staff retained and compensated? How do they ensure client confidentiality?

Conclusion

2004 saw a steep rise in software vulnerabilities classified as moderately or highly severe. At the same time, the average time between the announcement of a vulnerability and the appearance of associated exploit code dwindled to a mere 5.8 days.

In such an environment, where threats are more sophisticated, more aggressive, and spread faster than ever before, organizations can benefit from the continuous monitoring of their security operations by an experienced alert services provider. After all, the best way to protect a network against any threat is to know about the threat and the vulnerability it exploits before an attack is launched.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
