Security Threats Won't Let Up - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Enterprise Applications
03:55 PM

Security Threats Won't Let Up

Attacks on business networks are expected to grow As use of spyware increases. The good news? As risk increases, companies are paying attention.

Last year was a bad one for information-security professionals. This year is likely to be even worse.

Hackers, viruses, and worms provided a constant threat in 2003. The year started off badly in January when the Slammer worm in about three hours infected hundreds of thousands of systems running Microsoft SQL Server. The trouble continued in the spring when the Bugbear virus hit hundreds of thousands of systems worldwide. More problems arose later in the year when in the same week a blackout struck the Northeastern United States and the Blaster worm attacked hundreds of thousands of systems. And those were just the highlights. There were tens of thousands of threats that affected individual businesses in various ways, depending on what systems and applications they had deployed and what kinds of security systems and practices they had in place. Nobody was immune.

The numbers tell the story of a serious and growing threat. In 2000, the CERT Coordination Center, a government-funded security group, recorded 21,756 security-related incidents. In 2002, it reached 82,094 incidents. In the first three quarters of 2003, the number of incidents totaled 114,855.

chartFour out of five businesses were hit by a virus or worm in 2003, according to a survey of 404 security decision makers by the Yankee Group. Denial-of-service attacks were the second-most-common security incident, hitting about 40% of those surveyed.

The problem will get worse and continue to eat up substantial amounts of companies' IT budgets. More than half of those surveyed by the Yankee Group expect their security budgets to increase during the next three years, while only 8% expect security spending to decline. Some of that money will be used to patch security holes in desktop software. Patching a desktop can cost from $189 to $264, the survey says.

Security analysts and vendors predict that 2004 will bring thousands of new viruses and worms and a huge increase in the use of spyware. They also say that spammers will increasingly adopt tools used by virus writers, adding to the volume of spam and the problems it causes for corporate networks. In addition, few security experts expect to see anything close to a letup in the 50 or more security-related software vulnerabilities discovered each week.

Spyware ranges from software that collects information on a user's Web-surfing habits (called adware) to more insidious applications that hackers use to collect every keystroke--passwords, credit-card numbers, financial data, and other personal information--that a user types. Often, adware is installed when users download freeware or shareware from the Internet but don't bother to read the license agreement that states the snooping software is being installed. The more dangerous kinds of spyware can be clandestinely inserted into a victim's system.

Even the most security-conscious businesses can find themselves at risk if, for example, a mobile user's notebook is infected with spyware and then the user logs on to the corporate network. "The issue gets serious when it comes to telecommuters using home PCs, which may not have antivirus and firewalls installed," says Scott Blake, VP of information security at security firm BindView Corp. "The corporation has no control over what software they install on their home PC."

The bad guys are getting very sneaky, says John Pescatore, VP and research fellow at Gartner. Increasingly, employees may log on to their corporate networks from a coffee shop or a hotel room and see a screen pop up that appears to be a legitimate message from the hotel or coffee shop they're patronizing. But it's not. It's a fake message designed to get users to download a malicious Trojan or spyware application. "Is it spyware or just a pop-up ad? How will you know?" Pescatore asks. "This technique of collecting financial information, passwords, and being part of identity theft is going to be a growing problem. We're going to see more real spyware attacks."

It's already under way. In July, one person pleaded guilty in federal court to installing key-logging software at several Kinko's Inc. locations in Manhattan. For more than a year, he collected the keystrokes of the customers of the printing and copying chain, including passwords and user names, and used that data to fraudulently open bank accounts. A Boston College student was caught using a similar application to steal student passwords and other information from more than 100 PCs at the campus.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 3
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll