January 31, 2008
On Malware, Hackers and Insider Threats - Where Are We Today?
by Shon Harris, CISSP, MCSE

It is obvious that today’s attacks, malware, and various threats are only increasing in frequency, but the real danger is that they are also increasing in sophistication. Today’s malware usually uses several attack vectors. Attack vectors are routes or methods used to obtain access to computer systems in unauthorized ways. (The attack vector is different from the payload. A payload is the nefarious activity that the malware will carry out on a system once it gains access.)
Malware (a program containing sequences of steps to carry out attacks) has gone through three generations so far. The first generation is the viruses that spread through e-mail and file sharing methods that require human actions to trigger replication and spreading. Examples of this generation are LoveLetter, Fizzer, and Melissa.
The second generation is worms that exploit operating system or application vulnerabilities through automated means that do not require human interaction.
Third-generation malware has been able to do even more damage in less time than malware in the previous two generations. This generation combines viruses, Trojan horses, and automation. Examples are the Blaster, SQL Slammer, Slapper, Sasser, and Witty worms.
| On January 25, 2003, the SQL Slammer worm infected more than 75,000 systems, disabling many Bank of America ATM systems, disrupting 911 call centers in Washington state, and other types of damage around the world. This worm affected 90% of the available and vulnerable hosts within a 10-minute window. Within three minutes after it was released, copies of the worm were carrying out more than 55 million scans per second looking for vulnerable systems. |
As many of us know, malware is just one type of threat that organizations need to be concerned with. Another threat is hacker activity, which has also increased in sophistication, as shown in Figure 1. More and more individuals are interested in carrying out hacking activity, whether or not they have the capability to understand how the mechanics of the attacks work. People no longer need to know how to carry out actual attacks now that tools exist that let them simply enter an IP address and push Start. These tools are created by people who actually understand the technical details of how these different attacks take place. They bundle the attack steps into a GUI-based or command-line tool that anyone can use, thus increasing the number of hackers we need to be concerned about.

Another issue that needs to be understood is how quickly these exploit techniques and new tools are being developed. The industry used to have two to six months after a vulnerability was discovered before an onslaught of exploit code was developed by the hacker community. Today that time has been reduced to weeks and days. On March 19, 2004, the Witty worm was released just one day after the corresponding vulnerability was publicly disclosed.
| When the Witty worm infects a computer, it deletes portions of system files on the hard drive in a random manner. Eventually the machine is unusable if the worm is not quarantined and cleaned. It exploits a vulnerability that was identified in the following security products: ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. |
As exploits come out more quickly, the window of opportunity for applying patches, hotfixes, or other countermeasures is shrinking. Today, many attacks and worms are released before organizations even know about a new vulnerability. Figure 2 illustrates how this window of opportunity is shrinking.

Another threat that most organizations have to be concerned with is the insider threat. According to PricewaterhouseCoopers and the Computer Security Institute, 70-80% of every company’s threats come from internal employees and contractors. This is because these individuals have direct and privileged access to the company’s most prized assets. Although these types of threats can be carried out with malicious intent, a majority of company losses are experienced through mistakes and lack of knowledge by these insiders. Figure 3 provides a breakdown of many of the threats companies face today, along with their corresponding loss potentials.

These threats are compounded by the complexity of today’s business environment and the types of entities that need various levels of access to company assets. In many organizations customers need access to their data and company data in ways that were not even dreamed of a few years ago. Much of this access is controlled through web servers that run software that is continually under attack. Companies have more and more remote users obtaining access from their home computers or laptops while they are on the road. Business partners need access via extranets that must be tightly controlled and monitored. And the most difficult group of individuals to properly control are the internal users who need access to company resources and data to carry out their daily tasks.
The combination of complex environments, access levels, applications, and threats can seem an overwhelming set of things to properly maintain and secure. But with a clear-cut understanding of each of these items, proper planning, and a security program that is laid out and followed, it is just another item in life that can be dealt with.