IT Security: Bad in 2003? Worse in 2004?

As difficult as 2003 was for businesses battling waves of security problems, next year promises to be just as bad, perhaps worse, as additional threats develop from peer-to-peer file sharing software and spyware, an end-of-the-year analysis released Monday by TruSecure concluded.

Based on research conducted on malicious code from the WildList Organization -- a virus and worm clearinghouse that tracks malware actually out and in the wild on the Internet -- TruSecure's ISCA's Labs tagged 2003 as one hellacious ride.

"No doubt, 2003 was bad," said Bruce Hughes, the director of malicious code research at ICSA Labs.

The biggest news, he said, was the huge increase in what he dubs 'perimeter killer' worms, those which don't spread via the traditional method of e-mail but instead directly attack networks through software vulnerabilities and open ports to the Internet. The best examples in 2003 -- SQL Slammer, Blaster, and Nachi -- knocked out thousands of servers and workstations during the year. The number of such worms increased by 200 percent from the start of 2003 to its conclusion, according to Hughes' research.

Although mass-mailed viruses and worms like Sobig will continue to increase, albeit at a relatively slow-paced rate, most enterprises are blocking their payloads at the gateway by refusing to allow executable file attachments through to end users. Not so with consumers, who will still struggle with these more-or-less traditional security threats during 2004.Instead, it's the perimeter killers which pose the greatest threat to corporations in the coming year, said Hughes. "We'll definitely see another big event in 2004 that causes at least a billion dollars in damages," he said, alluding to other Slammer- and Blaster-sized attacks still to come.

Like other security analysts who have probed the year's threat patterns, Hughes sees the incredibly shrinking span between a vulnerability and a developed exploit as another of this year's trends likely to be observed again and again in 2004.

Hughes predicted that these so-called 'zero day' attacks -- called that because of the ability of an exploit to appear before a vulnerability is even known, much less patched -- will increase in 2004.

"There are so many vulnerabilities in Linux, Microsoft, and Internet Explorer that haven't been patched yet," he said. "And these are only those we know about. There are a lot more we don't know about. Some hacker is going to release exploit code ahead of the patch and create significant damage to those unprepared."

Other threats which will plague users in 2004, he predicted, will come from peer-to-peer (P2P) file sharing software, and spyware, utilities for tracking Web usage that often piggyback on free-for-the-downloading software.Hughes sees peer-to-peer software, such as KaZaA, as being particularly troublesome in 2004. After analyzing hundreds of the most popular files shared on KaZaA -- including 'cracks' that allow users to break copy protection on commercial software -- he discovered that 45 percent actually contained viruses, worms, or Trojan horses.

"Unfortunately, P2P is almost impossible to block," Hughes said. "They're actually designed to get past firewalls."

He recommended that companies not only implement policies restricting P2P use on the enterprise network, but audit the enforcement of those policies and spend time educating workers about the danger this software poses. "It's not just the security concerns companies should worry about Recording companies are also coming after corporations for illegal file sharing." The fact that exploits using P2P as an exploit vector climbed by 133 percent during 2003 is an indication that file sharing is a developing security threat, Hughes said.

Spyware, although under the radar at most enterprises, will also be of concern in 2004, Hughes said. "Some users see spyware as an okay tradeoff for getting free software," he noted, "but we're seeing spyware today changes home pages, changes DNS records." Spyware, he said, is only marginally more benign than viruses, and with the lines between the two continuing to blur, companies should be on the watch in 2004 for even more malicious tweaks by this kind of behind-the-scenes software.

Bad in 2003? Worse in 2004? There is a glimmer of hope, said Hughes. He pinned his on the partnership between government and the private sector in bringing virus writers to justice. "The government is getting more and more serious and Microsoft is putting out bounties on hackers," he said. "If they catch someone important, like the author of Blaster or Sobig, they're going to make an example and throw the book at him."