The growing threats from terrorism and its cyber equivalent have been an unwelcome theme in 2002.
Adding to the ongoing problems of worms and viruses, organisations and governments post-September 11 are increasingly worrying about the risk of something happening for political ends.
While out-of-the-way New Zealand may seem safe from such threats, our government says it is taking the issue of potential infrastructure attacks seriously. This was one of the drivers behind forming the Centre for Critical Infra-structure Protection (CCIP) in August 2001 under the auspices of the GCSB.
CCIP manager Jay Garden notes that the 2002 Australian Computer Crime and Security Survey claims 67% of Australian and New Zealand respondents suffered a computer security incident over the past year. Sixty per-cent had come from the internet, with most in “a random and opportunistic manner”.
“[However] various rumours of the al Qaeda group or supporters planning attacks have appeared since the September 11 attacks.” He says the CCIP is assessing the level of risk from them on an ongoing basis.
In June the Department of Prime Minister and Cabinet issued the Security in the Government Sector (SIGS) manual, a set of policies and requirements for the protection of government IT systems and government-held information (www.security.govt.nz).
The government has also published standards for the protection of its internet-connected systems and security guidance for home computer users and, through the Secure Electronic Environment Project, in the areas of gateway-to-gateway secure email and the use of public key certificates for authentication, Garden says.
Back in the virus world, Garden says the introduction of new viruses into the wild does not seem to be abating. Sophos reported 817 new viruses in November alone. The distinction between worms and viruses has also blurred, Garden says. For instance, three common examples — Klez, Bugbear and Nimda — all mix elements of viruses with those of worms.
“Luckily, the majority of the most common viruses and worms today do not have damaging payloads. However, the downtime and clean-up costs when networks are infected with them has had a significant cost to the owners of those systems.”
Nick FitzGerald of Christchurch-based Computer Virus Consulting reports a small reduction in virus releases this year. He can see no good explanation for this, but says others claim more stringent computer crime laws may be the reason, greater post-September 11 patriotism or there being “no fundamentally challenging new targets for virus writers to knock over”.
Mass-mailer viruses like the Klez family are still common, comprising pretty much all viruses that have caused any noticeable rates of infection. There has also been a move away from VBA macro (Melissa) and VBS script mass-mailers to executable (Windows program) viruses, and particularly mass mailers.
“‘Damage’ is always a pretty hard issue to tie down,” FitzGerald says. “To many companies, having mail-bombed their clients and business partners with a new self-mailing virus causes much more damage in terms of loss of trust than the more readily financially quan-tifiable cleanup costs and possible short-term loss of profits while their computers are offline.”
While there have been no new types of viruses of any major consequence, FitzGerald notes two new trends.
First, viruses are increasingly using their own SMTP (email-sending) code rather than depending on the victim to be running a particular email client program. This makes it easy for the virus to hide where it came from, hampering the receivers ability to send message alerts. Second, viruses increasingly use security vulnerabilities. Hence, computer users, particularly those of Windows, he says, must ensure they patch their systems as soon as fixes become available.
Dave Waterson, head of Auckland-based antivirus software firm SentryBay, says viruses now often disable antivirus protection, use clever “social” engineering such as attractive subject lines, hide their source, change size and appearance and masquerade as greeting cards or patches from reputable companies.
They also encrypt their code so are more difficult to detect, activating on preview and plant more trojans and backdoors.
Waterson claims the release of trojans on the internet has increased from 12 a day during 1999 to about 135 today.
FitzGerald says far too many small and medium-sized firms believe that once they go online they can “set and forget”, but this leaves them a sitting duck. They should make sure their network configurations are not wide open. Most operating systems are “too generous” by a mile, he says.
However, increasingly organisations realise that the biggest security threat to themselves often comes from within.
Computer Associates security consultant Daniel Zatz says it is increasingly important to know why “Bob”, who normally works at his desk at 8am, is suddenly coming to work at 6am and working in another part of the building.
These are the growing issues of identity, access and threat management.
Consequently, companies like CA has developed systems to monitor who is working where and doing what, in addition to offering antivirus software.
Firms are increasingly developing IT security policies that are aligned with physical security as well — making sure someone does not enter a certain part of the building, for example.
A growing trend alongside has been the appointment of chief security officers, a person specifically responsible for IT and wider security. CSOs first appeared in the US, then arrived in Australia this year, though they are as yet thin on the ground in this country.