The stark reality is that network security in this Internet age is a race. This race starts every time a new virus, worm or vulnerability is discovered; and only finishes when either an organization's network is protected or compromised.
These are the only two possible outcomes; you win or you lose, there are no silver medals. And the IT departments around the world are finding themselves increasingly under pressure, as new viruses and worms such as Klez.h, Netsky.q, MyDoom.a, Bagle.z, Slammer, Sasser and the current plague of Zafi.b, seemingly breach networks with ease.
The "arms race" is currently being lost because most of the IT world is still looking to out-of-date technology to protect themselves. The vast majority of the anti-virus systems out there, use "PULL" technology, in order to obtain the latest anti-virus signatures. The simple fact is that even if network security is updated once a day like clockwork, because there are new viruses, worms and vulnerabilities appearing all of the time, within just moments of that daily update, the system can (and most likely will) be vulnerable once more.
There is simply no way that an IT manager, or even two or three skilled people working in an IT department, can provide this type of 24/7 update service for their organization.
Most anti-virus vendors still use this ineffective "once a day," or even "once a week" update model, despite their marketing claims of so called "live," or "active," or "automatic," updates.
There are already nearly one hundred thousand known computer viruses, and each month over a thousand new viruses, worms and "Trojans" are added to the mix.
Of course, not every one of these viruses and worms is destined to be as "successful" as Klez.h, Netsky.q, MyDoom.a, Bagle.z or the current plague of Zafi.b; but at the moment a new virus or worm is first discovered, it is almost impossible to know for sure which will be a major problem, and which will be no more than a mere curiosity.
A variety of factors will come into play that governs the success of the virus, worm or trojan.
The virus writer needs to get his or her virus to "critical-mass" before the major anti-virus companies can get a virus signature out, installed on their customers' computer systems, and protecting them. To achieve this, many virus writers are turning to Spamming techniques, ensuring critical mass within moments of launch. "Blended" technology is also being used to further improve the virus' or worm's chance of success. Rather than depend on just mass mailing emails, for example, certain worms (such as variants of Netsky) may well attack users via certain open and unprotected network ports, to exploit known vulnerabilities in popular operating system software.
If a worm is able to reach critical mass quickly, and takes advantage of a wide spread vulnerability, the result is often hundreds of thousands of computer systems around the world, being infected in just moments.
A classic example of the speed with which viruses spread is the SQL Slammer worm. On 25th January 2003, at 05:29:36GMT, we detected and blocked the first probe to UDP port 1434 in Korea. In Japan, Thailand, Germany, Switzerland, Australia, England, Saudi Arabia, similar probes were being reported worldwide in a matter of seconds. Within three minutes, we had detected and blocked probes to that port throughout the world.
This means that effectively within three minutes of its release, the worm had probed every single active Internet host, and detected and infected every single active and vulnerable server. Probe rates were as high as one probe per IP address per second in Korea and Australia.
If you are connected to the Internet, you are at risk, pure and simple. And if you think that having a firewall and an anti-virus program installed is enough to protect you, then you need to think again - and fast.
The speed of the Internet has made "friction of distance" evaporate.
In the face of the onslaught from malware, protection needs to move with the times. Firstly, networks require blended protection, which includes firewall, VPN (Virtual Private Networking), IDP (Intrusion Detection and Prevention), anti-virus, anti-SPAM, content filtering and company policy management; just having parts of the jigsaw is not enough. Secondly, these systems need to work seamlessly, with zero-latency between the intrusion detection and the firewall. Thirdly, all of these systems need to be updated in real-time, using state-of-the-art PUSH technology, not the PULL technology of yesteryear.
Last but not least, systems need to include the latest heuristic technology, and not rely too heavily on pattern recognition alone, as we see more and more zero-day high speed attacks across the Internet. A high quality anti-virus heuristic engine, such as the one from Kaspersky, can actually block up to 92% of known viruses, even without have any signatures installed.
About the Author
Simon Heron, technical director at Network Box (
www.network-box.co.uk)
