There is an old adage that implies that one can look to the future by examining the past. While I don't have a crystal ball for peering into the future of Internet security, I do have a rich history of data today that may hold some of the answers as to what we'll see tomorrow.
When I think about the future of Internet security, I can't help but be influenced and have my opinions shaped by the Internet Security Threat Report released last month by Symantec. The report – an analysis of more than 30 terabytes of attack data gathered in real time from the world's most extensive network of intrusion detection systems (IDSs) and firewalls – provides the Internet community with a deeper understanding of how Internet threats are evolving over time.
Two themes discussed throughout the report speak volumes about the current Internet security landscape and may provide a glimpse of what will emerge on the horizon.
- First of all, the discovery rate for new IT product vulnerabilities accelerated substantially over the past year. In fact, the total number of new, documented vulnerabilities in 2002 was 81.5% higher than in 2001.
- Second, blended threats have intensified and continue to evolve in many ways, posing the greatest risk to the Internet community. Three blended threats (namely Klez, Bugbear, and Opaserv) were the source of 80 percent of malicious code submissions to Symantec Security Response over the previous six months.
These blended threats are a problem now, and will certainly become a bigger problem in the future. Blended threats utilize multiple methods and techniques to spread rapidly across the Internet and cause widespread damage (denial-of-service attacks, hacking attacks, etc.).
A review of the major blended threats from the past several years reveals an interesting trend: all of them targeted known vulnerabilities. And some of these had been well documented for six months or more before the threat was created. Today numerous known vulnerabilities present targets for the next generation of major blended threat attacks.
Evidence suggests that the future of Internet security will present itself on four fronts:
Turn the page, and we'll look at each of these in turn.
New Attackers & New Threats
In the future, there will be a greater dependence on the Internet than ever before, and not just for e-commerce, but also for control of critical infrastructure (power generation, communications, transportation, etc.). While this will bring great efficiency, it also means that the downside of a severe attack on the Internet will be greater than ever.
Until now, “amateurs” – young people with no particular motivation or target in mind – have undertaken most of the highest-profile attacks on the Internet. However, I expect that over the coming year and beyond, we will see a rise in more professional types of attackers, targeting specific crucial online systems. This will potentially endanger not only the Internet, but also our national security, and ultimately our entire way of life.
In July 2001, Code Red spread to 250,000 systems within six hours and the worldwide economic impact of the worm was estimated to be $2.62 billion. Code Red's spread was fast enough to foil immediate human intervention and the ramifications were huge. And just think, the Slammer SQL worm a couple of months ago was even faster.
As attacks grow more professional in nature, I suspect we'll see an even greater increase in the speed and destructive capabilities of threats. For instance, we may see threats emerge that use advanced scanning techniques to infect all vulnerable servers on the Internet in a matter of minutes or even seconds.
Examples of this include Nick Weaver's Warhol worm scenario or Silicon Defense's Flash worm theory:
- Warhol Worms: Through advanced scanning, Warhol worms would first start an infection using a list of about 50,000 sites, and then use coordinated scanning techniques to infect the rest of the Internet. In theory, these worms could spread across the Internet and infect all vulnerable servers in less than 15 minutes of “fame”. The recent Slammer SQL worm showed the first potential glimpses of a Warhol-type threat with its infection rate doubling every 8.5 seconds in the initial stages.
- Flash Worms: Flash worms would operate similarly to Warhol worms, but in this case a determined attacker would begin the infection using a list of not 50,000, but all or almost all the servers open to the Internet. Rather than 15 minutes, such an attack could infect all vulnerable Internet servers in less than 30 seconds.
It is very likely that we will continue to see polymorphic and metamorphic worms, but on a much more complex level. These worms will use stronger techniques for encrypting themselves and because they change their pattern every time they run, it could take days or even weeks for researchers to analyze and create cures.
We will also see an increasing number of threats specifically targeted at disabling security software. An example would be retro viruses that attack antivirus software by deleting virus definition tables or memory resident scanners.
New Platform Vulnerabilities
Except for limited circumstances, Windows has been the primary conduit for Internet security attacks. However, there are several emerging platforms that could become targets for fast-moving threats in the future. All of these will need appropriate security sooner, rather than later:
Web services. In the coming years, we expect to see increased use of Web services (Java and .NET-based) by both enterprises and government agencies to manage supply chains and exchange business information. Appropriately targeted attacks on these systems could have severe repercussions to our economy.
Because Simple Object Access Protocol (SOAP) typically runs on top of HTTP and therefore inherits any bugs and security holes in HTTP implementations, new extensions will be used to add security enhancements. These extensions will provide a standard way to ensure integrity, nonrepudiation, access control and identity approval. Market research firm ZapThink estimates the market for XML and Web Services security is expected to grow from $40 million in 2001 to $4.4 billion by 2006.
Instant messaging (IM). We expect to see significant growth of IM in both the consumer and corporate space. In fact, IDC estimates the number of corporate IM users will grow to a whopping 300 million by 2005. While IM systems have the ability to fundamentally change the way we communicate and do business, many of today's implementations pose security challenges. Virtually all freeware IM systems lack encryption capabilities, and most have features to bypass traditional corporate firewalls, making it difficult for administrators to control their use inside an organization. Many of these systems have insecure password management and are vulnerable to account spoofing and denial-of-service attacks. Finally, IM systems meet all the criteria required to make them an ideal platform for rapidly spreading computer worms and blended threats: they are quickly becoming ubiquitous; they provide an able communications infrastructure; they have integrated directories that can be used to locate new targets (i.e., buddy lists); and they can, in many cases, be controlled by easy-to-write scripts.
Wireless. Wireless Internet connectivity is still an emerging area. Ovum Research forecasts wireless Internet usage to climb to 484 million users by 2005. Often deployed with relatively weak security protection, mobile devices represent a highly attractive infection vector for future malicious code. As consumer wireless adoption grows, and as there is increased standardization on wireless Internet-enabled applications (e-mail, IM, etc.), the possibility of an “over-the-air” Code Red-type threat will grow. Such an attack could potentially interrupt not only data communications, but also voice communications for significant numbers of users.
We also expect to see increased deployment of WiFi (802.11x) technology within the enterprise over the coming years. Research firm In-Stat predicts that wireless-using workers in the U.S. will rise to more than 60 percent in 2004 and business spending on wireless devices will increase to nearly $74 billion in 2005. Given the great amount of visibility wireless vulnerabilities received over the last year, we expect that most enterprise and government deployments will employ some level of security. However, we do expect that a significant number of unauthorized (and likely insecure) corporate wireless networks will be exploited by hackers.
Broadband. More than 500 million people worldwide have Internet access at home, and approximately 60 million of them have a broadband connection. Research firm eMarketer predicts the number of broadband subscribers worldwide will rise to 117 million by 2004, while In-Stat sees 120 million by 2005. As the number of home broadband connections grows, we could see a blended threat spreading from the hundreds of thousands of corporate machines infected by Code Red to tens of millions of home machines. A blended DoS attack launched from 10 million machines could potentially take down the business-to-business transactions of every Fortune 500 company.
Peer-to-peer networks. Public peer-to-peer file sharing systems are becoming increasingly popular. We've already seen some threats targeted at these systems, such as the W32/Gnuman worm that targeted Gnutella users and the W32/Hello worm targeting MSN Messenger. Frost & Sullivan estimates that enterprise users who have access to P2P networks will top 6.2 million by 2007, up from 61,410 at the end of 2001. Similar to IM, these systems are highly connected and provide “always-on” accessibility to the Internet. Unfortunately, they also circumvent security by decentralizing security administration and shared data storage, as well as provide ways around firewalls and Network Address Translation (NAT) devices. We will likely see further attacks against the more popular systems in the years ahead.
Linux. One subtle trend involves the recent increase in malicious code targeting Linux systems. In 1998 we saw the first widespread example of a successful Linux threat, the Linux.ADM.Worm. In addition to its worm-like characteristics, it also exploited a widely known vulnerability, causing the compromise of a large number of systems. Until recently, however, there were relatively few successful attacks on Linux. That changed in September 2002 when the Linux.Slapper worm emerged and caused significant outbreaks.
In addition to Slapper, a number of highly sophisticated Linux viruses have emerged in recent months; these have had relatively little real-world impact so far, but we may not be so lucky in the future. In particular, these threats demonstrated that malicious code writers are developing a higher level of sophistication – a more professional nature – in programming and an increased familiarity with the Linux operating system and its applications.
With the Meta Group projecting Linux penetration at as much as 45 percent of the market for new servers by 2006 or 2007, we will watch the Linux threat landscape carefully over the next few years.
Grid computing. Some vertical industries are increasingly investigating grid computing to solve some of their more difficult computational problems. Grid computing enables organizations to focus the resources of many computers in a network to a single problem at the same time. These are typically scientific or technical and require a great number of computer processing cycles or access to large amounts of data. Market research firm Grid Technology Partners estimates that the worldwide grid-computing industry will grow at a compound annual growth rate of 276 percent, topping more than $4.1 billion by 2005. In the coming years it is plausible that we could see attacks on such systems – their inherent connectedness and distributed model could allow a threat to spread very quickly and do great damage. Deployment of such systems is still relatively low, but this is an area that should be carefully monitored for the security implications.
Online gaming. Online gaming will continue to grow rapidly in the coming years. According to DFC Intelligence, a San Diego-based consulting firm focused on interactive entertainment and video games, 114 million people worldwide are expected to be playing online games by 2006, compared with the approximately 50 million playing today. Because these systems are similar to the “always on” connections of IM (in fact many allow IM-type communications between players) and their popularity continues to grow exponentially, they will be ideal targets for vulnerability scans and subsequent blended threat attacks.
New Solutions to New
Many of today's security solutions are geared towards the detection of “known” attacks—attacks which researchers have previously analyzed. Furthermore, these systems often focus on detecting such attacks, but are less capable of mitigation and prevention. While reactive approaches like fingerprinting will never go away, proactive systems that provide first-strike protection offer hope against all categories of Internet-based threats.
The idea behind the first-strike approach is to detect and prevent malicious code before it ever reaches the lab for analysis. We expect to see new proactive technologies emerge in the coming years, including behavior blocking, anomaly detection and new forms of heuristics. These systems will be crucial for protecting against fast-spreading threats such as the Warhol and Flash worms described above.
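To put numbers on the Slammer doubling time quoted earlier and on why response has to be automated, the following added example (not part of the original article) models an outbreak with the standard logistic growth curve and asks how far it has spread by the time a response takes effect. The 8.5-second doubling time is the article's figure; the logistic model, the vulnerable population size, the 1% detection point and the response latencies are assumptions constructed for illustration.

```python
import math

SLAMMER_DOUBLING_S = 8.5   # from the article: early-stage doubling time
POPULATION = 100_000       # constructed: assumed count of vulnerable hosts
SEED = 1 / POPULATION      # outbreak starts from one infected host

def infected_fraction(t_s, seed=SEED, doubling_s=SLAMMER_DOUBLING_S):
    """Logistic model: fraction of vulnerable hosts infected after t_s seconds."""
    k = math.log(2) / doubling_s
    # Written with exp(-k*t) so a large t underflows to 0 instead of overflowing.
    return 1.0 / (1.0 + ((1.0 - seed) / seed) * math.exp(-k * t_s))

def time_to_fraction(target, seed=SEED, doubling_s=SLAMMER_DOUBLING_S):
    """Seconds until `target` of the vulnerable hosts are infected."""
    if not seed < target < 1.0:
        raise ValueError("target must lie between the seed fraction and 1")
    k = math.log(2) / doubling_s
    return math.log(target * (1.0 - seed) / (seed * (1.0 - target))) / k

def fraction_at_response(detect_at, latency_s, seed=SEED,
                         doubling_s=SLAMMER_DOUBLING_S):
    """Infected fraction when a response lands latency_s after the outbreak
    is first detected at infected fraction detect_at."""
    t_detect = time_to_fraction(detect_at, seed, doubling_s)
    return infected_fraction(t_detect + latency_s, seed, doubling_s)

# Constructed response latencies, measured from detection at 1% infected.
RESPONSES = {
    "inline behavior blocking (1 s)": 1.0,
    "automated filter push (60 s)": 60.0,
    "analyst-driven response (30 min)": 1800.0,
}

if __name__ == "__main__":
    print(f"50% infected after {time_to_fraction(0.5):.0f} s")
    print(f"95% infected after {time_to_fraction(0.95):.0f} s")
    for name, latency in RESPONSES.items():
        reached = fraction_at_response(0.01, latency)
        print(f"{name}: {reached:.1%} infected when the response lands")
```

Under these assumptions half of the vulnerable hosts are infected in under two and a half minutes, so only a control that acts within seconds of detection changes the outcome.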
Managing the Seemingly Unmanageable
Several years ago, security administrators could reasonably protect their networks from intrusion by installing a single firewall at their Internet connection. Then I Love You and Melissa were unleashed on the world, causing admins to rethink the traditional approach.
Today, consumers are more vulnerable than ever and corporate networks have become increasingly complex — supporting business communication with customers, suppliers, partners and remote employees. According to an FBI/CSI survey, 90 percent of respondents—primarily enterprises and government agencies—detected security breaches in the last 12 months. So the question today is no longer if an organization will experience a security incident, but when they will experience such an incident.
In the wake of threats like Nimda, Klez and most recently, Slammer, and as networks extend their boundaries into the outside world, security solutions must adapt and keep pace.
Deploying isolated tactical security products will not solve the complex security issues facing tomorrow's Internet community. Going forward, organizations must employ a more holistic strategy—one that incorporates the core objectives of a comprehensive security environment.
Of primary importance will be the ability to see a comprehensive view of the organization's exposure and vulnerability to potential and actual risks, along with an early warning and alerting system. In addition, the infrastructure needs integrated security solutions to provide protection at all tiers, including the gateway, server and client.
To maintain continuous service – and keep the business running — organizations will need response frameworks that incorporate both technology and hands-on expertise to address security threats as they develop.
Finally, organizations will have to bring their alerting, protection and response systems together under a central, open security management system to ensure both reactive and proactive protection.
Robert Clyde serves as vice president and chief technology officer at Symantec Corporation. With more than 25 years of information security experience, Clyde is a recognized industry authority, serving on the board of the IT industry's Information Sharing and Analysis Center (IT-ISAC). He can be reached at firstname.lastname@example.org.