Although attackers are becoming more persistent and malicious by the day, the defenses that security administrators are putting up around their networks appear to be working to reduce the number of intrusions, a new survey finds.
While the total number of attacks over the first six months of this year was up 28 percent from the previous six months, the number of companies that were hit with at least one severe attack during that time fell 47 percent, according to a report due this week from Riptech Inc., a leading security monitoring company. The company defines severe attacks as a successful exploit of a vulnerable Web server or a compromise of a system by a worm.
Despite the fact that activity from worms such as Nimda, Code Red and SQL Spida accounted for 44 percent of all attacks during the survey period, fewer than 1 percent of respondents said they had suffered a severe attack from one of these worms.
Riptech executives said they believe several factors likely contributed to the decline in severe attacks and successful compromises, chief among these being the gradual accretion of defenses and security knowledge by network administrators.
“I think it’s the adoption of security products, patches and a general increase in the security posture of the community,” said Tim Belcher, chief technology officer of Riptech, based in Alexandria, Va., and one of the primary authors of the study. “The likelihood of compromise from worms is so low it’s classified as a nuisance.”
Other security experts, however, say these conclusions are specious.
“When there aren’t such epidemics—as there weren’t in the past six months—they conclude that things are getting better,” said Bruce Schneier, CTO of Counterpane Internet Security Inc., based in Cupertino, Calif. “But if you think about it, the reason there wasn’t a Code Red-like epidemic has nothing to do with whether or not defenses are working. It’s just that no one released a new worm.”
Others warned that Riptech’s results don’t offer a clear reflection of what’s happening on the Internet. Under Riptech’s methodology, a simple system scan by a worm is considered an attack, which likely skewed the activity data. In addition, Code Red and Nimda both targeted servers running Microsoft Corp.’s IIS (Internet Information Services) software exclusively; and because IIS runs on just 29 percent of the Web servers on the Internet, according to a survey by Netcraft Ltd., these worms were never a threat to most production Web servers.
“I absolutely do not think serious attacks are waning,” said Jon Callas, a security expert in San Jose, Calif., who developed the OpenPGP standard and is a former senior scientist at Apple Computer Inc. “Part of it is this is really a rite of passage for some young people. Why would some kid in Korea feel bad about trying to break into a network in the [United States]?”
Riptech surveyed more than 400 of its customers around the world, who reported more than 180,000 verified attacks during the six months ended June 30.
And while much has been made in recent years of the impact of slow-reacting administrators to widespread infections such as Code Red, the report indicates a sea change in attitudes toward network protection.
For example, the low number of compromises from worms occurred despite the fact that the number of average daily Code Red scans detected was 50 percent higher last month than in January. This suggests that most of the vulnerable servers running IIS have been patched and are no longer open to Code Red attacks.
Network operators, meanwhile, said there doesn’t appear to be any real drop-off in the intensity or volume of attacks. “There’s still a lot of probing going on,” said the director of e-business at a large East Coast credit union that asked not to be named. “The activity maybe has become more subtle, but I’d still be concerned about the large numbers of zombies.”