The latest Symantec Internet Security Threat Report (volume VI) was released this week, along with Six Secrets of Highly Secure Organizations by CIO, CSO, and PricewaterhouseCoopers. The Symantec report requires "registration," but in return you receive a hefty 50 pages or so of data (ignoring the blank pages, covers, etc.) Here are a few excerpts I found interesting:
"Over the past six months, the average time between the announcement of a vulnerability and the appearance of associated exploit code was 5.8 days... This means that, on average, organizations have less than a week to patch all their systems on which the vulnerable application is running.
Over the first six months of 2004, the number of monitored bots rose from well under 2,000 computers to more than 30,000.
Over the first six months of 2004, Symantec observed worm traffic originating from Fortune 100 corporations. This data was gathered not by monitoring the Fortune 100 companies themselves, but by analyzing attack data that revealed the source IP addresses of attack activity. The purpose of this analysis was to determine how many of these systems were infected by worms and actively being used to propagate worms. More than 40% of Fortune 100 companies controlled IP addresses from which worm-related attacks propagated.
In the first half of 2004, 39% of disclosed vulnerabilities were associated with Web application technologies.
Symantec expects that recent Linux and BSD vulnerabilities that have been discovered and used in proof-of-concept exploits will be used as exploit-based worms in the near future.
[Regarding appliances like SOHO routers, firewalls, and VPN endpoints,] as technical details of these devices have become public, attackers have modified the firmware to provide internal access and even allow attackers to monitor traffic on the network."
I recommend downloading and perusing the whole report.
The Six Secrets report confirmed a few of my opinions. For example, it seems the idea of a "return on investment" (ROI) for security still doesn't convince managers to pay for security:
"Negative factors (such as fear of litigation) remained the primary drivers of security spending. Positive factors (such as contributing to business objectives) were less common."
Paying for security is like buying insurance. Security is an exercise in cost avoidance. There is little or no "return" on an "investment" in security. Paying to prevent or mitigate intrusions as the money spent is not an "investment."
In short, the "six secrets" were:
1. Spend more
2. Separate information security from IT
3. Conduct a penetration test
4. Create a comprehensive risk assessment process
5. Define your overall security architecture
6. Establish a quarterly review process
CIO should have included a seventh step:
7. Maintain network and threat awareness
The risk equation is:
Risk = Threats X Vulnerabilities X Asset Value
Currently security folks spend time on vulnerabilities and assets, but hardly any on threats. How did this happen?
Organizations began their security evolution by looking at vulnerabilities, which launched the "vulnerability management" craze. At first every piece of infrastructure was considered "critical," which meant nothing was truly important. Once asset value was taken into account, assets were prioritized and vulnerabilities in the most critical assets were addressed first via patch management, access control, and other countermeasures. This process encompasses steps 3-6 above.
Unfortunately, far too many security experts ignore the third element of the risk equation -- threats. Of course there are vendors who sell "Threat Correlation Modules," but these have nothing to do with true threats. Remember a threat is a party with the capabilities and intentions to exploit a vulnerability. An intruder in Denmark with a hatred of Shell Oil and a zero day exploit for Apache is a threat to Shell Oil. A buffer overflow condition in Apache is a vulnerability for Shell Oil if it's running the affected software. A product which offers information on a vulnerability in Apache while identifying the Apache Web servers in an organization with that vulnerability is a vulnerability correlation product, not a "threat correlation module."
So how does an organization acquire the third piece of the risk equation -- threats? The answer is monitoring. I advocate network security monitoring, which is "the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions." Only by acquiring network awareness, primarily through monitoring for suspicious and malicious activity, can one identify and assess threats. Why spend time, people, and equipment securing a vulnerability in SNMP, for example, if hardly anyone is seeking to exploit it?
Until more of the security world realizes that network awareness is just as important as enumerating vulnerabilities and prioritizing assets, the adversary will have the upper hand.
If you'd like to know more about this sort of thinking, chapter 1 of The Tao of Network Security Monitoring addresses the threat equation, defines its components, and offers other commentary.