Spy vs. spy: companies are spending billions on network security, but staying ahead of hackers may be a pipe dream – techwatch

Esther Shein

ANY WAY YOU LOOK AT IT, 2003 was a real bad year for network security. Although corporate concern over cyber threats jumped dramatically, so too did the number of cyber attacks against companies and their machines. Indeed, security specialist MessageLabs reports that spam accounted for 50 percent of all business E-mail traffic in the United States in May, the first time that junk E-mail outstripped the number of legitimate electronic messages sent to corporations. And if much spam is relatively harmless, some is decidedly not. Digital pathogens such as SoBig, Mimail, and Yaha, which can infect employee computers and servers alike, all spread via E-mail. MessageLabs reckons that two-thirds of all spam is now being sent by open proxies–created in part by computers and other gadgets infected by viruses.

Fending off this red tide of malicious code won’t be easy. While research firm Meta Group Inc. reports that security made up 8.2 percent of corporate IT budgets last year (up from 3.2 percent in 2001), hackers are constantly looking for new ways to flank corporate defenses. Swen, a virus hidden in an E-mail, actually purports to be a security fix from Microsoft for MS Outlook and MS Outlook Express. The message window launched by the virus looks authentic, right down to the Microsoft logo and copyright.

“‘Malware’ is getting more prevalent, more effective, and nastier” notes Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., a managed security services company. “Hackers are getting better at what they do.”

They’re also getting better at making money off what they do. Experts say banks and other financial-services providers appear particularly vulnerable to hackers’ schemes. One variant of the Mimail worm, for example, targets customers of online payment system PayPal. The virus, which comes as an E-mail warning the receiver that an account is about to expire, actually takes the user to a bogus PayPal verification window. Once there, he or she is asked to enter credit-card numbers and other personal information. “Before, you wouldn’t make money off [malicious code],” says MessageLabs president Jos White. “But now there are blended threats between spam and viruses, and [hackers] can find out financial information.”

Further compounding the problem: companies are gravitating toward a handful of core applications, usually accessed via the very-public Internet. The combination is a hacker’s delight. “Eighty to 90 percent of the world is all using the same software,” explains White. “If someone finds a way to compromise that software in any way, everyone gets affected.”


Not exactly a thrilling prospect for companies that must resign themselves to a world filled with worms, evil code, and black-hat hackers. Certainly, the odds of warding off attacks are remote. According to a Yankee Group survey of 404 businesses, 83 percent of the respondents said their companies had been hit by viruses or worms last year.

Still, experts say corporate executives are not entirely helpless in the face of the onslaught. One ray of hope: makers of software are getting much more aggressive in combating code writers who target their programs. In November, Microsoft offered a $250,000 reward to anyone who could lead it to the authors of the SoBig and Blaster viruses, which exploit vulnerabilities in the company’s software.

Others say an overlapping approach to network protection can limit the damage from viruses. Lance Travis, vice president of research for AMR Research, in Boston, believes adequate security requires a combination of technologies, including firewalls, intrusion detection, intrusion prevention, and vulnerability testing. It also includes a little forethought. “[It’s important] to have a well-thought-out security policy that defines how you will secure things” says Travis. He advocates deploying best-of-breed commercial products. “Don’t put all your eggs in one security basket; he warns.

Surprisingly, many businesses fail to make full use of the security systems they already have in place. Typically, security programs provide audit information that can identify any problems a corporate network is experiencing, as well as specific times a network may have come under attack.

But Travis says a fair number of companies don’t review this information systematically. The hang-up? Data overload. “A lot of these tools, such as intrusion detection, will generate a lot of information that is extraneous,” he notes. “So you don’t get a single sheet of information but 10,000 sheets, and you have to figure out the top 20 problems.”


Hiring an outsourcer to monitor the status reports should solve the problem. Even then, observers say, businesses should carry insurance as a backstop to software. A number of carriers have bundled network-security features with their property coverage. Dave Prosser, a senior product consultant at The Hartford Financial Services Group Inc., says that company’s Property Choice policy offers financial protection for files destroyed by network viruses.

The policy also includes business-interruption coverage. While Prosser says insurance provides some peace of mind, he adds that there’s a pressing need to educate companies on security basics, such as backing up data on a regular basis. Asserts Prosser: “We need to spend more time providing materials and information to our customers on how to better protect themselves.”

That’s a tall task, more so as virus writers add new tools to their arsenal. MessageLabs’s White believes that combining spam with viruses–as with the PayPal seam–will be a popular tactic in 2004. Hackers have already given a name to the subterfuge, dubbing the mass distribution of “spoofed” E-mail messages with return links that appear to come from reputable businesses “phishing.”

With consumers and employees becoming more dependent on E-mail–and with a greater percentage of E-mail being compromised–phishing could become a royal pain to corporate managers. In truth, Counterpane’s Schneier does not foresee an end to cyber spying and hacking. “I see no reversing of the trend anytime soon,” he says. “It will take major changes in the way our society deals with computers and software. And I’m not sure society is ready to make those changes yet.”

VIRUSES, TROJANS, AND WORMS, OH MY Top 10 viruses of 2003.

No. of virus

Name interceptions Description

SoBig.F 32,432,730 “Re: Your Wicked Screensaver,” just one

of the spoofed subject lines that

identify this worm.

Swen.A 4,184,129 One strain masquerades as a Microsoft

security update, replete with Microsoft


Klez.H 4,006,766 Comes disguised as a free immunity tool

for–what else?–the Klez worm.

Yaha.E 1,920,424 One version offers free screensaver: once

installed, worm repeatedly tries to

contact a Website in Pakistan.

Dumaru.A 1,129,061 Another bogus Microsoft security patch,

this one E-mails itself to addresses

stored on victim’s computer.

Mimail.A 1,052,481 A later variant of virus scams credit-

card numbers off unsuspecting PayPal


Yaha.M 862,682 Anglofiles? Pop-up message reads “ini-

tialisation error.” Delivers DOS attack

against remote machine.

SoBig.A 842,729 Harvests E-mail addresses from victim’s

computer; “big@boss.com” sender the


BugBear.B 814,865 Among other things, BugBear sends print

jobs to all network printers and

captures victim’s typed keystrokes.

SirCam.A 511,578 Bilingual hackers? E-mail message of

virus, which deletes files and uses up

hard-disk space, comes in English and



COPYRIGHT 2004 CFO Publishing Corp.

COPYRIGHT 2004 Gale Group

You May Also Like

Magazine for Senior Financial Executives: Shanghai surprises – International Deals

Shanghai surprises – International Deals – Huayi Group becomes first Chinese state-owned company to buy controlling interest in U.S. based compa…

Magazine for Senior Financial Executives: Information, Please

Information, Please – Brief Article Julia Homer IN A CFO INTERVIEW THIS MONTH (“Guru of the New Economy,” page 76), Adrian Slywotzk…

With “performance” as its middle name can new software help companies link past, present, and future?

Quantum loop: with “performance” as its middle name can new software help companies link past, present, and future? Russ Banham BUS…

Magazine for Senior Financial Executives: Go-Go Gadgets

Go-Go Gadgets – high-technology Christmas gifts John J. Xenakis This holiday season, the latest technology gifts are faster, lighte…