Consortium to Fight Malicious Code

Leading Internet security companies are banding together to fight malicious autoexecutable applications such as ActiveX and Java applets. With the help of the International Computer Security Association (ICSA, Carlisle, Pa.,, 13 of these companies have formed the Malicious Mobile Code Consortium (MMCC), with more companies expected to join soon.

The MMCC’s mission is to protect resources from deliberate and accidental Internet-borne attacks, and to provide companies with the tools they need to remain safe from debilitating attacks on their computing resources.

Finjan Inc. (San Jose, Calif.,, a mobile code security company and a member of the consortium, says the group will be instrumental in addressing the needs of today’s Internet-connected corporate customers. "Awareness about the threats of Internet mobile code like Java and ActiveX helps corporate customers prevent damage," said Bill Lyons, president and CEO of Finjan.

The consortium, which is funded by its members, hopes to accomplish this through corporate and consumer education, development of product certification standards and testing, raising public awareness regarding security options, and providing a venue for the exchange of information and ideas.

Chris Christiansen, program director at International Data Corp. (Framingham, Mass.,, says the MMCC is a responsible industry response to a complex issue. "We believe that malicious mobile code represents an impending threat to secure computing, and we are currently conducting research which explores the ramifications of mobile code attacks," he says.

According to Dave Harper, product manager for ICSA, 6 percent of companies surveyed have reported malicious attacks. "The threat by mobile malicious code has been established," he says.

Although ICSA and the 13 companies which have joined forces with ICSA say that Internet security is a big concern for their customers, a survey by NetVital Technologies Inc. (Clearwater, Fla.,, a company that focuses on corporate solutions, would refute that as erroneous. According to a March NetVital survey of 584 MIS managers and IT professionals, these Internet security-related issues rank as a "low concern."

NetVital’s summary reads, "Contrary to media reports about e-commerce security concerns, this [focus] group is just not concerned about Internet Services and Web-based financial transactions." The summary adds, "Browser-, e-mail-related and physical attacks, employee Web accesses, outside hackers and exotic bandwidth attacks are a minimal concern."

Just 2 weeks before making this announcement, ICSA released an insurance component to its Internet security assurance service, TruSecure. Now, if a company is subjected to malicious Internet attacks while using TruSecure, whether or not they result in business loss, they will collect $20,000 per incident. ICSA admits that 100 percent security is unattainable but that using TruSecure "dramatically reduces" security threats by simply helping clients identify their vulnerabilities and re-engineering their security processes.