Security Attacks More Varied and Aggressive, ISS Report Shows

Security incidents are up 15 percent, and the gap between vulnerability disclosure and exploit shrinks

Maintaining patches, proper device configurations, training users—enterprise security is already difficult. Now, there’s a new wrinkle: even less time to react to new threats.

According to new research from Internet Security Systems (ISS), hackers are launching attacks just days after vulnerabilities are announced. In addition, security managers face an increasing numbers of threats.

"The window of time between vulnerability disclosure and the release of a working exploit continues to shrink, leaving enterprises with even less time to learn about and prevent attacks," says ISS X-Force vice president Chris Rouland.

Those results come from ISS’s third-quarter 2003 Internet Risk Impact Summary Report, which details a rise in security incidents, new and more varied attack trends, increased vulnerabilities, and more worm and hybrid threats.

Other interesting results: since the second quarter of 2003, security incidents rose 15 percent and security events—“anomalous or suspicious network behavior”—rose nine percent. In the same timeframe, there were “725 new vulnerabilities, a decrease of two over the previous quarter, and 823 new viruses and worms, an increase of 26 percent over second quarter,” says ISS.

Overall, ISS characterized attack trends as “more varied and aggressive” for the quarter. Attackers had 218 new high-risk vulnerabilities—“those that allow immediate remote or local access, or immediate execution of code or commands with unauthorized privileges”—to target. The MS Blaster and Nachi/Welchia worms, for example, exploited well-known vulnerabilities and affected many an organization’s unpatched computers. The number of worms and hybrid threats grew quarter-to-quarter from 725 to 823.

The biggest problem, however, is that the time in which companies must respond has grown shorter. “This trend was observed when two days after Cisco announced an operating system vulnerability, exploit code was released, leaving virtually no time for patching,” says ISS. As a result, “enterprises also remain at risk for ‘zero-day’ attacks, or attacks against software vulnerabilities not yet known by software vendors.”

What to do? "Security solutions must be proactive if they are to remain ahead of new threats,” says Rouland. “We also recommend minimizing vulnerabilities as hackers will continue to target known weaknesses in popular software.”

Link to Q3 2003 IRIS Report:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.