The phrase "Security is a process, not a destination" is one of our watchwords. It exhorts us to constant vigilance - to always look for the next threat and to out-think the attackers, but some recent events have reminded me that we must apply this at all levels: it is not just the specific threats that are changing, but the nature of the threats. They have also reminded me that things have not changed so very much.
November 2003 saw the 15th anniversary of the Morris Worm, which crippled the Internet of its day. The parallels with recent worms are remarkable: it targeted one of the commonest platforms on the Internet at the time (Unix on VAX and Sun hardware) and spread by exploiting several vulnerabilities, some of them known (but unpatched on many systems) and some of them "zero-day exploits". Nothing has changed: we still have difficulty making sure vulnerabilities are patched everywhere, and we still worry about critical zero-day exploits. The Morris Worm should probably be classified as the first "Blended Threat" that some vendors have been making so much of in the past couple of years.
Of course, everything has changed. In 1988, if you were in charge of a common, Internet-connected system, you were almost certainly some sort of computing professional. Today, you would probably be a home user with little understanding of what happens when you click the mouse. One day, perhaps, we will see Systems Administration taught alongside Reading, Writing and Arithmetic as one of the basic skills starting in Infant School; meanwhile we have to cope with the chaos. It is an issue for every organisation, because attackers can take over some of the huge pool of vulnerable systems and use them to launch denial-of-service attacks against particular targets.
In evaluating how best to allocate our defensive resources we need to consider the motivation of the attackers, and this is an area where there has been a major change in the past couple of years. We are now facing more resourceful, more determined and more ruthless attackers. You might now be expecting a mention of the 'T'-word, Terrorists, but I do not see evidence that terrorists are getting involved in cyber-attacks. We have not seen a "Digital Pearl Harbour" and, from a purely information security perspective, the effect of a likely terrorist attack on most organisations is indistinguishable from that of a gas main explosion or an earthquake. The new, ruthless attacker appears to be Organised Crime.
At the time of the Morris Worm, computer crime for gain was rare and probably involved an insider. The Morris Worm and much more recent worms and viruses, including Melissa and Loveletter, were "Joyriding on the Information Superhighway": they were not released with the idea of financial gain. As soon as people began to do e-Commerce, theft became a possibility, with the Internet providing the getaway car. However, implementing reasonable protective measures encourages ordinary thieves to look elsewhere for an easier target.
A recent family of worms called W32/Mimail suggests something else: some variants launch Denial of Service attacks against various sites and others gather personal information, including online payment account details. The sites targeted for DoS attacks are varied: an online bank, a site trading in characters and equipment for online role-playing games, some anti-Spam sites and other online businesses. The gaming site reports that one of its major competitors paid hackers to attack it, and the anti-Spam sites believe spammers initiated the attacks. There might be a pattern here: a group of criminals has designed a basic delivery mechanism and is attaching a specific payload for each job. If that is the case, then the group appears to be involved in diverse crimes: fraud, identity theft and spamming. When they are opposed, for example by the anti-Spam groups, they do not fade away and look for easier targets; they hit back. Mimail might just be the latest stage in an ongoing campaign (the anti-Spam sites have seen escalating DoS attacks), and there might even be an element of inter-gang warfare: some reports suggest that one of the other online businesses was involved in trading illegally gathered credit card details and social security numbers. That site was not accessible at the time of writing, so the claims could not be verified.
This adds up to attackers that are more resourceful, more determined and more vengeful than we have faced before. On the other hand, it is also largely speculation based on incomplete facts. We do not know whether a single group released these variants of Mimail, and we do know that in many other cases (the Blaster worm being a recent example) the variants were produced by individuals with no relationship to the original writer. Hopefully, the "e-Mafia" is just a fiction resulting from over-extrapolation from too little data.
On the positive side, two recent conferences have highlighted how more organisations in more countries are coming together to fight information security threats. In October 2003, China's National Computer Virus Emergency Response Centre held the second China Information Security Executive Forum in Tianjin. For the first time, many of the speakers were from outside China, some travelling from the UK and USA. Charles Ahn from Korea discussed the situation there, and Randy Abrams from the USA talked about his "Quadraped" system for automating anti-virus testing of software releases.
Chinese speakers included Shen Chang Xiang of the Engineering Academy of China, speaking on Active Defence; Du Yuejin of the National Computer Network and Security Management Centre, speaking about responding to Internet Worms; and Yang Yi Xian of the Beijing University of Posts and Telecommunications speaking about cryptographic techniques. There were over 100 attendees, and the forum ended on 21 October with a visit to the National Computer Virus Emergency Response Centre itself.
In November, the sixth Anti-Virus Asia Researchers Conference was held in Sydney, and thus became the first major anti-virus conference to be held in the Southern Hemisphere. The theme of the conference was Malicious Code, and the speakers did not restrict themselves to viruses. Nigel Phair of the Australian Federal Police introduced the newly formed High Tech Crime Centre, and Yasuhiro Kitaura of Japan's Ministry of Economy, Trade and Industry discussed its Cyber-Security Policy. We do need global cooperation to counter the rising information security threats, and these conferences are a step in the right direction.