
Technology and Crime - Viruses

The common term "computer virus" is often used to refer to all malware (malicious software)—that is, programs such as viruses, worms, and Trojan horses that infect and destroy computer files. Technically speaking, viruses are self-replicating programs that insert themselves into other computer files; the virus spreads when an infected file is transferred to another computer on a disk or over the Internet. The first virus dates back to 1982, when fifteen-year-old Rich Skrenta wrote "Elk Cloner," a virus that attached itself to the Apple DOS 3.3 operating system and spread to other computers by floppy disk. The first computer worm to attract attention appeared six years later and was written by Robert Morris at the MIT Artificial Intelligence Laboratory. Worms are self-contained, self-replicating programs that spread from computer to computer over the Internet under their own power; unlike viruses, they do not rely on people's actions or on infected files to move from one machine to another. Like viruses, worms can destroy files and take advantage of vulnerabilities in computer programs or operating systems. A Trojan horse does not self-replicate and is typically disguised as something more innocent, such as an e-mail attachment; when the user opens the e-mail, the malicious code is unleashed on the computer. As malware has become more advanced, the distinctions between types of malware have become less obvious. Trojan horses, for instance, often contain viruses that replicate through computer files. For this reason the word "virus" will be used here to designate any type of malware, unless otherwise specified.

Viruses behave in a number of different ways. The Netsky virus, for instance, was typically hidden in an e-mail attachment and was launched when the user opened the attachment. Once active, Netsky set up its own e-mail protocol, looked for e-mail accounts on the hard drive, and mass-mailed itself to those accounts. Another virus, MSBlaster, appeared on August 13, 2003, and quickly wormed its way through the Internet, infecting hundreds of thousands of computers in a day through a vulnerability in Windows operating systems. Once on a PC, the virus instructed the computer to take part in a Distributed Denial-of-Service (DDoS) attack on the windowsupdate.com Web site. (A DDoS attack occurs when hundreds of computers are used to access a single Web site at once, making it inaccessible to everyone else.) Other viruses, known as "bombs," lay dormant in a computer until a specific date was registered on the computer's clock. Still other viruses disabled any virus removal program on the computer, making the virus very difficult to remove.

People have all sorts of reasons for creating and sending viruses. Some viruses are written as pranks. Others are written by political activists or terrorists. Still other viruses are intended to injure specific corporations. According to McAfee, one of the largest makers of anti-virus programs, in October 2004 more than 780,000 computers became infected with the top ten most prevalent viruses. WildList Organization International, an organization that tracks the number of computer viruses circulating around the world, reported that there were roughly 360 viruses in play in October 2004.

How Viruses Hurt American Businesses

Each year, ICSA Labs, a division of TruSecure Corporation, releases its "Computer Virus Prevalence Survey." In 2003 the survey cataloged computer virus trends and incidents in three hundred large organizations with a combined total of 962,278 desktop computers, servers, and perimeter gateways. The report revealed that these organizations had 2.7 million encounters with viruses in 2003, which represented 201 encounters per one thousand machines per month. (An example of an encounter would be an employee receiving an e-mail attachment with a virus.) These encounters resulted in the infection of an average of 108 of the sites per month. Though the rate of infections appeared to plateau after the turn of the century, more infections occurred in 2003 than in any previous year. (See Figure 4.5.) The survey defined a virus disaster as an incident that affected more than twenty-five machines in an organization or caused significant damage within the organization. Nearly one-third (ninety-two) of the organizations revealed that they had experienced a virus disaster over the survey period. When asked whether the virus problem in general was better or worse, a little more than half (154) of the organizations surveyed responded that it was "much worse."

Some viruses were encountered more than others. The virus that the ICSA Labs survey respondents encountered most often was the Yaha virus, with thirty-two encounters per month. It was followed by the Klez virus, the Mimail virus, the BugBear virus, and the SirCam virus. Employees encountered more than 88% of the viruses in e-mail attachments. Internet downloads accounted for the second largest number of viruses (16%). Figure 4.6 is a chart showing how viruses were distributed from 1996 to 2003. As the graphic shows, viruses delivered through floppy disks have dropped dramatically since the mid-1990s, while viruses contracted by e-mail have skyrocketed. The viruses that do the most damage, however, are not necessarily the ones encountered most often. The survey participants reported that the viruses most responsible for their latest disasters were the Blaster worm, the Slammer worm, and the Sobig worm. Blaster alone infected 129,087 computers in twelve organizations, according to the survey.

Virus disasters have cost the companies involved in the ICSA survey a great deal of time and money. Eighty-two of the survey participants that reported virus disasters also reported that servers were involved in the disaster. Although the average downtime for a server was seventeen hours, five organizations reported that their servers were offline for more than one hundred hours. The 2003 respondents spent an average of eleven person-days and $99,000 to clean up a typical virus disaster, an amount that was $18,000 more than it had been in 2002.

FIGURE 4.5

While the number of viral infections per year seemed to be leveling off in 2003, the viruses themselves were more damaging, in part because the new viruses spread faster. In the early 1990s file viruses sometimes took months to propagate via floppy disk. The Slammer virus, which was released on January 25, 2003, spread around the world in ten minutes, knocking out five of the thirteen Domain Name System (DNS) root servers and impacting everything from ATM systems to air traffic control systems. The quicker a virus moves, the less time the makers of antiviral software have to create a defense against it. Without a defense, the virus can attack computer systems unchecked.

Computer Emergency Response Team (CERT)

The Defense Advanced Research Projects Agency (DARPA, formerly ARPA) formed the Computer Emergency Response Team (CERT) in 1988, only two weeks after the Morris worm was let loose on the Internet. The headquarters of CERT, the CERT Coordination Center (CERT/CC), is located at Carnegie Mellon University in Pittsburgh, Pennsylvania. The purpose of the organization is to identify threats to the Internet as a whole. CERT/CC also coordinates the actions of the private and public sectors when major Internet incidents occur. In 2003 US-CERT was formed by the Department of Homeland Security to work with the CERT Coordination Center in identifying threats to the Internet and to U.S. national security.

FIGURE 4.6

While CERT does issue alerts on viruses that affect home users, CERT is more concerned with the big picture. They provide emergency incident response for network access ports (NAPs), root DNS servers, and other components that make up the Internet's infrastructure. They also coordinate responses to large automated attacks against the Internet, such as the Slammer virus, and monitor threats to U.S. government computers. The organization also analyzes virus code to come up with solutions to thwart them.

For years CERT has published a list of the vulnerabilities and incidents reported to it. Most incidents were not garden-variety viral e-mail attachments; rather, they were deliberate attacks by hackers and other criminals against computers at corporations, academic institutions, and government agencies. Table 1.2 in Chapter 1 shows the number of incidents reported to CERT between 1988 and 2003. Only six incidents were reported in 1988, when the organization was formed. The number of incidents had grown to 2,412 in 1995 and to 137,529 in 2003. Incidents typically occur when vulnerabilities—weaknesses in computer software and systems—are exploited by cyber criminals. The MSBlaster worm exploited one such vulnerability in the Microsoft Windows program. The vulnerability enabled the creator of the worm to use other people's computers to launch a DDoS attack against Microsoft's Web site. Table 4.5 displays the number of legitimate vulnerabilities reported to CERT from 1995 through the first three quarters of 2004. Between 1999 and 2002 the number of major vulnerabilities in Internet and computer systems shot up dramatically. In 2003, however, the number of vulnerabilities dropped by 8%, and they remained at about the same level in 2004. These numbers seemed to suggest that software designers and computer manufacturers were becoming better at catching vulnerabilities in 2003, even as computer hackers and criminals continued their attacks.

TABLE 4.5

Computer security vulnerabilities reported, 1995–2004
Total vulnerabilities reported (1995–2004): 16,726
SOURCE: "Vulnerabilities Reported," in Cert/CC Statistics 1988–2004, CERT Coordination Center, Carnegie Mellon Software Engineering Institute, January 24, 2005, http://www.cert.org/stats/cert_stats.html#incidents (accessed February 18, 2005). Reproduced by special permission of the Carnegie Mellon Software Engineering Institute.

Year             1995  1996  1997  1998  1999   2000   2001   2002   2003   2004
Vulnerabilities   171   345   311   262   417  1,090  2,437  4,129  3,784  3,780

E-crime Survey Results

In 2004 CERT began publishing an annual "E-crimes Survey Watch" to obtain a more detailed picture of how e-crimes affected companies in the United States. The survey polled five hundred organizations of all sizes and asked them about the problems they faced with regard to computer crimes in 2003. The CERT definition of an electronic crime is "any criminal violation in which electronic media is used in the commission of that crime." Over 30% of those surveyed reported security budgets of $1 million or more for computer systems security. Coincidentally, 30% said that they experienced no electronic crimes. Nearly 45% replied that they were victims of between one and fifty crimes, and the rest reported that they experienced more than fifty crimes. Table 4.6 reveals that most organizations saw hackers and current and former employees as the biggest threats to their security. However, as can be seen in Table 4.7, the types of electronic crimes experienced most by survey respondents were viruses and denial of service attacks. Unauthorized access to computers by insiders (current or former employees) came in fourth, with 36% of survey participants reporting the crime. Of those companies that reported e-crimes by insiders, 73% said the person was a current employee not in a management position. Unauthorized access by someone with little or no connection to the company was reported by 27% of respondents. The survey suggests that when it came to e-crime in 2003, companies had more to fear from current employees than from random computer hackers. With regard to preventive measures, Table 4.8 reveals that most organizations believed firewalls and encrypted data to be the most effective barriers to e-crime. Manual patch management of system vulnerabilities, wireless monitoring, and monitoring employees' keystrokes were considered the least effective.

TABLE 4.6

Computer security threats organizations fear most, 2003
(base: 500)
Note: percents may not sum to 100 due to rounding.
SOURCE: "Greatest Cyber Security Threat in 2003," in 2004 E–Crime Watch Survey, CSO magazine/U.S. Secret Service/CERT Coordination Center, Carnegie Mellon Software Engineering Institute, May 25, 2004, http://www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf (accessed November 19, 2004). Reproduced by special permission of the Carnegie Mellon Software Engineering Institute.
Hackers 40%
Current employees 22%
Former employees 6%
Current service providers/contractors/consultants 3%
Customers 2%
Foreign entities 2%
Competitors 2%
Terrorists 1%
Former service providers/contractors/consultants 1%
Suppliers/business partners or information brokers <1%
Don't know 20%

TABLE 4.7

Types of electronic crimes reported, 2003
(base: 342)
Note: percents may not sum to 100 due to rounding.
SOURCE: "Types of Electronic Crimes," in 2004 E–Crime Watch Survey, CSO magazine/U.S. Secret Service/CERT Coordination Center, Carnegie Mellon Software Engineering Institute, May 25, 2004, http://www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf (accessed November 19, 2004). Reproduced by special permission of the Carnegie Mellon Software Engineering Institute.
Virus or other malicious code 77%
Denial of service attack 44%
Illegal generation of SPAM email 38%
Unauthorized access by an insider 36%
Phishing 31%
Unauthorized access by an outsider 27%
Fraud 22%
Theft of intellectual property 20%
Theft of other proprietary info 16%
Employee identity theft 12%
Sabotage by an insider 11%
Sabotage by an outsider 11%
Extortion by an insider 3%
Extortion by an outsider 3%
Other 11%
Don't know 8%

The Computer Crime and Security Survey, conducted by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) in 2004, presented findings similar to those of CERT's "E-crimes Survey Watch." One big difference between the two surveys was that the FBI survey included the theft of computer merchandise. Figure 4.7 lists the e-crimes that have plagued the survey's respondents over the last five years. Viruses by far topped the list, with 78% of respondents reporting a virus attack in 2004. Insider abuse of Internet access came in second with 59%. Denial of service, which often involved the use of a virus, ranked sixth with 17%. Table 4.9 shows that the total numbers of incidents originating from outside and from inside have been roughly equal during the five years the survey has been taken. As to total dollar amount, Figure 4.8 displays how much each type of computer crime cost 269 of the survey participants (out of a total of 494). Viruses and denial of service topped the list in 2004 with $55 million and $26 million in losses, respectively. By comparison, insider Internet abuse cost these organizations only about $10 million. Overall, however, the cost of computer crimes to companies in the survey dropped from $201 million to $141 million between the 2003 and 2004 surveys. The FBI's report concluded that the level of computer crime dropped between 1999 and 2004. Interestingly, the CSI/FBI survey found that many respondents did not report e-crime incidents to law enforcement agencies. The most prominent reasons given were that they believed the associated negative publicity would be detrimental to the company's image or stock value (51%) or that they feared a competitor would use knowledge of the vulnerability against them (35%).

TABLE 4.8

Technologies effective against e-crime, 2003
Technologies effectiveness (percents based on those with the technology in use). The top five rankings in each column are given in parentheses.
Notes: Percents may not sum to 100 due to rounding.
SOURCE: "Technologies Effectiveness," in 2004 E–Crime Watch Survey, CSO magazine/U.S. Secret Service/CERT Coordination Center, Carnegie Mellon Software Engineering Institute, May 25, 2004, http://www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf (accessed November 19, 2004). Reproduced by special permission of the Carnegie Mellon Software Engineering Institute.

Technology                                                                    Very or extremely effective  Somewhat effective  Not effective  Don't know
Firewalls                                                                     71% (1)                      22%                 2%             4%
Encryption of critical data in transit                                        63% (2)                      19%                 5%             13%
Two factor authentication                                                     56% (3-tie)                  16%                 8%             20% (4)
Encryption of critical data in storage                                        56% (3-tie)                  21%                 6%             17% (5)
Intrusion detection systems monitored by automated systems w/built-in alarms  51% (4)                      28%                 8%             13%
Physical security systems                                                     48% (5)                      39% (1)             9%             4%
Intrusion detection systems monitored by person                               45%                          34% (4)             11%            10%
Role-based access control                                                     44%                          35% (3-tie)         9%             12%
Automated patch management                                                    39%                          32% (5)             14% (4)        16%
Information assurance technologies                                            35%                          35% (3-tie)         13% (5)        16%
Anti-Fraud technologies working with ERP/account payable/billing systems      33%                          30%                 7%             30% (2)
Wireless monitoring                                                           26%                          31%                 20% (2)        23% (3)
Manual patch management                                                       26%                          37% (2)             23% (1)        14%
Keystroke monitoring of individual users                                      24%                          27%                 16% (3)        33% (1)
