Hacking

Companies fear the public relations and share-value impact of disclosing a security breach. Perversely, revealing even an unsuccessful attack can be a public relations disaster. And once an organization announces that it has been attacked, it may suffer further attacks as a result of the news coverage.

For other crimes, we can use police statistics or insurance claims data to measure the change in risk over time. Currently, however, there isn't much of a market for cyberinsurance, so insurance data isn't available. Police data isn't much better because companies are hesitant to report computer crimes. Some distrust the police, believing them to have a low level of awareness of computer security issues. Laws like the Freedom of Information Act and the low rate of successful prosecutions add to this distrust.

But companies can't hide everything. The highest-profile attacks in the current environment are Web site defacements. A useful resource in this area is Attrition.org's Web site. Hackers notify this group when they deface a site, and Attrition.org makes a mirror copy of it as a record. This means it has accurate data reflecting trends in this area. And the current trend isn't good. Attrition.org's Web site is seeing about 30 defacements per day, an increase from 13 per day a year ago and two per day two years ago. And it doesn't look like this will improve anytime soon.

To supplement this data from the outside world, we also regularly examine data from our systems to ensure that our defense is properly focused. We have an intrusion-detection sensor outside the firewall that logs many attacks, and we also log a great deal at our firewalls. As an exercise, we recently analyzed a week's worth of data down to the last packet and noticed some remarkable trends. I hadn't looked at this data in detail for some time, and I was startled by what we found.

My company was an early adopter of the Internet, so we have a large address range. This means that if an attacker picks an address at random, we have a 1 in 65,000 chance that we'll be the target. We are a major financial organization, making us a possible target of choice for directed attacks.

So, given all that, how many attacks and probes do you think we detect? One per month? One per day? I thought the result would be something in the range of once per hour. My research uncovered a much higher figure: We detected 1.5 attacks every second.

Of the non-Web connections (such as Domain Name System, File Transfer Protocol or e-mail), 85% were unauthorized, consisting of attempts to gather information or compromise our systems. Our firewall or our intrusion- detection system blocked these unauthorized connections--no doubt a few of them were errors caused by people mistyping IP addresses. It's also possible that some much more competent attacks penetrated our outer shell.

The most popular attacks are those that use scanning tools to target known vulnerabilities. The top attacks in our sample week were DNS BIND buffer overflow probes (379,273), Back Orifice probes (64,932), WU-FTP buffer overflow probes (64,824) and NetBIOS share name probes (38,285).

From