[iwar] [fc:How.Often.Hackers.Attack,.And.What.They're.After]

From: Fred Cohen (fc@all.net)
Date: 2002-07-13 22:18:24


Return-Path: <sentto-279987-4976-1026623838-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Sat, 13 Jul 2002 22:20:09 -0700 (PDT)
Received: (qmail 5181 invoked by uid 510); 14 Jul 2002 05:16:41 -0000
Received: from n14.grp.scd.yahoo.com (66.218.66.69) by all.net with SMTP; 14 Jul 2002 05:16:41 -0000
X-eGroups-Return: sentto-279987-4976-1026623838-fc=all.net@returns.groups.yahoo.com
Received: from [66.218.67.194] by n14.grp.scd.yahoo.com with NNFMP; 14 Jul 2002 05:17:18 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_7_4); 14 Jul 2002 05:17:17 -0000
Received: (qmail 53540 invoked from network); 14 Jul 2002 05:17:17 -0000
Received: from unknown (66.218.66.218) by m12.grp.scd.yahoo.com with QMQP; 14 Jul 2002 05:17:17 -0000
Received: from unknown (HELO red.all.net) (12.232.72.152) by mta3.grp.scd.yahoo.com with SMTP; 14 Jul 2002 05:17:16 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g6E5IPL27802 for iwar@onelist.com; Sat, 13 Jul 2002 22:18:25 -0700
Message-Id: <200207140518.g6E5IPL27802@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Sat, 13 Jul 2002 22:18:24 -0700 (PDT)
Subject: [iwar] [fc:How.Often.Hackers.Attack,.And.What.They're.After]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=0.0 required=5.0 tests=DIFFERENT_REPLY_TO version=2.20
X-Spam-Level: 

http://www.internetweek.com/story/INW20020711S0001
Internet Week
How Often Hackers Attack, And What They're After

By Tom Smith

Attack activity against corporate networks went up significantly in the
first half of 2002 when compared with the second half of 2001, but the
good news is that the incidence of highly sophisticated attacks was low
between January and June this year.

Those are some of the key findings in a new study by Riptech Inc., a
provider of security monitoring services. The findings are based on
events and attack attempts tracked by Riptech among 400 of its
customers. The company said the companies it selected for the study
represent a cross-section of its clients by company size, vertical
industry, public/private, and other variables.

The findings, therefore, are likely to be a good indicator of the
experiences of most big companies. Riptech does caution, however, that
since all the companies whose experiences factor into the data are users
of security monitoring services, they tend to be closer than most to the
leading edge in deploying security technology. "These companies have
made the decision to be our customers, so they tend to be more
security-aware," said Elad Yoran, executive vice president at Riptech,
Alexandria, Va.

There's one important exclusion from most of the findings: Riptech tracks --
but didn't count -- worm activity in most of the attack figures it
reported, because worms typically account for a disproportionate share
of activity. The company did gather some data on worm activity, however:
worms accounted for 44 percent of overall attack activity in the
preceding six months, compared with 63 percent during the second half of
2001. A likely explanation, according to Yoran, is that there was no
particularly significant worm released in the year's first six months,
while last year witnessed the release of major worms such as Code Red.
"Companies in general have done a reasonably good job of patching their
systems to protect against worms," Yoran added.

Among the 400 companies whose experiences make up the Riptech data, the
average company experienced 32 attacks per week, a 28 percent increase
over the 25 attacks per company per week seen in 2001's second half.
Riptech's Yoran said several factors are likely contributing to this
heightened level of malicious activity: the sheer growth of the Internet
and of the number of users with Internet connections. More users
inevitably mean a greater number of potentially malicious users. In
addition, the Internet makes it easier to access and use tools for
launching attacks, and those tools are becoming ever easier to use,
Yoran said.

Despite the increased activity, the number of attacks that are
considered highly aggressive or sophisticated was less than 1 percent.
The percentage of companies experiencing at least one attack posing a
severe threat was 23 percent, a sharp decrease from the 43 percent
experiencing severe attacks in the second half of last year. Riptech
noted this could be an outcome of the strong security posture that's
typical of companies using security monitoring services. Riptech also
cautioned that this can't be viewed as all good news, since nearly a
quarter of companies faced a serious potential security breach.

When highly aggressive attacks occur, they are more than 26 times more
likely to have severe effects than attacks that are classified as
moderately aggressive, so even the small percentage of such attacks
remains cause for concern.

Riptech's data includes several other important findings for security
and IT managers. The top 20 "scans" -- attempts by hackers to gain
information about systems or networks as a precursor to launching an
attack -- were headed by File Transfer Protocol scans. FTP is one of the
most commonly used protocols for moving files from system to system
across a network, including the Internet. Riptech's analysis suggests
that hackers would look to exploit FTP to compromise a system supporting
the protocol, or to "borrow" an FTP server for uploading and storing
pirated software or music files.

The second-most common scan during the six-month window involved
Microsoft SQL databases. This activity increased dramatically as an
outcome of the SQL Spida worm that was released in May. According to
Riptech, that worm prompted a 500-fold increase in Microsoft SQL scans.
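The two findings above are the kind of thing a monitoring team measures from its own firewall or IDS logs: which services draw the most scans, and whether probes against one service have suddenly multiplied the way Microsoft SQL scans did after SQL Spida. The following script is an added example, not code from the article or from Riptech; it tallies dropped connection attempts per ISO week and service over a constructed sample log and flags any service whose weekly probe count rose by a given factor against a baseline week. The log line format, the port-to-service mapping, the treatment of dropped attempts as probes, and the 5x surge threshold are all assumptions made for illustration.

```python
"""Scan-volume trending over constructed firewall log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed mapping from destination port to a service label; anything else is "other".
SERVICES = {21: "ftp", 1433: "mssql", 80: "http", 22: "ssh"}

# Constructed sample log. Format (an assumption, not any vendor's):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<drop|accept>
# Week 2002-W18 is the baseline; week 2002-W21 contains a burst of MSSQL probes.
SAMPLE_LOG = """\
2002-05-01T01:02:03 src=198.51.100.7 dst=192.0.2.10 dport=21 action=drop
2002-05-01T01:02:04 src=198.51.100.7 dst=192.0.2.11 dport=21 action=drop
2002-05-02T09:15:00 src=198.51.100.9 dst=192.0.2.10 dport=21 action=drop
2002-05-02T10:00:00 src=198.51.100.9 dst=192.0.2.12 dport=1433 action=drop
2002-05-03T12:00:00 src=203.0.113.4 dst=192.0.2.10 dport=80 action=accept
2002-05-03T12:00:05 src=203.0.113.4 dst=192.0.2.10 dport=80 action=accept
2002-05-22T00:01:00 src=198.51.100.20 dst=192.0.2.10 dport=1433 action=drop
2002-05-22T00:01:01 src=198.51.100.20 dst=192.0.2.11 dport=1433 action=drop
2002-05-22T00:01:02 src=198.51.100.20 dst=192.0.2.12 dport=1433 action=drop
2002-05-22T03:30:00 src=198.51.100.21 dst=192.0.2.10 dport=1433 action=drop
2002-05-22T03:30:01 src=198.51.100.21 dst=192.0.2.11 dport=1433 action=drop
2002-05-23T03:30:02 src=198.51.100.22 dst=192.0.2.12 dport=1433 action=drop
2002-05-23T08:00:00 src=198.51.100.7 dst=192.0.2.10 dport=21 action=drop
2002-05-23T08:00:01 src=198.51.100.7 dst=192.0.2.11 dport=21 action=drop
2002-05-24T08:00:02 src=198.51.100.9 dst=192.0.2.10 dport=21 action=drop
2002-05-24T08:00:03 src=198.51.100.9 dst=192.0.2.11 dport=21 action=drop
2002-05-24T08:00:04 src=198.51.100.9 dst=192.0.2.12 dport=21 action=drop
2002-05-25T18:00:00 src=203.0.113.50 dst=192.0.2.10 dport=22 action=drop
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    year, week, _ = ts.isocalendar()
    dport = int(m.group("dport"))
    return {
        "week": f"{year}-W{week:02d}",
        "src": m.group("src"),
        "service": SERVICES.get(dport, "other"),
        "action": m.group("action"),
    }


def probes_by_week(log_text):
    """Count dropped connection attempts (treated here as probes) per ISO week and service."""
    weekly = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "drop":
            continue  # malformed lines and accepted connections are not counted as probes
        weekly[rec["week"]][rec["service"]] += 1
    return weekly


def top_probed_services(weekly, n=3):
    """Return the n most-probed services across all weeks as (service, count) pairs."""
    total = Counter()
    for counts in weekly.values():
        total.update(counts)
    return total.most_common(n)


def surging_services(weekly, baseline_week, current_week, factor=5.0):
    """Flag services whose probe count in current_week is at least `factor` times the baseline.

    A baseline of zero is treated as one so that a brand-new trickle of probes
    does not divide by zero or register as an infinite surge.
    """
    base = weekly.get(baseline_week, Counter())
    cur = weekly.get(current_week, Counter())
    flagged = []
    for service, count in cur.items():
        baseline = base.get(service, 0)
        ratio = count / max(baseline, 1)
        if ratio >= factor:
            flagged.append((service, baseline, count, ratio))
    return sorted(flagged, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    weekly = probes_by_week(SAMPLE_LOG)
    print("most probed services:", top_probed_services(weekly))
    for service, before, after, ratio in surging_services(weekly, "2002-W18", "2002-W21"):
        print(f"surge: {service} went from {before} to {after} probes/week ({ratio:.0f}x)")
```

Run against the sample, FTP remains the most-probed service overall while MSSQL is the only service flagged as surging between the two weeks; on real data the baseline should be a rolling average over several weeks rather than a single week, so that one quiet week does not make ordinary fluctuation look like a worm outbreak.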

Among other important findings from the study:

Roughly one in three attacks was targeted at a specific company. Nearly
two in three, or 63 percent, were opportunistic, or aimed at finding and
exploiting a vulnerable organization over the Internet.

The highest percentages of total attacks, highly aggressive attacks, and
severe attacks all took place on Wednesday, while attack activity
dropped off significantly on weekends. "It seems counter-intuitive. I
guess hackers are people too and tend to follow a normal routine," Yoran
said. "This doesn't mean you can watch any less on weekends or at
night."

The highest average number of attacks per company was experienced, in
order, by power and energy, financial services, and high tech firms.
Manufacturing and media/entertainment were the lowest on this scale.

By far the highest percentage of hackers -- more than 63 percent -- used
some version of the Microsoft Windows operating system. The next highest
share, 12 percent, used Unix.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT