A pioneer in early-warning computer security, Alfred A. Huger, senior director of engineering at computer-security giant Symantec (SYMC), spends just about every day watching the Web for trouble. His company, SecurityFocus, is now owned by Symantec and was one of the first to track viruses as they spawned, from Net-monitoring labs stretching from Calgary, Canada, to Dublin, Ireland. Huger and his team of "bug trackers" provide data on impending virus threats to corporations around the world.
Recently, BusinessWeek Correspondent Brian Grow spoke with him about the evolution of early-warning computer security and how it's becoming increasingly important as cyberspace becomes a more dangerous place. Here are edited excerpts of their conversation:
Q: What was the genesis of SecurityFocus?
A: We were looking at the vast amount of [computer] vulnerabilities that were being identified on a fairly regular basis -- and nobody knew when they were coming. So, we built a sensor system across the Internet that performs data-mining. We worked in an alert system and added analysts on top. The result: If you and I share the same attacker, then we can share information [about that attack]. Our advantage is that we have access to the information from our databases.
Q: How did your DeepSight early-warning technology play out when the Sasser virus hit?
A: We have analysts working 24/7, spread from Calgary to Dublin, Tokyo, Santa Monica, and Sydney. Sasser took advantage of a vulnerability in the LSASS [local security authority subsystem service] in some Microsoft Windows software. The problem was, everbody out there called it something different. Our analysts saw a petrochemical company in the U.K. and a big corporation in the U.S. with the same vulnerability. Their job is to find those vulnerabilities that are likely to become worms and give companies as much lead time as possible [to patch them].
The LSASS vulnerability was announced on Apr. 13. We began warning clients about it on Apr. 15, and two days later began shipping them patches. On Apr. 29, we saw active use of the LSASS vulnerability [by hackers], and Sasser actually hit on May 1.
Q: What are the telltale signs that allow you to track when an virus attack might be coming?
A: You're making a judgement call from previous experience. But usually it's a first-tier piece of software [such as Windows], which is easier to exploit than, say, Unix. When a worm is written by a hacker, they need to break into lots of computers. The more normality that they have [like Windows], the better. Or the software is easily available over the Internet. Or it's remotely exploitable -- it doesn't require any identification like a username and password. We also look at code to see if [the virus writers] are using the same signature.
Q: Why are early-warning systems gaining in popularity?
A: People are sick and tired of being hit blind. The window [between a vulnerability being announced and a virus attack] is shrinking dramatically, and the skills of the people writing worms has gone up dramatically. You can now go to Barnes & Noble (BKS) and buy a book called The Shellcoder's Handbook. It's about how to write exploits that then become worms. You can see it also in commercial enterprises: People are making their bread and butter by writing exploits.
Q: How dangerous are viruses becoming?
A: When Sasser hit, we went to Threatcon 3 [on a scale of 1 to 4], and everyone was in the office. If we get to Threatcon 4, then the Internet is melting. A virus that was Threatcon 4 would look alot like what we have now, but it would contain a destructive payload such as formatting hard drives. So far, very few virus writers have tried to destroy computers. It's that one last taboo that they haven't crossed.