Cracks in the Firewall

Thanks to sophisticated new attack methods, computer security has to go beyond the old standby of merely keeping intruders out

By Alex Salkever

Is your firewall toast? A new report by Web security giant Internet Security Systems (ISSX) suggests it certainly could use a few upgrades and some additional help.

The company combed through data collected from the logs of thousands of security devices it monitors for businesses ranging from mom-and-pops to multibillion-dollar global conglomerates. The conclusion: Perimeter defenses such as firewalls are not enough to ward off increasingly sophisticated worms and viruses.

Sure, ISS is more than happy to sell you a host of new security products. But the issues raised by its survey -- a comprehensive look at the state of Web security -- are quite revealing. The study, released on Apr. 3, found that 70% of all intrusion attempts now target port 80. Each computer has thousands of ports used for different services. Firewalls control, depending on your preferences, which ports are open or closed. Port 80 is now used on virtually every computer for Web surfing, so it's wide open. Shielding port 80 would gum up Web traffic as requests for info and responses from Web servers got backed up in a domino effect.

This explains why intruders increasingly play off this connectivity to target systems that require a certain degree of openness to function as a business tool. "The [pre-Internet] computing technologies were designed to keep people out. The Internet is all about letting people in. That's a different security scenario," explains Joe Duffy, national security practice manager for PricewaterhouseCoopers.

Other insights can be gleaned from ISS's inaugural quarterly report. Until recently, the most common type of Internet attack was "denial of service," whereby malicious hackers break into computers connected to the Net and command them to fire incessant data requests at a Web site. That shuts off access to the site and can damage it.

Now a new, more sophisticated type of attack predominates, says the ISS study -- "hybrid" attacks. They involve pieces of automated software that might try multiple avenues to break into a system, such as e-mail, Web servers, and known vulnerabilities in operating systems. Sometimes, the goals are hidden. A good example: Code Red, which sought to insert itself into as many open Microsoft Internet Information Services (IIS) servers as possible and then tried to launch an attack on the White House Web site.

The first widespread hybrid attacks came last year with so-called worm-viruses such as Code Red and Nimda. Others are appearing with frightening regularity. "We started getting these multidimensional threats wrapped in a single box. It's like the Unabomber putting a box on your doorstep. There's a bomb containing a nuclear device, a biological weapon, and a chemical weapon all in one package," says Tom Noonan, CEO of ISS.

These types of intelligent, multifaceted cyberthreats are changing the way companies plan security for their networks. "Nimda was very interesting from a security perspective because we talk about virus detection and intrusion detection. But just detecting isn't sufficient any more," says Wyatt Starnes, CEO of Tripwire Security Systems. "In the case of Nimda, by the time it was detected, it had already executed. And by then it had pretty much trashed the system file structure."

Tripwire and other companies have taken the cue and adjusted their products to reflect the new reality. According to Starnes, his software has morphed from an "intrusion-detection system" aimed at detecting hackers as they attack to an "integrity assessment software" that can detect untoward changes in files and quickly restore them to normal. Other companies, such as Foundstone, are focusing on "security assessment products" that do spot checks on company networks to make sure they're not at risk.
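The "integrity assessment" loop Starnes describes, as an added illustration written for this page (not Tripwire's code): take a trusted baseline of file digests, report what drifted, and put tampered files back from a clean copy. The directory layout, file contents and the backup location are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Relative path -> SHA-256 of every file under root (the trusted snapshot)."""
    return {os.path.relpath(os.path.join(d, n), root): sha256_file(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

def check_integrity(root, baseline):
    """Compare the live tree to the baseline and report what drifted."""
    current = build_baseline(root)
    return {"modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
            "added": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}

def restore(root, backup, report):
    """Copy tampered or deleted files back from a trusted backup; remove files that appeared."""
    for rel in report["modified"] + report["missing"]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        shutil.copy2(os.path.join(backup, rel), os.path.join(root, rel))
    for rel in report["added"]:
        os.remove(os.path.join(root, rel))
    return report["modified"] + report["missing"]

def demo():
    """Constructed scenario: snapshot a tree, tamper with it, detect, restore, re-check."""
    work = tempfile.mkdtemp()
    root, backup = os.path.join(work, "live"), os.path.join(work, "backup")
    os.makedirs(root)
    with open(os.path.join(root, "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    shutil.copytree(root, backup)            # trusted copy kept off the monitored tree
    baseline = build_baseline(root)
    with open(os.path.join(root, "hosts"), "a") as f:
        f.write("10.0.0.1 updates.example\n")  # simulated tampering (constructed)
    with open(os.path.join(root, "dropped.bin"), "w") as f:
        f.write("unexpected")                  # simulated dropped-in file (constructed)
    before = check_integrity(root, baseline)
    restore(root, backup, before)
    after = check_integrity(root, baseline)
    shutil.rmtree(work)
    return before, after
```

The point of the second check is the one Starnes makes: detection alone leaves the damage in place, so the baseline is only useful if it is paired with a restore path from a copy the attacker could not reach.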

600,000 LOG-INS?

Another approach is keeping closer tabs on who should be on the networks. PricewaterhouseCoopers' Duffy tells the story of a major national clothing retailer that came to him for help when it wanted to move all of its human resources functions online.

The trouble was that only 20,000 of the company's 300,000 employees had log-in privileges. To link everyone online, the retailer would have needed to increase the number of people using its network fifteen-fold. Then Duffy discovered that the company, like many mass-market retailers, had annual turnover of 100%. That meant it would have had to provide upward of 600,000 log-in credentials a year -- a thirty-fold increase.

"You have a cost for security that's going to go through the roof. Any benefit you get in HR would be offset by the army of administrators," says Duffy. The solution: PwC put in software from a company called Oblix that allowed the retailer to automate the assignment of log-in privileges.

Now, when part-time store clerks get hired, they receive network access only to the programs needed to administer their benefits. The software also removes employees' network privileges when they leave the company.
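The joiner/leaver automation the retailer adopted, as an added example written for this page (not Oblix's product or PwC's deployment): the HR roster is the system of record, each role maps to exactly the entitlements it needs, and a reconciliation pass derives creates, grants, revokes and disables. The roles, entitlements and employee records are constructed.

```python
# Constructed role -> entitlement mapping (assumption for the example).
ROLE_ENTITLEMENTS = {
    "store_clerk": {"benefits_portal"},
    "hr_admin": {"benefits_portal", "hr_admin_console"},
}

def reconcile(roster, accounts):
    """Derive account actions from the HR roster.

    roster:   employee_id -> {"role": str, "active": bool}  (authoritative)
    accounts: employee_id -> set of entitlements currently granted
    Returns sorted (action, employee_id, entitlement_or_None) tuples.
    """
    actions = []
    for emp, rec in roster.items():
        if not rec["active"]:                      # leaver: pull the whole account
            if emp in accounts:
                actions.append(("disable", emp, None))
            continue
        have = accounts.get(emp, set())
        wanted = ROLE_ENTITLEMENTS[rec["role"]]
        if emp not in accounts:                    # joiner: account does not exist yet
            actions.append(("create", emp, None))
        actions += [("grant", emp, e) for e in sorted(wanted - have)]
        actions += [("revoke", emp, e) for e in sorted(have - wanted)]   # privilege creep
    for emp in accounts:
        if emp not in roster:                      # orphan: nobody in HR owns it
            actions.append(("disable", emp, None))
    return sorted(actions, key=lambda a: (a[0], a[1], a[2] or ""))

def apply_actions(actions, accounts):
    """Return the account state after carrying out the actions."""
    state = {k: set(v) for k, v in accounts.items()}
    for action, emp, ent in actions:
        if action in ("create", "grant"):
            state.setdefault(emp, set())
            if ent:
                state[emp].add(ent)
        elif action == "revoke":
            state[emp].discard(ent)
        elif action == "disable":
            state.pop(emp, None)
    return state

def demo():
    """Constructed roster: a new hire, a clean admin, a leaver, a clerk with creep, an orphan."""
    roster = {"e100": {"role": "store_clerk", "active": True},
              "e200": {"role": "hr_admin", "active": True},
              "e300": {"role": "store_clerk", "active": False},
              "e400": {"role": "store_clerk", "active": True}}
    accounts = {"e200": {"benefits_portal", "hr_admin_console"},
                "e300": {"benefits_portal"},
                "e400": {"benefits_portal", "hr_admin_console"},
                "e999": {"benefits_portal"}}
    actions = reconcile(roster, accounts)
    return actions, reconcile(roster, apply_actions(actions, accounts))
```

Running the pass twice is the check worth keeping: the second run must produce no actions, which is what lets it be scheduled against a roster that turns over completely every year without an administrator in the loop.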

Of course, all of these new approaches remain in the earliest stages. And no one is advising companies to abandon firewalls, which remain the foundation for defending any company's network. Companies such as Check Point Software Technologies (CHKP) and NetScreen (NSCN) have enhanced firewalls to make them far more effective against the newer, multifaceted Web attacks.

Here's the rub: In the Internet Era, firewalls seem increasingly permeable. And businesses would do well to look at ways to watch and control more rigorously what's happening inside the perimeter rather than put their stock in blocking out barbarians with a firewall.

Salkever covers computer security issues weekly in his Security Net column, only on BusinessWeek Online

Edited by Douglas Harbrecht