Information Security News mailing list archives

Server port 80 plagues Internet security


From: InfoSec News <isn () c4i org>
Date: Thu, 4 Apr 2002 01:20:58 -0600 (CST)

http://www.infoworld.com/articles/hn/xml/02/04/03/020403hniss.xml

By Sam Costello 
April 3, 2002 2:16 pm PT

THE INTERNET HAS become a riskier place for businesses since the fall
of 2001 and doesn't look to be any more secure in the near future,
according to security firm Internet Security Systems, which released
its security incident figures for the first quarter of 2002 Wednesday.

The Sept. 11 terrorist attacks on the U.S. have not prompted any
obvious cyberattacks, ISS concluded.

Overall Internet security has been hampered by a steady tide of denial
of service (DoS) attacks, as well as the rise of hybrid attacks --
attack tools that spread through multiple means, such as the Web,
e-mail, file sharing and instant messaging, ISS wrote. Worms such as
Code Red and Nimda are leading examples of hybrid threats, though
there have since been a number of others.

"Internet risk will continue to increase as long as fundamental
Internet risk factors are not lessened in some way," ISS wrote.  
"Attacks are now global in scope and round-the-clock in incidence."

"There's no such thing as a low threat (level) on the Internet," said
Dennis Treece, director of the X-Force Special Operations Group at ISS
in Atlanta. "If you're going to connect to it, you better have a suit
of armor."

The company compiled its data from more than 350 high-volume intrusion
detection sensors managed by the company around the world.

One major risk factor that will be difficult to address is the way the
majority of attacks are being perpetrated. The vast majority of
attacks in the first quarter of 2002, nearly 70 percent, were launched
on server port 80, the same port that Web traffic flows on, ISS said.  
This poses a particular problem because curtailing access to port 80
would also negatively affect Web traffic, the company wrote.

However, companies can take steps to reduce their vulnerabilities over
port 80, including turning off unused services, such as Web server
software on a file server, ISS wrote.

"Since almost 70 percent of malicious activity occurs as a result of
entry through port 80, it is obvious and imperative that firewalls
should be augmented with additional intrusion and defense technology,
since firewalls cannot prevent this form of unauthorized access in
their own right," the company wrote.

Further underscoring the danger lurking on port 80, DoS attacks,
hybrid threats and port scans, all usually conducted over port 80,
made up more than 80 percent of all attacks in the quarter, ISS wrote.  
DoS attacks are those in which applications or servers are flooded
with traffic in order to deny access to legitimate users and are
growing in number, though their growth rate has been dwarfed by that
of hybrid threats and port scans, ISS said.

Port scanning is a common activity engaged in by attackers before an
attack is launched and is designed to discover details and
vulnerabilities about networks.

The volume of attacks against port 80 is "troubling because it's the
wide-open door," Treece said. Many businesses that lack IT expertise
have seen firewalls as silver bullets in the past because of their
ability to block traffic, but as most firewalls allow connections on
port 80, this data shows that firewalls are being marginalized, he
said.

The Nimda worm, which infected hundreds of thousands of computers in
September 2001, is still widespread on the Internet, ISS wrote,
despite there being a patch available from Microsoft to block it.  
Nimda is "a dominant, expensive and enduring threat," ISS concluded.

Despite multiple warnings on the potential for cyberterrorist attacks
after Sept. 11, ISS did not see any indications of such attacks.

"The events of 9/11 had no apparent effect on malicious Internet
activity, but interest in security was up. Thus far, there have been
no cyber attacks that we can relate directly to the physical attacks
of 9/11," the company wrote.

The Internet has not been attacked by terrorists because they "want to
make use of the Internet, they don't want to hurt it," Treece said.

ISS also counted 537 new security vulnerabilities in software for the
quarter. Security vulnerabilities, and slowness to apply patches to
fix those holes, have resulted in a number of serious security
incidents, including the Code Red and Nimda worms.

"The software community, including developers, vendors and users, is
beginning to raise the profile of security within the development
process. Improvements, however, will take time," ISS said. "As a
result, the medium- and long-term risk assessment for the Internet
remains significantly less than optimistic, with hybrid threats
continuing as the most dangerous form of attack."

ISS's full report can be found online at
https://gtoc.iss.net/documents/summaryreport.pdf



-
ISN is currently hosted by Attrition.org


