The View From Symantec's Security Central

[InfoSec News <isn () c4i org>]

http://www.washingtonpost.com/wp-dyn/articles/A28625-2003Jan8.html

By Leslie Walker
walkerl () washpost com
Thursday, January 9, 2003

An ordinary office building on Route 1 in Alexandria offers a rare 
window into the Internet hacker wars and a few clues to why Uncle Sam 
wants more monitoring capabilities in cyberspace. 

Inside a cavernous room on the first floor there, security analysts 
for Symantec sit in long, curved rows 24 hours a day, working on 
computers and facing a wall of theater-size screens. Information 
displayed on the screens helps them keep tabs on whether any attacks 
are underway at any of the company's more than 600 corporate clients. 

Every five minutes or so, a giant, illuminated globe appears on the 
central screen and starts to rotate, displaying the locations 
worldwide where hackers are launching the most attacks. Symantec uses 
special technology to monitor a huge chunk of the public Internet 
along with the internal nooks and crannies of its clients' private 
networks, looking for telltale signs of computer break-ins. 

Its software constantly compares current hacker activity with a 
database of prior attacks, then displays in red the names of countries 
where an unusual amount of malicious Internet activity is originating 
that day. The rotating globe also displays the number of attempted 
break-ins against Symantec clients over the past 24 hours in the 10 
most active countries. 

On a recent Friday, the globe showed more than 16,000 attempted 
break-ins originating from the United States, which often ranks as the 
world's top launching pad for computer hackers. Brazil ranked No. 4 
with 722 attacks. South Korea, Japan, Germany and Taiwan also 
frequently appear on Symantec's top 10 list for malicious computer 
activity. 

Big numbers are par for the course at the Alexandria center, where 
analysts detect more than 15,000 discrete "security events" against 
Symantec's clients every day. About 4,000 are deemed real hacker 
attacks after further analysis, company officials said. 

"You can tell from these statistics that it's the Wild West out there 
on the Internet," said Grant Geyer, who supervises the 
12,000-square-foot facility. "Companies need to do whatever they can 
to protect themselves." 

The four-year-old operation, which includes special monitoring and 
"data mining" technology, was created by a local start-up called 
Riptech. Last year, California-based Symantec paid about $350 million 
to buy Riptech and three other electronic-security firms (Recourse 
Technologies, SecurityFocus and Mountain Wave) that had developed 
proprietary anti-hacker technology. Symantec merged Riptech's 
operations with its own and now has four similar centers -- in 
Britain, Japan, Germany and San Antonio. 

Symantec is known as the maker of the Norton anti-virus software that 
runs on many home computers. But like competitor Network Associates, 
it has been diversifying its security arsenal in an attempt to be at 
the forefront of an emerging industry -- managing cybersecurity on 
behalf of companies and governments. Mid-size companies typically pay 
Symantec $1,000 to $2,000 a month to monitor their networks. The firm 
has big clients, too -- including 55 of the Fortune 500 companies -- 
and does work for several federal agencies. 

The managed-security industry is complex and growing fast, especially 
as companies awake to the difficulties of interpreting the deluge of 
data on their computer networks. Not only is it hard to make sense of 
who's doing what on a firm's network, Web sites and wireless devices, 
but almost no company can see what is happening on other computer 
networks. One advantage managed-security firms have is a global view 
that lets them detect patterns. 

The Alexandria facility is a private, miniature version of the kind of 
public Internet-monitoring capability the Bush administration wants 
the federal government to develop to protect the nation's electronic 
infrastructure. The administration is readying for release in a few 
weeks a final draft of its national strategy for bolstering 
cybersecurity. 

Hacking -- unauthorized break-ins on private computers and networks -- 
is increasing dramatically as more computers connect to the Internet. 
So, too, is the distribution of computer "viruses" and "worms" that 
travel the globe via images, documents and plain-text e-mail messages. 
Riptech, one of the few companies that monitored global hacking, 
detected a rise in malicious computer traffic during the first half of 
last year amounting to an annual rate of 65 percent. 

One reason for the jump was the explosive growth in the distribution 
of point-and-click hacking tools online. At the same time, more 
critical commercial and government operations are moving online, 
presenting a greater number of tempting targets to cyber-crooks. The 
United States and other countries have passed laws criminalizing 
certain forms of electronic break-ins, but detection and prosecution 
remain a challenge because it's so easy to hide tracks in cyberspace. 
Even in Alexandria, Symantec's job isn't to catch the bad guys, nor to 
report them to law enforcement -- it's to thwart attacks and notify 
companies of problems. 

Natalie Smishko, 25, is typical of the analysts. Sitting in a raised, 
rotating cubicle with built-in computer monitors and its own heat and 
light controls, Smishko pores over logs in an attempt to separate real 
attacks from false positives. Symantec's software automatically 
collates data from multiple sources -- all the software programs and 
hardware devices that companies use to monitor their networks -- and 
presents it in a unified format. 

"In this case, an attack was launched against one of our clients and 
you can see where they scanned our protected network," said Smishko, 
pointing to a list of network locations that allowed her to click on 
any single address to get more details. 

Another view showed her all the computer ports the interloper had 
scanned to see if they were open. Drilling deeper, she could see 
where, if at all, the interloper entered the client's network. If data 
is transmitted, she can see that, too -- and not only when it is moved 
by outsiders. Symantec has caught insiders improperly sending 
pre-merger details and pre-earnings data and has reported those 
findings to the employees' bosses. 

In addition, Smishko can probe Symantec's database history to see if a 
hacker's style of attack -- the reconnaissance probes he runs, 
software he uses, ports he tries to enter and originating Internet 
addresses -- matches prior attacks. Spotting repeat offenders helps 
Symantec anticipate what might come next, as with attacks that 
happened on the financial sector last summer. 

During that time, analysts in Alexandria saw Bulgaria's name suddenly 
go red on their giant globe as the hacking activity originating there 
increased over a three-week period. The analysts determined that 
unidentified cyber-baddies were launching what appeared to be 
coordinated attacks against many of the largest financial institutions 
in the United States, several of which are monitored by Symantec. 

"We immediately gave a whole block of IP addresses [numerical 
addresses of specific machines hooked up to the Internet] to our 
clients and told them to block all traffic originating from those 
addresses," Geyer recalled. 

That doesn't mean the perpetrators were actually in Bulgaria. Serious 
attacks often are launched through "bot-nets," slang for networks of 
robots, typically compromised machines in the homes of unsuspecting PC 
users. Hackers take these computers over from afar and turn them into 
"zombies" that they control remotely and use to launch coordinated 
attacks. 

"It's not unusual for us to see a single home computer launch attacks 
against 200 of our clients on the same day," Geyer said. 

It's anybody's guess, of course, who will win this escalating global 
arms race between hackers and anti-hackers. But it's a sure bet that 
2003 will see plenty of new resources pour into the coffers of 
cybersecurity firms, bulking up the fledgling anti-hacking industry. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.