[ISN] Server port 80 plagues Internet security

From: InfoSec News (isnat_private)
Date: Wed Apr 03 2002 - 23:20:58 PST

    http://www.infoworld.com/articles/hn/xml/02/04/03/020403hniss.xml
    
    By Sam Costello 
    April 3, 2002 2:16 pm PT
    
    The Internet has become a riskier place for businesses since the fall
    of 2001 and doesn't look to be any more secure in the near future,
    according to security firm Internet Security Systems, which released
    its security incident figures for the first quarter of 2002 Wednesday.
    
    The Sept. 11 terrorist attacks on the U.S. have not prompted any
    obvious cyberattacks, ISS concluded.
    
    Overall Internet security has been hampered by a steady tide of denial
    of service (DoS) attacks, as well as the rise of hybrid attacks --
    attack tools that spread through multiple means, such as the Web,
    e-mail, file sharing and instant messaging, ISS wrote. Worms such as
    Code Red and Nimda are leading examples of hybrid threats, though
    there have since been a number of others.
    
    "Internet risk will continue to increase as long as fundamental
    Internet risk factors are not lessened in some way," ISS wrote.  
    "Attacks are now global in scope and round-the-clock in incidence."
    
    "There's no such thing as a low threat (level) on the Internet," said
    Dennis Treece, director of the X-Force Special Operations Group at ISS
    in Atlanta. "If you're going to connect to it, you better have a suit
    of armor."
    
    The company compiled its data from more than 350 high-volume intrusion
    detection sensors managed by the company around the world.
    
    One major risk factor that will be difficult to address is the way the
    majority of attacks are being perpetrated. The vast majority of
    attacks in the first quarter of 2002, nearly 70 percent, were launched
    on server port 80, the same port that Web traffic flows on, ISS said.  
    This poses a particular problem because curtailing access to port 80
    would also negatively affect Web traffic, the company wrote.
    
    However, companies can take steps to reduce their vulnerabilities over
    port 80, including turning off unused services, such as Web server
    software on a file server, ISS wrote.
    
    "Since almost 70 percent of malicious activity occurs as a result of
    entry through port 80, it is obvious and imperative that firewalls
    should be augmented with additional intrusion and defense technology,
    since firewalls cannot prevent this form of unauthorized access in
    their own right," the company wrote.
    
    Further underscoring the danger lurking on port 80, DoS attacks,
    hybrid threats and port scans, all usually conducted over port 80,
    made up more than 80 percent of all attacks in the quarter, ISS wrote.  
    DoS attacks are those in which applications or servers are flooded
    with traffic in order to deny access to legitimate users and are
    growing in number, though their growth rate has been dwarfed by that
    of hybrid threats and port scans, ISS said.
    
    Port scanning is a common activity engaged in by attackers before an
    attack is launched and is designed to discover details and
    vulnerabilities about networks.
    
    The volume of attacks against port 80 is "troubling because it's the
    wide-open door," Treece said. Many businesses that lack IT expertise
    have seen firewalls as silver bullets in the past because of their
    ability to block traffic, but as most firewalls allow connections on
    port 80, this data shows that firewalls are being marginalized, he
    said.
    
    The Nimda worm, which infected hundreds of thousands of computers in
    September 2001, is still widespread on the Internet, ISS wrote,
    despite there being a patch available from Microsoft to block it.  
    Nimda is "a dominant, expensive and enduring threat," ISS concluded.
    
    Despite multiple warnings on the potential for cyberterrorist attacks
    after Sept. 11, ISS did not see any indications of such attacks.
    
    "The events of 9/11 had no apparent effect on malicious Internet
    activity, but interest in security was up. Thus far, there have been
    no cyber attacks that we can relate directly to the physical attacks
    of 9/11," the company wrote.
    
    The Internet has not been attacked by terrorists because they "want to
    make use of the Internet, they don't want to hurt it," Treece said.
    
    ISS also counted 537 new security vulnerabilities in software for the
    quarter. Security vulnerabilities, and slowness to apply patches to
    fix those holes, have resulted in a number of serious security
    incidents, including the Code Red and Nimda worms.
    
    "The software community, including developers, vendors and users, is
    beginning to raise the profile of security within the development
    process. Improvements, however, will take time," ISS said. "As a
    result, the medium- and long-term risk assessment for the Internet
    remains significantly less than optimistic, with hybrid threats
    continuing as the most dangerous form of attack."
    
    ISS's full report can be found online at
    https://gtoc.iss.net/documents/summaryreport.pdf
    
    
    