Commentary: Hacker attack stresses network security

By John Pescatore, Gartner Analyst

While statistical data on security incidents is always hard to come by, anecdotal evidence and reports from incident response teams document growth in targeted attacks. This means businesses need to continue to evaluate and update their security measures.

	See news story: Microsoft computer network hacked; FBI steps in

Although the vast majority of virus attacks don't lead to the same level of information compromise that Microsoft may have suffered, Gartner's analysis shows that attacks targeted at acquiring or destroying specific data are growing rapidly. These attacks include attempts to mine competitive information from poorly secured Web servers, Trojan-horse attacks like the QAZ virus and data-sniffing attacks.

Microsoft.com is one of the most frequently attacked Internet domains. Microsoft's internal security staff and its use of outside security service providers represent expenditures few companies are willing or able to make.

Therefore, the attack is particularly unsettling because it successfully penetrated a large company that emphasizes network security. However, the incident can also serve to help IT security officers reinforce the following:

•  A virus like QAZ usually comes via an infected e-mail attachment. Therefore, regularly updated mail-server antiviral protection is a wise step toward minimizing penetration and spread.
•  The increasing use of Web-based e-mail services, such as Microsoft's HotMail, can bring such attachments in via HTTP. Firewall-side antivirus software can check that method of entry.
•  A dangerous new path by way of which viruses can infect corporate PCs, particularly laptops, exists when cable and DSL Internet service is used for virtual private network (VPN) connections to corporate networks, which can bypass all server-side antivirus protections. Therefore, desktop antivirus signatures must be updated on a regular basis.
•  Gartner also recommends prohibiting split-tunneling on VPN connections or using personal firewall software on laptops that connect over cable or DSL service.

Once a Trojan virus like QAZ makes it onto a corporate PC, it often evades detection and then spreads. To combat this, businesses need software that detects the installation of unauthorized software or registry modifications and performs regular scans.

Because this type of virus communicates outside the corporation to receive data from the hacker, a business' firewall must block outbound communication on all ports that are not absolutely required. Regular firewall audits and the use of firewall reporting tools should be used to detect unusual protocols, ports or destinations.

To protect sensitive information located on servers, businesses must undergo a data-classification effort. The implementation of internal network security zones or stronger authorization methods (such as smart cards) are suggested tactics for protecting high-value internal information.

Many virus programs attempt to cover their tracks to evade an investigation, so businesses must protect their firewall and high-value server-log files. If a business detects the compromise, a decision must be quickly made as to the seriousness of the compromise and whether to involve law enforcement.

Therefore, an incident response process must be defined and roles assigned before disaster strikes.

The type of attack Microsoft appears to have suffered can happen to any company that has not taken the aforementioned steps. Increasing use of remote-access VPNs over cable and DSL, more open access to intranet data and application servers and a failure to keep security processes as current as security technologies can open huge holes in a company's security.

Because of limited budgets for security, businesses should focus their investments on protecting the corporate jewels and investigate outsourcing the day-to-day perimeter security functions to free up resources for increasing the level of security inside the firewall.

(For related commentary on outsourcing security, see TechRepublic.com--free registration required.)

Entire contents, Copyright © 2000 Gartner Group, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.