The stark reality is that network security in this Internet age
is a race. This race starts every time a new virus, worm or
vulnerability is discovered; and only finishes when either an
organization’s network is protected or compromised.
These are the only two possible outcomes; you win or you lose,
there are no silver medals. And the IT departments around the
world are finding themselves increasingly under pressure, as new
viruses and worms such as Klez.h, Netsky.q, MyDoom.a, Bagle.z,
Slammer, Sasser and the current plague of Zafi.b, seemingly
breach networks with ease.
The “arms race” is currently being lost because most of the IT
world is still looking to out-of-date technology to protect
themselves. The vast majority of the anti-virus systems out
there, use “PULL” technology, in order to obtain the latest
anti-virus signatures. The simple fact is that even if network
security is updated once a day like clockwork, because there are
new viruses, worms and vulnerabilities appearing all of the
time, within just moments of that daily update, the system can
(and most likely will) be vulnerable once more.
There is simply no way that an IT manager, or even two or three
skilled people working in an IT department, can provide this
type of 24/7 update service for their organization.
Most anti-virus vendors still use this ineffective “once a
day,” or even “once a week” update model, despite their
marketing claims of so called “live,” or “active,” or
There are already nearly one hundred thousand known computer
viruses, and each month over a thousand new viruses, worms and
“Trojans” are added to the mix.
Of course, not every one of these viruses and worms is destined
to be as “successful” as Klez.h, Netsky.q, MyDoom.a, Bagle.z or
the current plague of Zafi.b; but at the moment a new virus or
worm is first discovered, it is almost impossible to know for
sure which will be a major problem, and which will be no more
than a mere curiosity.
A variety of factors will come into play that governs the
success of the virus, worm or trojan.
The virus writer needs to get his or her virus to
“critical-mass” before the major anti-virus companies can get a
virus signature out, installed on their customers’ computer
systems, and protecting them. To achieve this, many virus
writers are turning to Spamming techniques, ensuring critical
mass within moments of launch. “Blended” technology is also
being used to further improve the virus’ or worm’s chance of
success. Rather than depend on just mass mailing emails, for
example, certain worms (such as variants of Netsky) may well
attack users via certain open and unprotected network ports, to
exploit known vulnerabilities in popular operating system
If a worm is able to reach critical mass quickly, and takes
advantage of a wide spread vulnerability, the result is often
hundreds of thousands of computer systems around the world,
being infected in just moments.
A classic example of the speed with which viruses spread is the
SQL Slammer worm. On 25th January 2003, at 05:29:36GMT, we
detected and blocked the first probe to UDP port 1434 in Korea.
In Japan, Thailand, Germany, Switzerland, Australia, England,
Saudi Arabia, similar probes were being reported worldwide in a
matter of seconds. Within three minutes, we had detected and
blocked probes to that port throughout the world.
This means that effectively within three minutes of its
release, the worm had probed every single active Internet host,
and detected and infected every single active and vulnerable
server. Probe rates were as high as one probe per IP address per
second in Korea and Australia.
If you are connected to the Internet, you are at risk, pure and
simple. And if you think that having a firewall and an
anti-virus program installed is enough to protect you, then you
need to think again – and fast.
The speed of the Internet has made “friction of distance”
In the face of the onslaught from malware, protection needs to
move with the times. Firstly, networks require blended
protection, which includes firewall, VPN (Virtual Private
Networking), IDP (Intrusion Detection and Prevention),
anti-virus, anti-SPAM, content filtering and company policy
management; just having parts of the jigsaw is not enough.
Secondly, these systems need to work seamlessly, with
zero-latency between the intrusion detection and the firewall.
Thirdly, all of these systems need to be updated in real-time,
using state-of-the-art PUSH technology, not the PULL technology
Last but not least, systems need to include the latest
heuristic technology, and not rely too heavily on pattern
recognition alone, as we see more and more zero-day high speed
attacks across the Internet. A high quality anti-virus heuristic
engine, such as the one from Kaspersky, can actually block up to
92% of known viruses, even without have any signatures