If you thought computer security was bad in 2001, you're not going to enjoy 2002. That was the message from SecurityFocus Inc. co-founder and Chief Executive Officer Arthur Wong in a presentation he gave at the RSA Conference 2002.
The 11th annual RSA Conference, which ran last week, drew over 10,000 attendees to discover details about new security products, as well as hear speeches about topics such as cyberterrorism and cryptography, to say nothing of a couple early morning songs from the rock band Cheap Trick. Wong's message to attendees, however, was likely sobering.
Despite such major security incidents as the Code Red and Nimda worms, "2001 wasn't as bad as it could have been," he said in a presentation at the start of the show.
In 2001, about 30 new software vulnerabilities were discovered each week, Wong said, marking a decrease in a trend that had seen the number of new vulnerabilities doubling every year for much of the late '90s. Wong expects that 2002 will bring a return to old growth rates, predicting that 50 new software security holes will be found each week in the coming year.
Along with forward-looking figures, Wong also provided a glimpse into the raw number of attacks that companies faced in 2001. Wong's company, SecurityFocus, sells a security threat analysis and warning service which draws its data from the intrusion detection systems of about 10,000 companies in 150 countries on six continents. From those companies, Wong was able to present some interesting data.
In 2001, SecurityFocus customers experienced a total of more than 129 million network probes, often a precursor to a network attack. They also faced more 29 million Web-based attacks, over 6 million denial of service attacks and about 154,000 Windows-specific attacks, he said.
The company's data also showed that, in what was likely not a surprise to some, Windows in all its versions is attacked more than any other operating system, with over 31 million security incidents in 2001. Following Windows, all versions of Unix run by SecurityFocus customers were attacked 22 million times and Cisco Systems Inc.'s IOS operating system underwent over 7 million attacks, he said.
On the Web server front, Microsoft Corp. was again the most popular target. Microsoft's IIS (Internet Information Services), the software that was exploited to spread Code Red and Nimda, was attacked over 17 million times, Wong said. SecurityFocus customers running the open-source Web server Apache were attacked only 12,000 times, he said, meaning that IIS systems are "1,400 times more frequently attacked than Apache."
Despite the large gap between the rates at which different products are attacked, "there is no way that you can buy anything, subscribe to anything, and say you're 100 percent secure," Wong said. "Security is a process, not a product."
That process, he said, should involve a security monitoring service, such as that offered by his company.
"We spend too much time fighting the last war when we ought to be trying to figure out what the next war is going to be," he said.