In the wake of a massive DDoS (distributed denial of service) attack on major U.S. Web sites last year, users are clearly moving to outsourced MSS (management security services) for protection.
Users also got a reminder last week of the ever-present threat of these attacks when Microsoft Corp. acknowledged that it had been the victim of a DDoS assault that overwhelmed the company's Web site traffic routers, cutting off users for hours. The software giant said the attack was unrelated to other shutdowns.
Despite the severity of the DDoS attacks that crippled Yahoo.com, eBay, and Amazon.com at different times from Feb. 6 to Feb. 14, 2000, many companies still are not devoting the necessary funds to the problem, analysts said, and some users still have a lackadaisical attitude toward security.
"We see that at small to medium businesses," said Chris Klaus, CTO of MSS vendor Internet Security Systems Inc., in Atlanta. "Those companies are being used as launching sites for bigger attacks."
Citing a Forrester Research Inc. survey of 50 U.S. companies with US$100 million or more in revenue, an average of $239 per $1 million worth of revenue was spent on security in 2000, said Frank Prince, an analyst at the Cambridge, Mass.-based market researcher. By 2004, that figure may inch up to be $316 per $1 million.
Reasons for the small expenditures on security include lack of time, money, and personnel, Prince said. As a result of these shortfalls, many enterprises are turning to outsourcing options, Prince said. In fact, the same Forrester Research survey indicated that outsourcing was growing faster than internal IT security operations. But companies still spent more money on internal operations, Prince said.
Although interest in MSS is growing, there is not yet overwhelming demand, said Richard Hunter, managing vice president of consulting at Gartner Group Inc., a consultancy, in Stamford, Conn.
Demand is not at a level "to sustain multiple major players," Hunter said. "For enterprises, the most significant threats ... are internal threats. Managed network services [do not] address that problem."
Outsourcing to a MSS provider might open a company to vulnerabilities if that outsourcer's systems were breached, said Jesper Johansson, a professor of information systems at Boston University. "If [the outsourcer's] security is breached ... I could potentially own all their clients," he said. "The outsourcing companies have to be very, very vigilant."
Even so, the area is lucrative enough to attract new players and products to close the security gap.
The latest entry in the MSS game, OneSecure, will launch this week. Based in Denver, OneSecure Corp. is selling the idea of comanagement to users via its scalable platform and subscription-based managed services of firewalls, VPNs, remote access, and intrusion detection, said the company's CTO, Nik Zur.
Industry sources revealed that a Waltham, Massachusetts-based startup, Arbor Networks, will follow suit with the launch of its company and service offerings next Monday to coincide with the anniversary of the last year's DDoS attacks. The company will focus on providing managed services and DDoS protection for large enterprises, Web hosts, and ISPs, sources said.
At the ComNet Conference and Expo in Washington this week, Sunnyvale, California-based SonicWall will showcase its just announced SonicWall TotalSecure managed security service for small to midsize businesses to be offered through MyCIO.com and All Bases Covered.
Internet Security Systems (ISS) is targeting and partnering with Lucent Technologies, Qwest, Bell South, and Marconi to tackle security management in the vertical sector, Klaus said.
ISPs and hosts serve as a key focal point and conduit for potential DDoS or hacking activity. Last week, RipTech, based in Alexandria, Virginia, reached an agreement with Yipes.com to be the exclusive provider of around-the-clock management and monitoring for Yipes' new managed firewall offering, Yipes Wall.
RipTech offers security consulting, high-end penetration tests, policy development, and security monitoring via eSentry, its management application delivery model. CTO Tim Belcher said some customers do feel trepidation toward outsourced security.
"The idea of bringing in someone to guard the family jewels is a relatively new concept for IT managers who have historically run their shops in-house," Belcher said. "[But] companies have invested hundreds of thousands of dollars in security products, and nobody's watching them and they know it."
Prosecuting hackers, such as the teenager who pleaded guilty to paralyzing several high-profile Web sites last year, is complicated by problems the legal system has in applying current law to cyberspace and corporate victims who are loathe to admit security breaches.
The 16-year-old Montreal teen who last year used the handle Mafiaboy while lobbing DoS (denial of service) attacks at Amazon.com Inc., eBay Inc., and Yahoo Inc. for various periods of time between Feb. 6 and Feb. 14 is scheduled to be sentenced in April.
The judge in the case has broad discretion as to which sentence he imposes, from a fine of approximately $661 to detention. Some say the penalty is too small for the attacks, which the Royal Canadian Mounted Police and the FBI estimate to exceed $1.5 billion in damage.
Hackers who are often difficult to locate and prosecute end up getting "a slap on the hand for it," said Jesper Johansson, assistant professor of information systems at Boston University. "Legislators are mostly lawyers; they're not technologists. That makes it difficult for them to pass adequate laws," he said.
But Eric Friedberg, a former computer and telecommunications crime coordinator at the U.S. Attorney's office in New York and now a computer crime consultant at Stroz and Associates in New York, said hackers are sentenced based upon the financial losses they cause. Mafiaboy, a juvenile, did not receive as harsh a sentence as he would have if he were an adult. "The sentencing goal with regard to a juvenile is to achieve rehabilitation," Friedberg said.
Historically, law enforcement officials have been hampered in their efforts to track and prosecute cybercriminals because corporate America is afraid of exposing embarrassing breaches.
Hackers' camouflaged identities often confound prosecution. Even in cases where hackers can be traced, determining criminal intent is not clear-cut, said Mark Rasch, vice president for cyber law at Predictive Systems in Reston, Virginia. "Somebody who would never break into someone's hotel room would not think twice about reading someone's e-mail," Rasch said. "Society does not understand the parameters of what is rightful or wrongful context."
Tim Belcher, CTO of MSS (management security services) provider RipTech, in Alexandria, Virginia, said a mind-set exists that places responsibility for security vulnerabilities with the targeted companies. "There's a general mentality, deserved or not, that some of these billion-dollar organizations should have protected themselves better," Belcher said.