Hackers enjoy a bad patch

  by David Neal, © 1995-2002 VNU Business Publications Ltd. All rights reserved

  Monday, 9th September 2002 - Experts say failure to patch systems 
	has allowed security breaches to surge 
   August was a record-breaking month for attacks on IT systems by hackers, 
	according to security firm mi2g, and 2002 is set to become the worst 
	year for digital attacks since its records began in 1995. mi2g said 
	the growing threat makes it vital for firms to regularly check the security 
	of systems and apply patches.
   mi2g releases reports on a monthly basis as part of its Intelligence 
	Briefing papers. It said that worldwide there were 5,830 reported attacks 
	in August and the total for the year to date is over 31,000. In 2001 there 
	were just 31,332 attacks in total. mi2g predicted that for the whole 
	of this year there will be at least 45,000.
   In a separate report published earlier this month, mi2g indicated 
	that Windows was the most vulnerable operating system and the one most likely 
	to be hacked. 
   The company said the number of attacks on Windows-based systems was steadily 
	rising, increasing by five percent in June and 12 percent in July. In comparison, 
	it found that attacks on Linux systems were falling, and in June they declined 
	by as much as 39 percent.
   However, the targets and numbers of attacks continue to fluctuate. In April 
	and May, Linux systems were attacked in far greater numbers - 2,192 in April 
	and 2,057 in May - than Windows systems, which were attacked 1,677 and 1,991 
	times.
   In June and July this trend was reversed and Windows systems were compromised 
	more often than Linux platforms.
   mi2g said that attacks on Linux systems were encouraged by exploitable 
	vulnerabilities being discovered in open-source third-party applications.
   However, it added that poor administration may also contribute to the problem.
   Ian Williams, security analyst at research company Datamonitor, said that 
	most attacks came about when vulnerabilities in particular systems were publicised. 
	"According to [security watchdog] Cert, around 95 percent of Web defacements 
	are due to the failure to patch known vulnerabilities. It wouldn't surprise 
	me if there is a strong correlation between the discovery and publication 
	of vulnerabilities and the systems that are attacked. Most [companies] simply 
	don't have the capability to effectively prioritise patches according to where 
	the greatest risk lies."
   Mark Lillycrop, chief executive of research firm Arcati, agreed and warned 
	firms not to read too much into the fluctuating statistics. "Attacks are often 
	due to new flaws being publicised," he added. "There are some sad people out 
	there who like to take advantage of any new security weakness that comes to 
	light, and they tend to have a bandwagon effect."
   A total of 27,273 successful attacks have been reported to mi2g so 
	far this year. Of these, 47 percent were against systems running Windows, 
	36 percent were against Linux-based systems and 17 percent were against various 
	other operating systems, including Unix, BSD, Solaris and AIX.