InternetWeek
How Often Hackers Attack, And What They're After

By Tom Smith


Attack activity against corporate networks went up significantly in the first half of 2002 when compared with the second half of 2001, but the good news is that the incidence of highly sophisticated attacks was low between January and June this year.

Those are some of the key findings in a new study by Riptech Inc., a provider of security monitoring services. The findings are based on events and attack attempts tracked by Riptech among 400 of its customers. The company said the companies it selected for the study represent a cross-section of its clients by company size, vertical industry, public/private, and other variables.

The findings, therefore, are likely to be a good indicator of the experiences of most big companies. Riptech does caution, however, that since all the companies whose experiences factor into the data are users of security monitoring services, they tend to be closer than most to the leading edge in deploying security technology. "These companies have made the decision to be our customers, so they tend to be more security-aware," said Elad Yoran, executive vice president at Riptech, Alexandria, Va.

There's one important exclusion from most of the findings: Riptech tracks -- but didn't count -- worm activity among most of the attack figures it reported, because worms typically account for a disproportionate share of activity. The company did gather some data on worm activity, however: worms accounted for 44 percent of overall attack activity in the preceding six months, compared with 63 percent during the second half of 2001. A likely explanation, according to Yoran, is that there was no particularly significant worm released in the year's first six months, while last year witnessed the release of major worms such as Code Red. "Companies in general have done a reasonably good job of patching their systems to protect against worms," Yoran added.

Among the 400 companies whose experiences make up the Riptech data, the average was 32 attacks per company per week, a 28 percent increase vs. 25 attacks per company per week in 2001's second half. Riptech's Yoran said several factors are likely playing into this heightened amount of malicious activity: the sheer growth of the Internet and the number of users with Internet connections. By default, more users mean a greater number of potentially malicious users. In addition, the Internet makes it easier to access and exploit tools for launching attacks, and those tools are becoming ever easier to use, Yoran said.

Despite the increased activity, the number of attacks that are considered highly aggressive or sophisticated was less than 1 percent. The percentage of companies experiencing at least one attack posing a severe threat was 23 percent, a sharp decrease from the 43 percent experiencing severe attacks in the second half of last year. Riptech noted this could be an outcome of the strong security posture that's typical of companies using security monitoring services. Riptech also cautioned that this can't be viewed as all good news, since nearly a quarter of companies faced a serious potential security breach.

When highly aggressive attacks occur, they are more than 26 times more likely to have severe effects than attacks that are classified as moderately aggressive, so even the small percentage of such attacks remains cause for concern.

Riptech's data includes several other important findings for security and IT managers. The top 20 "scans" -- attempts by hackers to gain information about systems or networks as a precursor to launching an attack -- were headed by File Transfer Protocol scans. FTP is one of the most commonly used protocols for moving files from system to system across a network, including the Internet. Riptech's analysis suggests that hackers would look to exploit FTP to compromise a system supporting the protocol, or to "borrow" an FTP server for uploading and storing pirated software or music files.

The second-most common scan during the six-month window involved Microsoft SQL databases. This activity increased dramatically as an outcome of the SQL Spida worm that was released in May. According to Riptech, that worm prompted a 500-fold increase in Microsoft SQL scans.

Among other important findings from the study:

  • Roughly one in three attacks was targeted at a specific company. Nearly two in three, or 63 percent, were opportunistic, or aimed at finding and exploiting a vulnerable organization over the Internet.

  • The highest percentages of total attacks, highly aggressive attacks, and severe attacks all took place on Wednesday, while attack activity dropped off significantly on weekends. “It seems counter-intuitive. I guess hackers are people too and tend to follow a normal routine,” Yoran said. "This doesn't mean you can watch any less on weekends or at night."

  • The highest average attacks by company were experienced, in order, by power and energy, financial services, and high tech firms. Manufacturing and media/entertainment were the lowest on this scale.

  • By far the highest percentage of hackers -- more than 63 percent -- used some version of the Microsoft Windows operating system. The next highest number, 12 percent, used Unix.

Copyright © 2010 CMP Media LLC