In what now seems like a more innocent era, attacks against computer networks a decade ago had names like smurf and teardrop. Hackers then typically targeted operating systems, Internet and e-mail servers, firewalls, and other vulnerable network components. Upstart hackers known as script kiddies were motivated by the challenge of taking down a network and earning a measure of notoriety.
Information technology security professionals responded by bolstering firewalls, reconfiguring and scanning networks, and stiffening perimeter defenses. The measures impeded the rash of computer worms that burrowed into networks and relied on unrestricted connectivity to spread.
"Most of the spending [on security] was at the network level," said Mike Weider, chief technology officer at Watchfire, a Web application security company. "The mentality was on perimeter defense to build the walls of the castle high."
Realizing that hardened networks were increasingly difficult to breach using head-on attacks, hackers switched tactics. They turned their attention to finding application-level vulnerabilities. Bugs that reside in programs running on PCs and Web-based applications are as insidious as termites in a wood-frame house. When exploited, they do their damage from the inside out.
"The Internet came along, and applications that were on the inside [of an organization], we put them outside via the Web," Weider said. "Hackers discovered that you could exploit vulnerabilities in the software applications that were put outside the walls and steal data, perform fraud, deface Web sites or cause other malicious acts."
Today, application-level attacks outpace attacks on networks by 3-to-1, according to industry sources. Even as organizations have fortified network security, the threat from application vulnerabilities has expanded.
"This problem has been steadily growing over the last 10 years and has reached a feverish pitch," Weider said. "We've seen a huge shift in attack focus."
The objective of hackers has also changed. "They are no longer just trying to get attention," said James MacDougall, South Carolina's chief information security officer. He said he has seen huge numbers of application-level attacks that seek to steal data or take over computers.