Steep Rise In 'Net Viruses, Software Security Flaws

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The number of viruses and other types of attacks making rounds on the Internet, and the number of security vulnerabilities
discovered in software, climbed dramatically in 2001, according to newly issued statistics by the Computer Emergency Response Team
Coordination Center (CERT/CC).

CERT’s statistics, issued Friday, indicated that the number of incidents rocketed from 21,756 reported in 2000 to 52,658 reported in
2001. For comparison’s sake, CERT said there were 9,859 reports in 1999, 3,734 in 1998 and six in 1988. To be clear, an incident may
involve one site or thousands and may take place over a long period of time.

“The increase [in incidents] we can basically attribute to an increased sensitivity and an increased awareness as to what
constitutes an incident,” said Chad Dougherty, Internet security analyst at CERT.

Dougherty noted there was also an increase in large scale malicious code incidents — like Code Red, Nimda and Sircam — in 2001.

“It does appear that intruders are getting more sophisticated,” Dougherty said. “In the Nimda worm, you saw a lot of techniques that
other malicious code attacks had used. Intruders are starting to target pieces of software and technology that are most widely
deployed.”

And intruders that are targeting popularly deployed software and technology are finding cracks that allow them to worm their way
into systems. CERT said there were 2,437 vulnerabilities reported in 2001, up from 1,090 in 2000 and 417 in 1999. Both Code Red and
Nimda targeted Microsoft Corp.’s Internet Information Service (IIS) Web server software, which had a large share of the
vulnerabilities reported in 2001.

Dougherty said that the increase in vulnerabilities reported also has to do with awareness; there are more people looking for them
these days. But he also noted, “It really drives home the point that sites need to be aware of patches that are available from their
vendors.”

He added, “It reinforces what we’ve been saying all along: apply the patches and only enable services and technologies that sites
need to run.”

But that’s just one aspect of decreasing risk. As the number of patches needed to keep a system secure continue to climb, Dougherty
said it may be time to look for software with fewer vulnerabilities.

“One piece of the puzzle for reducing risk is to have software with fewer vulnerabilities out of the box — software that is more
secure by default,” he said.