"We profile the threat by finding out where it's being launched from, who it's being aimed at and what it's trying to achieve," Ogden said.
On a wider network
The Security Operations Center's Winchester facility is part of Symantec's global network of information monitoring stations. Customer data is monitored in five centers. The other four are located in Sydney, Australia; Munich, Germany; Alexandria, Va.; and San Antonio.
The security operation centers work closely with Symantec's seven security response centers, located around the globe, in locations including the U.S., Canada, Ireland, Japan and Australia. Where the primary role of the operations center is to identify attacks against customers, the response centers work on a higher level and collate information from a wider variety of sources.
Along with monitoring viruses directly detected by customers, Symantec scans 25 percent of global e-mail traffic for malicious code. It has a number of "honeypot" e-mail boxes, which are accounts provided by ISPs. They are not used, so anything that ends up there is usually spam, Trojan horses, viruses or other forms of malicious software.
An attack quarantine system linked to the honeypot network captures such malicious code. "It is a virtual network that simulates servers, and so looks like a real network," said Art Wong, vice president of security response and managed security services at Symantec.
Symantec maintains a list of all the vulnerabilities found across its network, called Bugtraq. Wong said that it's both a clearing house and a database of vulnerabilities. This list is shared with other security vendors to speed up the process of issuing patches.
The threat of botnets
As a leading security vendor, Symantec is well-positioned to identify future threats. Some of the biggest offenders on the radar at the moment are botnets, which are extensive networks of compromised computers controlled by hackers. These botnets are usually used to launch distributed denial-of-service attacks, which effectively flood Web servers or e-mail boxes with traffic.
The growth of botnets is a major problem, with a 100 percent increase in the U.K. since 2004, according to Symantec. The company believes that right now, the U.K. contains the highest number of botnets in the world.
"Just over a third of the botnets we've seen are in the U.K.," said Wong, quoting figures from Symantec's Internet Security Report VIII, published in September 2005. This is higher than the U.S., which has traditionally had more botnets.
The high incidence of botnets in the U.K. probably has to do with the recent explosion in broadband usage and the fact that most U.K. home users wouldn't know if their computer was compromised, Wong suggested. "Maybe there's a slightly lower awareness level in Britain of botnets," he said. "The IP addresses could come from legitimate machines that have been compromised by hackers. Maybe the machines don't have patches, or are not running up-to-date anti-malware products. Plus, if you have 10,000 machines in a botnet, it's difficult to track back to each IP address."
Taking control
On average, it takes eight minutes for a new machine to be compromised when hooked up to the Web for the first time, according to Symantec tests on a Microsoft Windows PC not running XP Service Pack 2 or antivirus software.
There is a particular danger for businesses using the same network as a compromised machine, because once one machine has been infected behind the firewall, hackers can use it to infect others. "If attackers manage to infect a machine within an organization, they can profile additional machines within that subnet. Executable code can be injected onto other machines to profile the users," Ogden said.
Is this really practical or just for show?
One thing I'm still wondering is, how come Symantec (and all others) could not detect the Sony Rootkit while it was reportedly infecting around 500,000 machines and had done so for months.
The article defines emergency as "Emergency: There is a possibility of code being deposited on vulnerable machines". So did Symantec do as they say, "If the situation is critical or an emergency, we pick the phone up and say to the customer 'You could be under attack,'" or did they rather phone Sony/BMG to work out an arrangement?
Who else has such deals with Symantec? Who else is authorised to exploit vulns and get away with it?
Maybe it takes more than a cold war bunker to hide their dirty secrets ...
So your point is . . . ? ? ?
"If anyone gets past that, there's one last line of defense to deal with. "That's when I appear with a baseball bat," said Gordon May, Symantec's facilities manager."
Anyone who knows anything about British culture will find this comment hilarious.
(hint...it's about FIREARMS!!!)
I think I giggled for 10 minutes.
What I have
by n3td3v November 29, 2005 10:37 AM PST
1. Banks of monitors for news TV channels worldwide.
2. Security news wire on Google Groups for e-mail based news.
3. Political radio phone-in discussion listened to at times of breaking news.
4. Two computers: one for visiting sites, the other for software development and web development, with a server facing the internet for honeypotting.
5. Keyword user name accounts on corporate I.M. to honey the latest I.M. phishing and virii threat.
6. Keyword user name accounts on corporate e-mail to honey the latest mail phishing and virii threat.
7. Connections to IRC, internet forums, mailing lists and interpersonal friending of suspected malicious users.
8. Connections to individual employees connected with big corporate web sites to feed back info between each other.
9. A general internet presence under the "n3td3v" alias to let the internet and security community know of current feeling on news sites.
10. Propaganda mailings sent to corporations with recommendations of vulnerabilities, exploits and incidents found to be current on the vendor's network and/or software.