Friday, October 24, 2003

Ex-cybersecurity czar Clarke issues gloomy report card
If current trends continue, Clarke told attendees at Gartner's Symposium/ITxpo 2003 here this week, the cybersecurity situation isn't just going to get worse. It's going to get exponentially worse.

Noting that the conference's location (Disney World) might be appropriate because "only in fantasy land can everything you have be secure," Clarke identified five trends that don't bode well for those trying to deal with cyber attacks.

The first of these trends has to do with the number of software vulnerabilities. After assimilating data from sources such as Bugtraq, the SANS Institute, and the vendors themselves, Clarke said the number of announced vulnerabilities has doubled every year for the last three years. "At this point," said Clarke, "we're now seeing as many as 60 new vulnerabilities per week."

A second trend that closely tracks the first, according to Clarke, is the number of patches for those vulnerabilities, which also has doubled every year for the past three years. Patch management is a road full of potholes.

"No sooner do the patches get applied than they have to apply another one," Clarke said. "CIOs want these patches applied but have no idea what the effect of the patch will be on their systems, so they're reluctant to put them on quickly. Also, they want to wait until they have a bunch of patches first, and then test them before deploying them. But, during the wait period, they're vulnerable and some have been successfully attacked in that window."

The third trend Clarke is watching is what he called the "time to exploit." This is a measurement of the elapsed time between the moment a vulnerability is announced and when the corresponding exploit makes its first appearance on IRC or some other chat room. Said Clarke, "It's gone from months to weeks to days, and now it's about six hours."

Clarke's fourth trend is the rate of propagation of the attacks. "In July 2001, Code Red was a big deal" said Clarke. "I was the White House cybersecurity guy at that time and we knew something was going on, but we didn't know what. We knew it was a big threat, though. So, we reached out to all the security-related agencies--the NSA, CIA, FBI, even the private sector--and by 4pm on that day, we had broken the code and knew what was going to happen: At 8pm Eastern Time, 300,000 machines were going to launch a distributed denial of service attack (DDoS) on the White House's domain."

To mitigate the attack's impact, he asked the major Internet backbone providers to black-hole all traffic destined for whitehouse.gov. "So, when the tsunami hit the edge routers, it just died," said Clarke.

Comparing Code Red to the Slammer worm, which originated from South Korea, Clarke said, "We saw the same phenomenon earlier this year. It involved 300,000 computers from five continents, but instead of taking a day, it all happened in 14 minutes. So, when you combine the six hours of vulnerability-to-exploit with the 14 minutes it takes to complete an attack, not only are 'they' evolving, but reaction time is shrinking. Bottom line: If you don't have defenses already set up to deal with the problem, you will be a victim."

http://techupdate.zdnet.com/Clarke_issues_gloomy_report_card_.html
