A small doorway in the hillside, in the middle of a hay meadow in Wiltshire, is the only outward sign of Symantec's internet security operations centre.
The facility is buried underground, under a metre and a half of concrete, in a former Ministry of Defence nuclear bunker. The walls are 46cm thick and the site is entered via an airlock consisting of four steel doors the thickness of sprung mattresses. There are no windows to the outside world and the bunker has its own power generator and air-filtration system, which would allow it to survive, sealed off, for 40 days after a nuclear attack.
It is from here that Symantec, the world's largest internet security company, monitors cybercrime 24 hours a day in 180 countries around the world.
The things that go on in the bunker have changed considerably in the four years of Symantec's occupancy, reflecting the rapidly shifting nature of cybercrime, which has become more targeted, more costly and far harder to detect.
In truth, the Symantec monitoring centre does not need quite the nuclear-level security it enjoys. The company has three other monitoring sites - in Munich, Sydney and Alexandria, Virginia - which are located in more conventional buildings. The UK operation could, in fact, have been housed in an ordinary office building.
But, explains Graeme Pinkney, threat analysis manager for Symantec Europe, being located in a nuclear bunker does solve some security and contingency planning problems that would have been harder to address elsewhere.
"An operation like this has to be 24/7 - you can't have any disruptions," he says. "Because of our remote location, we can't be taken out by fire, flood or other events."
The solidity of the Wiltshire site also gives customers more confidence, says Mr Pinkney, as the battle against cybercriminals has become a game of relentless vigilance and endurance.
The frantic fire-fighting days when large-scale attacks of fast-spreading viruses and worms such as MyDoom and Blaster threatened to disrupt internet communications across the world seem to be over.
The back-bedroom hobbyists who created these threats mainly for fun have been replaced by professional cybercriminals looking to steal data - such as credit cards or personal identity details - from corporate networks.
According to a report on information security breaches from the Department of Trade and Industry last month, the number of businesses reporting security incidents has fallen by a few percentage points in the past two years, but the cost of attacks has increased by about 50 per cent.
In the UK alone, cyber-attacks are estimated to be costing businesses £10bn a year. A recent survey by the US Federal Bureau of Investigation estimated that cybercrime costs US businesses $62bn (£33bn) a year.
"People are hacking for fortune, not fame, these days," says Mr Pinkney.
Much like burglars breaking into a house, the new cybercriminals do not want to attract attention. Their hack attacks are small-scale, highly targeted and very hard to spot.
Viruses have therefore become more varied. According to the DTI report, in 2004 the Blaster worm alone accounted for more than half of the worst corporate security incidents. Last year, however, no single worm or virus had this kind of impact. Instead, a multitude of different variants of malicious code are peppering company networks.
In addition, there has been a huge rise in Trojans and spyware - malicious code designed to sit undetected on computer systems. These can then collect information, such as the keystrokes a computer user enters for passwords and PIN numbers. Spyware was virtually unknown two years ago, but now accounts for about one in seven severe security attacks.
A security report earlier this week from the Sans Institute, the US-based security research organisation, also noted that companies were seeing an increasing number of "zero-day" incidents - attacks through previously unknown weaknesses in their computer networks. This suggests cybercrime has become so lucrative that hackers are now willing to invest more time and effort on researching new ways of getting in.
At the Symantec monitoring centre, work is just as painstaking. The team of cybercrime analysts watches customer networks for the minutest sign that something unauthorised might be going on. It may be an attempted connection to an unusual internet address, or through a port that is normally reserved for instant messaging rather than standard web browsing.
These movements are noted and examined, and if the team decides they are part of an attack, it raises the alarm with the client. The response time is usually about 10 minutes.
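The kind of watch described above, reduced to a toy detector as an added example (this is not Symantec's tooling and not from the article): it baselines which external addresses each internal host normally contacts, then flags connections to addresses never seen before and connections on ports associated with instant messaging rather than web browsing. The log format, the host and address values and the set of instant-messaging ports are all constructed assumptions.

```python
# Added example, not from the article or from Symantec. Toy version of the
# monitoring the article describes: baseline normal destinations per host,
# then flag (a) connections to never-seen addresses and (b) connections on
# instant-messaging ports. All log lines below are constructed.
from collections import defaultdict

# Ports commonly used by instant-messaging clients (assumed local policy;
# the article only says "a port normally reserved for instant messaging").
IM_PORTS = {1863, 5190, 5222, 5223}

# Constructed "quiet period" traffic used to learn what normal looks like.
BASELINE_LOG = """\
2006-05-08T09:00:01 src=10.1.1.20 dst=203.0.113.10 dport=80
2006-05-08T09:00:05 src=10.1.1.20 dst=203.0.113.11 dport=443
2006-05-08T09:01:10 src=10.1.1.21 dst=203.0.113.10 dport=80
"""

# Constructed live traffic: one new destination, one IM-port connection.
LIVE_LOG = """\
2006-05-08T10:15:02 src=10.1.1.20 dst=203.0.113.10 dport=80
2006-05-08T10:15:07 src=10.1.1.20 dst=198.51.100.77 dport=80
2006-05-08T10:16:30 src=10.1.1.21 dst=203.0.113.10 dport=5190
"""

def parse(log):
    """Yield (timestamp, src, dst, dport) from key=value log lines."""
    for line in log.splitlines():
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        yield ts, fields["src"], fields["dst"], int(fields["dport"])

def build_baseline(log):
    """Map each internal host to the set of destinations it was seen contacting."""
    seen = defaultdict(set)
    for _, src, dst, _ in parse(log):
        seen[src].add(dst)
    return seen

def find_anomalies(baseline, log):
    """Return (timestamp, src, reason) for each connection worth an analyst's look."""
    alerts = []
    for ts, src, dst, dport in parse(log):
        if dst not in baseline.get(src, set()):
            alerts.append((ts, src, f"new destination {dst}"))
        if dport in IM_PORTS:
            alerts.append((ts, src, f"instant-messaging port {dport}"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_LOG), LIVE_LOG):
        print(*alert)
```

A real operation would replace the static port set and per-host destination sets with a rolling baseline and reputation data for the destination address, but the two checks are the same ones the analysts are described as making by eye.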
Information about new types of attacks is also passed on to a response centre in Dublin, where teams of engineers create new "signatures" - information on how to recognise viruses - and send these as updates to users of Symantec antivirus systems around the world.
The meticulous nature of fighting cybercrime makes activity in the bunker, for all its James Bond-esque trappings, surprisingly humdrum. The analysts, seated in a secure room that visitors are allowed to see only through a window, watch their screens, speak very little and take the occasional quiet coffee break.
The most dramatic feature of the room is a large flat screen with a world map showing in real time where most of the cyber attacks are coming from. Mid-morning, parts of eastern Europe and the east coast of the US are glowing red with hotspots.
But without this screen, the work looks more like processing insurance claims than shadow-boxing with international criminals.
It is obvious that it takes a certain kind of mind to do this analysis. Jim Hart, head of the Wiltshire analyst team, explains with some animation how the team spotted a "bot-net" - an attack coming from a network of hijacked computers - last December, but most of the detail is unfathomable.
Lines of code scroll down the screen and Mr Hart points enthusiastically to various segments that were unusual and roused suspicion. For the outsider, it is a little like the scene from The Matrix where one of the über-hackers watches a torrent of incomprehensible code pouring down the screen of his computer and picks out "blondes", "brunettes" and "redheads".
Symantec used to recruit many of its cybercrime analysts from the military - former RAF communications officers, for example, who had been used to monitoring code all day. Now, it tends to hire more computer security graduates. For any new analyst, however, there is a rigorous six-month in-house training programme before they are considered ready to go solo on cyber-patrol.
In spite of the time they spend underground looking at code, the good analyst should not be too introverted. In one corner of the analysis room, a television monitor shows a continuous feed of news. It is important to follow current events, says Mr Pinkney, as cybercriminals often use news headlines, say about bird flu or the World Cup, to entice people to open infected e-mails.
A big news event - US soldiers capturing Osama bin Laden, for example - would cause a surprising number of people to let down their guard when deciding what to open and download on their computers, he says.
More widely, in the absence of recent headline-grabbing virus attacks, many businesses have become complacent about internet security.
However, buried deep within a hillside, a group of people are still keeping watch, and taking cyber-threats seriously enough to keep the emergency power generator and the airlocks in their bunker well-oiled, just in case.
Monday, May 08, 2006