A report on security threats released last week by the SANS Institute provides further evidence that cybercriminals are shifting to more targeted attacks and attempting to exploit zero-day flaws before software vendors patch them.
The report also cited a sharp increase in attacks against Web applications, Office installations and voice-over-IP systems. But overall, the trends suggest a switch from the “noisy” virus and worm attacks of the past to more covert attacks via Trojan horses and other malware, said Alan Paller, director of research at Bethesda, Md.-based SANS.
“There has been a large downturn in the number of alerts we have been pushing out” related to traditional security flaws, said Roger Cumming, director of the U.K.’s National Infrastructure Security Coordination Centre, which contributed to the SANS report.
Attackers are increasingly “moving toward developing exploit code with a specific purpose,” Cumming said.
The risks highlighted by SANS “are all up there” from a security threat standpoint, said Ahmed El-Haggan, CIO at Coppin State University in Baltimore. The school is assessing its exposure to such risks and has hired an outsourcing vendor to do vulnerability scans of its networks to protect them against zero-day threats, said El-Haggan.
‘Larger Chunk of Money’
The situation is similar at Medical Network One PC in Rochester, Mich. The bulk of the company’s security technology investments this year were on perimeter defense products such as intrusion-detection systems, said Marcin Czabanski, the company’s chief security officer. But zero-day and Web application threats also need close attention, he said.
Czabanski added that he expects Medical Network One to spend “a much larger chunk of money” next year on several major IT security projects, which he declined to specify.
Another report released last week, by Info-Tech Research Group in London, Ontario, forecast that U.S. companies will spend $61 billion on information security this year. Info-Tech surveyed about 1,000 IT managers, and the number of respondents who said they have increased their security spending this year was 10 times greater than the number who said their spending has been reduced, said Ed Daugavietis, a senior researcher at Info-Tech.
On average, the surveyed companies will spend 7.3% of their total IT budgets on data security this year, he said.
Last month, Forrester Research Inc. said its own survey of more than 1,000 IT managers showed that companies expect on average to spend about 7.75% of their IT budgets on security this year. That’s down from 8.9% last year, according to Forrester.
The problem with such numbers is that they don’t always capture the true nature of security spending, said Robert Garigue, vice president of information integrity at Bell Canada in Montreal. For instance, IT upgrades that improve overall security are viewed by some companies as being a security investment, while others may not budget them the same way, Garigue said.
He noted that Bell Canada has been increasing its investments in network scanning and monitoring, risk assessment and diagnostics technologies, and will continue to do so next year.
Monday, November 20, 2006