BBC News
Last Updated: Friday, 22 August, 2003, 06:58 GMT 07:58 UK
Fighting viruses on the frontline
By Mark Ward
BBC News Online technology correspondent

For most people computer viruses, web worms and hacker attacks are an occasional nuisance that they encounter a few times a year at most.

[Image: Screengrab of inbox filled with Palyh virus, BBC. Caption: Some viruses try to trick people into opening them]

It is rare that people have more than one personal encounter with a virus as anyone caught out once tends to work hard to avoid a second infection.

But for some hi-tech security workers the job of fighting off viruses and their malicious ilk is a 24-hour, seven-day-a-week task.

It is a job that requires constant vigilance and many security firms run network monitoring centres to keep an eye on their customers' networks and the shifting tide of computer vandalism and crime.

The operation centres are the frontline of the information war.

Attack pattern

Symantec's European network operation centre sits inside an underground bunker in the Wiltshire countryside.

Bunker staff sit in air-conditioned comfort beyond blast doors and have fuel and water to survive for days without aid should the need arise.

Jeff Ogden, manager of the European operations centre, says the number of potential security problems and the speed at which they are exploited is accelerating.

In 2002 the number of vulnerabilities found in software grew by more than 80%. Worryingly most of this growth was due to bugs rated as moderate or severe threats.

To make matters worse, the time between a vulnerability being discovered and exploited is shrinking.

[Image: Network cables, BBC. Caption: More networks means more ways for viruses to travel]

Mr Ogden said three years ago the time delay between discovery and exploit was about 500 days.

"Now it is down to 40 days," he said.

Some are faster than that. The vulnerability exploited by the MSBlast or Lovsan worm was discovered less than 30 days before the worm appeared.

"Most of the threats are following technology so the problem is not going to get any easier for people," says Mr Ogden.

He says the number of attacks launched from a country is directly proportional to the broadband penetration.

South Korea, which has a very high proportion of broadband users, is rapidly becoming a locus of net attacks. Many of them are not launched by Koreans; instead they are carried out by proxy using PCs sitting on a broadband link that have been compromised by attackers.

Threat assessment

Symantec customers get attacked, on average, 35 times per week and 10-15 new viruses are discovered every day.

"This is not background noise anymore," said Kevin Hogan, head of Symantec's security response centre in Dublin.

Many of the threats discovered are dealt with automatically as the viruses are simply variants that are easy to spot or copycat attacks.

[Image: Jeff Ogden, Symantec. Caption: Ogden: Threats follow technology]

But life is also made difficult for Symantec staff thanks to what Mr Ogden calls "flash threats".

These malicious programs pop up, spread with alarming speed and are almost impossible to defend against. All people can do is react.

The Slammer worm was a good example of a "flash threat" as it managed to reach almost all vulnerable machines on the net within 15 minutes of its first appearance.

Mr Ogden says Symantec's operations centres automatically grab information from 20,000 sensors on the networks it watches.

Now it has more than 30 terabytes of database to analyse to spot impending security problems or someone somewhere preparing to attack.

"It makes the data meaningful," says Mr Ogden, "if you look at 200 incidents you may never connect them together."

It is the job of the Symantec security team to work out what is happening and do something about it.

They use well-known tools such as Sam Spade to track down the source of an attack or simply analyse a virus to discover how it works, how to spot it and how to fix the problems it causes.

Mr Hogan said: "There's a common interest within the industry to try to deal with these things before they become a threat to customers or the rest of the internet."



