Australian businesses are aware of at least some of the viruses and vulnerabilities which threaten the enterprise's IT security. But what happens when the threat is of a hybrid variety?

Companies are finding that IT security threats come in a wide range of flavours--85 percent of computer security practitioners surveyed had detected viruses within their organisations, according to a Computer Security Institute/FBI study released earlier this year in the US.

And the figures don't look rosier closer to home. This year's Computer Crime and Security Survey--conducted by security advisory AusCERT, Deloitte Touche Tohmatsu and the NSW police--found that 67 percent of respondents had suffered a security incident in 2002, twice the level of 1999.

But the question isn't if these threats exist, it's whether companies are understanding and protecting corporate assets adequately.

Australia's Computer Crime Survey found that businesses here are protecting themselves in a variety of ways. This included physical security (91 percent); password protection (100 percent); access controls (96 percent); firewalls (96 percent) and anti-virus software (99 percent).

Yet, surprisingly, only 48 percent used encrypted login or sessions, with 47 percent using encrypted files. Other authentication techniques used were biometrics (four percent), digital IDs (46 percent) and smart cards (36 percent).

However, the authors of the survey didn't believe this necessarily meant a deficiency in security within Australian organisations.

"Such technologies are only useful if there is a recognised need to provide strong protection (confidentiality and integrity) to network data and services," the survey stated. "And if they are implemented as part of an overall security policy framework which makes provision for monitoring and maintenance of this technology and the information systems they seek to protect."

What are hybrid threats?

The growing complexity of security threats creates new issues for enterprises to deal with as they try and protect themselves.

In 1999, AusCERT started to see a distinct trend in the hybridisation of viruses, according to the not-for-profit organisation's training and education manager, Mark McPherson.

McPherson believes the term has widened to include attacks where there's the ability of a particular attack tool to insert malicious code into a server and make that server in turn attack clients. "It's equivalent to what hackers may have had five years ago as a personal skill set, and it's transferred into software-automated attack tools," he said.

Hybrid threats are also known by other terms, for example security vendor Symantec refers to them as blended threats. According to information provided by Symantec, these threats are characterised by the fact they're multi-faceted in their operating methods and effects.

"Blended threats require comprehensive security solutions that provide multiple layers of defence and response, with triggers to pre-determined responses when threats are encountered," it states. "Comprehensive security solutions include the ability to secure all levels within the IT infrastructure (gateway, server and client) as well as the ability to apply complementary security functions in a synergistic fashion."

Symantec sees one of the most dangerous characteristics of a blended threat being that it exploits vulnerabilities, for example unauthorised administrative access to servers such as opening up the information stored on the server at the root level.

Exploiting known vulnerabilities such as buffer overflows, http input validation vulnerabilities and known default passwords are other threats the vendor cites.

Likewise, Dean Kingsley--partner of enterprise risk services at professional services firm Deloitte Touche Tohmatsu--sees hybrid threats as a challenge for corporates. "[It's] relatively undiscriminating, in terms of who it's attacking," Kingsley said.

"I think that generally organisations need to assume they face some level of threat from these automated attacks," Kingsley warned.

Examples of ways automated attacks could be set up, which Kingsley used, are by trying to bypass a firewall, exploiting open services on a Web server, or weaknesses in the way mail protocols are set up.

Among the counter measures enterprises Kingsley suggested enterprises could use are firewalls in serial, strong patching of any servers, and closing network shares.

Assessing the impact

AusCERT's McPherson said that there could be a financial impact if systems are taken offline, for example if the company is an e-commerce operator. There also may be the PR issue of having to explain what happened to partners and users.

However, it's not all doom-and-gloom. Although he admits that blended threats do pose quite a problem, McPherson doesn't see them as threatening as a hacker with a high-level skill set targeting a specific company. He said that often that a company which is hit by a hybrid attack may be a victim because its systems are vulnerable, which they can mitigate against by putting standards and approaches in place.

Michael Warrilow, senior consultant at industry analyst META Group, sees the growth of hybrid threats as an indication of the third generation of sophistication in technology attacks. Warrilow said that this meant that these attacks used everything that had gone before, and also incorporated newer techniques.

One new potential threat--which Warrilow believes illustrates the increasingly complexity of blended attacks are the Windows "shatter attacks".

According to META Group research this type of attack takes advantage of the lack of authentication of messages between Windows processes on the desktop, and the ability to trick the WM_TIMER service into executing an arbitrary memory address.

"This exploit is not easily automated, and so it will have some limited impact on users via viruses," the information from META Group states. "In addition, users that have up-to-date security programs--antivirus, firewall, intrusion detection/prevention--can further minimise the potential for damage."

Warrilow thinks that the greater the number of mechanisms which hackers use, the greater their chances for success.

Nor are any particular organisations exempt from potentially being the target of a hybrid attack. As the attacks become even more sophisticated it only increases the probability that they're going to get into more companies, warns Warrilow.

"The 80-20 rule of vulnerability management recognises that 80 percent of successful attacks utilise just 20 percent of a system's vulnerabilites," according to information provided by Symantec.

Are we coping?

It's all very well to know what the threats are enterprises are facing, but the question remains as to whether Australian businesses are adequately protecting themselves from the risks.

"In general, it's pretty standard procedure to protect yourself," said AusCERT's McPherson. He said it was about having a comprehensive security solution, with multiple layers of defence. "It's very hard to quantify how much you spend on prevention," he said.

He also suggested that IT departments needed to have a decent response procedure in place, which was both enforceable and practical. "If a problem occurs then [an enterprise] should have procedures in place to deal with it to minimise the damage," McPherson said.

But he admitted that it was very hard to quantify how much to spend on prevention, commenting that businesses might want to look at both worst and best case scenarios when making this decision. "What assets are you protecting and how do you mitigate that?," he asked.

META Group's Warrilow believes that enterprises can never have what can be described as perfect security, but that increasingly intelligent software was helping businesses deal with the threats which they faced.

"[Companies] need to have reasonable practices in place, and what can help them there are the relevant standards, and benchmarking themselves against the rest [of their] industry," he said.

Best practices, such as removing unneeded services, are among the suggestions from vendor Symantec on how to protect from blended threats.

"For services that are needed, software patches should be installed as soon as possible after discovery of a vulnerability," it states. "Recognising that services are an exposure because they are listening on a TCP port is important, and elimination of unneeded services can dramatically reduce system vulnerability from know exploits and future, undiscovered vulnerabilities and exploits."

Security evolves over time--it's not a set-and-forget environment--and companies need to take a common sense approach, rather than spreading this fear of doom and gloom, META Group's Warrilow said.

It's not always an easy task for IT departments to put the necessary security in place either. As the AusCERT and Deloitte Touche Tohmatsu computer crime survey points out, effectively managing computer and network security is a complex and challenging task, even for organisations which are appropriately equipped, experienced and resourced.

"IT managers and their staff have to work in an environment in which their organisations are becoming increasingly dependent on the network infrastructure to support critical business services and, therefore, must work under the pressure of higher expectations of uninterrupted availability and increased functionality," the report states.

According to the report, how access control lists, systems settings, firewall and IDS rules are configured and maintained can all potentially effect network security.

"System and network administrators must understand the plethora of rules and settings which exist and ensure all are set correctly at all times," it points out. "An incorrect configuration of the firewall rules, for example, may allow a hacker to transmit data to and from the network with minimal chance of detection."

Nor can technology alone thwart cyber attacks, warned Patrice Rapalus, director at the CSI in the US in a statement relating to the Computer Crime and Security Survey.

"There is much more illegal and unauthorised activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace," Rapalus argued.

How is your organisation protecting itself from hybrid security threats? Talkback below, or e-mail your comments to edit@zdnet.com.au

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.