'Arms race' in bid to protect information
When Michael Gazeley hears of incidents like the recent attack on the stock exchange website, his first reaction is usually one of surprise. Not at the gall or ingenuity of the perpetrators, but at the latest target's apparent lack of knowledge and preparedness.
Time and again companies commit the same mistakes. They assume that no problem so far means their systems must be secure.
They are ready to believe their in-house information technology team is on top of every development. They convince themselves that last year's investment will defend again this year's threat.
And, in a small or medium-sized enterprise, they take comfort from the thought that hackers, planters of viruses and assorted other 'bad guys' out there in the cyberworld are only interested in targeting the bigger organisations with an international dimension.
'It is very frustrating,' says Gazeley, managing director of Network Box, a Hong Kong-based provider of internet security services. 'We are protecting thousands of companies around the world from being attacked every second of every day, but some people in Hong Kong won't spend the equivalent of half a junior clerk's monthly salary to protect their business effectively.'
He says that, at his firm's Kwai Chung operations centre, monitors show in real-time where firewall probes and intrusion attempts are taking place. Most are automated background attacks searching for vulnerabilities that can then be used to build up botnets.
The malware writer is not looking to infect computers as a prank. The aim - for financial gain or political motives - is to put in a 'back door', leave it inactive, and then wreak havoc in a few months' time.
'In this way, someone can infiltrate your computer and use it to commit all sorts of crime, when you think the system is secure,' says Gazeley, noting that access gained via a small business or, say, a doctor's office can easily serve such purposes.
'The bad guys don't want to bring your system down. They want to use your CPU to attack someone else or store illegal [items]. It has gone way beyond the old style of hacking, which was just vandalism to crash your computer for the heck of it.'
Reflecting this, Gazeley has seen a marked change in virus writers' behaviour over the past 18 months. To find a way past the more common defences, they will test their latest creations by submitting files to popular internet portals that scan against about 60 antivirus engines. If maybe 12 of those identify a virus, the writers will tweak it and try again until it is blocked by none.
Then, within 30 seconds, they can send the new virus to their command and control centre - the previously hacked system - with just a few keystrokes while logged on using free Wi-fi at a local coffee shop. Potentially the doctor's office would be sending a zero-day virus multiplied millions of times around the world.
'That's why we have to be even faster,' Gazeley says. 'Security is like an arms race, and even if our team can write an antivirus signature in 45 seconds, that is not quite fast enough to keep up. Therefore, we introduced 'Z-scan', which reverse engineered the problem and has a solution sitting in the cloud.'
This technology acts as a decoy. It offers about 200,000 traps on the internet basically waiting to be attacked as the first victim of any new virus. To a hostile automated botnet mounting an attack, it typically looks no different from a vulnerable, unpatched system.
Describing the results as 'incredible', Gazeley notes it is now possible to react within about three seconds when a virus attacks a client. And, as the company's website shows, the worldwide security system may be 'seeing' and blocking more than 250,000 zero-day viruses at any one time.
'With defensive technology, you need to succeed every time and this has been amazingly effective,' he says. 'We run tests against traditional antivirus engines with one-hour responses, which public companies and banks still use to protect their systems and, in almost all cases, we find the effectiveness is just a few per cent. What does it take for these guys to get serious?'
A significant factor, Gazeley suggests, is that too many IT managers entrusted with systems security are complacent. They still fail to realise that, these days, virus attacks are not straightforward, but multipronged. Their assumption is that if the system has not actually crashed, everything must be fine.
But only half-jokingly, Gazeley says it is often harder to gain admittance to a company's office for a prearranged business meeting than it is to get into their server.
'For too many organisations in Hong Kong, protection is just a joke,' he says. 'Average companies with 30 to 50 people could secure the gateway and have multiple firewalls, antivirus, antispam and content filtering [for a few thousand Hong Kong dollars a month]. If you do business on the internet, you need the right protection, but our experience is that they only become serious after something bad has happened.'