
Ethical hacking is exposing the risk associated with vulnerabilities. Of course, some of these are known to exist long before the test and once a system is found with one, it is a matter of exploitation. Therefore, the number, type, and computing services that are affected by known vulnerabilities is a great place to start analyzing just why ethical hacking is so popular.

Vulnerabilities, in the realm of technology, materialize in the form of viruses, poor programming and quality control, poor implementation, poor management, and the proliferation and growing sophistication of automated hacking tools.

Losses associated with viruses remain a pain for customers: 82 percent of respondents to the CSI/FBI 2003 Eighth Annual Security Survey cited viruses as their problem in the last 12 months. Although 99 percent of respondents use antivirus software, 47 percent reported losses of $27.3 million. Viruses and worms represent tremendous threats to the continued security of organizations even in the face of arguably comprehensive controls. In recent papers and articles, there is a clear association between the security state of a system (application, operating system, servers, etc.) and the proliferation and impact of viruses and worms, which are often based on vulnerabilities. Therefore, patch management and system hardening are becoming the next effective layer in a “defense in depth” security strategy. This begins to explain the popularity of vulnerability tools and services, such as penetration testing.

Vulnerabilities are increasing in number and severity. The ability to manage your vulnerabilities and reduce overall exposure is key to the survival of any organization. To do so requires regular risk analysis and appropriate alignment of security management to business needs and exposures. Considering that not all vulnerabilities can be identified, and the ones that can are not always avoidable (e.g., repairable), the effectiveness of a risk analysis in guiding security operational attributes is core to the overall protection of the company’s business. As demonstrated in Figure 2.2, from Symantec’s annual vulnerability report, the number and severity of identified vulnerabilities are climbing. This is a representation of the threats to organizations globally and the demand for maintaining a security posture.

In combination with Figure 2.2, Figure 2.3 shows that the new vulnerabilities identified are totaling numbers that represent an enormous challenge to companies on a monthly basis. Challenges for companies are gathering information relating to vulnerabilities, determining the impact within their environment, understanding the next steps to remediate, detecting what systems are affected, testing, distribution, and implementation and validation of the appropriate controls.

The eighth annual “Computer Crime and Security Survey,” written by Robert Richardson in 2003, was conducted by the Computer Security Institute (CSI) with the involvement of the Computer Intrusion Squad of the Federal Bureau of Investigation’s San Francisco office. The CSI/FBI report provides interesting trend analysis on the evolution and impacts of computer-related crime and the associated costs. The report’s goal is to quantify the scope of computer-related crimes in the United States. The CSI/FBI report includes the responses of 530 security practitioners working in U.S. corporations, government agencies, financial institutions, and universities. The number and diversity of the report’s sources are very comprehensive, including information from nearly all industries, such as health care, retail, manufacturing, public utilities, transportation, high-tech, and telecommunications. As demonstrated in Figure 2.4, the costs of attacks can be staggering, even when only 47 percent reported financial losses. Although these numbers are significantly less than the previous two years, the ability to accurately calculate costs remains a challenge.

FIGURE 2.2 Vulnerabilities Increasing in Severity and Volume (Symantec, 2003). [Chart not reproduced. Y-axis: Document Vulnerabilities; x-axis: Month, Jan-01 through Dec-02; series: High Severity, Moderate Severity, Low Severity.]

© 2005 by CRC Press LLC

FIGURE 2.3 Number of New Vulnerabilities (Symantec, 2003). [Chart not reproduced. Y-axis: Document Vulnerabilities; x-axis: Month, Jan-01 through Dec-02. Data labels in the order printed: 107, 105, 81, 131, 113, 128, 157, 135, 94, 105, 101, 131, 219, 132, 166, 229, 235, 208, 223, 221, 210, 237, 192, 192.]

So who is causing the most pain? As depicted in Figure 2.5, attacks were grouped into five categories: hackers, disgruntled employees, domestic competitors, foreign companies, and foreign governments. What is interesting to note is respondents to the CSI/FBI survey cited hackers and disgruntled employees nearly equally as the source of attacks.

According to a 2002 Symantec report, 29.6 percent of all attacks worldwide originate from the United States, followed by South Korea with 8.8 percent and China with 7.8 percent. Although the United States represents the largest source of attacks, there are countries with enormous percentages of their population attacking networks and systems worldwide. For example, 26.2 percent of those in Israel’s Internet community are regularly hacking companies, followed by 14.5 percent of Hong Kong’s and 11.6 percent of Thailand’s. Finally, according to the report, 10 percent of South Korea’s Internet population is responsible for 8.8 percent of all attacks on all companies!

Attacks on networks can be collected into two groups: opportunistic and targeted (61 percent to 39 percent, respectively, based on Symantec’s 2002 report).

1. Opportunistic attacks are intent on locating any vulnerable system that exists on the Internet regardless of who owns the system or the specific function. In this situation the victim is not sought out but instead selected solely because of its vulnerability. Usually, these attacks are preceded by a broad scan across the Internet until the hacker identifies a system that has vulnerabilities to be exploited.

2. Targeted attacks are directed at a specific organization or entity regardless of the vulnerability. These attacks are based on finding vulnerabilities to exploit specific to that company. The target is identified in advance, with the deliberate intent of gaining access through a vulnerability. Symantec categorized targeted attacks based on two criteria: lack of preliminary scanning by the hacker and the focus on a single entity.
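The two criteria above can be applied to sensor data when triaging alerts. The following is an added example, not from the original text or from Symantec; the event layout, the "scan"/"exploit" labels, and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real data): (timestamp, source, victim_org, kind).
# kind is "scan" (probe or port sweep) or "exploit" (attempt against a vulnerability).
EVENTS = [
    (100, "198.51.100.7", "org-a", "scan"),
    (101, "198.51.100.7", "org-b", "scan"),
    (102, "198.51.100.7", "org-c", "scan"),
    (130, "198.51.100.7", "org-b", "exploit"),
    (200, "203.0.113.9", "org-a", "exploit"),
    (260, "203.0.113.9", "org-a", "exploit"),
    (300, "192.0.2.44", "org-c", "scan"),
    (310, "192.0.2.44", "org-c", "exploit"),
    (400, "192.0.2.80", "org-a", "scan"),
]

def classify_sources(events):
    """Label each source using the two criteria quoted in the text:
    targeted = no preliminary scanning AND focus on a single entity."""
    by_source = defaultdict(list)
    for ts, src, org, kind in sorted(events):
        by_source[src].append((ts, org, kind))

    labels = {}
    for src, evs in by_source.items():
        exploit_times = [ts for ts, _, kind in evs if kind == "exploit"]
        if not exploit_times:
            # Probing with no follow-up attempt is not yet an attack.
            labels[src] = "scan-only"
            continue
        first_exploit = min(exploit_times)
        scanned_first = any(
            kind == "scan" and ts < first_exploit for ts, _, kind in evs
        )
        single_entity = len({org for _, org, _ in evs}) == 1
        # Both criteria must hold. A source seen scanning before its first
        # attempt stays opportunistic even if only one victim is visible,
        # because a single sensor cannot see the rest of a broad sweep.
        if not scanned_first and single_entity:
            labels[src] = "targeted"
        else:
            labels[src] = "opportunistic"
    return labels

if __name__ == "__main__":
    for source, label in classify_sources(EVENTS).items():
        print(source, label)
```

The single-entity test is only as good as the sensor coverage: events from one organization alone make every source look focused, so the scan criterion carries most of the weight there.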

In Figure 2.6, we see that the Internet is increasingly the point of attack, followed by the slight decline in internal systems, and then by a growing remote access trouble. One could conclude that the growth of the Internet as the primary point of pain is due to the massive losses associated with malware, the proliferation of vulnerabilities, and the growing sophistication of hacker tools. Although cited as a much less significant point of problems, the increasing concern over remote access could be linked to the massive adoption of VPNs (virtual private networks) and expansion of the corporate roaming user population.

FIGURE 2.4 Report Costs of Computer Crime in 2003 (CSI/FBI 2003)