New I.B.M. Report Will Warn of Computer Security Threats
Kevin Moloney for The New York Times
At I.B.M.'s Global Services network command center in Boulder, Colo., workers monitor a variety of threats to computer security.
By JOHN MARKOFF
plans to begin releasing on Monday a monthly report of threats to
computer networks in an effort to establish an indicator similar to the
federal government's Homeland Security Advisory System.
report, to be named the Global Business Security Index, is intended to
give computing managers early warning of a range of computer
vulnerabilities like attacks by malicious hackers, automated softwares,
viruses and worms, as well as to gauge the impact of political
upheavals and natural disasters.
The index will be generated from
data gathered by 2,700 International Business Machines information
security employees and a global network of about a half-million sensors
- software programs and security hardware distributed to its customers
and its own networks in 34 countries. The network of sensors routinely
detects 100 million suspected or actual attacks against I.B.M.
customers each month.
The index will be released on I.B.M.'s Web
site and will be part of a broader service known as the I.B.M. Security
Threats and Attack Trends, or STAT, report, which the company offers
customers at a cost of about $10,000 a year. That service is also
produced by I.B.M.'s Security Intelligence Services, a group that is
part of its managed computing services unit and is based on a corporate
campus in Boulder, Colo.
I.B.M. is not the first to provide
computer security managers with intelligence data on network threats.
Several such services of varying scope are available commercially.
Symantec, an independent security services and software publisher,
offers DeepSight Threat Management System, a sensor network that takes
information from 20,000 corporate customers and millions of personal
computer customers who use the company's antivirus software.
service, which has been available for four years and costs about the
same as I.B.M.'s STAT report, generates a color-coded threat level and
displays a publicly available global map of incidents that have
occurred within the past day.
"We alert customers to trends," said Alfred Huger, Symantec's senior director.
I.B.M. service can also provide a first line of defense in an
increasingly networked world where attacks tend be both instantaneous
and huge, I.B.M. executives said.
"The security landscape today
is totally different," said David Mackey, a former army intelligence
analyst who now directs the company's Security Intelligence Services.
"Customers want a holistic approach to security."
Internet attacks directed at the networks the company monitors rose 27
percent in September over July and August. The most prevalent attacks
currently come from computer worms - programs that are able to move
automatically from computer to computer within a network. Many of the
worms are targeted at a vulnerability in the Microsoft Windows operating system that was first disclosed in April.
I.B.M. security executives said they had also seen a 15 percent
increase in the past month in the percentage of network attacks against
critical infrastructure providers - computer network sites that
government agencies and companies use to provide essential services.
the overall increase is not major, attacks seeking vulnerabilities in
Web server software have increased the most, Mr. Mackey said.
Michelle Petrovich, a spokeswoman for the Department of Homeland
Security, said, "We haven't seen any increase in activity that would
indicate any widespread cyberthreat. "
Such attacks in the past
have frequently been a preliminary indicator of a more concentrated
strike against systems found to be vulnerable. But I.B.M. executives
said that they had no corroborating information that would suggest that
such a broad scale attack is being planned.
"A variety of
attackers are using software tools to do reconnaissance against
government agencies," Mr. Mackey said. He said it was not possible to
learn the motives or whether there was a common attacker behind the
infiltration that I.B.M. found.
As part of its index
announcement, I.B.M. made available a year's worth of data on security
trends that show distinct spikes in September of 2003 and March of this
Those dates correspond to attacks by computer worms, I.B.M. executives said.
analysts who track the computer security industry said reports like
those provided by I.B.M. and Symantec were useful to corporations
attempting to protect themselves from attacks over the Internet.
early-warning-type system would be a benefit to an organization," said
Allan Carey, a senior research analyst for International Data
Corporation, a research firm for the computer industry. "It would give
them time to create countermeasures."
At the same time, both
industry analysts and the I.B.M. security intelligence executives noted
that the industry was trapped in a cycle of disclosing network
vulnerabilities and then racing to distribute patches before the
security holes were exploited.
The I.B.M. executives said the
window that organizations had to prepare for an attack was getting
smaller. They said that the industry talked about "Microsoft Tuesdays,"
a reference to the day of the week that the software company, based in
Redmond, Wash., tells its largest customers about newly discovered
"There is a time gap that occurs, and generally
the awareness of a hole is made and all of a sudden it's a rush against
time to fix the hole," said Gregg Mastoras, a senior security analyst
at Sophos, an antivirus and antispam firm. "It's absolutely a vicious
cycle and it's an issue for the industry."
Both the I.B.M.
executives and other security experts said that they were seeing more
sophisticated attacks and that the culture of the computer underground
was shifting from bored teenagers to criminals attempting to steal
information or money.
Mike Walter, a senior architect in I.B.M.'s
Security Intelligence Service, said "sophisticated attacks generally
happen on weekends," when networks are least guarded.