New I.B.M. Report Will Warn of Computer Security Threats
Kevin Moloney for The New York Times
At I.B.M.'s Global Services network command center in Boulder, Colo., workers monitor a variety of threats to computer security.
By JOHN MARKOFF
I.B.M. plans to begin releasing on Monday a monthly report of threats to computer networks in an effort to establish an indicator similar to the federal government's Homeland Security Advisory System.

The report, to be named the Global Business Security Index, is intended to give computing managers early warning of a range of computer vulnerabilities like attacks by malicious hackers, automated software, viruses and worms, as well as to gauge the impact of political upheavals and natural disasters.

The index will be generated from data gathered by 2,700 International Business Machines information security employees and a global network of about a half-million sensors - software programs and security hardware distributed to its customers and its own networks in 34 countries. The network of sensors routinely detects 100 million suspected or actual attacks against I.B.M. customers each month.

The index will be released on I.B.M.'s Web site and will be part of a broader service known as the I.B.M. Security Threats and Attack Trends, or STAT, report, which the company offers customers at a cost of about $10,000 a year. That service is also produced by I.B.M.'s Security Intelligence Services, a group that is part of its managed computing services unit and is based on a corporate campus in Boulder, Colo.

I.B.M. is not the first to provide computer security managers with intelligence data on network threats. Several such services of varying scope are available commercially. Symantec, an independent security services and software publisher, offers DeepSight Threat Management System, a sensor network that takes information from 20,000 corporate customers and millions of personal computer customers who use the company's antivirus software.

The service, which has been available for four years and costs about the same as I.B.M.'s STAT report, generates a color-coded threat level and displays a publicly available global map of incidents that have occurred within the past day.

"We alert customers to trends," said Alfred Huger, Symantec's senior director.

The I.B.M. service can also provide a first line of defense in an increasingly networked world where attacks tend to be both instantaneous and huge, I.B.M. executives said.

"The security landscape today is totally different," said David Mackey, a former army intelligence analyst who now directs the company's Security Intelligence Services. "Customers want a holistic approach to security."

I.B.M. said Internet attacks directed at the networks the company monitors rose 27 percent in September over July and August. The most prevalent attacks currently come from computer worms - programs that are able to move automatically from computer to computer within a network. Many of the worms are targeted at a vulnerability in the Microsoft Windows operating system that was first disclosed in April.

The I.B.M. security executives said they had also seen a 15 percent increase in the past month in the percentage of network attacks against critical infrastructure providers - computer network sites that government agencies and companies use to provide essential services.

Although the overall increase is not major, attacks seeking vulnerabilities in Web server software have increased the most, Mr. Mackey said.

But Michelle Petrovich, a spokeswoman for the Department of Homeland Security, said, "We haven't seen any increase in activity that would indicate any widespread cyberthreat."

Such attacks in the past have frequently been a preliminary indicator of a more concentrated strike against systems found to be vulnerable. But I.B.M. executives said that they had no corroborating information that would suggest that such a broad scale attack is being planned.

"A variety of attackers are using software tools to do reconnaissance against government agencies," Mr. Mackey said. He said it was not possible to learn the motives or whether there was a common attacker behind the infiltration that I.B.M. found.

As part of its index announcement, I.B.M. made available a year's worth of data on security trends that show distinct spikes in September of 2003 and March of this year. Those dates correspond to attacks by computer worms, I.B.M. executives said.

Industry analysts who track the computer security industry said reports like those provided by I.B.M. and Symantec were useful to corporations attempting to protect themselves from attacks over the Internet.

"An early-warning-type system would be a benefit to an organization," said Allan Carey, a senior research analyst for International Data Corporation, a research firm for the computer industry. "It would give them time to create countermeasures."

At the same time, both industry analysts and the I.B.M. security intelligence executives noted that the industry was trapped in a cycle of disclosing network vulnerabilities and then racing to distribute patches before the security holes were exploited.

The I.B.M. executives said the window that organizations had to prepare for an attack was getting smaller. They said that the industry talked about "Microsoft Tuesdays," a reference to the day of the week that the software company, based in Redmond, Wash., tells its largest customers about newly discovered vulnerabilities.

"There is a time gap that occurs, and generally the awareness of a hole is made and all of a sudden it's a rush against time to fix the hole," said Gregg Mastoras, a senior security analyst at Sophos, an antivirus and antispam firm. "It's absolutely a vicious cycle and it's an issue for the industry."

Both the I.B.M. executives and other security experts said that they were seeing more sophisticated attacks and that the culture of the computer underground was shifting from bored teenagers to criminals attempting to steal information or money. Mike Walter, a senior architect in I.B.M.'s Security Intelligence Service, said "sophisticated attacks generally happen on weekends," when networks are least guarded.