An incident represents a higher level of description of security policy violations. An incident is a group of attacks related to each other by several parameters, such as the attack target, the attack purpose and so on. It is at this level that the "attack source" concept appears, which is missing in the other models (Fig. 2.11).
Fig. 2.11. The "Incident" model
An incident can be implemented using a single attack, as well as by using several sequential or parallel attacks. The success of an intrusion is determined by whether or not the intruder has achieved the desired result. The attack fails if the intruder has not achieved any of his goals. However, the victim remains a victim, and some consequences and losses are possible even in this case.
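The grouping just described, as an added illustration that is not part of the book: attack records (constructed sample data) are correlated into incidents by shared target within a hypothetical 30-minute window, so that sequential attacks from one source and parallel attacks from several sources against the same target form one incident, and an incident counts as successful when any of its attacks achieved its goal.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample attack records (not real data):
# (timestamp, attack source, attack target, attack purpose, goal achieved?)
SAMPLE_ATTACKS = [
    ("2002-03-01 10:00:00", "10.0.0.5",  "www",  "recon",                False),
    ("2002-03-01 10:02:00", "10.0.0.5",  "www",  "exploit",              False),
    ("2002-03-01 10:03:30", "10.0.0.5",  "www",  "privilege-escalation", True),
    ("2002-03-01 12:00:00", "10.0.0.9",  "mail", "dos",                  False),
    ("2002-03-01 12:00:01", "10.0.0.10", "mail", "dos",                  False),
    ("2002-03-02 09:00:00", "10.0.0.5",  "www",  "recon",                False),
]

@dataclass
class Incident:
    target: str
    first: datetime
    last: datetime
    sources: set = field(default_factory=set)    # "attack source" appears at this level
    purposes: list = field(default_factory=list)
    succeeded: bool = False                       # intruder achieved at least one goal

def correlate(attacks, window=timedelta(minutes=30)):
    """Group individual attacks into incidents (hypothetical correlation rule).

    An attack joins an existing incident when it hits the same target within
    `window` of that incident's last attack; otherwise it opens a new one.
    """
    incidents = []
    for ts, src, dst, purpose, achieved in sorted(attacks):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for inc in incidents:
            if inc.target == dst and t - inc.last <= window:
                break
        else:
            inc = Incident(dst, t, t)
            incidents.append(inc)
        inc.last = t
        inc.sources.add(src)
        inc.purposes.append(purpose)
        inc.succeeded = inc.succeeded or achieved
    return incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ATTACKS):
        print(f"{inc.target}: {len(inc.purposes)} attack(s) from {sorted(inc.sources)}, "
              f"{inc.first:%Y-%m-%d %H:%M} to {inc.last:%H:%M}, succeeded={inc.succeeded}")
```

The sample yields three incidents: a sequential chain against "www" that succeeds, a parallel two-source denial of service against "mail" that fails, and a separate "www" probe the next day that falls outside the window.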
As statistics have shown, the number of security incidents grows proportionally to the growth of the Internet. Table 2.6, created on the basis of CERT/CC data, illustrates this growth. Notice that the number of processed e-mail messages exceeds these numbers by several times.
Table 2.6. Growth in the number of security incidents (CERT/CC data)

| Year | Number of incidents | Number of e-mail messages |
|---|---|---|
| 1988 | 6 | 539 |
| 1989 | 132 | 2869 |
| 1990 | 252 | 4448 |
| 1991 | 406 | 9629 |
| 1992 | 773 | 14,463 |
| 1993 | 1,334 | 21,267 |
| 1994 | 2,340 | 29,580 |
| 1995 | 2,412 | 32,084 |
| 1996 | 2,573 | 31,268 |
| 1997 | 2,134 | 39,626 |
| 1998 | 3,734 | 41,871 |
| 1999 | 9,859 | 34,612 |
| 2000 | 21,756 | 56,365 |
| 2001 | 52,658 | 118,907 |
| 2002 | 43,136 | 95,163 |
Interest in e-commerce will only intensify this growth. Furthermore, another trend has been noticed. During the 80s and early 90s, external intruders attacked Internet hosts just to demonstrate their skills or out of mere curiosity. Currently, most attackers want to achieve financial or political goals.
The skills and level of knowledge of the intruders have also changed. In the 80s, these were IT experts (Fig. 2.12) with a sound knowledge of the UNIX operating system and the C or Perl programming languages, who wrote the source code of exploits themselves. More modern intruders, on the contrary, mainly employ ready-to-use GUI tools. According to the latest data, the share of such "hackers," or script kiddies, has reached 95%. Only a limited number of real hackers write exploits themselves. Currently, any user who has a computer with an Internet connection can attack a victim via the Internet and cause significant damage to that person's hard drive.
Fig. 2.12. Complexity of attacks and intruder's skills
In the past, an intruder entered commands manually and could not access more than a dozen or a hundred remote systems simultaneously. Now, thousands of remote hosts can be attacked simply by pressing a key. In contrast to the past, it is currently rather difficult to detect an intruder who has penetrated your system. An intruder can penetrate a network, implement an attack and hide the traces of his or her activity within a few seconds. Denial of Service attacks were not popular in the past, and no one could have predicted that they would become a matter of any importance. Now, the situation has changed (for example, the DDoS attacks on the Amazon, eBay, CNN and other servers).