While most corporate IT shops routinely spend a good amount of their budgets and energy protecting the perimeter, they may be missing the intruders that already are inside on the network.

That's the warning coming from Misha Govshteyn, chief technology officer for Alert Logic Inc., a Houston, Texas-based security company that provides both products and services.

IT managers tend to be fastidious about repelling attacks from the perimeter, he says, setting up intrusion detection systems, firewalls and anti-virus software. But all the while they're guarding the gates, the intruder may already be inside.

The problem, he says, is the botnet -- a network of computers infected generally with worms and Trojans. The infections leave the computers vulnerable to being remotely controlled by the virus writers. The hacker tries to cultivate as many infected machines as possible, building a virtual army of zombie machines -- also referred to as a botnet. Once this botnet is in place, the hacker can use it to send out spam or launch denial-of-service attacks.

But each of these zombie machines also can be used to let the hacker infiltrate further into the network that the infected computer sits on, picking up critical corporate and personnel information.

Govshteyn talks to Datamation in a one-on-one interview about how intruders are getting into the network, what they're doing once they're there and how to find them if they are already there.

Q: You say there's a new trend here. What is happening?
There are a number of solutions out there that protect internal networks. People have spent a lot of money protecting the perimeter and the desktop. This is the third wave of protection. I think this needs to be done at the network level. If you ask most network administrators what's going on on their networks once it gets past their perimeter, they say it's too hard to monitor. They need a way to do this cost effectively.

Q: What do you mean they're getting into the network by going around the perimeter?
Security is getting better so the threats are changing. We're doing a better job at protecting the perimeter so they're going around the perimeter. Look at the latest FBI/CSI report and you'll notice that 95 percent of all companies have firewalls and anti-virus, yet 50 percent report security breaches. If all these companies have solutions in place yet they're still being breached, then it's because the threats are changing... Instead of breaking in through the firewall, they wait for a worm to get in and then they take over that machine.

Q: Wouldn't protecting against worms and Trojans be part of the perimeter security?
No. You're not breaking into a server. You're breaking into a client directly. To me the perimeter protections are systems that sit and filter Internet traffic. Desktop traffic is more of an internal defense.

Q: People are pretty well aware of the threat from worms and Trojans. What is it that we're missing?
We track a lot of worm infections. One of the latest trends that people aren't concerned about, and they should be, is the vast rate of botnet infections. Look at what you can do with a botnet connected computer. Once an attacker gets access to that computer, they can upload code to it, they can force that computer to connect back to them. They can use it as a launch point for attack.

Q: Aren't the big botnets generally used to send out spam?
Most people don't realize how they're used. Mostly people think botnets are used for spam. Yes, that's how attackers make money. But a lot of times they use them to compromise systems internally, as well. A lot of monitoring dollars are spent on the perimeter but internally there's very little monitoring and protection going on... We've seen in our clients... a machine suddenly wakes up in the middle of the night and starts to explore other machines on the network. In a lot of cases, we let them know their machines are being controlled by a botnet. We look for behaviors. We look for signs that these machines are being compromised and we look for communication channels, communications through IRC that shouldn't be happening. A lot of times these botnet connections are made through chat applications.

Q: What kind of internal attacks are you talking about?
They could launch an automated attack, uploading some script to the computer and letting it run automatically. It could start scanning computers and attack their vulnerabilities. A computer in accounting will have a much easier time attacking another computer in accounting because there's no firewall in between them. This is an easy attack once someone is inside the network. It doesn't raise a lot of alarms... I think a lot of times financial information is exposed. A lot of times when critical information is lost we don't know how it happened. There's a very good chance that it's happening through a botnet computer.
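The two behaviours Govshteyn describes, a workstation opening an IRC channel to the outside and a machine that "wakes up in the middle of the night" and starts exploring its internal neighbours, can be checked from network flow records. The following is an added example written for this article, not Alert Logic's own code; the flow records, the IRC ports, the off-hours window and the fan-out threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow records for this example: (timestamp, source, destination, dest port).
SAMPLE_FLOWS = [
    ("2006-03-14 02:13:05", "10.1.4.22", "10.1.4.31", 445),
    ("2006-03-14 02:13:06", "10.1.4.22", "10.1.4.32", 445),
    ("2006-03-14 02:13:06", "10.1.4.22", "10.1.4.33", 445),
    ("2006-03-14 02:13:07", "10.1.4.22", "10.1.4.34", 139),
    ("2006-03-14 02:13:08", "10.1.4.22", "10.1.4.35", 445),
    ("2006-03-14 02:14:40", "10.1.4.22", "203.0.113.9", 6667),
    ("2006-03-14 09:30:00", "10.1.4.50", "10.1.4.10", 445),
    ("2006-03-14 09:31:00", "10.1.4.50", "10.1.4.11", 445),
    ("2006-03-14 09:40:00", "10.1.4.50", "198.51.100.7", 443),
]

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address space
IRC_PORTS = {6667, 6697}             # assumed IRC ports (plaintext and TLS)
OFF_HOURS = range(0, 6)              # assumed "middle of the night": 00:00-05:59
SCAN_FANOUT = 5                      # distinct internal peers before we call it scanning


def detect_bot_behaviour(flows, internal=INTERNAL, irc_ports=IRC_PORTS,
                         off_hours=OFF_HOURS, fanout=SCAN_FANOUT):
    """Return {source host: [reasons]} for internal hosts showing botnet-like behaviour."""
    peers = defaultdict(set)     # internal peers each host touched during off-hours
    alerts = defaultdict(list)
    for ts, src, dst, dport in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in internal:    # only internal sources are of interest here
            continue
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        # Check 1: an internal host talking IRC to the outside is a likely control channel.
        if d not in internal and dport in irc_ports:
            alerts[src].append(f"irc to {dst}:{dport}")
        # Check 2: collect off-hours internal fan-out, flagged below once it exceeds the threshold.
        if d in internal and hour in off_hours:
            peers[src].add(dst)
    for src, dsts in peers.items():
        if len(dsts) >= fanout:
            alerts[src].append(f"off-hours scan of {len(dsts)} internal hosts")
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in detect_bot_behaviour(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

The daytime host 10.1.4.50 touches only two peers and uses HTTPS, so it produces no alert; the threshold and window are the knobs a shop would tune against its own baseline.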