In-Depth

Security: A Look Back and the Year Ahead

From smarter criminals to network access protection, IT is going to have its hands full in 2007.

• By Chris DeVoney
• 12/19/2006

Evolution marked 2006, both for corporations and for criminals. Many of the top issues of 2006 become trends for 2007. These are a few of the issues CSOs and IT managers have seen and will remain on their radar in the next year.

Top Issues of 2006

Issue #1: Regulatory Compliance

Although no single act or regulation significantly heightened consternation among senior IT managers in 2006, the collective impact of the key names (Sarbanes-Oxley, Gramm-Leach-Bliley), plain names (USA PATRIOT Act, privacy laws in many states), and an alphabet soup (HIPAA, OTS, OCC, SEC, FDA, DHHS, DHS, and EUDPA) reached a new stress-inducing and budget-busting high this year.

Adding to that strain on December 1 was one more set of initials, FRCP—Federal Rules for Civil Proceedings—which, for discovery purposes in a lawsuit, mandates electronic information, including any relevant all e-mail and instant messages, must be available. Since few IT managers are prescient, the usual recourse for an enterprise is to capture any bits moving around and through the company. What’s new in the amendments to the rules is the addition of instant messaging and handling procedures for backup media.

Fortunately, there’s synergy—many procedures needed to fulfill one regulation help with others. However, some reporting and auditing requirements are unique to each regulation, and the burden to IT departments remains significant.

The single biggest winner of the regulatory/compliance environment remains disk-drive and backup-tape makers, whose products archive the staggering amounts of data that companies must retain.

Issue #2: Phishing

Cyberfelons sitting at computers anywhere from Russian to China to the notorious Nigeria brought social engineering to new heights through ingenious use of disguised e-mail and bogus Web sites. Although no firm figure is available, the result of these 419 and similar scams defrauded American consumers of an estimated $500+ million. It’s not just a consumer problem; corporations, particularly banks, were on the hook for substantial portions of the losses.

Issue #3: Physical Losses

When physical media met physical adversity, reporters followed. The most noticeable event was backup tapes belonging to Bank of America going AWOL on their journey to the vaults at Iron Mountain. Given that every major data center sends backup media to offsite locations daily, several experts think that backup media may be performing a disappearing act every week somewhere in the U.S.

Two factors made the loss remarkable. First, California is one of 30 states whose laws mandate disclosure of any customer data breach. Second, the lost tapes contained information on 60 U.S. senators.

Two employer-owned notebook thefts from homes in the Washington, D.C. area garnered significant attention: a V.A. notebook containing information on over 75,000 clients, and an ING U.S. Financial Services notebook with information on 13,000 District of Columbia employees and retirees. The V.A. computer did a Houdini act and reappeared; the ING computer has not.

In the category of physical security, many companies spent significant parts of 2006 revising their disaster recovery plans based on the lessons learned from 2005’s biggest disaster, Hurricane Katina.

Issue #4: Education Has Its Problems

In December 2006, the University of California Los Angeles campus set in new record for an educational institution when it informed 800,000 current and former students, faculty, and staff that their names and personal information were exposed after hackers broke into a campus computer system starting in October 2005 and lasting until November 2006.

The number eclipsed football-rival’s Ohio State’s announcement in May 2006 of a breach effecting 173,000 individuals and cross-town rival University of Southern California’s 2005 announcement of a breach concerning 270,000 individuals.

Top Trends of 2007

Trend #1: Vista Security

There is little doubt Microsoft designed the latest version of Windows to be the most secure client the company has produced. Vista does have security improvements but hasn’t been battle tested, and several features need Longhorn, which won’t be available until late 2007. The first service pack, the benchmark that too many IT managers consider significant, won’t make its debut until Fall 2007, so although MS put the business edition underneath the 2006 holiday tree, most IT manager will unwrap their deployment plans around Christmas … Christmas 2007.

Trend #2: Network Access Controls/Network Access Protection

Whether it’s NAC (the acronym used by most of the industry) or NAP (Microsoft’s policy enforcement platform built into Vista and Longhorn), corporations are spending the dollars to provide admission control first to traveling systems then to all systems connecting to the network. Expect the complement of identification, authentication, quick virus/spyware health inspections, and end-point policy checks for the OS and applications.

The movement gained more attention in 2006 as over 40 percent of senior IT managers surveyed were considering or implementing NAC solutions. The root causes for the increased attention in 2007 is the even higher use of outsourcing/contractors and the increased regulatory compliance.

Trend #3: Better (Worse?) Criminals

A couple of smaller trends combine to a more serious problem. Cyberfelons are getting more imaginative, more skillful, and more patient. The tools are improving and nimbleness is often displayed. The stakes are less bragging rights by “0wning” systems or electronic vandalism and more for higher-stakes monetary gain. Although the CSOs have not yet seen meticulous planning rivaling Oceans 11, don’t bet the corporate jewels by underestimating their skills.

Trend #4: Targeted Attacks

When you couple smarts and patience, the rumblings have already started that some cyberfelons are targeting both specific applications and specific companies. Exploits for specific software, such as Apache Web servers or MS SQL Server, have been known for ages. The newer targets are traditional foundation software, such as Oracle server, and specific end-user companies such as banks, government agencies, and health care companies. The exploit stays in the grass and quietly mines until enough loot is readied for rapid cyber-getaway.

Trend #5: E-mail Offal

Although networks have long been overfed a diet of spam and phish for several years, the problem has reached productivity-annoying levels in 2006 and will be at gagging levels in 2007. Depending on the resource, spam/phish message account for 50 to 90 percent of all e-mail traffic and up to 40 percent of all Internet traffic. Set aside the network-choking aspects of this traffic; the productivity losses from thousands of employees taking multiple fractions of a minute each day to note and discard the electronic debris is literally in the multimillions per company.

The problem has been aggravated by two recent factors: large for-hire botnets whose distributed power generates millions of e-mails each hour, and the continued nimbleness of spammers to evade antispam filters by changing text and images. Industry efforts to force e-mail servers to require sender authentication, and legislative efforts to increase penalties or reach overseas felons, are likely to fizzle.