Security in Review: Yesterday and Tomorrow
Will it be "same old, same old" in security for 2008?
- By Chris DeVoney
This year has been evolutionary, not revolutionary, for IT security. The main issues of 2007 are becoming the trends of 2008. Several issues, however, may light up IT's radar a little more than the year just past.
Top Issues of 2007
1. Regulatory and Compliance
In early 2007, the TLA-FLA-Key-Name alphabet soup of regulations and compliance threatened some IT managers' sleep and vacations. Some smart enterprises got smarter, not only with spending and budgets but by looking for consolidated solutions. Because most enterprises are beholden to major federal and state regulations, as well as local statutes, leveraging similar surveys, inventories, and audits across multiple compliance mandates just made good business sense.
Following compliance guidelines made monetary sense, too. Several surveys showed the best run companies had fewer compliance deficiencies, fewer data losses, and usually better stock performance when compared with enterprises where compliance was less diligent.
A coworker recently concluded humorously that the only certainties of life were death, taxes, and spam.
Enterprises are sharpening their spam-cutters and phish-knives for e-mail, but enough phishing attacks dodge the filters to pose a security threat to corporate networks. Consumers, on the other hand, are still being abused to the tune of an estimated $500+ million. In spite of education and awareness, there was little decline in that cost between 2006 and 2007; corporations shoulder much of the commercial loss—for example, in cases of credit card fraud when consumers are reimbursed.
Although spammers and phishers span the globe more broadly than an ESPN sports report, one of the world's largest organized cyberfelon groups, RBN, recently pulled up stakes in Russia and is using IP addresses traced to the Far East, particularly China.
3. Security Breaches and Physical Losses
Customer data plus adversity equals headlines. When hackers hit the corporate jewels, thieves sprint off with physical assets. When backup media disappears, the press puts it on the front page, and 34 states demand that companies crank up their disclosure machines and send notifications to every customer, employee, or partner affected.
Looking at information at the Privacy Rights Clearinghouse, you get a feeling for the stunning amount of lost consumer/customer data. The good news is the count is by records, not by persons; the actual number of those affected by the losses is somewhat less. The bad news is that the numbers may be low because some of those losing data did not report the number of records.
The statistics are not comforting:
- Total records hacked or stolen via the Web: 102 million
- Total records lost via stolen equipment, printouts, or media: 7.4 million
- Total records lost by businesses: 112.5 million
- Total records lost by colleges/universities: 907,000
- Total records lost by medical/medical-related entities: 1.1 million
- Total records lost by government agencies: 12.7 million
Grand total of all records lost (worldwide): 236.6 million
A single entity, TJX, accounts for approximately 80 percent of lost records by businesses and loss through hacked/Web bleeds.
4. Criminals vs. Organizations
Cyberfelons didn't simply get better at stalking and grabbing for the corporate crown jewels—they got organized. Several core groups, mainly overseas, are recruiting programmers, hiring mules, and laundering merchandize and payment card information with more finesse than seen by organized crime families in the last century. Well-financed and very, very patient, these gangs are as adept at walking though the front door to redeem their plunder as they are at breaking through the back doors at night.
Top Trends for 2008
1. Non-Compliance BitesNext year may be the first when not complying with regulatory requirements of both governmental and business contracts carries a penalty. The Department of Health and Human Services more than hinted that corporate pocketbooks for egregious HIPAA violations would feel the pinch. The stalwarts of the payment card industry (such as VISA) are moving the requirements of the PCI 1.1 standard down to the Tier II merchants, those with card transactions between one and six million dollars annually.
Although no one expects PCI or HHS to go for the maximum fines, a few checks written for such non-compliance is bound to raise eyebrows in the CxO suite and boardroom.
2. Network Access Controls/Network Access Protection
NAC will tiptoe further into the corporate network during 2008. With more employees moving from desktops to notebooks, increased regulatory compliance, and heavier use of outsourcing and contractors, IT will become even more receptive to automatic identification, authentication, quick health inspections, and OS/application policy-checks for end-points.
In homogeneous environments, Microsoft's major contributions to Network Access Protection (its version of NAC) should get trials and wider deployment with Windows Server 2008 (Longhorn) and the Vista desktop software (with its early-year release of Service Pack 1 surfacing in 2008).
With a year of seasoning under its belt and the release of Service Pack 1, Vista remains a more secure version than any of its Windows predecessors. IT staff should expect more attacks directed specifically at the OS. However, Vista won't take over the desktop as applications and cost drive the desktop lifecycle. Don't expect legacy OSs to ride off into the sunset by the end of the decade. Next year we'll see increased Vista installations in the enterprise, but legacy and its inherent security problem still rule.
4. Targeted Attacks
The targets in 2008 shift only slightly from what we've seen this year. The network borders aren't impervious, but the applications (such as Oracle or MS SQL, PHP-drive sites, or just lax security) allow hackers to drive semi trucks to haul off data. Financial service companies (banks, insurance, brokerages) and specific industries (such as healthcare) will also see more blended threats aimed specifically at their employees and their customers. 5. E-mail Garbage
Can you say "choking point?" The only trend you can expect is more spam and phish clogging our gateways. Industry efforts to force e-mail servers to require sender authentication remain on paper, and legislative efforts to increase penalties or reach overseas felons will remain laughable.
With so much data lost or stolen, and disappearing portable equipment or removable media, encryption remains the unplayed trump card that enterprises better start putting up their sleeves—before investing heavily in Pitney-Bowes for mailing data-loss disclosures. Expect more systems (particularly notebooks) to use encrypting disk drives and corporations to get more serious developing policies and procedures for protecting consumer and client information.