In-Depth

In Brief

CSOs concerned by malware and regulations; top IM security predictions; Eudora vulnerability

• By Mathew Schwartz
• 02/09/2005

Malware and Compliance Lead CSOs’ Concerns

The leading issues facing chief security officers (CSOs) this year are inadequate budgets, viruses, and worms.

So say almost 90 CSOs, participants in the recent CSO Interchange conference in New York City. The conference was founded by Howard Schmidt, chief information security officer of eBay, and Philippe Courtot, CEO of audit and vulnerability management software provider Qualys.

Conference participants responded to a variety of survey questions. Among the more interesting results: just over half of CSOs say their security budgets increased last year, yet 84 percent still say their organizations under-fund security. Almost 70 percent are concerned with online fraud, yet many say their organizations haven’t taken steps to prevent it. Ditto for phishing attacks, with less than half saying their organizations are aggressively tackling the problem, and 54 percent saying their organization hasn’t increased defenses to resist phishing attacks.

Top security concerns—for 58 percent of attendees—include worms, viruses, and Trojan horse software, as well as meeting regulatory requirements. On the compliance front, 82 percent of respondents say top executives concern themselves with issues of data privacy, and an almost equal number say their company’s Sarbanes-Oxley reporting now includes security information.

Increasingly, it’s up to CSOs to manage how their organization will meet security-related compliance requirements. In fact today, “in most cases, the CSO is the individual responsible for bridging technical security issues with bottom-line business challenges,” notes Jaime Chanaga, the CSO of Geisinger Health System and a conference attendee.

With CSOs increasingly sitting at the senior-management table, their job responsibilities aren’t decreasing. Seven in 10 say their jobs have become harder over the past year. Furthermore 80 percent report cyber attacks are having an effect on their company’s bottom line.

- - -

Top 4 IM Security Predictions for the Year

What’s in store for instant messaging (IM) this year? Based on an analysis of attacks aimed at over 500 enterprises over the past year, IM security vendor Akonix released its top four IM predictions for 2005.

1. IM grows as an attack conduit. The quantity of viruses and malware distributed over IM has increased over 300 percent per year for the past three years, and will continue to do so, says Akonix. With IM malware now hitting critical mass, the company predicts “the first widespread damage from a major IM attack will hit corporate networks worldwide” this year.

2. Record-keeping regulations enforced. Akonix predicts “the first major fine for failure to retain IM business records will be levied by the SEC.” In many industries, IM communications must be treated like e-mail, and archived accordingly.

3. Amount of spam over IM doubles. Spam will begin “to pose more than a nuisance for IM users.”

4. Enterprise and public IM networks link up. “The first authorized, truly cross-system connections will finally be delivered between enterprise IM systems and public IM networks.” Expect cross-network virus attacks to follow quickly.

While attacks via spam are nothing new, the volume of attacks is going to be more noticeable this year, says Akonix, given the continuing increase in IM use. By 2008, META Group predicts IM communications will be as prevalent as e-mail.

- - -

Eudora Vulnerabilities

The Windows version of popular e-mail program Eudora has multiple vulnerabilities reports John Heasman of Scotland-based Next Generation Security Software Ltd.

Versions of Eudora up to 6.2.0 are vulnerable to arbitrary code execution, he says. “The flaws permit execution of arbitrary code via previewing or opening a specially crafted e-mail, [or] opening specially crafted stationary or mailbox files.”

Vulnerability information service Secunia rates the vulnerability as “less critical.”

Upgrading to version 6.2.1 of Eudora fixes the problems. Qualcomm, which makes Eudora, also notes “this problem does not affect Macintosh Eudora.”

Next Generation Security Software says it will publicly withhold full details of the flaw for three months, until May, to allow Eudora users time to upgrade.