In-Depth

From One Security Nightmare To Another

Security managers have boosted antivirus and firewall protection, but enterprises may need to switch gears as new regulations target how enterprises handle personally identifying data

The oldest enemies often seem to be the worst.

To wit: Despite the prevalence of host-based and network-based methods for arresting antivirus, IT managers’ most-prevalent fear continues to be viruses and worms. The second-worst threat is employees using resources in unapproved ways, followed by regulatory non-compliance and the effects of spam.

Those results come from a January 2005 survey by Forrester of 200 “technology decision-makers” at North American companies.

Given these worries, companies are responding in multiple ways, notes Forrester analyst David Friedlander. “Companies are deploying client and gateway antivirus programs, personal and network firewalls, anti-spyware, and host- and network-based intrusion detection systems (IDS) or intrusion protection systems (IPS).”

In particular, desktop security is getting a boost. For example, 65 percent of organizations plan to further implement enterprise anti-spyware tools; 80 percent say they currently use anti-spyware tools. In addition, 42 percent of companies will strengthen endpoints by unrolling desktop firewalls, and 31 percent will also add host-based IDS or IPS to their desktops.

Of course, from cost, management, and efficiency perspectives, targeting individual desktops may not give the greatest return on investment. As Forrester notes, “Network and gateway security is still one of the best ways to protect the corporate network— it is the organization’s first line of defense to keep malicious code out of the network.” Expect spending to follow suit, with 58 percent of companies implementing network firewalls this year, 43 percent unrolling antivirus in a gateway, and 35 percent implementing network-based IDS or IPS.

Given the perceived threat from spam, 53 percent of organizations will bolster content filtering and spam-control tools.

Identity Theft Ranks Low

Of the nine threats organizations were asked to rank, 68 percent characterized viruses and worms as one of their top-three threats. Given the attention paid to those threats, however, and the installed base for antivirus software—nearly 100 percent of all corporate desktops, according to most research firms—organizations may be neglecting other security threats.

For example, on the list of nine concerns organizations were asked to rank, note the one ranked last: identity theft. Only 12 percent of respondents characterized it as one of their top-three threats. Given that digital identity theft is a relatively new problem, could the its low ranking reflect that organizations don’t fully understand the threat, or that there’s no easy to install, off-the-shelf software for mitigating it?

To be sure, the threat of identity theft doesn’t affect all industries equally. Yet given the recent high-profile cases of information theft or loss, such as from ChoicePoint and Bank of America, companies may want to revisit their security policies for preventing identity theft. In particular, any organization that buys, sells, or uses consumers’ sensitive information, or which is a bank or other financial organization, get ready for more regulations.

Banks Get New Notification Regulations

Already, for example, thanks to newly issued guidelines, banks must tell customers when they’ve had a security breach involving customer information. The guidelines, known as “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” were released by the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

According to the guidelines, “When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.”

In addition, “If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.” Law enforcement agencies with active criminal investigations may, however, delay that notification so as to not disrupt the investigation. Regardless, the financial institution must also notify federal regulators.

Congress Gears Up

Beyond banks, other industries are under threat of impending legislation. Currently only California requires disclosure when its residents’ information is lost or stolen. On the heels of the theft of information from ChoicePoint, however, and the fact that ChoicePoint notified over 13,000 California residents that their information was stolen, another 19 states’ attorneys general requested ChoicePoint also notify their residents, even though no law required it to.

Expect that to change, and for the momentum from recent identity-theft attacks to result in new legislation, predict numerous security experts. While such legislation may start at the state level, experts predict Congress will create a country-wide notification law, so companies don’t have to navigate different laws for every state. Of course, for people whose information has been stolen, that might be seen as a small price to pay.

Related Articles

Social Engineering Bypasses Information Security Controls
http://www.esj.com/Security/article.aspx?EditorialsID=1308

Microsoft Update Onslaught Targets Spyware, Viruses
http://www.esj.com/news/article.aspx?EditorialsID=1284

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.

Must Read Articles