In-Depth

Beyond Malware, SOX, and Data Breaches: The 2006 Security Forecast

Regulations, application vulnerabilities, data breaches, and evolved malware accounted for 2005’s top security trends. We look ahead to what’s in store for 2006.

• By Mathew Schwartz
• 12/20/2005

It seems there was no let-up for IT workers trying to protect company resources and users from a host of vulnerabilities. Among the notable trends we observed this year:

1) Data Breaches Reached Epidemic Proportions

At the beginning of 2005, it seemed to be the year of the ChoicePoint data breach, after the company announced it had allowed at least 145,000 Americans’ personal information to be compromised. Later data-loss incidents, however, quickly trumped that. Thanks to hackers, malicious insiders, and lost laptops and backup tapes, many organizations reported exposing quite a number of Americans’ identities to fraud, including Ameritrade (200,000 records), Bank of America (1.2 million), Bank of America (undisclosed), CardSystems (40 million), CitiFinancial (3.9 million), and Time Warner (600,000), and the University of Southern California (270,000). As a result, many states began implementing their own versions of the California SB 1386 law that initially blew the lid off of the data-breach problem.

2) Malware Evolved

Spyware is insidious enough, but get a few hundred thousand computers exploited by spyware, viruses, worms, or Trojan code together, and this group of zombie PCs—known as a bot network—really gets the party started. Bot networks can be used to launch devastating denial of service and phishing attacks, and to relay spam, to say nothing of harvesting sensitive information from the infected PCs themselves. They’re also rentable.

Thanks to security researchers, many bot networks get shut down soon after they open. Yet there’s an inevitable arms race: attackers increasingly design smaller, faster, and smarter exploit code, and maintain smaller bot networks to better evade detection.

3) Applications Became Favored Targets

Step aside, operating system (OS) and Internet service vulnerabilities—at least statistically speaking. This year’s SANS list of the most critical vulnerabilities revealed that in 2005, applications have become the most at-risk information security resource.

Thank the prevalence of vulnerabilities in applications for driving attackers to increasingly target them as the easiest way to hack into an enterprise. Security applications are also at risk, including antivirus and backup and recovery software, as are the operating systems that run security appliances.

4) Everything Became “Compliance Related”

Need to get an information security project approved? Label it compliance-related. That was one of the most interesting trends for 2005: how the compliance moniker garnered green lights for “compliance-related” IT projects.

Where such projects did involve compliance, of course just throwing money at the problem didn’t lead to effective, repeatable, economical, or long-term solutions. Still, after scrambling during the first year of Sarbanes-Oxley (SOX) compliance in 2004, by 2005 many organizations had implemented more secure, automated controls to ensure compliance.

Security Predictions for 2006

1) Security Spending Still Means SOX Spending

As with 2005, so with 2006. According to AMR Research, SOX spending will remain level from last year to this, with organizations spending a bit more than $6 billion on SOX in 2006. What’s interesting is the firm expects headcount-related budgets to fall by 8 percent from 2005 and technology spending to increase by 13 percent. (Consulting service fees will remain steady.)

In other words, expect further use of automated technologies, turning annual compliance efforts from one-off projects into sustained, repeatable initiatives that enable companies to wrest business benefits—finding redundancies, streamlining business processes—from their compliance work.

2) Vista: No 2006 Security Upside

Microsoft’s next-generation OS, Vista, is due by the end of 2006. According to Forrester Research, however, only a third of enterprises plan to begin—with emphasis on that word—rolling out Vista once it’s released. Will Vista include notable and desirable security improvements? Undoubtedly, but until organizations really make the push to implement Vista (which could take several years, at least), the new OS won’t noticeably improve enterprise security.

3) Customers’ Security Will Be Companies’ Problem

Companies have an increasing security mandate: don’t just appear secure; also secure your customers. In 2006, an increasing number of organizations will take more responsibility for their customers’ PC security.

Some companies already offer toolbars to block phishing attacks, and more banks are introducing two-factor authentication for accessing financial information online. Also witness a 2005 Federal Deposit Insurance Corp. (FDIC) Financial Institution Letter, “Best Practices on Spyware Prevention and Detection,” which explicitly recommends banks help consumers protect their PCs from spyware.

4) Useful Endpoint Security Gets Easier

With a 2005 Webroot study reporting adware or spyware infects 80 percent of enterprise desktops, organizations need a way to ensure such endpoints get cleaned before accessing the network. There’s been a lot of noise about endpoint security initiatives, including Cisco’s Network Access Control (NAC) and Microsoft’s Network Access Protection (NAP).

What’s been largely missing, however, is technology that automatically integrates, out of the box, network-access controls—quarantining and scanning all devices before granting network access—with the needed range of complementary security products, including on-demand antivirus and vulnerability scanning, and patch management. In 2006, expect such tools to appear, possibly even as enthusiasm wanes for the Cisco-preoccupied NAC, and Microsoft’s overly broad NAP.

Related Articles

Spyware Hampering Compliance Initiatives
http://www.esj.com/news/article.aspx?EditorialsID=1578

Attackers Shift Exploits to Applications
http://www.esj.com/Security/article.aspx?EditorialsID=1570