IT Security: Expect More Misery in 2009
This year, the IT industry reached an inflection point, where more new malicious programs were created than useful ones. So says security solution provider Symantec in its latest report highlighting some of the top security trends in 2008.
The report also spells out what to look for in 2009.
"With today's threats growing in volume and severity, we see that there are several things to look for," said Zulfikar Ramzan, a technical director at Symantec. "The rapid explosion of new malware variants and the move towards targeted malware are certainly worrisome."
Symantec officials expect that the current recession and credit crisis, along with the rise of social networking and the use of mobile devices, will shape the types of security threats that we'll see in the near future. For instance, bank mergers and bankruptcies may provide occasions for compromising online security through phishing attacks (fake official-looking notices sent by e-mail).
This year's trends, according to the report, included malware variants, fake applications, Web-based threats, plug-in vulnerabilities, and data breaches.
Under the malware variant category, you find Trojan viruses, phishing and not so tasty worms and spam. In addition, the last quarter of 2008 saw the resurgence of the botnet bug. A botnet is a robot doing the bidding of hacker. It is malicious software that autonomously replicates itself on a network. Most botnet attacks occur on systems using Windows. They can be installed via worms, Trojan horses and other malware.
In the fake application category, you find vulnerabilities such as the fake security update, which may target users of Microsoft products. The fake security update routes users to a server not affiliated with Redmond to "patch" their Windows systems. According to Microsoft, in November alone, the Microsoft Windows Malicious Software Removal Tool eliminated fake security applications on almost one million PCs.
Web-based threats aren't so simple anymore. Trusted Web sites can contain embedded coding that reroutes users to an unfriendly server.
Plug-in vulnerabilities affect users of Windows Media Player, Apple's QuickTime, and Adobe Flash, among others. The bugs can crash a user's system.
Data breaches of enterprises large and small remained on the radar in 2008, as they did last year. These types of attacks are varied in nature, use different attack vectors, and grab headlines, as well as the attention of concerned IT pros. Victims include the grocery chain Hannaford Bros. and the Walter Reed military hospital, among others.
2009 Trends To Come
In 2009, computer users can expect to see more spam, possible security issues with virtual machines, and social networking-borne vulnerabilities added on top of 2008's list.
Microsoft's Bill Gates said that the spam problem would be "solved two years from now," but that was back in 2004, and it's still a problem. Symantec takes the view that spam will be as unavoidable as those weight-loss prevention ads and double-coupon notices that come unsolicited via snail-mail from your local post office.
A good spam filter can help, Ramzan said, "but it is also important to ensure that endpoints are protected with a comprehensive internet security suite that includes anti-virus, anti-spyware, and intrusion prevention capabilities among others," he added.
The jury is still out on whether virtual machines also require virtualized security on top of traditional security measures. Recent surveys have suggested that many IT admins don't trust the security of virtualized systems.
Expect to see more social networking sites as attack vectors in 2009. It's not uncommon these days to find malware on sites such as Facebook, Myspace or LinkedIn. Using a compromised account, hackers can send messages to everyone the user added to their social network. These "friends" will likely trust such messages, and this is how a Trojan horse or botnet can be released.
The Underground Economy
According to Symantec's research, a keystroke logger can be bought for $23. A hacker typically might pay $10 to have someone else host a phishing scam to avoid detection. A botnet of one's very own can be had for as little as $225. Industry-specific toolkits, such as those exploiting Internet banking site vulnerabilities, average $740 each.
The use of such tools for identity theft and credit card scams creates an industry worth a quarter of a billion dollars, according to Symantec.
Steps To Take
Symantec and other IT security pros suggest adopting security measures based on individual needs and assessed risk.
The main challenge for security administrators and CIOs will be enabling one enterprise-wide security policy that integrates a wide range of applications and hardware at various stages of obsolescence. A security policy involves employee education, data loss-prevention strategies and the use of encryption tools.
"There is no one silver bullet that can fully address an overarching security problem or group of problems," Ramzan said. "We believe in forming a defense-in-depth strategy."
-- Jabulani Leffall