[ISN] Toward a More Secure 2003

From: InfoSec News (isnat_private)
Date: Thu Jan 02 2003 - 07:59:05 PST

  • Next message: InfoSec News: "[ISN] Un-Wired"

    By Alex Salkever 
    DECEMBER 31, 2002 
    The challenges to info-tech security will surely be daunting, and
    companies' efforts to stay safe will have to keep increasing
    With holiday cookies and sweets still being shared around offices
    everywhere, security is the least of concerns these days as most
    businesses are thinking merry, not wary. So what better time to
    examine the year ahead for what to expect in terms of computer
    security? First, 2003 will surely pose some pretty daunting challenges
    to chief security officers and the organizations they protect. At the
    same time, improvements in software and technology will elevate
    computer security to another level. Here's a quick rundown of what to
    Spam becomes an even bigger headache
    According to e-mail security-service provider Message Labs, spam's
    growth rate will continue be faster than that of legitimate e-mail --
    and in terms of sheer volume, spam will eclipse the legit stuff. That
    will make the spam torrent more burdensome and harder to control.  
    Companies that haven't invested in antispam software will need to do
    so, pronto, or have their employees waste more and more time simply
    hitting the delete key.
    Part of the bargain will be businesses accepting the fact that some
    messages will get tossed out with the trash, as antispam programs are
    hardly perfect. Still, it's better than being up to your eyeballs in
    smutty missives and come-ons for investment scams from randomly
    generated e-mail addresses.
    Instant messaging succumbs to spam, too
    Once a relative haven, instant messaging has recently become a target
    for spammers seeking new outlets. According to e-mail consultancy
    Ferris Research, IM spammers works off lists of addresses freely
    traded on the Internet. They usually send a message to someone on live
    IM asking them to visit a Web site that sells smut, bogus software, or
    often legitimate products being marketed in unfortunate ways.
    Since no IM spam-screening software is yet available, an IM user on
    the wrong list could spend a good chunk of time refusing invitations
    from IM spammers. That coverage hole will force many corporations to
    consider moving their IM users onto private messaging systems not
    accesssible to the public Internet.
    Hardware, hardware, hardware
    Security isn't shrink-wrapped anymore. Eighty percent of the licenses
    for expensive, high-grade firewall programs come on specially
    configured pieces of hardware designed to run this software. That's
    way up from a few years ago. And its only the start.
    From virtual-private-network servers to intrusion-detection systems to
    newer pieces of software designed to spot behaviorial aberations that
    point to a security breach, more and more products are moving from a
    piece of self-contained software that an IT consultant or your own
    systems administrator installs to a specialized piece of equipment
    built with security in mind. The upside? These systems are generally
    easier and cheaper to install and launch in a network. The downside?  
    Less flexibility for companies with special software needs.
    Safe computing outside the corporate perimeter Employees logging into
    corporate networks from home PCs over public broadband connections are
    now commonplace. As a result, security software and hardware that once
    did a fine job of guarding sensitive systems looks increasingly
    vulnerable. That's because all these remote networkers, be they
    employees or partners, are no longer snuggly inside the "official"
    data-security perimeter.
    Also, persistant worm-virus outbreaks, such as Nimda, explain why more
    and more corporations are going through the considerable hassle of
    putting security software -- firewall, intrusion detection systems,
    antivirus software -- on every desktop machine. Companies with
    end-to-end protection remain in the minority, but they won't be for
    long as it becomes easier to link up fleets of desktops with central
    control consoles that not only talk to the big, heavy-duty security
    appliances but also to the thousands of small programs guarding the
    road warriors' machines.
    Identity theft goes berserk online
    Call in the copycats. When well-organized ID thieves convinced a clerk
    at a Long Island (N.Y.) software company to give them access to tens
    of thousands of credit reports using his company's password, they
    illustrated how the Net makes the part of ID theft that was hard until
    now -- accumulating the information -- much easier. With widely
    available credit reports such an integral part of American business,
    it's hard to imagine how the credit agencies can quickly and simply
    limit access to the reports without impeding the flow of commerce.
    With easy access to credit reports available to thousands of people
    throughout the U.S., expect blockbuster ID thefts in 2003 and beyond.  
    Whereas credit-card numbers were traded freely on the Internet in the
    past, now the bad guys will trade entire personal dossiers. And fixing
    the problem will be much harder because it's pretty easy to screen out
    someone who has picked up one of your credit-card numbers but much
    harder when it comes to a rogue who has that, your bank-account
    number, you social security number, and the last five addresses you
    have called home.
    Of course, this little list is just the beginning. I haven't even
    touched on still-early trends such as merging physical and online
    security: Companies are starting to look at guarding these assets in
    coordination because often computer-security breaches start with
    physical breaches.
    Likewise, more and more businesses are installing software that tracks
    theft of sensitive, high-end intellectual property. Once hamfisted,
    the second generation of these systems works much better, according to
    Gartner security analyst John Pescatore. Both of these are topics I'll
    explore in depth during the next few months as their markets and uses
    All told, computer security remains one of the more dynamic areas of
    the moribund IT sector. And it'll get only more interesting in the
    coming year.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:50:13 PST