http://www.redherring.com/Article.aspx?a=15013&hed=Top+Security+Trends+for+2006§or=Industries&subsector=SecurityAndDefense December 25, 2005 2005 has been a banner year for cyber-villains. Thanks to hackers, some of the United States. largest corporations, including financial services giant Citigroup and media powerhouse Time Warner, had sensitive data swiped from their supposedly secure databases. Smaller companies weren.t immune this year either, with retailer DSW Shoe Warehouse and credit card processor CardSystems, bought by Pay Per Touch in October, both victims of cyber break-ins (see Credit Cards Bar CardSystems [1]). Data theft wasn't the only danger in 2005. An Internet worm, Zotob, infected computers at media companies like CNN and financial behemoths like Visa in August. And email nuisances, spam and phishing, were also on the rise. Will it get better in 2006? Not really, say security experts. In fact, the threats may get worse. That's because just as security systems become more sophisticated, the threats will become more complex and innovative - all in an effort to stay a step ahead. Looking forward, security experts see eight major trends in security in 2006. Among them, voice spam is expected to become a growing annoyance as VoIP applications become more widely used. Another concern: cyber-criminals will exploit the low levels of security in mobile communications to gain access to data in laptops and other devices. Here are the security trends to watch for in 2006: Phishing Frenzy Phishing, the practice of sending fraudulent emails to encourage users to divulge personal or financial information, will increasingly target customers of smaller organizations in 2006. Until recently, phishing victims often received email purporting to be from large banks like Citibank and Bank of America or sites like eBay. But these organizations are deploying greater security measures to combat phishing, forcing scammers to turn to smaller targets. Next year's targets could include customers of, say, the local credit union, security experts said. Scammers will aim for residents of a specific town posing as a local financial institution, local governmental organization, or university, predicts Joel Smith, chief technology office for AppRiver, a Gulf Breeze, Florida-based spam and virus filtering service provider (see Worm Poses as FBI or CIA Email [2]). "We are going to see more regionalized, localized targeting," he said. "Scammers will look for subscribers of regional ISPs [Internet Service Providers] and send them emails purporting to be from the local credit union." For scammers, the upside with such targets could be a higher rate of return. "Small organizations or targets from smaller cities may not have been as exposed to the phishing spams as larger or technologically savvy groups," says Mr. Smith. Business Worm's Rise Before Zotob struck, computer attacks were often directed at home users. But this worm, which exploited a vulnerability in Microsoft.s Windows operating system, affected businesses, marking the rise of Internet criminals focused on financial gain (see Zotob Heralds Business Worm [3]). These attacks on businesses are expected to increase next year, said Bruce Schneier, founder and chief technology officer for security firm Counterpane Internet Security. These Internet criminals differ from the hacker hobbyists who were content terrorizing home users in several respects, he said. "Hobbyist hackers looked for new and clever attacks, while criminals will use whatever works," he said. "Hobbyists generally didn't care who they attacked, while criminals are more likely to target individual organizations." The big concern? This new breed of cyber-thieves will target proprietary information like trade secrets, or personal data like social security numbers that can be sold on online black markets. For businesses, the spread of this new breed of worms will mean they'll have to tweak security policies to institute new security protocols that can react faster to threats. Insider Threat Many of the data leaks in 2005 may have stemmed from poor security measures. And while companies spend millions securing their networks from intruders, they often ignore one of the most likely sources of leaks: insiders or company executives who can inadvertently or deliberately leak information. Many companies that have off-site call centers managed by third parties don't routinely review their systems to stop leaks, said Joseph Ansanelli, privacy expert and chief executive officer of Vontu, a San Francisco-based company that works to prevent data loss. Often overlooked, the insider threat will grow in 2006, forcing more companies to add a layer to their network that will monitor the information accessed and distributed by employees (see Q&A: Security Wonk Dan Verton [4]). Increasing Network Control The threat of crooked insiders and more stringent compliance regulations will force companies to implement identity-driven networks that control who uses a network. Driving the change is legislation like Sarbanes-Oxley, which calls for specific security measures and complete visibility into network users, devices, addresses, policies, and activity. The basic network identity services that exist today cannot meet the requirements, said Robert Thomas, president and chief executive officer for network security company, Infoblox. "The anonymity associated with conventional network deployments has existed for years; however, the repercussions of that anonymity, increasing regulatory compliance pressures, and security concerns over the last year or two have dramatically raised the visibility around these issues and call for a new approach," he said. Wireless Security Focus Hackers are finding it increasingly easy to steal information from devices that contain people.s private data, as a growing number have wireless capabilities, said security experts. Wireless technologies like Wi-Fi may be more widespread, but many users are still ignorant about the security measures they must use on these networks to keep hackers at bay. Security experts see 2006 as the year when threats on wireless networks will come of age. As Wi-Fi moves to airplanes, trains, and other public locations, cyber-criminals will seek to exploit the lack of knowledge about mobile security measures to gain access to user information. One prime target? Laptops carried by business users, said MessageLabs, which provides email security and management services. Increased Security Legislation Over the last two years, a number of states have enacted laws similar to one in California requiring companies to disclose security breaches to protect state residents from identify theft. In 2006, a federal law along these lines is a strong possibility, security experts said. Other legislation in the federal pipeline includes a bill that would set standards on what is spyware, how these programs should behave, and what is deemed violations. Spyware are malicious programs that sneak into users. computers and monitor their usage. "The legislators will also continue to dictate what types of security measures must be taken in order to prevent unauthorized access to sensitive company information," said Vontu's Mr. Ansanelli. Voice Spam Begins The popularity of Skype and VoIP will lead to new forms of spam attacks next year, security experts predict. As VoIP applications become more widely used, there will be a rise in voice spam. That's because VoIP services lack strong encryption and they can become a target of scammers, said Information Risk Management, an independent security consultancy firm. "Just as web users can be plagued by pop-up advertisements and spam email, it is expected that VoIP services will be the next target," said the company in a report. "Users could find calls redirected or hijacked by advertisements." Though there are some security solutions for VoIP traffic and equipment, service providers will have to move in faster to nip the problem in its early stages. Selling to SMBs Of course, all these new threats can mean new business for security companies. Traditionally, security companies have focused on selling their products to bigger players as large organizations have big IT budgets that will let them spend on securing their networks. But as smaller firms become the targets of security attacks, security startups will pay more attention to them. Companies offering managed security services, which involves outsourcing the needs to specialists rather than doing it in-house, will be best positioned to capitalize on this trend, security experts said. In 2006, there's likely to be a spike in small and medium businesses using managed security services hosted by security companies, said Brad Miller, chief executive officer of Perimeter Internetworking, a managed network security services provider. This "enables SMBs for the first time to outsource their security and receive pre-integrated services and continuous updates at an affordable price," said Mr. Miller. "They did not have this option before." [1] http://redherring.com/Article.aspx?a=12823&hed=Credit+Cards+Bar+CardSystems [2] http://www.redherring.com/Article.aspx?a=14592&hed=Worm+Poses+as+FBI+or+CIA+Email [3] http://www.redherring.com/Article.aspx?a=13298&hed=Zotob%26nbsp%3bHeralds%26nbsp%3b%e2%80%98Business+Worm%e2%80%99 [4] http://www.redherring.com/Article.aspx?a=13472&hed=Q%26amp%3bA%3a+Security+Wonk+Dan+Verton+ _________________________________________ Earn your Master's degree in Information Security ONLINE www.msia.norwich.edu/csi Study IA management practices and the latest infosec issues. Norwich University is an NSA Center of Excellence.
This archive was generated by hypermail 2.1.3 : Tue Dec 27 2005 - 01:06:30 PST