[ISN] Ten security trends worth watching

From: InfoSec News (alerts@private)
Date: Thu Oct 19 2006 - 03:17:28 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004219

By Sumner Lemon
October 18, 2006 
IDG News Service

In a keynote speech that was webcast at last month's Hack in the Box 
Security Conference in Kuala Lumpur, Malaysia, Bruce Schneier, chief 
technology officer of managed security services provider Counterpane 
Internet Security Inc., identified 10 trends affecting information 
security today.


1. Information is more valuable than ever.

For example, Amazon.com Inc. relies on information to make purchasing of 
books easier through its one-click purchasing system. Similarly, when 
Internet retailer Pets.com went belly-up, the company's database of 
customers "was the only asset of value they had," he said.

Information also has value for controlling access, such as single 
sign-on and authentication for users, and law enforcement, which uses 
information to help track criminals and gather evidence.


2. Networks are critical infrastructure.

The Internet was not designed to serve as critical infrastructure. "It 
just sort of happened," Schneier said, noting that hasn't stopped more 
critical systems from migrating to the Internet.

The Internet helps companies run more efficiently and eases 
communication between people, but there are real economic risks 
involved. "If the Net goes down, or part of the Net goes down, it really 
affects the economy," he said.


3. Users do not necessarily control information about themselves.

For example, Internet service providers have control over records of the 
Web sites that users visit and the email messages they send and receive. 
Also, some mobile operators keep a copy of users' phone books on their 
servers.

"There's a lot of value in information about you," Schneier said. "But 
you have no control over the security of that information, even though 
it may be highly personal."


4. Hacking is increasingly a criminal profession.

Hacking is no longer for hobbyists. More and more, attacks are organized 
and led by criminals who are driven by a profit motive. "The nature of 
the attacks is changing because the adversary is changing," Schneier 
said.

Extortion related to denial of service attacks and phishing attacks are 
two examples of criminal attacks. In addition, there is a black market 
for exploits that allow attackers to penetrate corporate IT systems.


5. Complexity is your enemy.

"As systems get more complex they get less secure," Schneier said, 
calling the Internet "the most complex machine ever built."

Advances in security technology simply have not kept pace with the 
Internet's growth. "Security is getting better, but complexity is 
getting worse faster," Schneier said.


6. Attacks are faster than patches.

New vulnerabilities and exploits are being discovered faster than 
vendors can patch them. In other cases, vulnerabilities in some embedded 
systems, such as Cisco Systems Inc. routers, cannot be patched, leaving 
companies vulnerable.


7. Worms are more sophisticated than ever.

They already contain vulnerability assessment tools, and are scanning 
corporate defenses for weaknesses and using Google Inc. for intelligence 
gathering. "This trend is a result of more worms being criminal."


8. The endpoint is the weakest link.

"It doesn't matter how good your authentication schemes are if the 
remote computer isn't trustworthy," Schneier said. In many cases, 
computers outside your company's security are the weakest link. These 
computers are often infected with worms and spyware, presenting an 
opportunity for attackers.


9. End users are seen as threats.

Companies are increasingly developing software that is intended to 
defend against the end user, Schneier said, citing DRM (digital rights 
management) software as an example. "More and more we're seeing security 
that doesn't protect the user, but protects against the user."

In at least one case, involving DRM software installed by Sony Corp. 
without users' permission, the software caused damage to the end user's 
computer. "Rules and regulation around this is going to be a big 
battleground," Schneier said, predicting that a battle will be fought 
between PC software that is protecting the user and software that is 
designed to protect against the user.


10. Regulations will drive security audits.

There's no shortage of regulations that detail how companies should 
handle data. Regulations such as the Sarbanes-Oxley Act will be the 
driving force behind corporate security audits.





This archive was generated by hypermail 2.1.3 : Thu Oct 19 2006 - 03:22:02 PDT