Global Knowledge Security Training: Hot Security Issues for 2007
 

Hot Security Issues for 2007

By Bob Weinstein

Security was a hot topic five years ago, but it's even hotter now. And that's because of two scary givens that ought to make everyone nervous: 

1. More and better technology has made companies, government and the average person more vulnerable than ever; and 

2. The bad guys are more sophisticated and smarter than they were a decade ago.

Put those two givens together, and it's easy to conclude that the world is a more dangerous place than it was in Grandma's day. The bad guys are not only capable of massive spam attacks and breaking through supposedly secure firewalls to steal money or documents, they can also destroy infrastructure and kill lots of people.

"IT managers are concerned about the lack of end-user awareness about the dangers posed by these types of vulnerabilities," says Atri Chatterjee, senior vice president of marketing at international enterprise security company Secure Computing, based in San Jose, Calif.

According to Chatterjee, the top five messaging security threats in 2007 are 1. zombies; 2. data leakage; 3. spam volumes; 4. image spam; and 5. e-mail-based worms and multiple payloads. Here's why:

  • Zombies. With more than 450,000 unique zombies (PCs secretly under the control of hackers) appearing daily, the number of zombies participating in malicious activity will continue to increase. Search engines use "bots"--also called robots, spiders and crawlers--to crawl the net and index sites, following the hyperlinks within the pages along the way. Cyber criminals, however, use bots to distribute computer viruses. It's estimated that bots send more than 70 percent of all spam. Bots will become harder to identify and shut down through traditional methods. That's because they'll be more intelligent about how they participate in malicious activity and evade detection.
  • Data leakage. Many organizations focus on inbound messaging threats. However, some of the most significant damage to organizations is coming from within the corporate walls, through sensitive data leakage of protected information, intellectual property or trade secrets. Despite corporate policies and state/federal regulations, organizations are not doing enough to ensure that outbound messages do not include sensitive information. IT managers need to consider better measures to minimize this risk of data leakage. One approach is to employ sophisticated and automated technologies that can identify data leakage issues before sensitive information leaves the corporate walls.
  • Spam volumes. Spam volumes will continue to grow. By the close of 2007, Chatterjee predicts that spam volumes will account for 95 percent of all e-mail. To reach this number, spammers will continue to use various tactics to deliver spam to desktops and evade detection at any point in the network.
  • Image spam. It's tough enough halting traditional spammers. In 2007, image-based spam will pose new problems. It is already popular with fraudsters beyond spammers, such as phishers and Nigerian-spam scammers.
  • E-mail-based worms. This year, more worms will be targeting data file formats, such as multimedia files (audio, video, graphics), and document and productivity applications (Word, Excel, PowerPoint). This is a new technique that harnesses applications that people use on a daily basis for both personal and business use.

Back to security basics

For Edward Morris, president and CEO of McLean, Va.-based IT security company Atlan Laboratories, the big issues for 2007 will center on security basics rather than online threats. A priority objective will be developing new security technology to protect Data at Rest (DAR). The importance of DAR was brought to the fore last year when a Veterans Administration laptop containing the personal records of 26.5 million veterans was stolen.

It's likely that similar unreported incidents have taken place. The government said it intended to do something about the problem last year. Now it's putting its money where its mouth is, putting forth what Morris calls a "massive RFP [request for proposals] to standardize full-disk encryption" (to prevent future VA laptop debacles).

"When it comes to security, companies will be pouring money into enterprise tools to ensure safeguarding company IP and customer data in the face of fallible employees," says Morris. It also means new jobs for IT/system administrators with security skills. "The encryption needed to protect DAR dramatically alters the skills needed by the IT staff (an encrypted drive can keep a legitimate employee from accessing his laptop just as easily as it can prevent a thief from getting in), thus creating new jobs for IT security workers at the system administration levels."

David Botham, a top executive at security software company Optimus Solutions, in Norcross, Ga., expects to see a shift in the industry from companies deploying "bolt-on" technologies like firewalls, IDS, etc., to companies intent on finding the cause of the problem and solving it with application protection, as a way to protect corporate information. He likens it to a wall socket, which is designed so that people can use it safely.

"Computers need to be secured the same way," says Botham. "But most companies don't want to create secure applications because it is easier to fix security after the fact, rather than go to the trouble of finding the cause."

A vulnerable marketplace has put new demands on security professionals, observes Ed Moyle, manager of information security at CTG, a contract programming firm in Buffalo, N.Y. "Ten years ago, professionals on the technical side of security were expected to understand firewall and antivirus technologies," he says.

Today, they're expected to have a working knowledge of Web application firewalls, application analysis tools and many other new areas of security expertise, according to Moyle. A decade ago, companies were only interested in candidates with strong technical skills; today these same companies are looking for candidates with broader skill sets.

"Candidates are also expected to communicate well, both in writing and orally, and understand how the business operates," he adds. "We're also seeing developments that bridge the security and legal communities (for example, the role of both e-discovery and the crossover of copyright issues) as well as crossover between risk management--as it applies to a business--and risk management in an information security context."

New priorities for PMs

"For IT managers, however, the preventive steps are clear," asserts Secure Computing's Chatterjee. "Educate end users and protect them by detecting threats and taking action at the perimeter."

Security is no longer a black box science relegated to a corner of the IT organization and consisting of a small group of specialized computer scientists, says Chatterjee. "In many ways, knowledge of security technology and best practices is as imperative to an IT person as knowledge of the Web and e-mail."

In that context, Chatterjee outlines the top three things IT professionals and PMs need to be doing to build their security knowledge and their careers:

  1. Understand today's Web and communication technologies, because securing them is an inherent requirement. For example, you must know how browsers and cookies work, how sites track visitors, how dynamic content behaves when accessed on a Web site and how e-mail and instant messaging are used by spammers and phishers. Taking classes and refresher courses is worth the time and money. Most companies will foot the bill.
  2. Stay on top of news and information regarding IT. There are many sites and blogs that regularly publish information about current threats, how to guard against them, and what other companies are doing to increase security while maintaining productivity. Regular reading and learning are a necessity.
  3. Focus as much on process as on technology. Security is not only a technology problem, it's a behavioral one also. This is where strong PM and organizational skills are required. "Instituting best practices and processes within an organization to ensure its security is far more important than buying the next mousetrap," says Chatterjee. "In order to be successful, an IT professional needs to be a good PM, organizer and businessperson."

But Chatterjee considers the growth of jobs in IT security as "further up the food chain."

"Take the outsourcing trend, which farms out the work to cheaper labor (either on- or offsite)," he explains. "Monitoring networks, running regular backups and conducting maintenance upgrades, for example, are all activities that can be outsourced."

However, highly specialized work--such as setting policies for protecting data, designing the corporate gateway security infrastructure or establishing and monitoring processes for data access by remote employees--involves functions that require a specialized understanding and knowledge that needs to be tightly controlled by the organization, Chatterjee stresses.

To achieve that goal, experienced security professionals are essential. But the bad news for companies and government is that there aren't enough to meet the demand. Worse yet, next year the demand for renaissance security aces with strong IT and PM backgrounds will be even stronger.

It's no wonder headhunters are pulling their hair out trying to find talent with good security credentials. One of the best indicators of the catapulting demand for IT security pros is that the value of a government security clearance jumps every year.

Candidates with clearances can earn 20 percent more than their uncleared competitors, and generally enjoy greater job negotiating power. ClearanceJobs.com, a job site that matches candidates who have security clearances with companies and government agencies requiring them, recently reported that the number of candidates with "confidential" clearances increased more than 13 percent in the third quarter of 2006. "Secret" and "top secret" classifications require background checks by the Defense Investigative Service, but the "confidential" security clearance is easier to obtain.

This Article Reprinted Courtesy of http://www.gantthead.com