Even with the considerable growth of interest in information security and privacy in the past year, threats have continued to multiply, attacks are getting more sophisticated, end-users are still making silly mistakes, and information security remains shockingly under-funded and under-staffed.
Yet despite a smaller budget compared to other business expenditures, more was spent on information systems security products in 2004 than in 2003. That spending also means things are getting more and more complex, and complex systems often introduce additional weaknesses and vulnerabilities.
Just as in 2003, Microsoft seemed to miss the mark with its latest attempt to address the inherent security problems of rising IT complexity – Windows XP Service Pack 2 – its most significant piece of security software so far.
Some of the biggest challenges of 2004 have centered around the operational stresses resulting from the ways in which organizations reacted to worms, says Marcus Ranum, CSO at Tenable Network Security.
He believes that the corporate IT managers finally started to "get it," and now many are looking at their internal compartments and service controls to achieve an adequate level of security.
This may be just one reason for what some have seen as an increased investment in IT security. Pamela Fusco, CISO of pharmaceutical giant Merck, has found 2004 to be a growth year from an information security perspective, with Merck's investment in information security coming to fruition.
Fusco credits much of this success to the executive backing that provided her with an appropriate budget and staffing to get the job done. She admits that she feels lucky to have received this level of support, given that many CISOs do not have such a luxury.
For her, the major investment in security this year focused on methodologies to ensure that security is handled correctly and in a structured format.
This way, security products are not merely rolled-out, but are deployed in a manner that makes sure that they work in the way they were intended to.
Everyone knows by now that email is an insecure medium. This is due to the fact that SMTP, the protocol underlying email, never had security built into it.
But the intrinsic insecurity of email was dealt a double-blow in 2004 with the never-ending plague of spam and its new bastard child, phishing.
Pete Lindstrom, research director of Spire Security, says that while viruses are still a huge epidemic, "phishing is particularly difficult, because it usually has two victims – the individual and the institution. The individual loses their identity, while the institution is also victimized because it is spoofed."
The difficulty here is that only the big players (such as eBay, AOL, financial institutions, and so on) are savvy enough to solve the problem, and have the funds needed to do so. This effectively means that phishing becomes an automated social engineering attack that hits the small guys hardest. Lindstrom notes that there are several potential solutions to address the problem, with the three most effective ones being spam filters, client-side URL identification, and authentication tokens.
Still, most businesses are not doing enough to secure their systems against cyberthreats such as identity theft and phishing scams, warns Bill Conner, CEO of Entrust. He gave testimony before a U.S. House Government Reform Subcommittee on Technology and Information Policy, which outlined the real risks of identity theft and phishing and noted what could be done to address them.
"ID theft and phishing threaten not only to undermine trust in business and the internet, but also to disrupt the U.S. economy," says Conner.
"The fact is that nine percent of U.S. online consumers have experienced identity theft, and phishing attacks are growing at some 50 percent a year."
But these are not isolated problems that can be tackled by themselves, he believes, they are part of the broader cybersecurity challenge.
Other security issues
While he agrees that phishing attacks are on the rise, Dan Hubbard, head of Websense Security Labs, says other more sophisticated computer crimes are rising, with attackers combining a range of technologies in order to get around security controls.
For instance, websites have increasingly become points of attack, as have instant messaging and the P2P networks. A combination of technologies, such as blacklisting sites, and end-user awareness offers the best defense.
This is likely to be one of the many reasons why executives trying to build security are voicing more frustration.
According to Adam Shostack, CTO of Reflective Corporation, the trick to overcoming such irritation, which sometimes leads to miscommunications with vendors, "is not teaching old executives new tricks, but learning to talk their language. It means not only ROI, but a consistent ROI, or even better, an Economic Value Added (EVA) analysis."
It is all about adding security to the sort of balanced scorecard used in purchasing decisions, he believes. By reducing all that complexity into a few five-point scales, and comparing product 'A' to product 'B,' frustrations will be reduced and communication will be a breeze.
Plugging holes in bad code
Writing secure software emerged as yet another security challenge of 2004.
"It is not simply the lack of securely written software, but rather that this insecure code has huge repercussions on our nation's critical infrastructure," says Ron Moritz, chief security strategist at Computer Associates.
Moritz feels that one component of improving this situation is to retrain software engineers, both those practicing the craft and those moving through university programs today.
"There is growing concern over the view that U.S. companies are now 'less trusted' than European and other non-U.S. companies over supplying compliance-related software," explains Moritz.
Microsoft initiated its very public Trustworthy Computing program in 2002. Other software companies like Computer Associates and Oracle have also been actively engaged in this cultural revolution. But there is still a need for organizations to emphasize secure software development processes for internal development efforts, insists Moritz.
Companies must also ask their vendors to disclose secure coding practices used to deliver secure commercial software. By demanding secure code from their external suppliers, they will initiate a trickle-down effect on their own operations and behavior.
Patching holes in the meantime
Companies, especially in the financial arena, faced other operational problems in 2004. Warren Axelrod, security director at Pershing, notes that firms generally reacted, and sometimes overreacted, to notifications about vulnerabilities and the occurrence of security incidents. The challenge, he believes, was to institute a far more proactive approach to patching vulnerabilities and responding to actual incidents.
For his company, such a proactive approach has been executed through a number of initiatives.
First, the patching program has become routine, with responses to warnings about vulnerabilities and the potential for exploits now following a standard set of efficient procedures.
Second, the security incident response has also matured into a predetermined sequence of actions.
And finally, the rollout of more effective security technologies has strengthened the defense-in-depth posture by layering defensive and protective tools at every level, from desktops and remote portable devices to strategic central computer systems. Increasingly, such tools can be used to detect and isolate problems more rapidly, with the goal of considerably reducing or eliminating the impact of zero-day exploits.
During the 16 years she has worked in the IT security industry, Oracle's CSO Mary Ann Davidson says the ability of competitive vendors to work together is one of the more recent and important changes. Increased efforts on the part of vendors to solve the issues through teamwork are likely to have a palpable impact on the industry, especially since the various security systems companies deploy can prove complex and difficult.
One such initiative is the National Cybersecurity Partnership, which was started in December 2003, and has resulted in a number of practical guidelines for customers. Such help has become even more meaningful, given the rising regulatory requirements that companies are facing.
Regulations for verticals across the board can make the security practitioner's job easier. For example, when there is a specific legislative requirement, it is less of an uphill battle for security people to get management support, says Davidson.
On the other hand, while legislative remedies are one more solution to the security problem, she feels that "big buyer is better than big brother."
She says she would like to see organizations using their buying power in order to improve their security postures, rather than merely react to legislative mandates dictating that they boost their security. Having buyers demand greater security will certainly have greater long-term benefit than any directives from Washington, DC.
The business of security
Gregg Moskowitz, senior research analyst with Susquehanna Financial Group, says that while "2004 did not represent an explosion in the number of deals compared to the previous year, merger and acquisition activity in security was clearly very significant over the past 12 months."
The past year has seen notable deal activity in managed security services and consulting, with the VeriSign acquisition of Guardent, and the recent formation of CyberTrust from Betrusted and TruSecure.
Other significant activity included the purchase of anti-spam company Brightmail by Symantec, and of the access/identity management company Netegrity by Computer Associates.
Moskowitz also states that "in the past few months, leading security vendors have recognized the importance of bolstering their consulting expertise to better address large-scale implementations and the increasing complexity of security architectures.
"For example, Symantec acquired LIRIC Associates and announced the acquisition of @Stake, while McAfee acquired vulnerability management/consulting vendor Foundstone."
Kevin Trosian, a technology equity research analyst with Wedbush Morgan Securities, believes the lack of outbreaks during the second half of the year reveals one of the most dominant trends. "With the adoption rates of perimeter security technologies such as firewalls nearing 100 percent, the number of attacks is decreasing; but the severity and strength of these attacks have also diminished at large companies, because of the heightened perimeter security focus and implementation."
Trosian notes that new trends to watch include the growing focus on internal security controls, driven by legislation such as Sarbanes-Oxley, and the spate of headlines about corporate governance.
The focus of IT has shifted to controlling employees from the inside, utilizing technologies such as identity management and web filtering, while revisiting tried and true technologies such as authentication.
These technologies are now moving up on the IT wish list, and there is an anticipation of a continued focus on implementing internal security controls.
Spire's Lindstrom feels that endpoint security, in particular quarantining and decontamination, will be big in 2005. "As ubiquitous, always-on computing really starts to happen, enterprises must evaluate the ways to control endpoints that are coming from all over, and protect their network," he notes.
By the end of next year, IT managers will be showing signs of understanding that spyware is also a problem, believes Tenable's Ranum. For now, he says the industry has failed to experience the fully converged spam/trojan/spyware malicious code suite, but the bad guys are certainly heading in that direction.
Plenty more targeted attacks are likely to hit in 2005, says Larry Dietz, director, worldwide marketing solutions and strategies at Symantec.
"Adversaries will employ a variety of techniques to attack very specific targets. Attacks will include vulnerability exploitation and diverse types of malicious codes. Malicious code will be merely the delivery vehicle for payloads designed to damage, disrupt or deceive the target. Social engineering will be employed if possible," he says.
And reaction time will continue to fall, he predicts, as attackers become more sophisticated and employ methods and techniques designed to take advantage of targets that have not yet implemented a combination of reinforcing security measures at multiple layers within the organization.
Pershing's Axelrod notes that in 2004, there has been a push in the financial services industry toward determining what needs to be done to enhance controls and monitoring for legal and regulatory compliance – not only of access from external sources, but also for employees, consultants, contractors, vendors and other visitors – and budgeting for those efforts.
However, he says the biggest challenge for 2005 will be to set priorities and obtain the human resources to make them happen.
The easier part, while not so simple, is to evaluate and select appropriate tools and technologies. More difficult is freeing the resources from other critical projects or otherwise acquiring the right individuals.
Axelrod says the focus is expected to change, from reducing the risks of unauthorized persons, particularly outsiders, accessing sensitive information, towards monitoring and controlling what internal, authorized persons can do.
There will be a shift away from the mechanics of security, as with firewalls, intrusion detection and prevention systems, and the like, to consideration of corporate risk and involvement with the business units, he continues.
Consequently, the challenge is to get business owners to participate in the security risk management process, take ownership of those risks they control, and agree to the efforts necessary to get the job done.
Ben Rothke, CISSP, is a senior security consultant with ThruPoint, Inc. He can be reached at [email protected]