Think back to the virus scene five years ago and it's easy to see how quickly the threat has become more serious in a short period of time.
With such a rapidly evolving threat landscape, predicting the future is nearly impossible, but some things do seem certain, Graham Cluley, senior technology consultant at Sophos told SCMagazineUS.com in an email.
New reports and surveys have been released making predictions for the upcoming year. A report from Sophos forecasts the main threats for 2009, a survey from Lumension Security concludes the risks associated with outsourcing will be tremendous, and another survey from Application Security discusses database security concerns.
What seems certain, concludes the Sophos report, “Security threat report: 2009,” is that the variety and number of attacks will continue to escalate, compromised PCs will remain the primary source of spam, and web insecurity and SQL injections will remain the primary distribution method of malware.
Infected web pages are cropping up three times as fast this year as compared to last, while the number of infected web pages increased from one every 14 seconds in 2007 to one every 4.5 seconds in 2008, according to Cluley.
“There's a real challenge in how businesses big and small will manage this problem and ensure that their web sites are properly secured and hardened from SQL injection attacks,” he said.
In addition, malicious emails with a greater proportion of legitimate looking attachments, or web links aiming to infect unpatched users, are likely to be sent. Data leakage and identity theft resulting in decreased customer trust and loyalty will continue to pose problems for enterprises, Cluley said.
On the bright side – security software is getting better and more proactive.
For enterprises, Cluley recommended dealing with the security risks with a tiered defense against attacks, including up-to-date anti-virus software, firewalls, security patches and policy control and user education.
Forecasts for 2009 vary between IT operations and IT security
IT security professionals think outsourcing will be the biggest cybersecurity threat of 2009, an issue that is related to the current state of the economy, concluded the “2008 Security Mega Trends Survey,” conducted by Lumension Security and the Ponemon Institute. The survey compiled the responses of 825 IT operations professionals and 577 IT security professionals who were asked about the major threats going into 2009.
Those in IT security have a different view of the threat landscape for 2009, compared to those in IT operations, but both groups think outsourcing is going to be the biggest risk. Security threats associated with outsourcing include sensitive or confidential information not being properly protected, and unauthorized parties gaining access to private files.
Because of the state of the economy, companies are considering outsourcing in order to reduce costs. Only 12 percent of respondents said their company would decrease the practice, Ed Brice, senior vice president of worldwide marketing for Lumension, told SCMagazineUS.com.
“I guarantee we will see more data breaches as a result of outsourcing in 2009 than we have seen in the past,” Brice said.
This view is reflected in the survey results. Both the IT operations and IT security groups surveyed believed outsourcing would be the biggest threat going forward, but their view of the threat landscape was not entirely in agreement. Those in IT security thought data breaches and access to cloud computing posed the second and third greatest threats for 2009. IT operations professionals, however, thought increasingly sophisticated cybercrime resulting in information loss was second. Cybercrime targeting mobile devices came in third.
The reason for the differences could be that IT operations might be asleep at the wheel, or it could be a little bit of hype on the part of IT security professionals — it's job security for them to say the sky is falling, Larry Ponemon, founder of The Ponemon Institute, told SCMagazineUS.com.
One of the takeaways of the survey is that IT security and IT operations must take a holistic approach to cybersecurity, especially in the new economy.
“We have to bring technology and policy together to drive security. It's just a different environment,” Brice said.
Forecasts around database security
Another recent survey, “Database Security Controls,” released by Enterprise Strategy Group on behalf of Application Security, found that most users believe that database attacks will increase in 2009. ESG surveyed 179 IT decision-makers from North American enterprise organizations with 1,000 or more employees, and 73 percent forecasted an increase in attacks on databases.
More than half (58 percent) of those surveyed reported that the highest percentage of their confidential data is stored in databases. Only 15 percent said most of their confidential data is stored in file-servers, while 13 percent said web servers, nine percent said email servers, and five percent said general-purposes endpoints (desktops, laptops, PDAs).
This year, the number of data breaches reported was up significantly. In previous surveys, one-third of organizations reported a data breach, but this year that number was up significantly – to 41 percent in 2008, a trend that Application Security said is likely to increase in the upcoming year.
“Attacks on the database are going to increase in 2009, absolutely,” Tom Bain, director of marketing at Application Security, told SCMagazineUS.com. “We see the sheer number of data breaches growing. Almost 60 percent of respondents reported a data breach in the last 12 month.”