Security Trends Today: New Threats, New Defenses
The year 2005 was an exciting time for information security. In the same year that businesses and individual users alike saw millions of personal records stolen, the introduction of phishing and pharming, and multinational corporate espionage rings, there also was an increase in companies that employ chief security officers or chief information security officers and continued integration between physical security and IT security.
With so much happening and changing in the world of information security, it can be difficult to know whether or not progress has been made. In an effort to shed light on the various events of 2005, let’s take a look back at some of the trends that helped shape information security and the associated risks.
Users: More Exposure, Larger Threat
Years ago, systems administrators tended to assume that all end users needed assistance when performing even the most rudimentary modification or fix to their workstation. It was not unusual for users to seek assistance when they needed to reset their password or install a new program on their computers.
Nowadays, users typically have the capability and knowledge needed to install new software and hardware or even find workarounds to technical problems on their own.
What is the reason for this overnight technological maturity? Gadgets. Users have become technically savvy because they love their gadgets. Electronic gadgets such as iPods and conveniences like Internet banking are not just for geeks anymore. Users are more technically savvy because of their exposure to technology.
The extent of this embrace of technology can be demonstrated in the numbers. According to Forrester Research, more than 50 percent of Americans own cell phones. PEW Internet states that 18 percent of Americans bank online. Forrester Research shows that 8 percent of Americans own PDAs. And according to Wired magazine, 7.5 percent of Americans own iPods.
The impact of these gadgets and conveniences on corporations and on public and private organizations lies in the fact that many of these devices and technologies can potentially involve a connection to the corporate network. Basic security measures are typically put in place to ensure that users do not introduce vulnerabilities to the corporate network, but basic security measures only go so far. Whereas less technically mature users would simply have abided by the basic security measures set forth by their employers when those measures only impacted Internet surfing, these same users might now take greater chances and even circumvent security controls to ensure they can enjoy their gadgets or online conveniences at work.
Users have gone so far as to reinstall peer-to-peer (P2P) programs, rename executables and exhibit dangerous behaviors such as clicking on embedded links within instant messages. The result of these user behaviors is a sharp increase in the risk to corporate networks and sensitive data. As technological gadgets and online amenities such as Netflix.com, blogging, fantasy sports and podcasting increase, so will the exposure of corporate networks and sensitive data.
Whether users are technically savvy or not, they are increasingly a target of attackers. Attacks on hardened systems, firewalls or protected networks are yielding less success than before. Targeting authorized users through social engineering, sophisticated schemes, scenarios and other dangerous activities has become the method of choice. The recent wave in identity theft highlights the susceptibility of users through phishing attacks and social engineering tactics.
In a phishing attack, the perpetrator sends out seemingly legitimate e-mail using a well-known Web site to try to collect the victim’s personal or financial information. For example, you might receive an e-mail that appears to come from your credit card company asking for your social security number. The need for users to stay connected even when they are on the road has made them susceptible to the increasingly hostile wireless hotspots and the always-dangerous public-access computers. As long as businesses fail to adequately arm and educate their users, attackers will continue to steal sensitive information from both end users and the organizations they work for.
Outsourcing Security: Access to Expertise
In the past, the protection of corporate assets has been seen as the last function you would want to hand over to outsiders. There have always been times when outsourcing certain processing or operational functions has been demonstrated to deliver a positive ROI. However, the outsourcing of compliance projects, system testing, security product selection and end-user training has long been avoided, because these are activities that organizations like to keep in-house. However, these attitudes are changing.
As information security regulations, their applications and their interpretations become more complex, internal expertise is harder to find. In fact, it is nearly impossible to have internal experts who are experienced in applying information security regulations and standards to multiple organizations. Security consultant firms are filled with engineers who have already gone through the learning process of applying these regulations. These experts can provide streamlined processes, explain lessons learned and offer comparisons between the organization they’re consulting with and its peers. Such experience is rarely found in-house.
Oftentimes, organizations find that they require specialized assistance, such as computer forensic analysis, common criteria assistance or secure code analysis. Specialized experience such as this cannot always be found within the organization’s workforce, and many businesses look to outside firms for the required expertise. In many cases, the knowledge is required on such an infrequent basis that it would not make sense for the organization to maintain a staff of internal resources with the same skills.
As a result, there has been an increasing willingness among businesses to outsource elements of their information security programs. According to CSO magazine, in 2003, only 73 percent of corporations stated that they would be willing to allow outsiders to test their network security. In 2005, 86 percent of corporations said they would consider outsourcing security.
Even though some information security functions could be outsourced within many corporations, there is still a need for internal direction and guidance. Security outsourcing should only be performed when it makes sense to do so. Most organizations will continue to have a need for a strong information security leader to construct, maintain and oversee a security program that adequately protects corporate assets.
Legislating and Standardizing Security: The Security Program Patchwork
In February 2005, ChoicePoint admitted that it had been duped by a criminal enterprise and disclosed 145,000 personal records. ChoicePoint first disclosed this breach only to California residents since it was the only state in the United States that required such a disclosure. By July 2005, 35 states had introduced similar legislation, and 17 of those states have enacted such a law.
This is just one of many challenges to organizations’ information security that have been brought about by legislation in the past year. The HIPAA Security Rule became effective for all covered entities on April 21. The Sarbanes-Oxley Act became effective for “non-accelerated” corporations (those with less than $75 million market capitalization) on July 15. In addition, both the Junk Fax Protection Act and the Real ID Act were signed into law this year.
In the standards arena, the year 2005 saw many changes as well. The ISO’s security standard 17799 was updated and revised in its 2005 release. The credit