[ISN] Top Security Trends for 2006

[InfoSec News]

http://www.redherring.com/Article.aspx?a=15013&hed=Top+Security+Trends+for+2006&sector=Industries&subsector=SecurityAndDefense

December 25, 2005

2005 has been a banner year for cyber-villains. Thanks to hackers, 
some of the United States. largest corporations, including financial 
services giant Citigroup and media powerhouse Time Warner, had 
sensitive data swiped from their supposedly secure databases. 

Smaller companies weren.t immune this year either, with retailer DSW 
Shoe Warehouse and credit card processor CardSystems, bought by Pay 
Per Touch in October, both victims of cyber break-ins (see Credit 
Cards Bar CardSystems [1]).

Data theft wasn't the only danger in 2005. An Internet worm, Zotob, 
infected computers at media companies like CNN and financial behemoths 
like Visa in August. And email nuisances, spam and phishing, were also 
on the rise. 

Will it get better in 2006? Not really, say security experts. In fact, 
the threats may get worse. That's because just as security systems 
become more sophisticated, the threats will become more complex and 
innovative - all in an effort to stay a step ahead. 

Looking forward, security experts see eight major trends in security 
in 2006. Among them, voice spam is expected to become a growing 
annoyance as VoIP applications become more widely used. Another 
concern: cyber-criminals will exploit the low levels of security in 
mobile communications to gain access to data in laptops and other 
devices. 

Here are the security trends to watch for in 2006: 


Phishing Frenzy 

Phishing, the practice of sending fraudulent emails to encourage users 
to divulge personal or financial information, will increasingly target 
customers of smaller organizations in 2006. Until recently, phishing 
victims often received email purporting to be from large banks like 
Citibank and Bank of America or sites like eBay. 

But these organizations are deploying greater security measures to 
combat phishing, forcing scammers to turn to smaller targets. Next 
year's targets could include customers of, say, the local credit 
union, security experts said. 

Scammers will aim for residents of a specific town posing as a local 
financial institution, local governmental organization, or university, 
predicts Joel Smith, chief technology office for AppRiver, a Gulf 
Breeze, Florida-based spam and virus filtering service provider (see 
Worm Poses as FBI or CIA Email [2]).

"We are going to see more regionalized, localized targeting," he said. 
"Scammers will look for subscribers of regional ISPs [Internet Service 
Providers] and send them emails purporting to be from the local credit 
union."

For scammers, the upside with such targets could be a higher rate of 
return. "Small organizations or targets from smaller cities may not 
have been as exposed to the phishing spams as larger or 
technologically savvy groups," says Mr. Smith. 


Business Worm's Rise

Before Zotob struck, computer attacks were often directed at home 
users. But this worm, which exploited a vulnerability in Microsoft.s 
Windows operating system, affected businesses, marking the rise of 
Internet criminals focused on financial gain (see Zotob Heralds 
Business Worm [3]). 

These attacks on businesses are expected to increase next year, said 
Bruce Schneier, founder and chief technology officer for security firm 
Counterpane Internet Security. These Internet criminals differ from 
the hacker hobbyists who were content terrorizing home users in 
several respects, he said. 

"Hobbyist hackers looked for new and clever attacks, while criminals 
will use whatever works," he said. "Hobbyists generally didn't care 
who they attacked, while criminals are more likely to target 
individual organizations."

The big concern? This new breed of cyber-thieves will target 
proprietary information like trade secrets, or personal data like 
social security numbers that can be sold on online black markets. 

For businesses, the spread of this new breed of worms will mean 
they'll have to tweak security policies to institute new security 
protocols that can react faster to threats. 


Insider Threat 

Many of the data leaks in 2005 may have stemmed from poor security 
measures. And while companies spend millions securing their networks 
from intruders, they often ignore one of the most likely sources of 
leaks: insiders or company executives who can inadvertently or 
deliberately leak information. 

Many companies that have off-site call centers managed by third 
parties don't routinely review their systems to stop leaks, said 
Joseph Ansanelli, privacy expert and chief executive officer of Vontu, 
a San Francisco-based company that works to prevent data loss.

Often overlooked, the insider threat will grow in 2006, forcing more 
companies to add a layer to their network that will monitor the 
information accessed and distributed by employees (see Q&A: Security 
Wonk Dan Verton [4]).


Increasing Network Control

The threat of crooked insiders and more stringent compliance 
regulations will force companies to implement identity-driven networks 
that control who uses a network. Driving the change is legislation 
like Sarbanes-Oxley, which calls for specific security measures and 
complete visibility into network users, devices, addresses, policies, 
and activity. 

The basic network identity services that exist today cannot meet the 
requirements, said Robert Thomas, president and chief executive 
officer for network security company, Infoblox.

"The anonymity associated with conventional network deployments has 
existed for years; however, the repercussions of that anonymity, 
increasing regulatory compliance pressures, and security concerns over 
the last year or two have dramatically raised the visibility around 
these issues and call for a new approach," he said.


Wireless Security Focus

Hackers are finding it increasingly easy to steal information from 
devices that contain people.s private data, as a growing number have 
wireless capabilities, said security experts. 

Wireless technologies like Wi-Fi may be more widespread, but many 
users are still ignorant about the security measures they must use on 
these networks to keep hackers at bay. Security experts see 2006 as 
the year when threats on wireless networks will come of age. 

As Wi-Fi moves to airplanes, trains, and other public locations, 
cyber-criminals will seek to exploit the lack of knowledge about 
mobile security measures to gain access to user information. One prime 
target? Laptops carried by business users, said MessageLabs, which 
provides email security and management services. 


Increased Security Legislation

Over the last two years, a number of states have enacted laws similar 
to one in California requiring companies to disclose security breaches 
to protect state residents from identify theft. In 2006, a federal law 
along these lines is a strong possibility, security experts said.

Other legislation in the federal pipeline includes a bill that would 
set standards on what is spyware, how these programs should behave, 
and what is deemed violations. Spyware are malicious programs that 
sneak into users. computers and monitor their usage.

"The legislators will also continue to dictate what types of security 
measures must be taken in order to prevent unauthorized access to 
sensitive company information," said Vontu's Mr. Ansanelli. 


Voice Spam Begins

The popularity of Skype and VoIP will lead to new forms of spam 
attacks next year, security experts predict. As VoIP applications 
become more widely used, there will be a rise in voice spam. 

That's because VoIP services lack strong encryption and they can 
become a target of scammers, said Information Risk Management, an 
independent security consultancy firm. 

"Just as web users can be plagued by pop-up advertisements and spam 
email, it is expected that VoIP services will be the next target," 
said the company in a report. "Users could find calls redirected or 
hijacked by advertisements."

Though there are some security solutions for VoIP traffic and 
equipment, service providers will have to move in faster to nip the 
problem in its early stages. 


Selling to SMBs

Of course, all these new threats can mean new business for security 
companies. Traditionally, security companies have focused on selling 
their products to bigger players as large organizations have big IT 
budgets that will let them spend on securing their networks. But as 
smaller firms become the targets of security attacks, security 
startups will pay more attention to them.

Companies offering managed security services, which involves 
outsourcing the needs to specialists rather than doing it in-house, 
will be best positioned to capitalize on this trend, security experts 
said. 

In 2006, there's likely to be a spike in small and medium businesses 
using managed security services hosted by security companies, said 
Brad Miller, chief executive officer of Perimeter Internetworking, a 
managed network security services provider.

This "enables SMBs for the first time to outsource their security and 
receive pre-integrated services and continuous updates at an 
affordable price," said Mr. Miller. "They did not have this option 
before."

[1] http://redherring.com/Article.aspx?a=12823&hed=Credit+Cards+Bar+CardSystems
[2] http://www.redherring.com/Article.aspx?a=14592&hed=Worm+Poses+as+FBI+or+CIA+Email
[3] http://www.redherring.com/Article.aspx?a=13298&hed=Zotob%26nbsp%3bHeralds%26nbsp%3b%e2%80%98Business+Worm%e2%80%99
[4] http://www.redherring.com/Article.aspx?a=13472&hed=Q%26amp%3bA%3a+Security+Wonk+Dan+Verton+