Web services pose security challenges

The increased use of videoconferencing and Internet-collaboration technologies, the rush toward Web services and an emerging class of malicious code that blends virus and wormlike capabilities represent some of the biggest security challenges for 2002, according to analysts.

As was the case last year, users can also expect to see a sharp increase in the number of macro and script viruses that emerge in 2002. However major anti-virus software programs should be able to handle most malicious software relatively easily.

“The bottom line of malware prevention remains the same: filter, patch strategically and update your anti-virus software,” said Roger Thompson, an analyst at Herndon, Va.-based security firm TruSecure Corp. “Use common sense to protect your network’s vulnerabilities.”

The rush by corporations to set up videoconferencing and Web seminar capabilities after the Sept. 11 terrorist attacks on the United States presents a particularly serious security risk for companies that aren’t careful, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

Users can expect to see at least one widespread attack this year that tries to exploit openings in enterprise firewalls created by the frantic push to set up these capabilities, Pescatore said.

The accelerating efforts by corporations to link their internal applications with those belonging to external partners and suppliers using technologies such as XML and Simple Object Access Protocol are another source of concern, he said.

Increasingly, companies are opening new ports on their firewalls to let outside applications talk with inside applications, “even though the security aspects of doing so are totally unproven,” Pescatore said.

“The rush toward Web services will result in glaring holes,” he said. “2002 is not the year to jump on Web services.”

Malicious code that blends virus and wormlike features and is designed to take advantage of multiple software vulnerabilities also poses a major threat, said Thompson.

One example of this emerging threat was last year’s Nimda worm, which wreaked havoc on enterprise networks around the world. Unlike previous-generation malware, Nimda spread via both the Internet and e-mail, taking advantage of multiple vulnerabilities.

Expect to see more sophisticated variants of Nimda this year, Thompson said. Dealing with them will require constant attention to patching and updating of anti-virus suites, he said.

Wireless security will also emerge as a major concern this year, said David Lelievre, a project manager at Clinton Township, Mich.-based application service provider Tweddle Information Services Inc.

“The wireless Internet will emerge as the leading trend for the next three to five years,” Lelievre said. “Security will have to be defined and established before the market hits full force.”

People should also expect a lot of vendor consolidation this year, especially in the managed security services arena, said Eric Hemmendinger, an analyst at Boston-based Aberdeen Group Inc.

Corporations that are getting into first-time relationships with security vendors need to pay special attention to the financial stability of the company and its customer base, he warned.

“We are going to see some very public debacles in the security space this year,” Hemmendinger said. “The caution here for users is you can’t afford not to do due diligence” before choosing a security vendor, he said.