Profit-motivated threats such as identity theft and spyware will dominate in 2005+, motivating antivirus vendors to expand detection and repair capability. Rapidly spreading worms and numerous new vulnerabilities and patches will continue to plague organizations that lack automated response procedures through 2008. Largely effective spam-filtering strategies will expand to cover wireless devices and instant messaging in 2005. We believe virus propagation will continue to be robust in 2005 but expect to see a decline in 2006 because of more widespread use, evolution of antivirus software, and shift in focus for budding virus writers.

The number of virus outbreaks in 2004 increased by more than 25 per cent over 2003 levels. However, Global 2000 organizations with mature security organizations were able to defend their environments with a combination of antivirus technology and other technical and procedural controls. We believe virus propagation will continue to be robust in 2005 but expect to see a decline in 2006 because of more widespread use, evolution of antivirus software, and shift in focus for budding virus writers. During 2005, there will be an increased incidence of viruses on mobile platforms such as smart phones, PDAs, and automobile onboard computers. Although rare, network worms will continue to be problematic for organizations that lack intrusion prevention, internal network isolation, or endpoint admission control (see Delta 2331).
Lack of consumer and small business virus defense provides excellent conditions for mass propagation, which is a virus’ primary design objective. During midyear 2005, we anticipate Microsoft’s introduction of low-cost antivirus for the consumer market that is simple to deploy and manage. Some vendors and pundits have derided Microsoft’s impending entry into the antivirus market, suggesting that it should focus its efforts on better software. Unquestionably, better software would help. Still, we would argue that no software is perfect; thus, there is always a need to protect users from new exploits, including those that are aimed at the gullibility of the user. The existing antivirus industry has been unable to convince almost 75 per cent of consumers to deploy their products, despite their availability. Therefore, we welcome Microsoft’s involvement and anticipate it will increase the penetration rate of antivirus software in 2006, thereby slowing virus propagation.
Although we do not expect all virus writers to abandon the intellectual pursuit of virus writing for the sake of it, we do expect a significant shift of this population toward more profit-motivated coding. As a result, the threat landscape will shift to more spyware-type software infections and identity fraud/theft in 2005 and beyond.
For most organizations, 2004 represented the year that spyware infections became a bigger problem than viruses (see Deltas 2962 and 2963). Indeed, clients have reported that spyware has increased from an insignificant help desk issue during 2003 to 20 per cent to 40 per cent of help desk calls during 2005. Ninety-five per cent of spyware is really adware, which is more of a productivity threat than a true security threat. Adware typically destabilizes PCs, reduces employee productivity, and consumes valuable bandwidth and help desk resources.
Microsoft and antivirus vendors (e.g., McAfee, Symantec, CA, Trend Micro) have (finally) reacted to the adware threat and are now providing adware protections and clean-up utilities. In the case of antivirus vendors, such products are tightly bundled with their antivirus desktop products. By YE05, we expect antivirus vendors to dominate the enterprise adware market, while Microsoft will be the predominant choice in the consumer market.
During 2004, adware found its way onto the desktop primarily via stealth downloads that exploited holes in Internet Explorer. As the security loopholes that enable stealth installation are closed and advertisers become more sensitive to consumer concerns, we anticipate adware developers will shift their strategy from tricking users into downloading their products to producing software that is more valuable to users. Just as consumers are willing to allow sponsors to subsidize their TV shows, Web sites, and magazines, advertising-sponsored software will become common in 2006 and beyond. Although users may want advertising-sponsored utilities, enterprise IT may not. Consequently, more effective enterprise control of PC software will become critical, especially for laptops, which are not continuously LAN-connected and are thus more difficult to manage.
Currently, software control is typically based on either a blacklist of undesirable software or a whitelist of acceptable software. Both of these approaches have their limitations. Blacklists require constant updates and fail to address the zero-day threat (i.e., the window between exploit and signature). Meanwhile, whitelists fail to accommodate the business need for agility and innovation, or they increase the IT administration burden. Intrusion prevention (IPS) software, designed to bridge the gap between these two approaches by estimating the intention of software based on its behavior, has failed to deliver high detection rates with low false positives without significant IT investment in administration (see Delta 2311). Although the accuracy of IPS will gradually improve during 2005/06, we also anticipate the introduction of what we are calling “gray” lists of software. These are lists or signatures of software that are developed by recognized software vendors and widely acknowledged to provide reasonable business utility.
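To make the three-list model concrete, the following is an added example (not part of the original report, and not any vendor's product) of how an endpoint software-control policy could combine a hash blacklist, a hash whitelist, and a publisher-based gray list, with a stricter fallback for laptops that are off the LAN. The list contents, publisher names, and binaries are constructed for illustration; in practice the blacklist and gray list would come from a subscription feed, and the publisher would be taken from a verified code signature.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Identity of a binary for list lookups: SHA-256 of its content."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Binary:
    name: str
    content: bytes
    # Publisher name from a verified code signature; None when unsigned.
    # (Constructed field; a real agent would validate the signature chain.)
    publisher: Optional[str]


# Constructed sample lists (hashes of made-up byte strings, not real malware).
BLACKLIST = {sha256_hex(b"constructed-adware-bundle-installer")}
WHITELIST = {sha256_hex(b"constructed-corporate-vpn-client")}
# Gray list: recognized vendors whose software is judged to have business utility.
GRAYLIST_PUBLISHERS = {"Example Utility Vendor"}


def decide(binary: Binary, off_lan_laptop: bool) -> str:
    """Return a policy decision for a binary about to execute.

    Precedence: blacklist > whitelist > gray list > unknown.
    Unknown software is exactly the zero-day gap a blacklist cannot cover,
    so it is never silently allowed; off-LAN laptops get the strict outcome
    because they cannot be remediated quickly if the decision is wrong.
    """
    digest = sha256_hex(binary.content)
    if digest in BLACKLIST:
        return "block"
    if digest in WHITELIST:
        return "allow"
    if binary.publisher in GRAYLIST_PUBLISHERS:
        # Permitted, but recorded so IT can see what gray-list software is in use.
        return "allow-with-audit"
    return "block" if off_lan_laptop else "quarantine-for-review"


def evaluate_all(binaries, off_lan_laptop: bool) -> dict:
    """Map each binary name to its decision; handy for a host-wide sweep."""
    return {b.name: decide(b, off_lan_laptop) for b in binaries}


if __name__ == "__main__":
    sample = [
        Binary("bundle_setup.exe", b"constructed-adware-bundle-installer", None),
        Binary("vpnclient.exe", b"constructed-corporate-vpn-client", "Corp IT"),
        Binary("pdfutil.exe", b"constructed-pdf-utility", "Example Utility Vendor"),
        Binary("mystery.exe", b"constructed-unknown-tool", None),
    ]
    for name, outcome in evaluate_all(sample, off_lan_laptop=True).items():
        print(f"{name:16} -> {outcome}")
```

The order of checks matters: a blacklisted hash is blocked even if its publisher is on the gray list, so a compromised or abused vendor signature does not become a bypass, and the gray list only ever applies to software the hash lists have not already classified.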
Corporate networks will be increasingly targeted for identity theft during 2005 and beyond. Using social engineering and “phishing” e-mails, identity thieves can steal an employee’s LAN credentials and log onto networks using legitimate user passwords with little fear of setting off alarm bells. This trend has multiple implications for the enterprise security organization (e.g., insider theft protections, identity management, education). We expect this rising threat to result in adoption of two-factor (or stronger) authentication on clients. Already, PCs are beginning to ship with fingerprint readers (e.g., IBM ThinkPads) and USB keys, and one-time passwords are becoming more common. Managing such devices will have an impact on IT administration. In addition, we expect this threat, along with increasing regulation aimed at curbing it, will force more client-side encryption products. By 2008, we expect 75 per cent of laptops will have full-disk encryption.
The Convergence of Security and Operations
The prevailing feeling in most IT shops is that they are far too reactionary. Each new threat or patch causes a flurry of activity. The reality is that security is never perfect. IT organizations (ITOs) must embrace change and develop repeatable procedures to manage PCs and to react to security incidents (see GNS 1038). Concurrently, there is an increasing realization that traditional operational disciplines (e.g., configuration management, patching, software maintenance, secure disposal, acceptable usage) can have a significant impact on overall security posture. During 2005/06, we expect that current suites of client technical security controls (e.g., firewalls, antivirus, encryption) will begin to integrate with more traditional client operational controls (e.g., configuration management, patching, asset tracking). Such converged software suites will be augmented with a service or a subscription component that provides information on new threats, vulnerabilities, and software lists (e.g., white, black, gray). Segregated IT security and operational groups focused on clients will be challeng