Events of 2006 gave the industry a glimpse of what to expect in 2007 in the ever-changing IT security landscape.
ComputerWorld Canada asked industry experts to look back and beyond for trends that shaped and will shape the business.
First to make it to the list of the most significant events of the past year was the alleged pretexting activities involving Hewlett Packard. HP investigators reportedly used pretexting methods to obtain confidential phone records of journalists and HP board members from certain telecom firms, in the course of probing incidents of corporate data leakage at HP.
Pretexting is a form of social engineering scheme where the attacker presents himself under false pretenses to a would-be victim, typically over the phone, to obtain certain information that would not otherwise be available to the attacker in normal circumstances.
“I found [the HP controversy an] extremely significant (event) in 2006 because it really brought the issue of social engineering into the forefront and it showed it for the problem that it was,” said James Quin, senior research analyst at Info-Tech Research Group in London, Ont.
The fact that this happened to high-profile tech companies and telcos is an indication that social engineering can victimize even the most technically savvy organizations.
And if events of 2006 are any indication, the new year will see more breaches accomplished by targeting people rather than the technology, according to Bruce Cowper, senior program manager for security initiatives at Microsoft Canada.
The technologies to combat attacks on IT systems are well established in the market, and organizations are generally capable of applying these tools to protect their infrastructure and business, Cowper said. So attackers are shifting their focus on the human element and the motivation is typically for financial gains.
“Looking forward to the next year, we are going to start to see a lot more attacks that occur within the phishing realm and also (attacks) aimed at (system) configuration — looking at mistakes that people can make when setting up the tools,” explained Cowper.
Organizations may not be the only ones preparing for the advent of Microsoft’s new Vista operating system, which should be hitting the market in early 2007. Attackers might be prepping as well, albeit wickedly, dreaming up ways to poke holes at the new operating system, explained Symantec Corp.’s director of emerging technologies, Oliver Friedrichs in Cupertino, Calif.
Although Vista is a significantly more secure operating system than Windows XP, it is not a security solution by itself and malicious code will always be around, said Friedrichs. He admitted, however, that certain types of attacks “will be largely reduced.”
Look out for much stealthier and stickier types of malicious code in 2007, cautioned the Symantec executive. “What we have seen in 2006 is that threats have gotten much tougher; they are more hidden in your system; they are harder to detect and they are harder to remove.”
These types of threats are expected to increase and intensify in the coming years. Symantec also expects these attacks to go beyond the operating system and into virtual layers of the processor, especially as AMD and Intel begin embedding virtualization capabilities into their microprocessors, said Friedrichs.
The realization that people can be a target and become a vehicle for launching security breaches has led many organizations to direct a portion of their IT spending on education, said Joe Greene, vice-president of IT security research at IDC Canada. Investments on employee education are expected to continue in 2007. “One of the things that keep managers up at night is their employees — both executives and staff — not following security policies. So there has been greater emphasis on education and [ensuring] that they have the necessary IT security policies and procedures in place,” said Greene.
Learning their lessons from 2006, companies will put more resources on strengthening the security of their branch offices and their mobile workers. The past year was rife with news of lost or stolen mobile devices exposing a great deal of confidential, personal information.
“Companies will have to start to really take a close look at their branch offices, their people who telework and their mobile security,” said Green. “People are getting access (to the corporate network) wirelessly and there are certain vulnerabilities there.”
The past year saw the “virtual non-existence” of any significant virus threats, said Info-Tech’s Quin. “We are at the point where viruses are no longer that big threat they once were.”
Organizations got better in dealing with worms and viruses through multilayered protection said McAfee Canada general manager Danielle Fournier. “I do not think that [worms and viruses] are [as much of a] priority as they used to be.”
Because many organizations already have the necessary tools to combat worms and viruses, they are now shifting their attention to “alternative risks” that can also potentially compromise corporate security, explained the McAfee executive.
In 2007, companies will be focusing on internal risks or threats that emanate from inside the organization, such as preventing data leakage and implementing internal security audits.
“You can lock your doors and your windows, but if your backdoor is wide open, which are your applications and your database, you’re internally going to be far more at risk than externally,” Fournier said.
2007 tech trends in information security
Unified security management
Organizations are starting to look for greater manageability with their security products, said IDC Canada’s Joe Greene. Tools that will allow them to manage all of their security devices from one location will be a hot item in 2007.
As more mobile devices become business tools that can hold significant amount of corporate data, organizations will focus on strengthening their mobile security postures, said Microsoft Canada’s Bruce Cowper. Drive encryption, remote wipe and remote management capabilities, as well as identity management and authentication are some of the technologies that enterprises will be looking to acquire in 2007.
Info-Tech analyst James Quin believes spending on security basics like antivirus, antispyware and firewall technologies will plateau in 2007. Organizations will instead invest heavily on secondary security products like intrusion detection systems, encryption tools and authentication technologies to complement standard security devices and enhance protection, he said.