The state of security

Shortly after Google acquired the phenomenally successful video sharing website YouTube in October 2006, Nikesh Aurora, Google’s vice president of European operations, gave a presentation at the Institute of Directors in London. To the perplexity of delegates, Aurora played a brief clip of YouTube’s then most popular upload, a spoof music video in which a portly, male teenager, wearing what appeared to be a bed-sheet, lip synched unsuccessfully to a song by the Latino pop star Shakira.

The point, Aurora explained, was that this video, and sites that showcase others like it, represent what is now the next phase of the Internet. This is characterised by an unfolding “consumer revolution”, in which end users are increasingly appropriating Internet tools to fulfil a range of social and creative functions. This phenomenon – commonly referred to as Web 2.0 – is now extending to the enterprise, promising to radically reshape users’ expectations. Any businesses that fail to embrace these developments, Aurora argued, are destined to struggle.

However, while Web 2.0 promises to open up a new world of highly customisable enterprise computing, those executives tasked with ensuring corporate security will not be much encouraged by this news. For while the business hopes to exploit the promised benefits of Web 2.0, achieving this will require users to engage in a range of behaviours that will result in a raft of new security threats.

Information overload

It is the dissemination of information through collaborative tools and ‘social computing’ that forms the greatest threat from Web 2.0, explains Ron Williams of security association The Jericho Forum. “Collaborative networking is becoming significantly more pressured; acquisitions are bringing different populations of users into the organisation, and contractors are creating different collaborative tools for users to communicate throughout the business environment.”

The pressures of such strategic working practices make “keeping control of the information, maintaining the integrity of the information, and keeping it available to the right people a challenge,” observes Dave Littlewood, principal network analyst at Somerset County Council.

As organisations struggle to maintain a grip on the ever-widening distribution of data, security specialists predict 2007 will be the year in which concealed, targeted attacks, tailored towards a particular victim – organisation or individual – will emerge as the chief security threat.

“The threats that are going to be talked about in 2007 are going to be very different to the threats talked about two years ago,” says Tom Noonan, CEO of Internet Security Systems, the intrusion detection vendor recently acquired by IBM. “We think about threats as loud and disruptive, and that knock the infrastructure out; that was the nature of threats as recently as two years ago. Quietly, however, organised crime syndicates have been working to build designer threats that are entirely driven by the economics of greed.”

Instead of bludgeoning users with blunt instruments such as worms and viruses, attackers are deploying sophisticated programs designed to compromise a target organisation’s ecommerce system or web application. Because these programs are designed to operate “under the radar”, says Noonan, it is likely the attacks will operate on a long-term basis.

And the targets are changing too: no longer will it be banks and online gaming businesses that bear the brunt of these attacks; pensions companies, healthcare organisations and government agencies will all be in the frontline too, says Noonan.

The diffusion of information through Web 2.0 technologies, combined with these subtler forms of attack, will make detection much harder for security professionals.

Application assault

The dispersal of data is not, however, the only problem IT leaders face. According to Shlomo Kramer, CEO of data centre security provider Imperva, Web 2.0 is based on low-cost, lightweight consumer applications that are predominantly web-based and highly vulnerable – and that presents a significant threat to the business.

The first wave of these applications has crept into the enterprise as users have installed instant messaging clients or downloaded voice over IP products such as Skype. Both are growing in importance to daily business operations but the technologies remain largely unregulated, says The Jericho Forum’s Williams. “To say that [IM] has taken off is an understatement. Yet the policy and governance hasn’t caught up with that.”

Consequently, business leaders can expect to suffer “widespread targeted attacks towards that infrastructure,” in 2007, says Gerhard Eschelbeck, chief technology officer at anti-spyware vendor Webroot. Because such lightweight web applications are built with few integral security features, and are also subject to ongoing alterations, they are particularly susceptible to Trojans that attempt to take control of the operating system.

For business leaders with concerns over the security of VoIP implementations, the evolution of spam provides good clues to future risks, according to the global security research unit X-Force, set up by IBM Internet Security Systems. “Email and VoIP run on the same protocols,” explains Daniel Ingevaldson, director of technology strategy at X-Force. “That’s a scary prospect given 70-80% of emails are malicious. That’s like turning on the radio or television and finding nearly all the channels have been taken over by pirates.”

Many of the lightweight, consumer-friendly VoIP packages have no in-built security, a weakness already exploited by so-called ‘vishing’ attacks – the voice equivalent of a phishing attack in which a false caller ID is created in order to trick users into giving up confidential information which can then be exploited for financial gain.

In the consumer world, forward-thinking Skype users have responded by setting up private networks, where only invitees can access contact information. But in the corporate world, where VoIP applications are being downloaded without IT’s knowledge, there is little chance of enforcing such good practice.

And identity theft is not the most pernicious security breach predicted to follow in the wake of wide-scale VoIP deployments. According to X-Force’s Ingevaldson, worms have already been identified that are able to penetrate VoIP and the session initiation protocol (SIP), which is widely used as a signalling protocol for VoIP. These worms, he explains, represent a significant future threat to the whole phone system. “VoIP is about real time. If the packets aren’t delivered then it isn’t going to work. So a big problem is denial of service, with storms of packets being sent that could bring down a network entirely.”

“Good IT security is about good governance. Training and awareness are a big part of this, because we don’t know what we don’t know.” – Howard Schmidt, TrustELI

Kicking back

So what can business leaders do to protect their organisations against the next generation of security threats?

“Good IT security is about good governance,” says Howard Schmidt, chairman of security firm TrustELI and former White House, Microsoft and eBay chief security officer. Too many organisations have neglected IT security training, he adds. “Employees are not aware of the risks that are out there.”

Service providers must also increase their efforts to combat Internet crime, says ISS’s Noonan. “I think 2007 will be the year that ecommerce wakes up to the fact that there’s a very serious problem associated with the customer’s security model. They are going to have to extend their security model out to their customer.”

Banking giant HSBC has already taken its first steps in this direction and is now imposing contractual ‘security duties’ on its online banking customers. Failure to meet these duties could potentially, in the event of an online fraud, result in reduced liability on the part of the bank.

Moving security features off the desktop and on to the Internet will also help protect business users, adds Schmidt. ‘On demand’ security providers, such as Postini, Internet Security Systems, and Qualys are predicted to grow in popularity. Such services are able to scale rapidly in response to threats, but do not require heavy up-front investment.

Unlike internal security departments, ‘on demand’ security providers, which operate in the form of a software as a service model (SaaS), are able to scale with the growing threats but without incurring rising costs.

This does not, however, mean that businesses will invest less in security. According to a survey from infrastructure security provider Cisco Systems, the majority of IT decision makers are expected to increase security spending throughout the coming year, with 40% anticipating an increase in expenditure of more than 10%.

This continued commitment will no doubt be welcomed by security officers, many of whom are already overstretched. But money alone cannot solve the problem, says Chris Simpson, chief inspector at Scotland Yard’s ecrime unit. “The main threat is ignorance: it comes down to people who do not recognise the scale and diversity of the threat.”

Spam: Anyone for more?

Spam has been a persistent irritant since email first became widely used, but until now it has been regarded largely as a benign nuisance. That perception is now rapidly changing.

“Spam has moved from being a nuisance to a real threat,” says Howard Schmidt, chairman of security firm TrustELI and the former White House, Microsoft and eBay chief security officer.

The sophistication of techniques used by spammers has evolved rapidly in the last 12 months, as new methods of circumventing email filters have flourished. By the end of 2006, spam accounted for 86% of all email traffic, according to web security vendor MessageLabs.

Mark Sunner, CTO at MessageLabs, says this exponential escalation in junk email is due in large part to the creation of a new Trojan, dubbed ‘SpamThrough’, which represents a “milestone in botnet sophistication.” Highly robust, the SpamThrough controlling system is able to connect to any machine infected with the Trojan. These machines are already pumping out more than 10 times the amount of spam previously experienced, says Sunner, and it is still growing.

“Right now the spam Trojan isn’t being used anywhere near its capacity, so the indications are it’s going to get worse. We estimate that by the end of 2007, spam volumes could be upwards of 90% [of all email traffic],” predicts Sunner.

For businesses that are heavily reliant on their email traffic, the problem is having a significant impact, clogging up inboxes and occupying storage space. This menace, explains John Askew, IT infrastructure supervisor at Carter Refrigeration and Retail Services, is now acting effectively as a denial of service attack.

In the last 12 months spam volumes at Carter grew so high that they began “regularly taking the network down for in some cases several hours at a time.” This became extremely costly for Carter, which uses email alerts to notify engineers of maintenance call-outs. “We were losing call-outs and data. If we don’t get an email and accidentally defrost £20,000 worth of chickens, we will get a bill to that effect.”

Like many organisations that now find managing email traffic in-house a near insurmountable task, Carter moved to third-party security provider Sophos, which stops spam at the email gateway.


Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...
