IT Security Trends for 2006

1. Executive Summary

2006 looks set to be an interesting year for IT security. Companies are now being driven by new requirements for risk analysis and compliance, which will have a knock-on effect in many areas of IT, including network design, application security and threat response. Those companies that can respond quickly and demonstrate a high level of understanding of risk management through the use of IT security stand to benefit the most.

The banking and finance sector will continue to be the driving force behind advancements in IT security. The wide-scale rollout of strong (two-factor) authentication for online banking will inevitably spread to all areas of e-commerce.

The challenge of instilling the ethics of good IT security governance in all companies is a difficult one, but that does not mean we should give up. The financial implications alone should make all companies take note, and increased government awareness and legislation will reinforce this. The fight is not yet lost, but we do risk losing it if the issues of IT security are not taken seriously and thoroughly understood. IT departments must play their part in highlighting these issues to senior management, who in turn have a duty of care to seek the right advice and put in place the correct controls to minimise the risks.

2006 is set to be the year of IT compliance. Rather than seeing this as another overhead, companies should embrace the positive benefits that can be gained through improved procedures and better controls.

2. Economic Outlook for the United Kingdom

While the economy does not have a direct link to trends in the security market, it does affect buying power and customer confidence. These are the areas that traditionally drive development forward, as customers demand more features and new products.
A lack of confidence in the economy will discourage users from placing new orders, reducing revenues, which in turn will lead to cuts in development budgets for new products.

The economic outlook for the UK in 2006 is probably the most uncertain for over a decade. The early signs of a recession are evident in the slowdown of consumer spending and the housing market. The UK is almost certain to miss government targets for inflation in 2005, and the Bank of England is likely to continue to cut interest rates over the next 12 months. However, there are signs of recovery in some of the UK's major trading partners (especially Germany) and there is some growth in UK manufacturing. This may be enough to maintain confidence and resist a slide into recession.

The IT security sector is split between the large global corporations, such as Check Point, Netscreen and Nokia, producing hardware and software, and, at the other end of the scale, a smaller number of specialist security consultancy firms offering advice and solutions. In between sit the large consultancy and outsourcing firms. Some firms will clearly see the changeable trading conditions as a chance to consolidate the business and reduce their costs by merging operations.

The conclusion is that 2006 will prove to be an uncertain year for many firms and retailers. The trading conditions are likely to lead to further mergers in the IT security sector.

3. New Threats

IT security will remain a constant fight between the security vendors and the hackers and criminals who seek to circumvent their products. 2006 is expected to be no different. However, a number of new threats are emerging that suggest that areas of the hacking community are becoming more organised. Evidence from law enforcement agencies suggests the involvement of organised crime, and the motivation for attacks is now increasingly financial and targeted against specific companies.
Firms can expect to face a number of different attacks over the next 12 months, including:

• Crossover viruses
• Trojans / viruses
• Targeted attacks
• Extortion attempts
• Voice spam

3.1 Crossover Viruses

The ever-increasing use of mobile devices represents a serious threat to the corporate network. Up to now, the use of these devices has been relatively uncontrolled. Few corporations have successfully standardised on the number and type of mobile devices in use and then restricted how they are connected to business PCs and laptops.

Crossover viruses are a product of the mobile age. Operating systems such as Symbian are extremely powerful, and this can be leveraged to write a virus (or to use the device as a means of storing code) that is capable of transferring from a PDA or mobile phone to a laptop or PC. It is also possible for viruses to be passed in the opposite direction; given the lack of anti-virus software on the vast majority of mobile devices, this would appear to be the bigger threat.

The first crossover virus was detected in September 2005. 'Cardtrp' spreads between phones via Bluetooth and MMS (Multimedia Messaging Service). If the phone has a memory card, it copies a Windows virus known as 'Wukill' onto the card. When the card is inserted into a PC, the virus appears as a legitimate file icon. Once opened, the code installs a backdoor on the PC and begins to collect passwords, which are then sent on to a collection server.

Cardtrp was fairly simple by modern virus standards, and many anti-virus vendors considered it little more than a proof-of-concept exercise. Businesses should expect to see many more viruses of this type, at a much higher level of sophistication, throughout 2006.

3.2 Trojans / Viruses

There have been huge steps made by the IT security industry to improve the quality of anti-virus software. It is almost unheard of today to find a corporate network without basic anti-virus software.
However, the threat will continue to be present, and we will see a change in the type of infections. Attacks may well be aimed at a specific industry or an individual company.

New types of viruses are being discovered all the time. Just as crossover viruses have begun to emerge, so too have cross-site scripting (XSS) viruses. Up to now, XSS had not been used to build self-propagating code; this is now changing. These new viruses are platform independent and are not stopped by normal firewall configurations, because they travel inside ordinary web traffic to and from the vulnerable site. XSS viruses could have a significant impact for Internet users, including the delivery of distributed denial of service (DDoS) attacks and the distribution of browser exploits. The increasing use of web browsers as application front ends, and their general level of sophistication, makes this a particularly worrying threat.

So-called 'zero day' attacks, where networks are infected before the anti-virus vendors have released signatures for the new code, will mean that companies continue to look to products that can protect against these threats. Signature-based intrusion detection systems are already deployed to try to counteract the problem, although they share the same blind spot: a signature-based IDS can only alert on an attack for which it already holds a signature. How successful they are depends on the product design, the configuration of the device and the quality of the attack signature files used. Despite the misgivings and the well-documented shortcomings of IDS, we would expect to see an increased level of deployment, to the point where IDS is considered de facto for perimeter security, just as firewalls and anti-virus software have become.

Every company must look at the policies and systems it uses to combat this problem. It was reported that the United Kingdom has one of the highest levels of spyware infection in the world (source: Webroot, reported by the BBC on 20 October 2005), beaten only by Thailand and the United States. This is not a statistic that we should be proud of.
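The point above about signature quality and device configuration can be made concrete. The following is an added example written for this page, not IRM's code or any vendor's product: a toy signature matcher in Python run over constructed HTTP request lines. The two signatures, the sample requests and the function names are all hypothetical. It shows that a matcher working on the raw request misses a payload that has simply been URL-encoded, and that decoding the request (repeatedly, with a bound, because attackers double-encode) before matching closes that particular gap without changing the signatures at all.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for the demonstration (not real traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /search?q=<script>alert(1)</script> HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",  # URL-encoded
    "GET /search?q=%253Cscript%253E HTTP/1.1",                    # double-encoded
    "GET /cgi-bin/../../etc/passwd HTTP/1.1",
    "GET /cgi-bin/..%2F..%2Fetc%2Fpasswd HTTP/1.1",               # encoded slashes
]

# Hypothetical signature file: (name, compiled pattern). Real signature sets
# are far larger; these two are enough to show the evasion problem.
SIGNATURES = [
    ("xss-script-tag", re.compile(r"<script", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]


def naive_match(line: str) -> list:
    """Apply the signatures to the raw request line, as a naive sensor would."""
    return [name for name, pattern in SIGNATURES if pattern.search(line)]


def normalise(line: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded so a hostile
    input cannot make the sensor loop), then lowercase for case-insensitive
    signatures. Bounding the rounds is the configuration knob that decides
    how many layers of encoding the sensor will see through."""
    current = line
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def normalised_match(line: str) -> list:
    """Same signatures, but applied to the normalised request line."""
    return [name for name, pattern in SIGNATURES if pattern.search(normalise(line))]


def scan(lines, matcher) -> dict:
    """Return {line_index: [signature names]} for every line that fires."""
    hits = {}
    for index, line in enumerate(lines):
        names = matcher(line)
        if names:
            hits[index] = names
    return hits


if __name__ == "__main__":
    print("raw matching      :", scan(SAMPLE_REQUESTS, naive_match))
    print("normalised matching:", scan(SAMPLE_REQUESTS, normalised_match))
```

Run against the six sample lines, raw matching fires only on the two plain-text attacks (lines 1 and 4), while normalised matching also catches the encoded and double-encoded variants (lines 2, 3 and 5). Normalisation is not a cure: it must mirror what the protected web server actually does with the request, or the sensor will see a different string from the one the application executes.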
Businesses and individuals must recognise and understand the threats that these programs represent. Ignorance is no longer an acceptable excuse.

3.3 Targeted Attacks

The increasing sophistication of security software and a better educated workforce are leading to a change in the way that hackers attempt to gain access to corporate systems. With financial gain the primary motive, companies should expect more sophisticated attacks. The quality of the attack may well improve, but the traditional methods of delivery, by email or website, are expected to remain, largely because they have been so successful from the hacker's point of view. High-volume fraud is now thought to exceed £1 billion a year. As long as there are substantial financial gains to be made, the threat from trojans and viruses will remain.

2006 is likely to see the emergence of viruses and remote-access trojan programs which are custom written for individual organisations. A piece of code written for a single target is unlikely to appear in any anti-virus vendor's signature database on the day it arrives. Companies must also be aware that if a hacker is prepared to go to the trouble of writing a customised virus, then they will try harder to ensure that it reaches the target network.

Attacks, however, may not always be through sophisticated trojan programs. Key logging, one of the earliest forms of hacking, is still used extensively. Key loggers can be delivered as software or as a hardware device attached to, or actually inside, the keyboard. The recent high-profile attack on Sumitomo Bank demonstrates that this technique is both popular and highly effective.

The delivery of these customised viruses, and the effect that they could have, means that much more attention should be paid to the design of internal networks, the security systems deployed (both physical building security and IT security) and the staff that are employed. Improved employee screening and security awareness training are essential to tackling the problem.
Treating the internal network and its users as a trusted environment can no longer be seen as an acceptable policy for corporate security.

3.4 Extortion Attempts

Once again, the involvement of organised crime is thought to be behind the rise in online extortion. There have been isolated cases of sites, especially in the online gambling industry, being targeted by hackers threatening to launch DDoS (Distributed Denial of Service) attacks, taking websites offline and shutting down trading operations. There is a view that this is a problem that affects only the online gaming industry. However, this is short-sighted. These attacks represent a significant threat to all online retailers. Once an attack has been found to be successful against one area of commerce, it is only a matter of time before it spreads.

Precise figures for the number of attacks that have already occurred are difficult to come by, because many companies do not wish to publicly admit to being attacked. The negative effect on their image and the fear of attracting further attacks compel many to keep their silence.

Businesses must ensure that they have effective business continuity plans in place that give them alternative trading methods when websites and e-commerce sites are unavailable. Regular testing of these plans is also essential. Protection against DDoS attacks is still lacking for the majority of companies. Many of these attacks are launched against email systems and not necessarily against the website itself, although the end result, a business unable to trade, is the same. Once again, a reappraisal of traditional IT security will be required to counter these new threats.

3.5 Voice Spam

The explosion in VoIP (Voice over Internet Protocol) services, aimed both at the individual (Skype being probably the best known) and at the deployment of corporate systems, will inevitably lead to new forms of spam attack. In many respects, the introduction of VoIP has taken the industry almost full circle.
Without the use of strong encryption, a VoIP call is no different to an unsecured analogue line. Analogue lines were susceptible to interception and disruption through a range of attacks (the so-called 'coloured box' attacks), and VoIP vendors will need to address the equivalent issues quickly. Just as web users can be plagued by pop-up advertisements and spam email, it is expected that VoIP services will be the next target. Users could find calls redirected or hijacked by advertisements. As 2006 will be a year of huge growth for VoIP applications, it will also be the year of voice spam.

There are a number of firms that now offer specific security solutions for VoIP traffic and equipment. Proper protection will be essential for the widespread acceptance of digital voice services. VoIP will have to achieve the same level of performance, quality and reliability currently enjoyed by analogue PBXs. Voice spam is a very obvious hurdle that VoIP will have to overcome, and how quickly an effective solution to the problem is produced will have a huge impact on the public's perception of VoIP services.

4. Industry Trends

Just as we can expect the type of attacks to change in the next 12 months, there are a number of initiatives and trends which we expect to have a significant impact in 2006. These include:

• Identity management
• Economic value of IT security
• Changes in corporate network design
• Compliance / risk management
• Application security

4.1 Identity Management

Consumer confidence in online security is essential to promote the continued growth of web-based shopping. Traditionally, advancements have been driven by the finance and banking sector, and this is set to continue. However, the United Kingdom still lags behind the rest of Europe in the rollout of secure authentication (source: APACS), and 2006 will see the adoption and implementation of a variety of solutions.
Many banks have been conducting extensive trials of hardware-based token systems for the consumer rollout of two-factor authentication. The natural progression of token authentication from corporate networks, where it is mainly used for remote access, to customer authentication has been predicted for some time. Many banking organisations have been waiting for official reports on the subject from industry bodies such as BACS Payment Systems Ltd before committing to the use of hardware tokens. Delays in producing the report mean that many organisations will now roll out these devices in 2006 ahead of the final report.

There is a danger that a number of different, mutually incompatible systems will be adopted, which may hinder the widespread use of such tokens. It appears inevitable that the use of hardware tokens will spread from simply authenticating users to their online bank accounts to being used as part of the buying process for online shopping. If traders have to implement complex payment systems to cope with the various token authentication schemes, then this will limit their appeal, despite the improved trading security they offer.

2006 will certainly see the first widespread rollout of these devices for banking customers. It will be several years, however, before we see the emergence of industry standards to control the use of hardware tokens in conjunction with general online trading. The ultimate aim for the user will be a single form of secure authentication accepted by multiple vendors, but we don't expect to see this happen in 2006. Identity management will also be a core issue for corporate network design, which is discussed later in this paper.

4.2 Economic Value of IT Security

Spending on IT in general has seen a steady increase over the last decade. IT budgets, and IT security in particular, now represent significant expenditure for the vast majority of firms.
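For readers who have not seen how a one-time-code token works, here is an added example written for this page; it is not the banks' or any token vendor's implementation, and the paper does not say which algorithm the trialled devices use. It implements the counter-based HOTP algorithm published in RFC 4226 in Python, together with a server-side verifier that tolerates the token counter drifting a few presses ahead of the server (the look-ahead window) and refuses a replayed code. The secret is the RFC's own published test key; the TokenVerifier class and the window size of five are this example's assumptions.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret ("12345678901234567890"). A real token holds a
# per-device random seed shared only with the issuing bank's servers.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to a 31-bit integer, then reduce modulo
    10^digits and zero-pad to the display width."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side record for one enrolled token (hypothetical design).

    The token increments its counter on every button press, including
    presses that never reach the server, so the verifier accepts any of
    the next `look_ahead` counter values and then resynchronises to one
    past the value that matched. Codes at or below the stored counter are
    never accepted again, which defeats replay of a captured code."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0  # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            # compare_digest keeps the comparison time independent of where
            # the first differing digit is.
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(RFC4226_SECRET, c)}")
    server = TokenVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("first use:", server.verify(first), " replay:", server.verify(first))
```

The look-ahead window is a usability decision with a security cost: each guess at a six-digit code succeeds with probability (window + 1) / 1,000,000, so a deployment must pair the window with a lockout or rate limit on failed attempts. Note also that the code depends only on the shared seed and counter, not on the transaction, which is why a code can be phished and used in real time unless the bank binds it to the payment details.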
It is becoming increasingly important to be able to describe the return on investment (ROI) that a company can expect from IT security. Once the ROI is understood, business can expect to see IT security become a major part of the corporate risk and compliance function. The impact of compliance issues will also see the profile of IT security rise further. Reasonable IT security practices should be seen as a benefit to the company and not just a 'black hole' in the corporate budget. As the profile of IT security rises, it will be up to the professionals involved to ensure that the positive benefits are understood and communicated to the whole company.

4.3 Changes in Corporate Network Design

Working habits and technologies are constantly evolving. In excess of 1 million people in the UK now work from home on a regular basis, and the trend will continue for the foreseeable future. This is one of the main reasons driving a fundamental change in network design, the best example of which has been the development of de-perimeterised network design.

These changes will not occur overnight, and the first step towards de-perimeterisation will be a re-evaluation of internal network security. Once the concept of a large trusted internal network is removed, segmentation will lead to the deployment of advanced IDS and departmental anti-virus servers and firewalls.

Risk and compliance objectives will force companies to identify and secure their most critical systems. Given the current size and complexity of many corporate networks, this is a huge task. One way to achieve it is to reduce the size of the internal network to include only the most critical servers and applications and to surround them with a layered security model. Completing auditing and compliance requirements then becomes a much simpler task, because the scope of the audit is the reduced core rather than the whole estate. Everything outside the critical systems is treated as an external machine.
This could include the mobile workforce and even entire company offices. Strong network access controls, identity management solutions and audit trails will be needed to ensure that access to the core critical systems is restricted to those who need it. Given the potential advantages to be gained from a de-perimeterised network, we expect significant growth in the number of companies evaluating or adopting such a design.

4.4 Compliance / Risk Management

The impact of legislation such as Sarbanes-Oxley and Basel II has been well documented. Although they do not affect every business, they have served to highlight the importance of good corporate governance within IT security. 2006 should also see the introduction of the European equivalent of Sarbanes-Oxley. How big an impact this will have on European business is as yet unknown. However, regardless of the impact of the new legislation, the ability to demonstrate that your business follows strict procedures for ensuring the privacy of data, and has implemented a comprehensive business continuity plan, for example, will be viewed as an effective way to improve the company image.

Beyond this, IT security will have to align itself with the goals of the business. Completing IT security compliance initiatives in isolation will not be successful; integrating fully into the corporate business model will be essential. Understanding the true cost of IT security 'incidents' (whether a hacking attempt or the leaking of confidential data), and being able to relay this to the rest of the business, will also be a key requirement. We expect 2006 to be the year when risk management and compliance become the major topic of concern for IT security departments across all areas of business.

4.5 Application Security

Application security has always been an important issue, but the emergence of de-perimeterised network designs is likely to highlight its significance.
Application security can take many forms, but we would expect to see more application firewalls being used as part of a multi-layered IT security solution. Improved application security may also be prompted by the increase in risk and compliance requirements: audit and risk management functions normally demand the retesting of applications and infrastructures following major changes. Companies that have invested heavily in centralised systems will want to be assured that they are as secure as possible. Built-in application security will be a major part of this, and those companies that can demonstrate effective solutions will benefit the most.

5. Summary

2005 has been a good year for the hackers and criminals. There have been many well-documented failures of corporate IT security design, which have served to dent consumer confidence in using online services. If this is to change, then businesses and individuals must start taking the issue of IT security more seriously. Ignorance is no defence.

The goal of a 100% secure network and architecture is unachievable as long as people are involved in the use and provision of IT security. It is possible, however, to vastly improve the current situation. It is clear that many companies simply do not understand the threats to their business. They are content to allow attacks to happen to someone else in the hope that it will not happen to them. The time for reacting poorly to IT security breaches has ended. The time for a professional, proactive approach is now.

Author - Chris Leppard - IRM Plc Technical Liaison Officer