With phishing scams masquerading like the flu and malware attacking from new fronts such as websites, USB keys and mobile devices, IT security professionals are expected to be human firewalls. Throw in the need to regulate compliance over new and encrypted communication channels like IM or P2P, plus the security concerns of Vista, and it's easy to see why IT security management is getting tougher. Richard Cullen, distinguished engineer (who researches emerging security threats and methodologies) from security software vendor SurfControl, explains the concerns of today's IT security professional.
What has changed in the IT security landscape over the last 3 years? 18 months? Are the threats that enterprise firms face cyclical?
The threat landscape has changed dramatically over the past couple of years. Malware attacks are now commercial ventures, with well-organized cyber-crime gangs harnessing the power of vast botnet armies to launch spam, phishing, DDoS and malware attacks.
These botnet armies fuelled a massive spam spike this year, with volumes doubling since July, and our threat analysts also saw e-mail borne threats mutating at a much faster rate. We used to see new variants emerge after a couple of days; now it can be a matter of hours.
For Aussie businesses, it means spam is not going away any time soon. We've seen different techniques come and go - it was Nigerian scams in 2004, and this year image and stock spam took centre stage - but spam itself will remain a threat.
What are current hot issues for IT security professionals?
Ensuring that organizations are fully prepared with tools, policies and procedures in the face of the changing threat landscape is a problem that is getting more difficult.
On top of that, the workplace is changing rapidly. As the workforce has gone mobile, the traditional network security perimeter has disappeared. Employees now connect to the internet from home, hotels, airports and coffee shops, as well as wirelessly within the office. Mobile devices like Smart Phones, iPods and USB memory sticks have also introduced additional risk of data theft and threats like spyware.
The communication mechanisms are changing too. Many users, especially younger people, use Instant Messaging applications rather than e-mail or phone for business and personal communications, which opens a new channel of communication for employers to manage.
Add the requirements for legal compliance and data storage into the mix and it's easy to appreciate the challenges that IT security professionals now face.
Which technologies and security risks do you expect to dominate over the next year?
In 2007, we'll start to see more organizations outsourcing their IT security. Smaller organizations are already turning to outsourcing to extend their resources and core competencies, and there are management benefits for larger businesses too.
We are going to see threats continue to gain in sophistication too. We will see more blended threats using malicious websites, and more phishing attacks that look virtually indistinguishable from the real thing.
If people, policy and procedures are the hallmarks of IT security, what do Australian organizations commonly get right? What do they get wrong?
It's important that organizations recognize how the threats have evolved and don't become complacent. Since the spam epidemic hit a few years ago, most organizations deployed some form of anti-spam filtering solution. Spam is no longer the whole story. It's essential to think about all the vulnerability points in an organization, from web-based email to USB drives.
Will Vista have a significant impact in the security market? Is it secure enough to ward off malicious coders?
Organizations will be wary about rolling out Windows Vista. It's unlikely we will see wide-scale deployment at least until the first service pack is released. Nonetheless, it will start to appear in organizations as new machines arrive pre-installed. Although Microsoft is highlighting the security advances made in Vista, the new operating system will be an immediate target for hackers looking for bugs and exploits.
Industry is well aware of a spate of data breaches over the past few years. Does this relate to organizations using outdated or non-existent policies or not waking up to how valuable their data is? In short, are CRM (customer relationship management) systems to blame or have they been implemented poorly?
Insiders are four times more likely than outsiders to be the cause of a data breach and the number one cause of data breaches is employee error - attaching the wrong document to an email or accidentally selecting the wrong recipient.
Intentional data theft is less easily controlled. One UK survey found 70 percent of office workers had stolen corporate IP from their employer when they left a job.
Up-to-date usage policies can definitely help; however, when it's so easy to click and send, SurfControl recommends implementing security solutions that enforce outbound data protection policies, safeguarding employees and protecting the organization's assets and data.