In a keynote speech that was webcast at last month’s Hack in the Box Security Conference in Kuala Lumpur, Malaysia, Bruce Schneier, chief technology officer of U.S.-based managed security services provider Counterpane Internet Security Inc., identified 10 trends affecting information security today.
1.) Information is more valuable than ever. For example, Amazon.com Inc. relies on information to make purchasing of books easier through its one-click purchasing system. Similarly, when Internet retailer Pets.com went belly-up, the company’s database of customers “was the only asset of value they had,” he said.
Information also has value for controlling access, such as single sign-on and authentication for users, and law enforcement, which uses information to help track criminals and gather evidence.
2.) Networks are critical infrastructure. The Internet was not designed to serve as critical infrastructure. “It just sort of happened,” Schneier said, noting that hasn’t stopped more critical systems from migrating to the Internet.
The Internet helps companies run more efficiently and eases communication between people, but there are real economic risks involved. “If the Net goes down, or part of the Net goes down, it really affects the economy,” he said.
3.) Users do not necessarily control information about themselves. For example, Internet service providers have control over records the Web sites that users visit and email messages they send and receive. Also, some mobile operators keep a copy of users’ phone books on their servers.
“There’s a lot of value in information about you,” Schneier said. “But you have no control over the security of that information, even though it may be highly personal.”
4.) Hacking is increasingly a criminal profession. Hacking is no longer for hobbyists. More and more, attacks are organized and led by criminals who are driven by a profit motive. “The nature of the attacks is changing because the adversary is changing,” Schneier said.
Extortion related to denial of service attacks and phishing attacks are two examples of criminal attacks. In addition, there is a black market for exploits that allow attackers to penetrate corporate IT systems.
5.) Complexity is your enemy. “As systems get more complex they get less secure,” Schneier said, calling the Internet “the most complex machine ever built.”
Advances in security technology simply have not kept pace with the Internet’s growth. “Security is getting better, but complexity is getting worse faster,” Schneier said.
6.) Attacks are faster than patches. New vulnerabilities and exploits are being discovered faster than vendors can patch them. In other cases, vulnerabilities in some embedded systems, such as Cisco Systems Inc. routers, cannot be patched, leaving companies vulnerable.
7.) Worms are more sophisticated than ever. They already contain vulnerability assessment tools, and are scanning corporate defenses for weaknesses and using Google Inc. for intelligence gathering. “This trend is a result of more worms being criminal.”
8.) The end point is the weakest link. “It doesn’t matter how good your authentication schemes are if the remote computer isn’t trustworthy,” Schneier said. In many cases, computers outside your company’s security are the weakest link. These computers are often infected with worms and spyware, presenting an opportunity for attackers.
9.) End users are seen as threats. Companies are increasingly developing software that is intended to defend against the end user, Schneier said, citing DRM (digital rights management) software as an example. “More and more we’re seeing security that doesn’t protect the user, but protects against the user.”
In at least one case, involving DRM software installed by Sony Corp. without users’ permission, the software caused damage to the end user’s computer. “Rules and regulation around this is going to be a big battleground,” Schneier said, predicting that a battle will be fought between PC software that is protecting the user and software that is designed to protect against the user.
10.) Regulations will drive security audits. There’s no shortage of regulations that detail how companies should handle data. Regulations such as the Sarbanes-Oxley Act will be the driving force behind corporate security audits.