December 25, 2005
2005 has been a banner year for cyber-villains. Thanks to hackers,
some of the United States. largest corporations, including financial
services giant Citigroup and media powerhouse Time Warner, had
sensitive data swiped from their supposedly secure databases.
Smaller companies weren.t immune this year either, with retailer DSW
Shoe Warehouse and credit card processor CardSystems, bought by Pay
Per Touch in October, both victims of cyber break-ins (see Credit
Cards Bar CardSystems ).
Data theft wasn't the only danger in 2005. An Internet worm, Zotob,
infected computers at media companies like CNN and financial behemoths
like Visa in August. And email nuisances, spam and phishing, were also
on the rise.
Will it get better in 2006? Not really, say security experts. In fact,
the threats may get worse. That's because just as security systems
become more sophisticated, the threats will become more complex and
innovative - all in an effort to stay a step ahead.
Looking forward, security experts see eight major trends in security
in 2006. Among them, voice spam is expected to become a growing
annoyance as VoIP applications become more widely used. Another
concern: cyber-criminals will exploit the low levels of security in
mobile communications to gain access to data in laptops and other
Here are the security trends to watch for in 2006:
Phishing, the practice of sending fraudulent emails to encourage users
to divulge personal or financial information, will increasingly target
customers of smaller organizations in 2006. Until recently, phishing
victims often received email purporting to be from large banks like
Citibank and Bank of America or sites like eBay.
But these organizations are deploying greater security measures to
combat phishing, forcing scammers to turn to smaller targets. Next
year's targets could include customers of, say, the local credit
union, security experts said.
Scammers will aim for residents of a specific town posing as a local
financial institution, local governmental organization, or university,
predicts Joel Smith, chief technology office for AppRiver, a Gulf
Breeze, Florida-based spam and virus filtering service provider (see
Worm Poses as FBI or CIA Email ).
"We are going to see more regionalized, localized targeting," he said.
"Scammers will look for subscribers of regional ISPs [Internet Service
Providers] and send them emails purporting to be from the local credit
For scammers, the upside with such targets could be a higher rate of
return. "Small organizations or targets from smaller cities may not
have been as exposed to the phishing spams as larger or
technologically savvy groups," says Mr. Smith.
Business Worm's Rise
Before Zotob struck, computer attacks were often directed at home
users. But this worm, which exploited a vulnerability in Microsoft.s
Windows operating system, affected businesses, marking the rise of
Internet criminals focused on financial gain (see Zotob Heralds
Business Worm ).
These attacks on businesses are expected to increase next year, said
Bruce Schneier, founder and chief technology officer for security firm
Counterpane Internet Security. These Internet criminals differ from
the hacker hobbyists who were content terrorizing home users in
several respects, he said.
"Hobbyist hackers looked for new and clever attacks, while criminals
will use whatever works," he said. "Hobbyists generally didn't care
who they attacked, while criminals are more likely to target
The big concern? This new breed of cyber-thieves will target
proprietary information like trade secrets, or personal data like
social security numbers that can be sold on online black markets.
For businesses, the spread of this new breed of worms will mean
they'll have to tweak security policies to institute new security
protocols that can react faster to threats.
Many of the data leaks in 2005 may have stemmed from poor security
measures. And while companies spend millions securing their networks
from intruders, they often ignore one of the most likely sources of
leaks: insiders or company executives who can inadvertently or
deliberately leak information.
Many companies that have off-site call centers managed by third
parties don't routinely review their systems to stop leaks, said
Joseph Ansanelli, privacy expert and chief executive officer of Vontu,
a San Francisco-based company that works to prevent data loss.
Often overlooked, the insider threat will grow in 2006, forcing more
companies to add a layer to their network that will monitor the
information accessed and distributed by employees (see Q&A: Security
Wonk Dan Verton ).
Increasing Network Control
The threat of crooked insiders and more stringent compliance
regulations will force companies to implement identity-driven networks
that control who uses a network. Driving the change is legislation
like Sarbanes-Oxley, which calls for specific security measures and
complete visibility into network users, devices, addresses, policies,
The basic network identity services that exist today cannot meet the
requirements, said Robert Thomas, president and chief executive
officer for network security company, Infoblox.
"The anonymity associated with conventional network deployments has
existed for years; however, the repercussions of that anonymity,
increasing regulatory compliance pressures, and security concerns over
the last year or two have dramatically raised the visibility around
these issues and call for a new approach," he said.
Wireless Security Focus
Hackers are finding it increasingly easy to steal information from
devices that contain people.s private data, as a growing number have
wireless capabilities, said security experts.
Wireless technologies like Wi-Fi may be more widespread, but many
users are still ignorant about the security measures they must use on
these networks to keep hackers at bay. Security experts see 2006 as
the year when threats on wireless networks will come of age.
As Wi-Fi moves to airplanes, trains, and other public locations,
cyber-criminals will seek to exploit the lack of knowledge about
mobile security measures to gain access to user information. One prime
target? Laptops carried by business users, said MessageLabs, which
provides email security and management services.
Increased Security Legislation
Over the last two years, a number of states have enacted laws similar
to one in California requiring companies to disclose security breaches
to protect state residents from identify theft. In 2006, a federal law
along these lines is a strong possibility, security experts said.
Other legislation in the federal pipeline includes a bill that would
set standards on what is spyware, how these programs should behave,
and what is deemed violations. Spyware are malicious programs that
sneak into users. computers and monitor their usage.
"The legislators will also continue to dictate what types of security
measures must be taken in order to prevent unauthorized access to
sensitive company information," said Vontu's Mr. Ansanelli.
Voice Spam Begins
The popularity of Skype and VoIP will lead to new forms of spam
attacks next year, security experts predict. As VoIP applications
become more widely used, there will be a rise in voice spam.
That's because VoIP services lack strong encryption and they can
become a target of scammers, said Information Risk Management, an
independent security consultancy firm.
"Just as web users can be plagued by pop-up advertisements and spam
email, it is expected that VoIP services will be the next target,"
said the company in a report. "Users could find calls redirected or
hijacked by advertisements."
Though there are some security solutions for VoIP traffic and
equipment, service providers will have to move in faster to nip the
problem in its early stages.
Selling to SMBs
Of course, all these new threats can mean new business for security
companies. Traditionally, security companies have focused on selling
their products to bigger players as large organizations have big IT
budgets that will let them spend on securing their networks. But as
smaller firms become the targets of security attacks, security
startups will pay more attention to them.
Companies offering managed security services, which involves
outsourcing the needs to specialists rather than doing it in-house,
will be best positioned to capitalize on this trend, security experts
In 2006, there's likely to be a spike in small and medium businesses
using managed security services hosted by security companies, said
Brad Miller, chief executive officer of Perimeter Internetworking, a
managed network security services provider.
This "enables SMBs for the first time to outsource their security and
receive pre-integrated services and continuous updates at an
affordable price," said Mr. Miller. "They did not have this option
Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.