2005: The Year in Enterprise Security
A look back at the trends that defined enterprise security in 2005.
So, here we are at the start of a new year. And what has this past year brought us? A few things have changed compared to last year's review and some things haven't. How's that for a generalized statement?
Two things still stand out as highlights (or lows) for the past year: phishing and the lessons taught by Katrina.
Assault on Private Data
Phishing and pharming, or more specifically identity theft, made headlines early in the year. They continue to plague many financial institutions and e-commerce websites. The number of phishing attempts or variants continues on an upward trend. December 2004 came and went with 8,829 incidents reported to the Anti-Phishing Group, while last month (December 2005) that number is 15,820, with some time still on the clock. Either people are becoming more aware of the problem, and thus reporting it more, or there are more actual phishing variants out there.
But even if you did manage to avoid traps like phishing and pharming, you could still be susceptible to credit card information theft due to incidents like those at ChoicePoint, Bank of America and LexisNexis. As I write this, Ford Motor Co. is in the process of notifying 70,000+ of its present and past office workers that their personal data may have been compromised due to a laptop theft in November. The importance of identity, and of protecting it, will certainly be a key resolution for 2006 for many enterprises.
And it should be, given how robust the Internet is today. Yet we still have some e-commerce sites using insecure ordering forms. For instance, I recently went to place an online order and was rather shocked that this major company, based in Canada and using a major search engine to host its store, didn't employ any encryption at all as I was about to enter my credit card info for a gift certificate.
Recovery Wasn't a Given
You would have thought that after 9/11 companies would have realized the importance of using things like warm/hot sites and remote backups. But Hurricane Katrina highlighted many of the flaws in existing disaster recovery and business continuity plans, at least for those that have them.
Many still don't even have daily backups that could mitigate relatively minor problems caused by user error, never mind large-scale planning. Many enterprises seem oblivious to the fact that if a disaster did occur they'd go bankrupt in seconds because they didn't take the time to plan and deal with things in advance. Mother Nature has never been known to ask permission before unleashing her fury.
Those incidents aside, there wasn't much else other than the usual viruses, botnets and other malware (spyware) running around. I still contend one of the funniest stories was that of the hacker who broke into US military systems in hopes of finding proof of hidden UFOs and such. He definitely wasn't in it for the money. When we look at 2005, it was in many respects a continuation of 2004. Except there was more SOX to worry about, and that's rapidly becoming a procedural exercise for many administrators.
That all said, what does 2006 hold for us?
A Look Ahead
Well, 2006 is the Year of the Dog but I think the bite will be just as good as the bark (sorry, had to toss it in).
2006 should also be the year of backup development and disaster recovery planning. 2005 highlighted those issues, and many companies are seeing how devastating it can be if they don't prepare. Options such as hot sites, remote journaling and backup, as well as dual-center operations, will be the items to look into.
2006 will also be the year of virtualization. The battle between VMWare and everyone else, specifically Microsoft, is starting to heat up. Companies are beginning to realize that consolidating their many servers into one central location to minimize hardware costs means they can put more money into disaster recovery and backup options.
The New Year will continue to put security at the forefront, both in a general sense and career-wise. Companies are integrating more security, well beyond simple usernames and passwords, as the need for more stringent methods becomes clear. Additionally, the creation of various laws in Canada, the US and elsewhere is forcing companies to adhere to stricter cyber-security. On the job front, with all these changes companies are making, they will need experts and specialists to fill roles. Security remains one of the few areas in IT where growth is happening. The CISSP designation is still king of the heap, hotly followed by the SANS GIAC certification and vendor-specific security designations.
However, 2006 will probably still fall victim to the various identity theft issues, and phishing will continue to register big on the radar. Because of this, trust in e-commerce will continue to erode for the average consumer. If companies make the effort to provide a more secure environment to do business in, then the consumer will return.
So here's to the past year, as it reminds us of where we need to be careful. And here's to the New Year, with all its hope that things are getting better. Best holiday wishes to all!
This article was first published on EnterpriseITPlanet.com.