Top Five Security Threats for 2006
Columnist Linda LeBlanc takes a look at the Top Five threats IT and security managers will be facing in 2006. Are you prepared?
To know the future, you must understand the past and this has never been more the case in IT than it is today. The future will carry many things that have foundations in the threats and exploits of the past year or two. Without a clear understanding of those things, the threats and vulnerabilities of the new year will seem overwhelming.
Here are my Top Five things to look for in the new year -- and why you've already seen forshadowings of them and should be prepared to deal with them.
One way to really simplify the matter is to ask two questions: When was the last time you had an analog phone compromised and a keystroke logger installed? Oh, yeah. Never. When was the last time any one of your workstations was compromised with any form of rootkit? A lot more frequently than you'd like to admit to probably.
So, let's hook the phones up to the computer so any traffic sniffer will not only have access to all your data, but all your strategic and tactical discussions on how to build your company successfully. Warning bells should be going off for even the most inexperienced IT manager at this point.
To be practical about this, you are effectively setting your company up for a single point of failure. And it's one that is known to occur on a consistent, if not regular, basis, and one that can cause considerable damage before identified and remediated. By adding your phone lines to this matrix, you increase the amount of damage possible prior to discovery.
I am not saying that you cannot implement VoIP securely. Setting up your VoIP implementation should mean taking the necessary precautions to secure the implementation appropriately. Securing the server that will be handling your phone calls, setting traffic on a protected subnet and other precautions specific to your environment are paramount. I've heard how some are excited to be able to push phone calls over to wireless access points for greater convenience. This indicates to me that they are really missing the key point to security.
As with any technology, proper security implementation has to be included from the outset. Attempts to add security as a secondary consideration are going to cause difficulties in the implementation. If you come to a point where VoIP is no longer a discussion but a directive, it's time to switch to arguing for appropriate security levels and valid descriptions of the threats to corporate assets.
The .WMF vulnerability and exploit was reported late in December, and published in Microsoft Security Advisor 912840. It has shown that Microsoft is not in the clear for future events of this nature. Exploits will continue to become more esoteric, as well as virulent in the sense that they will affect a wider spectrum of the Windows operating systems.
In the case of the .WMF vulnerability, every version of Windows is vulnerable (even those Microsoft no longer supports security patches for) regardless of patch level.
Second, it's not just one portion of the operating system that is affected but multiple major portions. The Windows Fax and Image Viewer library (shimgvw.dll) is used to render images in Windows Explorer, Internet Explorer and other applications such as Lotus Notes. Anything that gives a view (whether thumbnail image or full view) of an image is at risk of processing malicious code in an image that's been downloaded from the Internet, or transmitted by email or instant messenger service.
System administrators will have to decide whether to use thrid-party patches or wait for the official patch from the House of Gates. This will be the case, as well, in future incidences.
This is the future -- more spam, more phishing, more really cool technology gone awry, and Microsoft making your life dificult, because you can't live with them and you can't live without the operating system.