Top Five Security Threats for 2006

In anticipation of the new year ahead, I'd like to look at those things most likely to test our security patience. Let's talk about the Top Five things we can anticipate becoming bigger issues or more insidious threats in the months to come.

To know the future, you must understand the past, and this has never been more the case in IT than it is today. The future will carry many things that have foundations in the threats and exploits of the past year or two. Without a clear understanding of those things, the threats and vulnerabilities of the new year will seem overwhelming.

Here are my Top Five things to look for in the new year -- and why you've already seen foreshadowings of them and should be prepared to deal with them.

  • Targeted Phishing Scams -- It will seem like they are more narrowly focussed, but when you take a look at all the attempts, you'll see that's not true. It isn't that they are more targeted, it's that your filtering systems already have taken out the ones most likely to be spam and left those that are possibly related to you or your interests. Fuzzy logic is a nifty thing.

    The bad news is that your end users are going to be more susceptible to these because the scams will look like the real thing. Now is the time to start educating your users on methods to protect themselves.

  • Self-Contained Electronic Devices -- PDA/pager/phone/email -- it's all in one box! Be the first on your block to carry the all-in-one solution to staying connected. Be the first on your block to download the Blackberry- or Treo-targeted virus. Be the first on your block to bring the company Intranet down with a piggy-backed payload designed for desktops. I think we'll be seeing the first crossover infections from hand-held devices to desktops and corporate networks in the coming year.

  • Spam -- That unwanted bulk email will become more insidious in getting around spam filters at both the border and application level. As spam filtering becomes more sophisticated, we'll see messages that are less like advertisements and more like email addressed specifically to us. Like phishing schemes, spam will feel more personally directed.

  • Voice over IP -- VoIP will continue to be the industry's darling 'innovation'. The media focus, however, has most frequently failed to address possible security concerns. In all the articles on the subject that I've read, only one of them comments on security implications.

    One way to really simplify the matter is to ask two questions: When was the last time you had an analog phone compromised and a keystroke logger installed? Oh, yeah. Never. When was the last time any one of your workstations was compromised with any form of rootkit? A lot more frequently than you'd like to admit, probably.

    So, let's hook the phones up to the computer so any traffic sniffer will not only have access to all your data, but all your strategic and tactical discussions on how to build your company successfully. Warning bells should be going off for even the most inexperienced IT manager at this point.

    To be practical about this, you are effectively setting your company up for a single point of failure. And it's one that is known to occur on a consistent, if not regular, basis, and one that can cause considerable damage before it is identified and remediated. By adding your phone lines to this matrix, you increase the amount of damage possible prior to discovery.

    I am not saying that you cannot implement VoIP securely. Setting up your VoIP implementation should mean taking the necessary precautions to secure the implementation appropriately. Securing the server that will be handling your phone calls, setting traffic on a protected subnet and other precautions specific to your environment are paramount. I've heard how some are excited to be able to push phone calls over to wireless access points for greater convenience. This indicates to me that they are really missing the key point to security.

    As with any technology, proper security implementation has to be included from the outset. Attempts to add security as a secondary consideration are going to cause difficulties in the implementation. If you come to a point where VoIP is no longer a discussion but a directive, it's time to switch to arguing for appropriate security levels and valid descriptions of the threats to corporate assets.

  • The House of Gates -- Microsoft will continue to experience setbacks in the security arena. With more than 5 billion lines of code to sort through, Micro$oft will have more zero-day events to deal with similar to the one announced in late December.

    The .WMF vulnerability and exploit was reported late in December, and published in Microsoft Security Advisory 912840. It has shown that Microsoft is not in the clear for future events of this nature. Exploits will continue to become more esoteric, as well as virulent in the sense that they will affect a wider spectrum of the Windows operating systems.

    In the case of the .WMF vulnerability, every version of Windows is vulnerable (even those Microsoft no longer supports with security patches) regardless of patch level.

    Second, it's not just one portion of the operating system that is affected but multiple major portions. The Windows Fax and Image Viewer library (shimgvw.dll) is used to render images in Windows Explorer, Internet Explorer and other applications such as Lotus Notes. Anything that gives a view (whether thumbnail image or full view) of an image is at risk of processing malicious code in an image that's been downloaded from the Internet, or transmitted by email or instant messenger service.

    System administrators will have to decide whether to use third-party patches or wait for the official patch from the House of Gates. This will be the case, as well, in future incidents.

    This is the future -- more spam, more phishing, more really cool technology gone awry, and Microsoft making your life difficult, because you can't live with them and you can't live without the operating system.
