In this Issue:
- Perspective: Experts on Security
- February 2007 Articles in Print-Friendly Format
- Coming this Month
- Security Pro VIP Forum Now Available
- Share Your Security Tips and Get $100
Perspective: Experts on Security

More-targeted attacks, customer authentication, businesses keeping a closer eye on employees and customer data, security company mergers and acquisitions, better integration of security with the rest of IT—these are a few of the trends that security experts are watching, according to a panel of industry analysts and another panel of security company executives assembled for the RSA Conference last month in San Francisco.

Andrew Jaquith of Yankee Group talked about the "professionalization of malware" and an actual "supply chain" that now exists from finding vulnerabilities through to delivering malware that exploits those vulnerabilities. "There's money to be made," he said, and "malware is a full-time job for people." Attacks are smaller, more targeted, and more geared toward financial gain for the attackers. Art Coviello, president of RSA, the Security Division of EMC, gave the example of an attack launched from the Philippines against a credit union in Louisiana. He called this "puddle phishing" because of the small size of the target.
The panelists also said that attacks are increasingly using social engineering; for example, an attack might be designed for a particular company to look like a message coming from one or more employees inside that company. Jaquith noted that in the long term, security suites will be more behavioral and less reliant on signatures, but in the short term, companies have exposure in this area. Ray Wagner of Gartner agreed, saying, "There's a human factors issue here. Can we educate users enough? How do we signal them? You can have locks on the door, but users have to decide whether to open it or not."
Another human-related security issue for businesses is authenticating customers. George Tubin of TowerGroup mentioned that financial institutions are working to implement new authentication and fraud protection measures to comply with regulations that went into effect at the end of 2006. He noted that the Internet is very important for financial institutions because it promises a much cheaper and easier point of contact with customers—for example, for institutions to introduce new products and for customers to manage their accounts. However, in the last year, financial institutions have had to communicate to users that they won't ask for personal information in email, and they've quit putting links to their Web sites in messages. Clearly, the possibility of fraud has dealt a big blow to online banking and to consumer confidence in it.
Companies are also focusing on their internal users and checking user computers before allowing them on corporate networks. Jaquith mentioned "the rise of the suspicious business" and surveillance of employees as being a trend. He also spoke of the blending of consumer and enterprise equipment (as in people taking their personal laptops to work) as being a challenge for companies. Both Richard Palmer of Cisco Systems and Ben Fathi of Microsoft on the executive panel mentioned access control and enforcing policies as being a hot area for businesses right now—not too surprising given Cisco's Network Access Control (NAC) and Microsoft's Network Access Protection (NAP) initiatives.
We all realize that data protection is another hot area, particularly with The TJX Companies data breach in the news right now. Jaquith likened the necessity of storing customers' personal information to asbestos or lead in its potential toxicity for businesses. I'm not sure there's an exact parallel here—customer data isn't a problem you can pay someone once to clean up—but I see his point, and it makes for a good quote.
The panel of security company executives, called "CEO Panel: A View from the Top," was actually a misnomer, as Coviello pointed out. A year ago, he was CEO of RSA and his fellow panelist, Tom Noonan, was CEO of Internet Security Systems (ISS). Now those companies are owned by EMC and IBM, respectively, and Noonan is general manager of IBM ISS. "There are no CEOs at this table," Coviello joked. He also said that EMC would be acquiring more security companies to broaden its portfolio and that security needed to be integrated into the IT infrastructure rather than being a standalone industry.
Others on the executive panel agreed that there would be more consolidation of security companies and that security integration was necessary and coming. Noonan also emphasized that companies are beginning to challenge the expense and complexity of security and to consider security outsourcing and services as an alternative to trying to manage many disparate security products.
—Renee Munshi, Security Pro VIP Editor