Security Pro VIP Update--March 1, 2007

In this Issue:

Perspective: Experts on Security

More-targeted attacks, customer authentication, businesses keeping a closer eye on employees and customer data, security company mergers and acquisitions, better integration of security with the rest of IT—these are a few of the trends that security experts are watching, according to a panel of industry analysts and another panel of security company executives assembled for the RSA Conference last month in San Francisco.

Andrew Jaquith of Yankee Group talked about the "professionalization of malware" and an actual "supply chain" that now exists from finding vulnerabilities through to delivering malware that exploits those vulnerabilities. "There's money to be made," he said, and "malware is a full-time job for people." Attacks are smaller, more targeted, more geared toward financial gain for the attackers. Art Coviello, president of RSA, the Security Division of EMC, gave the example of an attack levied from the Philippines against a credit union in Louisiana. He called this "puddle phishing" because of the small size of the target.

The panelists also said that attacks are increasingly using social engineering; for example, an attack might be designed for a particular company to look like a message coming from one or more employees inside that company. Jaquith noted that long term, security suites will be more behavioral and less reliant on signatures, but short term, companies have exposure in this area. Ray Wagner of Gartner agreed, saying, "There's a human factors issue here. Can we educate users enough? How do we signal them? You can have locks on the door, but users have to decide whether to open it or not."

Another human-related security issue for businesses is authenticating customers. George Tubin of TowerGroup mentioned that financial institutions are working to implement new authentication and fraud protection measures to comply with regulations that went into effect at the end of 2006. He noted that the Internet is very important for financial institutions because it promises a much cheaper and easier point of contact with customers—for example, for institutions to introduce new products and customers to manage their accounts. However, in the last year, financial institutions have had to communicate to users that they won't ask for personal info in email and they've quit putting links to their Web sites in messages. Clearly, the possibility of fraud has dealt a big blow to online banking and consumer confidence in it.

Companies are also focusing on their internal users and checking user computers before allowing them on corporate networks. Jaquith mentioned "the rise of the suspicious business" and surveillance of employees as being a trend. He also spoke of the blending of consumer and enterprise equipment (as in people taking their personal laptops to work) as being a challenge for companies. Both Richard Palmer of Cisco Systems and Ben Fathi of Microsoft on the executive panel mentioned access control and enforcing policies as being a hot area for businesses right now—not too surprising given Cisco's Network Access Control (NAC) and Microsoft's Network Access Protection (NAP) initiatives.

We all realize that data protection is another hot area, particularly with The TJX Companies data breach in the news right now. Jaquith likened the necessity of storing customers' personal information to asbestos or lead in its potential toxicity for businesses. I'm not sure there's an exact parallel here—customer data isn't a problem you can pay someone once to clean up—but I see his point, and it makes for a good quote.

The panel of security company executives, called "CEO Panel: A View from the Top," was actually a misnomer, as Coviello pointed out. A year ago, he was CEO of RSA and his fellow panelist, Tom Noonan, was CEO of Internet Security Systems (ISS). Now those companies are owned by EMC and IBM, respectively, and Noonan is general manager of IBM ISS. "There are no CEOs at this table," Coviello joked. He also said that EMC would be acquiring more security companies to broaden its portfolio and that security needed to be integrated into the IT infrastructure rather than being a standalone industry.

Others on the executive panel agreed that there would be more consolidation of security companies and that security integration was necessary and coming. Noonan also emphasized that companies are beginning to challenge the expense and complexity of security and consider security outsourcing and services as an alternative to trying to manage many disparate security products.

—Renee Munshi, Security Pro VIP Editor

February 2007 Articles in Print-Friendly Format

If you're someone who prefers your newsletters in printed form, check out this .zip file. It contains all the security articles (in .pdf format) and code posted on the Security Pro VIP Web site in February. Print and enjoy!

Coming this Month

"Rev Up Web Security with Two-Factor Authentication" by Tony Howlett
What exactly is two-factor authentication? How can you implement it for your Web applications? Here's a look at some of the solutions that are available today. This article is now live on the Web.

Toolbox: "Nmap Output" by Jeff Fellinge
When you use Nmap to scan your ports to assess your antivirus coverage, you can also use its command-line parameters to customize its output into XML data files for importing into other programs. Coming March 8.

"Bounce Unwanted Files out of Your Folders" by Mark Burnett
A new file screening tool in the Windows 2003 R2 File Server Resource Manager toolset lets you block certain files or file types from entering a folder or notify an administrator about the files and take some action. Coming March 15.

Access Denied
Randy Franklin Smith answers your Windows security questions. Coming March 22.

Reader to Reader: "Security from Scratch" by John Penrose
After joining a company with an IT infrastructure that was a "walking target," this network administrator used a combination of security measures and products to lock down IT assets. Coming March 22.

Security Pro VIP Forum Now Available

Chat with other Security Pro VIP subscribers on the new Security Pro VIP forum. Ask questions about security topics and about articles posted on the Security Pro VIP Web site, and get answers from other forum members, including Orin Thomas, forum moderator, and article authors. Let's talk!

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.