Security's Top Five Priorities

What keeps you awake at night? If you're a politician, it's campaign funding. If you're a teacher, it's tomorrow's lesson plan. If you're Paris Hilton, it's how to get more cupholders into your convertible.

For security professionals, the awake-at-night issues keep changing. When we did our last "look ahead" story back in December, the industry had not yet been slapped by the TJX breach, Web 2.0 worries, or Gary Min's attempt to steal $400 million worth of trade secrets from DuPont. (See 2007: Trouble Ahead.) Security threats, apparently, are like politically-incorrect comments by Don Imus: There's a new one every few minutes.

And so, in one final nod to Dark Reading's first anniversary this week, we've done some research on security professionals' current concerns, and those they foresee in the immediate future. The following is a synopsis of what we found.

As you'll see, some of the top issues and priorities in IT security have shifted significantly in the scant four months since we last asked this question. We hope you enjoy it. But read it fast -- the next sea change can't be far away.

1. The Portable Problem
Laptops. USB thumb drives. Removable hard drives. PDAs, smartphones, and Apple iPods. No matter what the devices are, they're capable of holding a ton of data, and their capacities grow every day. They can be the getaway vehicles for sensitive data, or the unwary carriers of viruses and other malware.

It's no surprise, then, that removable storage is at the top of the list in almost every security professional's priority list these days. In a survey published yesterday, Centennial Software reported that 38.4 percent of attendees at the recent InfoSecurity Europe conference listed portable media as the number one security issue facing their organization. Viruses finished second at 23.7 percent; spyware garnered 22.3 percent.

"It comes up in every conversation I have with a customer," says Steve Stasiukonis, vice president and founder of Secure Network Technologies, a penetration testing firm. "It doesn't matter if it's stuff being taken out or coming in -- they say they worry 50-50 about both. It's bad if a user brings it in and [pollutes] the network, or worse if they take something out and it gets into the hands of someone who can hurt [them]."

And the problem is becoming more acute all the time. According to a study published two weeks ago by Senforce Technologies, 73 percent of IT professionals say their organization houses critical data on removable devices such as laptops, thumb drives, and iPods. Twenty-three percent of the respondents said their organization had reported a network security breach in the last 12 to 18 months, and another 25 percent said they didn't know whether such a breach had occurred. (See USBs' Giant Sucking Sound.)

2. Web Two Point Zero-Day?
Security experts agree: The corporate network security perimeter has become a pretty tough nut to crack. So, like any good squirrel, the hacking community is putting that nut down in favor of an easier one: the Web-based application.

In tests of some 31,000 Websites last year, the Web Application Security Consortium exposed more than 148,000 vulnerabilities, according to the latest WASC statistics. Despite the recent notoriety of the problem, nearly 85 percent of the sites tested were vulnerable to attacks via cross-site scripting (XSS).

As with portable devices, the problem with emerging Web applications -- sometimes collectively called Web 2.0 -- is that the popularity of the technology is rapidly outstripping the IT organization's ability to secure them. In a study of 1000 workers under the age of 29 conducted by British security firm Clearswift in March, some 42 percent of respondents confessed to discussing work-related issues on social networking sites and blogs.

Researchers also have found plenty of holes in next-generation Web technologies. Fortify Software earlier this month reported a new wave of Internet attacks targeting Web 2.0 sites and the Ajax applications that have helped make them so dynamic. Coined JavaScript Hacking, attackers go after vulnerabilities in major Ajax toolkits, allowing them to pretend to be victimized users and gain access to sensitive information.

3. Attacker Inside!
Corporations have always been concerned about security leaks and insider attacks. But that was before they heard about Vencent Donlan, Roger Duronio, and Gary Min.

In the past several months, the security industry has had an opportunity to see some of the biggest brass balls in the history of corporate theft and sabotage.

Donlan, a former stock options administrator, this week was charged with stealing some $7.7 million in company stock and routing it to an account in his wife's name. (See SEC: WFI Insider Stole $7.7M.) Duronio was convicted of planting a logic bomb in his company because he wasn't happy about his bonus. (See Ex-UBS Sys Admin Found Guilty.) And Min had to rent a storage bin and a separate apartment to house the $400 million worth of data and documents he stole while he worked at DuPont.

These three incidents may not be the biggest insider incidents in history, but with today's laws mandating breach disclosure, they put a new, ugly face on the prospect of such things happening at your company. As a result, many enterprises are taking a harder look at compliance, leak prevention, and end-user monitoring than ever before.

Next Page: Page Two

4. Endpoint End Game
Networks and applications are nice, but most hackers' favorite target is a nice, blissfully-ignorant end user. Whether it's shoulder-surfing at Starbuck's, hijacking a WiFi connection, or entry through an unpatched antivirus application, an attacker's pickings around a single end user are surprisingly good.

Security vendor Promisec yesterday released the results of 193,000 end point audits it has conducted across 32 organizations, and the results are sobering. Here's what it found:

Some 25,090 (13 percent) of the corporate PCs surveyed had unauthorized USB devices attached to them. More than 7,700 (4 percent) of corporate PCs had peer-to-peer (P2P) applications installed, such as KaZaa. About 2,900 (1.5 percent) did not have the latest Microsoft Service Packs, and 3,281 (1.7 percent) had antivirus monitoring and remediation issues.

It doesn't stop there. More than 2,300 (1.2 percent) of the 193,000 audited endpoints were without required third-party desktop security agents, and 1,579 (.82 percent) had unauthorized remote control software such as GoToMyPC. A smaller percentage had unauthorized and unprotected shareware.

Whether it's Cisco's NAC, Microsoft's NAP, or any one of a dozen other endpoint security strategies, corporations need to find a solution, and fast. Otherwise, hackers will continue to see them as big, strong castles -- with lots of open doors.

5. Botnet Bugaboo
When attackers crippled two of the Internet's key Domain Name Service servers in February, it was bad enough. But now experts are telling us that the attack might have been a prologue to a much larger attack, or perhaps even a sales demo for a botnet seller. Those are pretty scary possibilities. (See Fujitsu Softek Eyes Acquisitions and DNS Attack: Possible Botnet Sales Pitch .)

The creation and operation of botnets, experts say, has become big business. BBC News today is reporting that some companies have begun hiring hackers to launch botnet attacks on their competitors, creating spam networks or crippling their rivals' networks with botnet traffic.

And with zero-day vulnerabilities discovered in Microsoft's DNS just a few weeks ago, the botnet threat is greater than ever, experts say.

"Botnets are pervasive on the Internet and use zero-day vulnerabilities, such as Microsoft's DNS vulnerability, to grow their armies," said Ashar Aziz, CEO of security company FireEye. "Botnets enable theft of enterprises' customer data and intellectual property, and can be used to commit fraud and crime on a large scale. Enterprises should be very concerned about brand damage and legal liability due to botnets on their networks." (See DNS Flaw Creates Botnet Threat.)

— Tim Wilson and Kelly Jackson Higgins, Dark Reading