
Ten security trends worth watching

At Hack in the Box, Bruce Schneier had a little list

October 18, 2006 12:00 PM ET

IDG News Service - In a keynote speech that was webcast at last month's Hack in the Box Security Conference in Kuala Lumpur, Malaysia, Bruce Schneier, chief technology officer of managed security services provider Counterpane Internet Security Inc., identified 10 trends affecting information security today.

1. Information is more valuable than ever. For example, Amazon.com Inc. relies on information to make purchasing of books easier through its one-click purchasing system. Similarly, when Internet retailer Pets.com went belly-up, the company's database of customers "was the only asset of value they had," he said.

Information also has value for controlling access, such as single sign-on and authentication for users, and for law enforcement, which uses information to help track criminals and gather evidence.

2. Networks are critical infrastructure. The Internet was not designed to serve as critical infrastructure. "It just sort of happened," Schneier said, noting that this hasn't stopped more critical systems from migrating to the Internet.

The Internet helps companies run more efficiently and eases communication between people, but there are real economic risks involved. "If the Net goes down, or part of the Net goes down, it really affects the economy," he said.

3. Users do not necessarily control information about themselves. For example, Internet service providers have control over records of the Web sites that users visit and the email messages they send and receive. Also, some mobile operators keep a copy of users' phone books on their servers.

"There's a lot of value in information about you," Schneier said. "But you have no control over the security of that information, even though it may be highly personal."

4. Hacking is increasingly a criminal profession. Hacking is no longer for hobbyists. More and more, attacks are organized and led by criminals who are driven by a profit motive. "The nature of the attacks is changing because the adversary is changing," Schneier said.

Extortion related to denial of service attacks and phishing attacks are two examples of criminal attacks. In addition, there is a black market for exploits that allow attackers to penetrate corporate IT systems.

5. Complexity is your enemy. "As systems get more complex they get less secure," Schneier said, calling the Internet "the most complex machine ever built."

Advances in security technology simply have not kept pace with the Internet's growth. "Security is getting better, but complexity is getting worse faster," Schneier said.

6. Attacks are faster than patches. New vulnerabilities and exploits are being discovered faster than vendors can patch them. In other cases, vulnerabilities in some embedded systems, such as Cisco Systems Inc. routers, cannot be patched, leaving companies vulnerable.

7. Worms are more sophisticated than ever. They already contain vulnerability assessment tools, and are scanning corporate defenses for weaknesses and using Google Inc. for intelligence gathering. "This trend is a result of more worms being criminal."


Reprinted with permission from IDG.net. Story copyright 2009 International Data Group. All rights reserved.
