There’s nothing better than adding a good bit of jargon and a catchy acronym to define a market trend in a way people can understand. Finjan, an up and coming leader in secure Web gateway products, recently did just that by highlighting the increasing growth in criminals using online cybercrime services rather than going to the trouble of developing their own crimeware operations. Far easier to just buy the malware off the shelf, subscribe to a service or simply buy or lease the results.
Finjan is calling it Crimeware-as-a-Service and describes a number of CaaS activities increasingly making their presence felt. “Cyber-criminals and criminal organisations are getting better at protecting themselves from law enforcement by using the Crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised but only provides the infrastructure for it,” explains Yuval Ben-Itzhak, CTO of Finjan.
Graham Titterington, Principal Analyst at Ovum, specialises in IT security and business continuity. He highlights criminalisation of cyber attacks as the number one security issue faced by the industry today. “This is the big one,” he says.
It’s not news that crimeware creators are making toolkits for their growing customer base, but the toolkits’ level of sophistication continues to grow and they now offer services such as sophisticated anti-forensic attack techniques and the ability to manage and monitor malicious code affiliation networks, all backed with comprehensive update mechanisms.
The introduction of malware for profit has irrevocably changed the threat landscape for organisations and individuals alike and, generally, we’re ill prepared for it. Patrik Bihammar, a senior analyst for IDC’s software practice, has a focus on the security and system management markets in Australia and New Zealand. Bihammar told CRN the big changes facing local companies are similar to those abroad. Traditional security solutions, he explained, are not prepared for the latest Web-borne threats the industry is now facing.
Most other pundits agree: email, adware, even Instant Messaging and VoIP attacks are all still there and in some cases growing, but Web-based attack vectors, from drive-by downloads to cross-site scripting attacks, are becoming an increasingly popular way to deliver malicious code.
Web defence specialist Websense recently announced that, for the first time, in late 2007 the number of legitimate Web sites compromised by attackers surpassed the number of purpose-built sites created by attackers. It’s no longer a matter of simply avoiding suspicious Web sites. High-profile, trusted sites or even lesser-known legitimate sites are likely to become a source of malware infection from time to time.
Websense says it scans more than 600 million Web sites and 350 million emails per week searching for malicious code, and that traditional security measures are just not designed to handle the new age threats. Attackers know that compromising sites with plenty of traffic and good reputations, coupled with more effective and targeted email lures, can improve their success rate.
IDC’s Bihammar says the traditional approaches to Web security such as URL filtering are no longer meeting the security needs of the enterprise. Where Web site filtering was appropriate as a productivity and security measure in the past, the increasing number of ‘legitimate’ sites being infected by criminal malware means simply blocking obviously undesirable or risky sites is ineffective as a security mechanism.
“What we are starting to see about these threat perspectives is that it used to only be risky sites, but the malware is being uploaded to reliable sites. It is really putting more pressure on sophisticated Web security,” said Bihammar.
“This is an opportunity for the channel to develop in that area,” he said, explaining it’s a traditional channel play with vendors providing tools which can be applied relatively easily to the problem.
Two of the most dominant players in this market have become one with the merger of SurfControl and Websense, but other vendors are buying in or developing their own Web traffic filtering solutions that can do more than simply filter URLs.
There are up-and-coming players too. Finjan, an Israeli company, is gaining market share in this space, says Bihammar.
Not all products are a straight appliance or software sale. Websense, for example, offers an on-demand hosted service, and almost all involve some sort of subscription service to keep reputation scores and signatures up to date.
Privacy concerns
“We are now up against organised and well resourced communities working to their own business model,” says Ovum’s Titterington.
“All the big vendors, including Symantec, IBM (ISS), Cisco etc are taking the battle back to the Internet with everything from comprehensive traffic monitoring, to multi-level protection for customers.”
Second on Titterington’s list of security trends is the need for better user access control and authentication. “Users need something easier and quicker to use, something more resilient than a password,” explains Titterington. “Something that doesn’t incur the help desk costs of forgotten passwords. The smart card vendors are in the forefront here, along with token suppliers such as RSA, and some innovative suppliers such as pictorial key pads,” he suggests.
Echoing other commentators’ warnings about Web-borne threats, Titterington points to application security. “Organisations are realising that externally facing applications on the Web are providing a soft entry point into corporate data repositories and other assets,” he says.
Of course, with the focus on profit, whether it’s fraud or industrial espionage, the enterprise needs to protect its information in a way it never had to in the past. When security was about stopping script kiddies affecting worker productivity or launching DoS attacks to embarrass your Web server, the target wasn’t getting your customer database, your credit card details or even your login for Facebook.
It is now.
Bihammar believes the data leakage protection market is an increasingly important part of the Australian security industry. This is driven not just by the threat of fraud; the name-and-shame effects of data losses overseas are making local Board members wake up and take notice before their organisations are embarrassed, as has happened in the UK and US.
The Australian Law Reform Commission is currently reviewing the Australian Privacy laws and there is a fairly wide expectation that disclosure provisions will ultimately be included in the Privacy Act when it is reformed later this year.
The Australian Privacy Commissioner, Karen Curtis, has called for compulsory notification of major data security breaches by Australian organisations saying: “While reporting would need to be proportional to the severity of the breach, it would provide organisations with a strong market incentive to adequately secure their databases. It would also give people an opportunity to take any necessary steps to protect their personal information.”
The Australian Law Reform Commission seems to agree, stating in its earliest discussion papers that the Privacy Act should be amended to include data breach notification provisions. Exactly how that plays out into legislation may take some time.
According to an international survey of security professionals conducted by Websense, there is significant support for strict penalties for Board and C-level executives that failed to properly protect customer information. A full quarter of the respondents believed that jail time was an appropriate punishment. Nearly eighty per cent advocated company fines and nearly two thirds supported compensation for consumers affected by data breaches.
It’s not only the threat of legislation pushing the end-point control and encryption market. The respondents said that loss of brand equity, pressure from the media and the potential impact on company share prices were also putting pressure on organisations. However, twenty-two per cent said they believed that companies would only take action once it was legally required.
“This survey indicates a strengthening opinion for action to be taken against cybercrime and data loss on a broader scale than ever before,” said Phil Vasic, ANZ Country Manager, Websense. “Board members should ensure proactive, strategic action is taken to protect their organisation’s essential information from emerging Web-based and email borne security threats and data loss to prevent sensitive information getting into the wrong hands.”
It is a potentially lucrative area for resellers. Security or networking vendors are now offering comprehensive end-point security systems incorporating security policy enforcement, encryption and Network Access Control suitable for organisations of most sizes.
Zoe Nicholson, Channel Manager for Sophos, says Network Access Control was a big topic last year and it is now being integrated into the main vendors’ product sets.
“Companies are looking at their end-point, but IT budgets aren’t increasing and the total cost of point products is too high. Analysts used to tell users to deploy best-of-breed point products from multiple vendors, now they are saying they should look for a complete solution from one product,” she said.
Accordingly, Sophos is following other vendors and building a suite of products that help reduce management cost and complexity by bringing several solutions under one umbrella.
It’s an opportunity for resellers to go out and educate their customers on the new generation of suite products, says Nicholson. There’s also a good potential for service revenue to establish policies, identify which data needs protection and then to ensure adequate defences are in place.
Future of security
By Staff Writers on Apr 30, 2008 11:35AM
