The Top 15 Security Issues That Affect Computer Users and Companies
Reduce your exposure
by Claudiu Popa
Published in MC Showcase 06/02/2005
I recently overheard a comment made by an "executive
type" at a conference on information protection: "We live
in interesting times." When it comes to IT security, I certainly
couldn't agree more.
Indeed, as understatements go, this one shows that
awareness of information asset protection has finally reached the
ranks of upper management. In my own experience, it has also crossed
the gap between the work and home environments, thanks to the fluid
transfer of work and play data between computers, as well as increased
user-friendliness. And let's not forget the fact that networking
is now not only ubiquitous but indispensable.
It was only a few years ago that the industry was
wondering whether the Internet could support commerce and whether
it would collapse under the ever-growing demand for more traffic.
Now our problems are more mundane: How to keep our inboxes sparkling
clean, how to preserve our privacy online, and how to communicate
with our friends across the world in real-time are top-of-mind issues
facing individuals. Companies no longer debate whether they should
go online. Rather, they're interested in optimizing and streamlining
their existing connections for increased speed, productivity, and
profit.
As with every successful social and economic domain,
this growth brings with it issues of security and the challenges
of protecting all this amassed value. The year is 2005, and we are
increasingly seeing the products of the technologies that have been
knocking on our door for a long time. The evolution of many security-related
concerns is now a reality, and you can bet it will contribute to
rapidly growing competition in the security products space. If media
coverage and international daily activity reports are any indication,
the following 15 issues are currently the most popular, controversial,
and influential.
1 and 2: Viruses and Worms
Software that mimics biological organisms by the manner in which
it replicates and infects computer systems is a problem for all
computer users. Whether you are in a home or corporate environment,
chances are your computer is running anti-virus software. Yet viruses,
Trojans, and worms (or "malware," as this type of malicious
software is commonly called) still find their way into computers
daily, infecting them, propagating, and sometimes turning computers
over to remote attackers.
Despite the speed with which anti-virus companies
release new signatures, malware will be with us for a long time,
due in large part to the industry's reluctance to develop and release
more intelligent, behavior-based detection systems (rather than
signature-based ones). Your best bet is to keep your anti-virus
software up-to-date and supplement its protection with a desktop
firewall that also monitors outbound traffic.
3 and 4: Privacy and Identity Theft
As it turns out, people do care about privacy. A lot. Just when
we thought that the e-commerce picture couldn't be rosier, online
organized crime decided to enter the business, enlisting the help
of spammers, virus writers, and other unethical groups to shake
things up. Just when spam was reaching the climax of its commercial
potential and generating a lot of attention from regulatory bodies,
industry, and governments, spammers decided to up the ante and collect
valuable private information under false pretenses.
The most widespread current practice is that of
"phishing," where "phishers" use spam to convince
unsuspecting email recipients that their bank accounts will be closed
unless they respond by surrendering confidential data to a Web site
that looks identical to that of their current financial institution.
According to the Anti-Phishing Working Group, up to a whopping 5%
of recipients have surrendered some data to these sites. Depending
on which estimates and surveys you believe, losses are in the tens,
hundreds, and even thousands of millions. One thing is certain:
This simple scam works.
The success of phishing and other online scams,
in conjunction with the propensity of companies to publicly and
embarrassingly lose the private information of individuals to hackers,
has contributed to making consumers much more protective of their
private information, placing a premium on trust and opening the
door for many businesses to openly tout their dedication to security
and compliance with privacy practices.
5: Social Engineering
Social engineering, the practice of abusing the trust of individuals
to gain unauthorized access, was publicized by convicted criminal-turned-crusader
Kevin Mitnick, whose exploits continue to be recounted with glee
by the media and many industry insiders. The age-old practice of
what most people simply call lying is now beginning to play a big
part in security breaches--from virus infections to phishing attacks.
Because it relies on human social response, there is no quick technology
fix for it. The only solution is security awareness training for
employees and individuals. Both social engineering and the training
to counter its devastating effects are going to be growth areas
over the coming 18 months, with organizations and criminals scrambling
to realize the value of their chosen approach.
6: Spyware
Spyware is another type of malware whose effects started out as
a mere annoyance but have since grown to include criminal activity.
Spyware has evolved. What was once simply intelligent adware designed
to analyze our Internet usage patterns and present us with just
the right kind of advertising banner has grown into keyboard monitoring
programs that steal access codes, confidential data, and private
communications. The growth and popularity of this type of parasite
have made analysts predict sales of anti-spyware in the billions
of dollars over the next couple of years. The market is so hot that
even Microsoft has released its own product, including it freely
(for now) with its regular software updates.
7: Peer-to-Peer (P2P)
The file-sharing revolution that started with Napster continues
today with a variety of networks and file-sharing applications designed
to not only facilitate transfers but also keep the system active
and fresh.
As expected, security and privacy concerns abound.
The biggest issue is that novice users often activate the software
without properly configuring it and inadvertently share confidential
information (including intellectual property) with the entire connected
world. This gets even more complicated when the software is installed
at work. In addition to compromising corporate data, some users
expose their systems to spyware that is usually bundled with the
P2P software, to viruses being shared by users of the network, and
more recently, to organizations that are motivated to monitor these
networks for copyright violations.
Expect the peer-to-peer phenomenon to span everything
from large-scale distributed computer processing designed to break
encryption codes, to long-distance communications (as seen with
the innovative Skype software), to virtual workplace collaboration.
There is no shortage of security and privacy concerns, but the productivity
gains and financial benefits are often too strong to overlook.
8: Secure Data Backups
Secure data backups are becoming the norm in many large organizations,
and smaller companies are now considering them. Most companies (and
even individual consumers) use data backup methods to protect their
data against loss. Thanks to the serious (and embarrassing) nature
of recent high-profile backup tape losses, the issue of securing
corporate data has become top-of-mind for many IT managers and compliance
officers.
The potential for compromise cannot be overstated.
As hackers typically choose the fastest and easiest way into a situation,
they will often prefer to simply swipe a few backup tapes rather
than match wits with intrusion detection systems and potentially
hardened networks. All they need to do in order to have an exact
clone of the company's data is to restore it from a fresh backup.
The effects of such a publicized event are invariably damaging,
often resulting in the loss of thousands of client records and expensive
scrutiny by regulatory bodies. The solution is quite simple: Encrypt
and decrypt backup data in real-time using a hardware appliance
that is plugged in between the server and the backup drive. It's
a very elegant, simple, and comparatively inexpensive solution that
will find its way into many organizations over the next 18 months.
9: Wireless
Wireless systems are selling like hotcakes. Concerns over unauthorized
access through unprotected work and home access points have motivated
manufacturers to strengthen encryption levels and beef up their
default security settings, but the reality is that wireless technology
allows malicious users to breach systems and even cell phones more
effectively than before.
10: Teleworking
Teleworking (a.k.a. telecommuting) via remote access is a very effective
way to preserve employee productivity and even lower operating costs,
but unless the home environment is as secure as the workplace, teleworking
can become an expensive liability. The reality is that many workers
use less-than-secure, shared home PCs to access confidential work
data, giving potential attackers numerous opportunities to intercept
and steal it as it crosses the wire or is stored in the infected
home computer.
11: Removable Storage
Removable storage is in everything from the latest Pocket PC to
any USB keycard, giving users the ability to copy work data and
take it home--unencrypted and vulnerable to theft, unauthorized
disclosure or simply loss. Some companies have taken steps to ban
these devices, but most organizations continue to ignore the threat.
12: Passwords
Passwords are just as unsafe today as they were 10 years ago. Unfortunately,
the sensitivity of the data they protect has increased significantly.
This issue has perhaps the easiest solution: Systems that require
new user passwords to be sufficiently complex and significantly
different from the previous ones, two-factor authentication (tokens
or smartcards) and three-factor authentication (biometric) methods
are much more effective in protecting confidential data. Independent
audits of password strength almost invariably yield a 90%+ failure
rate, indicating a low awareness level among both employees and
system administrators.
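The first control named above, requiring a new password to be sufficiently complex and significantly different from the previous one, can be sketched as follows. This is an added example, not code from the original article; the function names, the 12-character minimum and the 0.6 similarity threshold are assumptions, and it assumes the old password is available because the user supplies it during the change.

```python
import difflib
import string

MIN_LENGTH = 12        # assumed policy value, not from the article
MAX_SIMILARITY = 0.6   # assumed cut-off for "too close to the old password"

def _normalize(pw):
    """Lower-case and drop trailing digits/punctuation, so that
    'Springfield2004!' and 'Springfield2005!' reduce to the same base."""
    return pw.lower().rstrip(string.digits + string.punctuation)

def similarity(old, new):
    """Case-insensitive ratio in [0, 1] of characters shared in order."""
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()

def check_password_change(old, new):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    classes = [
        any(c.islower() for c in new),
        any(c.isupper() for c in new),
        any(c.isdigit() for c in new),
        any(c in string.punctuation for c in new),
    ]
    if sum(classes) < 3:
        problems.append("too few character classes")
    # Catch the common "increment the year" rotation first, then fall back
    # to a general similarity measure for other near-copies.
    if _normalize(old) and _normalize(old) == _normalize(new):
        problems.append("same base word as previous password")
    elif similarity(old, new) > MAX_SIMILARITY:
        problems.append("too similar to previous password")
    return problems

if __name__ == "__main__":
    previous = "Springfield2004!"   # constructed sample values
    for candidate in ("Springfield2005!", "Springfield-Winter05",
                      "password1", "Granite-Kettle-71"):
        print(candidate, "->", check_password_change(previous, candidate) or "accepted")
```
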
13: Lack of Management
Lack of security management and training is the root cause of many
security issues. The good news is that many organizations are making
some effort to educate IT about security practices and to document
corporate security policies. The bad news is that the ranks of management
continue to lag behind in security knowledge. To adequately manage
any company's operations, management has a critical need to understand
best practices, security and risk management, and compliance standards.
14: Unpatched Systems
Unpatched systems are an area of concern for many IT managers because
they leave doors wide open to attack, yet the application of patches
without time-consuming testing can destabilize the network and hinder
availability. For companies that do not have a requirement to test
system stability against new patches, a number of solutions for
on-the-fly patch application are available. Unfortunately, large
companies that do have such a requirement will continue to leave
open a critical window of vulnerability during which infections
and hacking attacks may take place. Microsoft is expected to introduce
a new adaptive technology (currently dubbed Vigilante) to bridge
this patch deployment gap sometime next year.
15: Physical Security
Physical security is the most overlooked aspect of data protection.
Physically securing assets makes as much sense at work as it does
at home. It's important to not overlook simple things like door
locks and being aware of "shoulder surfers." Additionally,
travelers have the burden of constantly remaining in the presence
of their computers and data hardcopies to avoid a potentially disastrous
loss, theft, or unauthorized disclosure situation.
Don't Let Your Guard Down
Over the coming year, we will continue to see large-scale, publicized
security breaches at some well-known organizations--each time due
specifically to one or more of the above issues. Managers and IT
staff need to learn from every documented situation and change internal
policies, communicate procedures, and add to their security awareness
training program to adequately control the risk. Your best bet is
to anticipate the possibility of security breaches and adapt your
security posture to stay ahead of the threat. Ignoring security
threats is no longer an option, so take the necessary steps to significantly
lower recovery efforts and reduce costs.
Claudiu Popa is a certified security consultant
and trainer with InformationSecurityCanada.com. He can be reached
at Claudiu@InformaticaSecurity.com.