Face threats head on

A new wave of security risks means IT managers must stay ahead of the game, writes Sally Whittle

Sally Whittle, Computing 25 Jan 2007

You have anti-virus software, intrusion detection systems, routers with in-built encryption. You roll out patches regularly and email communications are strictly monitored and filtered. Your security is fine.

Think again, say the experts. This year will see the emergence of a new group of security threats – more sophisticated and persistent than anything most IT managers have experienced before. Computing spoke to a range of security experts and asked them to identify the top 10 emerging security threats for 2007.

Root kits and smarter viruses
Viruses are nothing new to IT managers – but in 2007 prepare yourself for an onslaught of more sophisticated viruses and Trojans that will push your anti-virus defences to their limit, says Graham Titterington, principal analyst with Ovum.

‘We are starting to see attacks within root kits, which are bits of software designed to embed themselves into the operating system where they cannot be detected,’ he explains. ‘It is possible then for a virus to get so far into the operating system that it can interfere with the anti-virus software before it kicks in.’

The number of viruses and worms discovered in the second half of 2006 increased 50 per cent over the previous year, according to software specialist McAfee.

The turnaround time between discovering a vulnerability and it being exploited by a virus is also becoming shorter, says Paul Vlissidis, a technical director with NCC Group. The solution is to reconsider your patch management programme: do not rely on monthly patches, and implement a multi-layered approach, ideally combining several anti-virus products.

Embedded image spam
You might think your organisation has control over spam, but that will change this year, says Bob Tarzey, a service director with analyst firm Quocirca. He says spammers are changing their methods to stay ahead of security applications, and that means a huge growth in embedded image spam – where the commercial message is disguised within a large image.

Such a new breed of spam presents IT managers with two problems: finding a spam product or service that is capable of scanning embedded images and large attached image files; and dealing with the massively increased size of each individual spam email.

‘The file size of image spam is easily 10 times that of a regular spam email – and if you are filtering internally, that will affect your network and storage requirements,’ says Titterington.

VoIP and video telephony
Using voice over IP (VoIP) is not necessarily any less secure than a legacy telecoms system – but if your firm routinely secures email and instant message communications then you should apply the same precautions to your VoIP systems, says Forrester Research analyst Paul Jackson.

‘IP telephony protocols are not mature, and there is definitely a risk element,’ says Jackson. This year saw the first security alert around VoIP when vendors, including ISS, warned clients of a flaw in Cisco’s voice offering that could potentially allow hackers to eavesdrop on conversations.

However, it is important not to overestimate the number of vulnerabilities – VoIP hacking is extremely new and still rare, says Tarzey. ‘So far, it is just talk, and the biggest danger is probably getting the risk out of proportion,’ he says.

Companies that want to ensure VoIP communications are secure should consider implementing a specialist network security system, such as those available from BorderWare, Secure Logix or NFR, which are designed to filter VoIP traffic for suspicious patterns.

YouTube and video
Perhaps one of the most recent threats for IT managers is the danger of malicious code concealed in video content. Tarzey says the YouTube phenomenon means that workers now regularly send video content across corporate networks, along with links to sites where users can view or download video.

‘All it takes is a video of someone falling over, and that can provide a cover for downloading all kinds of things onto the network,’ he says.

Analysts believe that hackers can very easily embed code into a video clip, which can then be distributed through a legitimate file sharing service, or using a spoof site designed to mimic a popular service such as YouTube.

The problem for IT managers is that relatively few corporate IT security systems are geared to monitor, filter or block video content – since online video is a relatively recent phenomenon.

‘While you certainly have something to filter spam, you are far less likely to be filtering and scanning video,’ says Tarzey. ‘Firms should definitely extend content filtering from email to web so employees cannot access or download video.’

International legislation and relations
Last year saw a series of newspaper headlines about security breaches at offshore outsourcing companies – and this trend could increase substantially in 2007, says Robert Jackson, head of security consulting with Capgemini UK.

‘As offshoring extends into new regions, and offshore providers are themselves offshoring data, the risks will increase enormously,’ says Jackson. ‘Companies must ensure they know the security standards and policies at all levels.’

When working with any overseas supplier, Jackson recommends regular penetration testing and rigorous checks to ensure that companies are complying with new legislation, from the Data Protection Act to the Patriot Act.

‘It is becoming a huge problem because legislation in different parts of the world can actually be contradictory, and it is a risk that many companies are not yet thinking about,’ he says.

Spyware, bots and mules
Spyware is not a new phenomenon, but security firms report a dramatic increase in malicious code in recent months. NCC Group’s Vlissidis says the increase is down to a new generation of spyware programs and bots written to exploit popular applications, particularly instant messaging programs that users may download without the knowledge of the IT department.

In addition, spyware is increasingly sophisticated, with many able to outsmart all but the most recent security systems. Security experts cite recent spyware programs that are able to regenerate after being deleted, or rename themselves every time a computer boots.

Other recent spyware programs have been able to hide themselves from the Windows Explorer tool, making them difficult to identify.

Smishing
It might sound like an excuse for yet another piece of terminology, but security specialists say that smishing is a real and emerging security threat.

Smishing is essentially phishing ported to mobile devices – and typically arrives in the form of a text message suggesting the user has signed up for a service, and will be charged until they cancel using a web site. The site then prompts the user to click on a link, which actually triggers the download of a Trojan horse that turns the computer into part of a bot network.

Although this is a new threat, McAfee recently included smishing as one of the top 10 security threats of 2007, because the firm believes users do not extend the same security awareness to their mobile devices as they generally do to desktop computers.

Organisations should therefore take steps to secure mobile devices ahead of time, and educate users of the potential risks.

Microsoft Vista
Apart from the usual security threats, Quocirca’s Tarzey sees one other issue potentially tripping up IT managers in 2007: the release of Microsoft Vista on the desktop.

The updated operating system incorporates a number of new security features, but Tarzey is concerned that the release could lead to some IT managers neglecting other security systems – leaving vulnerability gaps that Vista will not fill.

‘This is increasingly likely because of the lawsuits going on between security vendors and Microsoft, which will generate confusion and uncertainty among customers,’ says Tarzey.

‘It is vitally important that you do not let any security subscription go unless you are absolutely sure that Vista – or something else – will replace it.’

Organised crime
The nature of the hacker has changed in recent months, and there is now a fully mature market for all kinds of hacks, malware and corporate information.

‘Where there is money, people follow, so you now have gangs of much more organised hackers, who work just like businesses, using the internet to share information,’ says Ovum’s Titterington.

‘There are even sites popping up now where you can buy services such as the launch of a denial of service attack for about $50 (£25),’ he says.

As the hacker community has become more organised, the nature of the threat will change, Titterington believes, with a new set of scams designed to make money, rather than demonstrate technical know-how or simply to make users’ lives difficult.

One of the fastest-growing scams this year is likely to be the password-stealing web site, which uses a fake sign-in page for popular online services such as eBay or online financial institutions.

Podslurping and information leakage
The phenomenon of podslurping refers to the ability of users to download or upload large volumes of data using a device such as an iPod and a USB port. You might not consider iPods to be a particularly grave security threat, but employees with MP3 players, digital cameras and even smart mobile phones are effectively wandering your offices with high-capacity, portable hard drives.

Such flexibility spells trouble for IT departments without a clear or consistent view of what devices are connecting to corporate networks, says Andy Kellett, senior research analyst with Butler Group.

‘You are talking about someone potentially walking away with up to 60GB of information on a USB stick, or storing information on an online storage account, way beyond your control,’ he says.

Mobile devices that connect wirelessly to corporate computers via Bluetooth – or that bypass them entirely to go online, like a BlackBerry or Treo – can also cause data leakage, says Forrester’s Jackson.

‘Information loss of this kind is much more difficult to detect than via storage devices,’ he says.

www.whatpc.co.uk/2173381
This article was printed from the WhatPC? web site
© Incisive Media Ltd. 2008