Top 10 Internet Security Trends for 2007
Data breaches, ongoing integrity concerns about the Windows Vista operating system and spam, which reached record levels this year, topped Symantec's Top 10 Internet security trends of 2007 list.
In light of this list from the Cupertino, Calif-based IT security giant and maker of the near-ubiquitous Norton Anti-Virus program, a particular concern for IT pros in the Windows enterprise space is whether Vista, which has been patched 16 times as of Nov. 13, 2007, is worth the effort of implementing right now.
"I don't think the widespread adaptation of Vista has happened as fast as other operating systems in the past," said Dean Turner, director of Symantec's Global Intelligence Network, which publishes the firm's Internet Security Threat reports. "Enterprises are really cautious about moving on from legacy systems or other infrastructure because of the strenuous testing and deployment that is needed."
Meanwhile, as systems and security administrators continue to evaluate Vista's place on their respective companies' migration maps amid mixed reviews, Turner described the Web as "patient zero." This means hackers will continue to launch both client and server-side attacks via the Internet through more creative channels.
Here were the ten major security trends of the year as Symantec and others have seen them:
- Data Breaches. Late last month, documents from an information-breach lawsuit against the TJX Corporation -- owners of TJ Maxx -- revealed that as many as 94 million customers using Visa and MasterCard were exposed to hackers. Further, in addition to Monster.com and Salesforce.com being hacked, there is also a report coming out next week that suggests half a million database servers are vulnerable. Turner says these events are what made data breaches the top concern among security experts this year.
- Vista Introduction. More than a dozen security patches, perceived complexity and an ambivalent reception among tech media and some technologists have kept the much talked about OS in the news, making it a top issue of 2007.
- Spam. The hair-growth pill promotions, penny stock tips, and promises of money from deposed African dictators won't stop hitting your e-mail inbox anytime soon. Moreover, spammers are increasingly taking more sophisticated approaches such as sending disguised PDF files, pretending to know you in e-mail subject lines and delivering Storm Worm malware through e-greeting cards.
- Professional Attack Kits. Symantec believes that not only are hackers becoming more savvy but are also setting up a new revenue stream by selling hacker kits to peers. Such kits include MPack, which was popular this year and "phishing" toolkits pervade cyberspace as well.
- Phishing. Phishing, a cousin of spoofing and masquerade hacking, gets its name from the way hackers use friendly or seemingly benign programs as bait. Symantec's Turner says criminals no longer have to hack in, as some users are coming to them.
- Exploitation of Trusted Brands. By exploiting a trusted Website, hackers can trick someone into thinking they're getting on Bank of America's homepage by, for instance, sending them a link such as firstname.lastname@example.org. Someone may then key in information on a false interface. While most browsers nowadays are equipped with warning messages, "Phishermen" also take advantage of misspellings of popular Internet addresses.
- Bots. Hacking by proxy is an increasingly common way for cyber criminals to maintain anonymity, and the use of "Bots", or Electronic Data Interchange translators, is one of the many malicious emissaries used to siphon protected information.
- Web Plug-ins. ActiveX control modules, derived from Microsoft's Component Object Model and used to manage multimedia applications, comprised the majority of plug-in vulnerabilities in 2007, according to Symantec. These modules are usually downloaded from Web pages and used to make programs more compatible with others -- but they can also be used as attack vectors.
- Vulnerabilities for Sale. This year the debate over the link between proof of concept exploits and "wild" exploits heated up after a decision in late September by Swiss tech upstart Wabi Sabi Labi Ltd., to create an eBay Inc.-style auction for unpatched, zero-day software vulnerabilities.
- Virtualization Machine Security. Software and server virtualization, as evidenced by VMware's multi-billion-dollar IPO and new entries by Oracle, Sun, Microsoft and others, is definitely here to stay. If two file servers can do the work of ten, as some proponents attest, then a hacker can have a field day exploiting such technology.
Click here for a listing some of the top predicted security trends for 2008.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.