Security

IT security: What to expect in 2002

IT security moved to the center of the technology stage in 2001 due to a variety of events. What does that mean for administrators--the guardians of that security--in 2002? This edition of The Locksmith provides some important insights.


Last year saw the outbreak of several major, productivity-sapping viruses, along with the call to action resulting from the Sept. 11 attacks. As a result, 2001 may be remembered in IT as the year that security finally became the top priority for most organizations. While 2002 may not be as dramatic as 2001, important IT security developments lie ahead. Let’s take a look at some of the highlights we can expect.

Prepare for more virulent worms and viruses
The outlook from the National Infrastructure Protection Center (NIPC) is that, increasingly, the big threats to IT security are coming from “blended” worms, which rely on system vulnerabilities—particularly flaws in server software—the way Code Red did.

Neither Nimda nor Code Red required any human action to spread and infect systems. Simply visiting an infected Web site was enough to cause problems. Other threats targeted server software flaws directly.

Intrusion detection and education will remain vital in blocking cyberthreats, but that’s only a partial solution. To secure your organization, you will also need to lock down operating system software and business applications as much as possible. That’s a difficult task in a Microsoft-dominated world. The Redmond software giant has a dubious track record in security, and that track record increasingly came under fire in 2001.

Unfortunately for Microsoft—and for those of us who use its products—2002 could be even worse. Virus writers have always loved to target Microsoft, and after the juicy flaws in its products were exploited with such ease and success in 2001, many more systems attackers may be motivated to take their shot at Windows, Outlook, Internet Explorer, IIS, and other popular Microsoft products.

Another factor to consider is that Microsoft released Windows XP and Internet Explorer 6 in the last part of 2001. XP and IE6 are poised to penetrate the business market this year, joining other versions of Windows and IE in the corporate infrastructure.

Although we don’t yet have a full grasp of the vulnerabilities these products will introduce, we already know that there were major flaws in the first distribution of XP, including Plug and Play vulnerabilities so severe that the FBI recommends disabling the service altogether, despite the release of Microsoft patches to fix the issue. We can only hope that this is not a sign of things to come for XP.

Terrorist label will apply to cyberthreats
As cyberattacks continue to rise in 2002 and the world relies more and more on IT infrastructure to run the economy, the government, and other areas of organized life, cyberattacks will increasingly be viewed as cyberterrorism, and attackers will be treated as terrorists.

Thus, this will probably be the year when some poor sucker will find himself in the position Kevin Mitnick was in when the hacker culture changed, he didn’t notice, and he was thrown in jail for a few years.

This will be an ongoing process. At first, someone will be caught spreading a worm and will be sued for an amount of money that would make even Bill Gates wince. Win or lose, this should have a chilling effect on computer vandals, especially if it’s some kid whose parents are also deemed responsible. That should finally put the hacker community on notice that malicious hacking is a real crime.

Recent changes to U.S. law make it easier to tap communications, so catching malicious hackers should become much easier. I don’t know if we will ever reach the point where a foreign hacker is hauled up before a military tribunal and sentenced to 40 years of hard labor, but it isn’t out of the question.

I believe that over the next decade, we will see the CIA, the NSA, and the military become closely involved in locating and punishing foreign-based malicious hackers. Remember that staffing responsibility for the NIPC is mostly split between the FBI and the Pentagon.

In his presentation "The Legal Aspects of Infrastructure Protection," made at InfoWarCon 2001, NIPC Director Ronald Dick said, “In case of a foreign threat or attack, the NIPC also stands ready to be placed in a direct support role to the Secretary of Defense.”

Is it possible that we could even see cyberterrorism classified along with chemical, biological, and nuclear threats as a Weapon of Mass Destruction? Given how much computers affect our lives, I don’t think this is farfetched or unreasonable, especially considering the potential economic and social impacts of cyberterrorism in this digital age.

Look for legal action over security flaws
Everyone is fed up with major security flaws in new software. The costs to business are increasing, and with the slower economy, people are looking to recover for what they see as negligence on the part of software publishers.

The National Academy of Sciences convened a panel last year to look into this problem, and its report calls for Congress to pass new legislation that would make it easier to place responsibility on software publishers, systems vendors, and (watch out!) system operators.

Here's a recommendation: If you do nothing else this year, begin a detailed log of every action you take and every recommendation you make regarding any work function that could possibly be related to security. Whether you need this to protect your company, cover your behind, or aid your company in legal action against a vendor, this sort of record will become increasingly important.

In his InfoWarCon speech, Mr. Dick also pointed out, “The Computer Fraud and Abuse Act, 18 U.S.C.1030, makes it a felony for anyone to knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization to a protected computer.”

My question is this: If the Justice Department has such a statute, couldn’t it soon be extended to a software publisher that releases code prematurely to meet a commercial deadline, even if the product contains known flaws or flaws that the company should have been aware of if it took the proper precautions?

Look for self-patching software to increase
Patch mania, which at times in 2001 reached the level of several Microsoft patches in a single week, will lead to the development and installation of more self-patching programs. Since many patches have unexpected adverse consequences, this trend will mean mixed results for administrators. It will save the time required to manually track and apply patches for some systems, but some of the patches automatically applied to those systems will cause conflicts and errors that could be more difficult to pinpoint and resolve.

Summary
There you have it. We can see that 2002 will witness some important trends in IT security. Administrators should start documenting their security activities, keep their systems up to date to avoid future worms and viruses, and track the activities of would-be attackers. And anyone dabbling as a hacker should realize that he or she could be the next poster child for the coming crackdown on cyberattackers.

Have a comment or a question?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.

 

Editor's Picks