Mergers, phishing, and spam topped the list of 2004 security issues

In the final edition of The Locksmith for the year, John McCormick recaps the top security developments of 2004.

The biggest IT security developments of 2004 fit into three categories: Mergers, Phishing, and Spam.

Mergers

On the merger front, the Oracle and PeopleSoft deal is only the biggest of a long line of mergers that helped consolidate the software industry this year. The most important development for security-conscious IT professionals is the ever-shrinking number of security (especially antivirus) software companies.

Microsoft scared the entire antivirus industry by gobbling up GeCAD, a Romanian antivirus vendor, back in June 2003. That probably triggered a lot of the consolidation in the security software industry. Since then, the following buyouts/mergers have occurred:

  • Symantec bought @stake
  • Computer Associates bought Netegrity and Pest Control
  • TruSecure and Betrusted merged to become Cybertrust
  • McAfee bought Foundstone

And those are just the major mergers and acquisitions.

Of course, Microsoft hasn't yet entered the antivirus software business, so it appears that GeCAD's expertise is currently being used simply to harden Windows software. However, some industry analysts have applauded the prospect of Microsoft moving into the antivirus arena because it could mean a faster reaction time if the same company that owns the vulnerable operating system and Web browser also owns the antivirus software. Others view Microsoft entering the antivirus software market as yet one more move that limits innovation and competition.

The Oracle-PeopleSoft deal is important because it now reportedly makes Oracle the largest vendor of some applications to a number of markets, including the U.S. government and even North American financial services. There are no specific security concerns with Oracle or PeopleSoft, and Oracle CEO Larry Ellison recently said that PeopleSoft applications will continue to be supported and developed through version 9. But Ellison has also said the products will eventually be merged into a single product line to which users will be encouraged to migrate. As with Microsoft's dominance of the operating system and browser arena, any time you put too many IT eggs in one basket you run the risk of a catastrophe if a major vulnerability is discovered in that family of widely used products.

Phishing

Phishing has hit a new level, with the Anti-Phishing Working Group recently announcing a 33% surge in November alone. With the holiday shopping binge and an ever-increasing appetite for online shopping, this December is very likely to set an all-time high for phishing attacks and new phishing sites, especially given some recently disclosed browser vulnerabilities I reported on December 13.

As more and more criminals see the value in phishing and turn to it for their attacks, it's important to remember that if your company has any online ordering or billing pages of any sort, you too could eventually become a phishing target, to the detriment of your reputation and your clients' accounts.

Spam

Spam is still a major story because dealing with it costs every business both time and resources, either killing off e-mail-borne malware or simply trying to filter out the masses of junk mail that rob employees of productive time.

Spam is also to blame for increasing hardware expenditures (to handle mail volume) and lost business as people simply give up trying to weed through all the junk to find critical messages from customers or potential customers.

Spam is also a main cause of malware infections. Not only does some spam include malware, but the sheer volume of junk mail eats up resources and makes it considerably more difficult to separate spam and malware attacks from legitimate messages.

For those reasons I have placed spam in my top three list.

Other security issues

Worm and virus attacks are a continuing problem, but there really wasn't any major new development in this area other than the ever-decreasing time between the disclosure of a new vulnerability and the release of malware designed to exploit it. That malware takes advantage of the small window of opportunity between when a patch is released and when it is installed on enough machines to blunt the impact of a new attack.

A related story is the way major vendors have recognized this and have taken into account the fact that administrators simply can't take down systems every day or two to install new patches. That is one major reason underlying the decisions by Microsoft, Oracle, and other vendors to schedule the vast majority of security and other patches either once a month or once a quarter.

Since few IT departments have the resources to test and deploy patches every week, let alone every couple of days, software vendors have slowly come to realize that publishing security bulletins every week simply means giving attackers useful information they can use to craft new attacks against known vulnerabilities.

Witness the early December release of an emergency security bulletin by Microsoft, which was made out of the usual sequence almost certainly because the vulnerability had been disclosed by a third party before Microsoft’s regular monthly security patch and update cycle was completed.

The security patches are the place where most users, as well as many attackers, first learn of new vulnerabilities, so reducing the number of announcements and timing them to coincide with regular maintenance cycles actually improves security, as long as vendors such as Microsoft are prepared to make emergency patches available out of sequence when the early disclosure of a new threat and publication of an exploit require it.

Looking forward

In my next column I will take a look ahead at the security developments to keep an eye on for 2005.