The biggest IT security developments of 2004 fit into three
categories: Mergers, Phishing, and Spam.

Mergers

On the merger front, the Oracle and PeopleSoft deal is only
the biggest of a long line of mergers that helped consolidate the software
industry this year. The most important development for security-conscious IT
professionals is the ever-shrinking number of security (especially antivirus)
software companies.

Microsoft scared the entire antivirus industry by gobbling up GeCAD, a
Romanian antivirus vendor, back in June 2003. That probably triggered a lot of
the consolidation in the security software industry. Since then, the following buyouts/mergers
have occurred:

  • Symantec
    bought @stake
  • Computer
    Associates bought Netegrity and Pest Control
  • TruSecure
    and Betrusted merged to become Cybertrust
  • McAfee
    bought Foundstone.

And those are just the major mergers and acquisitions.

Of course, Microsoft hasn’t yet entered the antivirus software
business, so at it appears that GeCAD expertise is currently being used to simply
harden Windows software. However, some industry analysts have applauded the
prospect of Microsoft moving into the antivirus arena because it could mean a
faster reaction time if the same company owns the vulnerable operating system
and Web browser that owns the antivirus software. Others view Microsoft
entering the antivirus software market as yet one more move that limits
innovation and competition.

The Oracle PeopleSoft deal is important because it now
reportedly makes Oracle the largest vendor of some applications to a number of
markets, including the U.S. government and even North American financial
services. There are no specific security concerns with Oracle or PeopleSoft and
Oracle CEO Larry Ellison recently said that PeopleSoft applications will
continue to be supported and developed through version 9. But Ellison has also
said the products will eventually be merged into a single product line to which
users will be encouraged to migrate. As with Microsoft’s dominance of the
operating system and browser arena, any time you put too many IT eggs in one
basket you run the risk of a catastrophe if a major vulnerability is discovered
in that family of widely-used products.

Phishing

Phishing has hit a new level with The Anti Phishing Working
Group recently announcing a 33% surge just in November and, with the holiday
shopping binge and an ever-increasing appetite for online shopping, this
December is very likely to set an all-time high for phishing attacks and new
phishing sites, especially with some recently disclosed browser vulnerabilities
I reported on
the December 13
.

As more and more criminals see the value in phishing and
turn to it for their attacks, it’s important to remember that if your company
has any online ordering or billing pages of any sort, you too could eventually
become a phishing target to the detriment of your reputation and your clients’
accounts.

Spam

Spam is still a major story because dealing with it costs
every business both time and resources, either killing off e-mail borne malware
or simply trying to filter out the masses of junk mail that robs employees of
productive time.

Spam is also to blame for increasing hardware expenditures (to
handle mail volume) and lost business as people simply give up trying to weed
through all the junk to find critical messages from customers or potential
customers.

Spam is also a main cause of malware infections. Not only
does some Spam include malware, but the sheer volume of junk mail eats up
resources and makes it considerably more difficult to separate out spam and
malware attacks from legitimate messages.

For those reasons I have placed Spam in my top three list.

Other security issues

Worm and virus attacks are a continuing problem but there
really wasn’t any major new development in this area other than the
ever-decreasing time between the disclosure of a new vulnerability and the
release of malware designed to take advantage of the small window of
opportunity between when a patch is released and when it is installed on a
sufficient number of machines to blunt the impact of a new attack.

A related story is the way major vendors have recognized
this and have taken into account the fact that administrators simply can’t take
down systems every day or two to install new patches. That is one major reason
underlying Microsoft’s, Oracle’s, and other vendors’ decisions to schedule the
vast majority of security and other patches either once a month or once a
quarter.

Since few IT departments have the resources to test and
deploy patches every week, let alone every couple of days, software vendors
have slowly come to realize that publishing security bulletins every week simply
means giving attackers useful information they can use to craft new attacks
against known vulnerabilities.

Witness the early December release of an emergency security bulletin
by Microsoft, which was made out of the usual sequence almost certainly because
the vulnerability had been disclosed by a third party before Microsoft’s
regular monthly security patch and update cycle was completed.

The security patches are the place where most users as well
as many attackers first learn of new vulnerabilities, so reducing the number of
announcements and timing them to coincide with regular quarterly maintenance
cycles actually improves security as long as vendors such as Microsoft are
prepared to make emergency patches available out of sequence when required by the
early disclosure of a new threat and publication of an exploit.

Looking forward

In my next column I will take a look ahead at the security
developments to keep an eye on for 2005.