Seven years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first.
The threat landscape is very dynamic, which in turn makes it necessary to adopt newer security measures. Just over the last year, the kinds of vulnerabilities that are being exploited are very different from the ones being exploited in the past. Here are some observations:
Operating systems have fewer vulnerabilities that can lead to massive Internet worms. For instance, during 2002-2005, Microsoft Windows worms like Blaster, Nachi, Sasser and Zotob infected a large number of systems on the Internet. There have not been any new large-scale worms targeting Windows services since 2005. On the other hand, vulnerabilities found in anti-virus, backup or other application software can still result in worms. Most notable was the worm exploiting the Symantec anti-virus buffer overflow flaw last year.
We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.
Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations. A few years back securing servers and services was seen as the primary task for securing an organization. Today it is equally important, perhaps even more important, to prevent users having their computers compromised via malicious web pages or other client-targeting attacks.
Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year. These vulnerabilities are being exploited widely to convert trusted web sites into malicious servers serving client-side exploits and phishing scams.
The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2008!
Attackers are finding more creative ways to obtain sensitive data from organizations. Therefore, it is now critical to check the nature of any data leaving an organization's boundary.
The Economic Downturn and Your Data Center
The economic downturn has arrived in the data center. According to a survey of 275 members of SearchCIO.com and SearchCIO-Midmarket.com, many shops will work with smaller IT budgets this year, and few will see large increases. The economic downturn appears to have many shops scaling back infrastructure expansions and focusing more tightly in 2009 on delivering business applications, dealing with security and meeting compliance and disaster recovery (DR) mandates. The infrastructure boom of recent years is likely to give way to a second wave of consolidation.
In large enterprises (companies with more than 1,000 employees), 42% of respondents are reducing their IT budgets from 2008 levels. The pain isn't restricted to any one industry, either, with traditional spenders like computer manufacturing and financial services taking their lumps along with manufacturing and retail. In fact, manufacturing and retail are also represented among those spending more or holding the line. The bottom line: Businesses of all stripes are being affected by the economic downturn, but the impact on IT is not uniform. In every industry there are both cutters and increasing spenders, which suggests that a company's particular outlook and strategic plan may be the decisive factor in IT budgeting.
In surveys conducted during the past several years, decreases in IT budgets at more than 5% of companies have been unheard of. Yet the cuts are not being made across the board. Security and compliance budgets are not only rising at most companies, they are also claiming larger shares of the overall budget.
The most common areas for security investment are in data protection, endpoint security, threat management and vulnerability assessment. Just more than 50% of large enterprises reported that they intend to spend in those areas this year. The largest drivers of security spending in the enterprise are preventing external and internal data thefts.
The ability to prevent data theft, and to demonstrate that capability, is intertwined with compliance mandates such as PCI. The survey puts to rest the notion that the economic downturn would result in companies ignoring compliance in favor of more lucrative endeavors. Only 18% of enterprises cited decreasing compliance spending, with 56% increasing, making compliance one of the most robust spending areas for IT in 2009. No single law or regulation is driving this activity; respondents reported "industry-specific regulations" most commonly, followed by the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act and the usual suspects.
As for where compliance spending is going, no surprises there, either: backup; data protection; log management; governance, risk management and compliance; and archiving were all cited by more than a third of enterprise respondents.
As for IT's core mission of delivering applications to the business, the picture there is mixed: business software budgets are increasing at 36% of shops, with 32% holding the line; business intelligence is the biggest software winner, with spending at 57% of shops; business process management was the second-highest priority at 38%; only 27% reported reducing their development efforts; and Software as a Service will see a gain at 21% of IT departments.