IT threats are growing in number, sophistication, and ill intent. Think you've got them under control? Just wait till tomorrow.
Business-technology folks would love to believe their IT systems are well-protected, not only from the destructive worms and viruses that speed across the Internet but from the increasingly sophisticated attacks that target people and their valuable data. But the ready-for-anything attitude that's prevalent among IT pros is misleading and even dangerous. Sure, IT defenses may be stronger than ever--but the threats are more perilous, too.
InformationWeek Research's U.S. Information Security Survey 2005, conducted in July and August in partnership with management-consulting firm Accenture, reveals an IT populace that believes it has the situation under control. When asked if their organizations were more vulnerable to malicious code attacks and security breaches than a year ago, only 16% of survey participants say things have gotten worse.
Then came Zotob, a run-amok worm that reminds everyone that malicious software is never more than a few keystrokes away. Just two weeks ago, Zotob and like-minded "bots" worked their way across the Internet, infecting Windows 2000 PCs at more than 175 companies, including Caterpillar, General Electric, and UPS. They dug their way into the operating system's Plug and Play feature, and they included code that opens an Internet Relay Chat channel back to designated servers, from which the worms can download additional code to further compromise a machine or turn it into a zombie capable of spamming or denial-of-service attacks. Cable-news channel CNN, a victim of Zotob, took the threat so seriously that it sent an E-mail alert to subscribers of its breaking-news service, generally reserved for major events such as suicide attacks in Iraq.
Most companies aren't planning to take any major leaps in outsourcing security tasks. Sixty-five percent expect to spend the same amount of money on security outsourcing this year as they did last year. Just under a third plan to spend somewhat or significantly more.
Is information security included in your organization's overall IT budget? 81%
How will spending on information security in 2005 compare with 2004?
The much-talked-about lull in worm attacks--it had been more than a year since Blaster and Sasser ripped through business networks--shouldn't be interpreted as an "all's clear" sign. The miscreants apparently were using the time to plan their latest business-interrupting charade. The reality is that cyberattacks are shifting from adolescent, attention-seeking mass nuisances to professionally executed, targeted probes for financial gain.
"It's definitely profitable for those who are involved in it, because of the way that the Internet is built with anonymity everywhere, trillions of dollars of value just floating all over the place, generally clueless users, few laws and even fewer law-enforcement officials, no borders, no boundaries," says Marcus Sachs, who runs the U.S. Department of Homeland Security's Cyber Security Research and Development Center and is deputy director of the Computer Science Laboratory of nonprofit research-and-development organization SRI International. "It's like the perfect storm for the criminal world."
Our survey, completed on the Web by 2,540 business-technology and security professionals in the United States, shows that the IT community recognizes the ugliness of the situation, even if it overestimates its readiness. Of those respondents who believe their companies are as vulnerable, or more so, than a year ago, 78% point to the increasing sophistication of threats as the cause for their anxieties. Other top concerns are that there are more types of attacks, they're growing in volume, and they're increasingly malicious in nature. The SANS Institute identified more than 422 new Internet security vulnerabilities in the second quarter, an 11% increase from the first quarter and a 20% jump from the same period a year ago.
Should vendors be held legally and financially liable for security vulnerabilities in their products?
yes, unless they prove state-of-the-art development practices
How rigorous are your organization's current practices concerning the security of customer data?
not very rigorous
Here's how the hackers, crackers, and crooks have raised the stakes: Computer attacks have become multimodal in nature. Worms no longer merely infect an operating system and shut it down--like Zotob, they carry instructions that open holes for other points of entry, exploiting specific vulnerabilities for specific purposes. In addition, virus writers have begun mimicking hackers in their use of rootkits, code that intercepts system functions, to hide their work from detection. And phishing is yesterday's sport; pharming is the more dangerous spin-off that aims to confuse your customers into revealing sensitive account information.
In the face of the onslaught, many businesses (51%) plan to increase spending on IT security in 2005, with enhanced application security (40%), better access controls (31%), and secure remote access (28%) at the top of their to-do lists. And 56% of survey respondents report that the need to comply with government regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act has led them to take a more-structured approach to information security.
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.