In businesses like commercial real estate that are increasingly dependent on computers to do their jobs, it is easy to become comfortable with technology, reassured that perimeter defenses are in place to protect individual employees. But what if this year hackers decide to stop attacking your business's servers and instead turn their sights on a new, softer target: your desktop? Still feeling comfortable?

The very first PC virus, Brain, a simple bug spread by floppy disk, was discovered in the wild almost exactly 20 years ago, in spring 1986. Today a variety of expert estimates put the number of viruses currently at large somewhere in the region of 150,000. Each year brings more reported threats and vulnerabilities, and security measures are not being built in any significantly different way that would break the 20-year growth trend. That does not mean the nature of the threat is not changing and evolving. In business in 2006, we must try to understand how hackers are adapting, which areas of vulnerability are currently being targeted, and how best to protect those resources.

I have no hesitation in highlighting one predominant security threat to business in 2006: the growth of client-side vulnerabilities. The motivation driving the creators of security threats has progressed from a basic motive, to simply having the means, to the prospect of gain, and finally to evaluating the quickest route to the best possible return on investment. That motivation needs to be seen against three basic trends in data security. First, more regulations and more administrative systems are being put in place in corporate environments, with effort concentrated on securing valuable assets such as data servers. Second, businesses are moving further away from the headquartered model, with more and more branch offices attached directly to the public internet and VPNs replacing traditional leased-line connectivity. Third, within business networks there is a steep increase in services and applications running over the data network, such as VoIP, instant messaging and other similar applications.

Client-Side Vulnerability

Taking into account both the motivation of the external threat and current trends within business networks, it becomes clearer why client-side vulnerabilities are of increasing concern. But what do we really mean by client-side vulnerability, and why is that area becoming so much more attractive than traditional server-side targets?

Server-side attacks usually seek to exploit vulnerabilities in web, FTP or email servers, and the potential damage can be serious. On the other hand, the number of available target machines is typically low, so attackers looking for a huge number of 'owned' machines are not concentrating their efforts here. For this reason we do not expect to see a comparable increase in activity on the server side.

Instead, we are finding more vulnerabilities and exploits on the client side, with much of the activity concentrated on popular client applications: web browsers, messaging clients, VoIP clients and so on. The potential target population for this form of attack is huge, and that is probably the main reason the bad guys are moving their efforts in this direction. Unfortunately for businesses, a steady level of server attacks, coupled with a growing number of client-side threats, means overall growth of malicious activity once more. Business users and home users remain vulnerable in many of the same ways. For an attacker with clear financial motives, every machine they control has value: it can be used to download further malware, to steal private information, or, more likely, as a launch pad for denial-of-service attacks or spam campaigns.

This is partly why phishing continues to be such a prominent issue in the public consciousness. Phishing is an effective way to lure individuals to a website, so there is a strong connection between this practice and the exploitation of client-side vulnerabilities. For example, from a browser session or P2P client, a user can be redirected to a website that feeds them malicious code. In this way a phishing lure causes users of all kinds to visit deceptive sites and heightens the exposure of corporate networks to exploits. It is a means by which already compromised computers open up more and more client machines to infection, which can in turn be used to direct spam, DDoS attacks and more. Preventing this is very hard in a corporate context and virtually impossible for home workers, so the practice will inevitably gain momentum in 2006. Without an informed awareness of the threats to businesses, sufficient training to help minimize them, and a responsible attitude towards data protection, the end user will always be the weakest link.

Highlighting the Threat

So who is doing this? Who are we referring to when we discuss hackers, attackers and malicious coders? Instead of a mental image of an individual or group of hackers, it is better to ask: "What is their motive, and what is their best hope for a good return on their investment?" Again, this enquiry reinforces my concerns about further client-side attacks. Servers are generally better configured and secured than clients. It is true that even corporate users might have some local security applications installed on their laptops, but they still will not be as well secured as servers, and personal usage patterns are more erratic around the clock, leading to more overall exposure. Any malicious individual or group will always be interested in targeting low-hanging fruit if it is available. From their point of view, the returns are bigger. Many of them are in this business primarily to make money, so they are naturally becoming more organized. There is of course the likelihood that some of these organizations are linked to organized crime. In the last two years it has become very clear that these individuals are chasing the money. Experts have followed the trail of spam profits back to virus and worm writers.

One expected source of heightened threat that has not really materialized is our increasing reliance on wireless networking. This is largely because wireless technologies are by now fairly mature, having undergone years of standards development and ratification, so the basic security problems have been solved, provided administrators use the current standards rather than the long-broken WEP. It is more a matter of whether administrators are doing the job thoroughly and setting up their networks meticulously so that they are safe. As anyone with a Centrino laptop or Wi-Fi PDA knows, there are a lot of open corporate wireless networks out there, and many administrators are not even aware their networks are open. This is not a technical failing, because the means to secure wireless networks are readily available. But there are questions of accountability and responsibility for open networks. Security certainly takes away some convenience. And there is the question to ask: is an open network a public invitation, or is it open only because whoever set it up did not know any better? The technical problems have been solved, but an ethical and legal problem remains. In corporate networks especially, poorly administered wireless networks can widen security holes and expose the network as a whole if administrators lack the right skills.
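As an added illustration, not part of the original article, of what "open because whoever set it up did not know any better" looks like in practice, here is a hostapd configuration for a Linux-based access point in its open form beside the corrected WPA2 form with 802.1X (EAP) authentication. The interface name, SSID, RADIUS server address and shared secret are placeholders assumed for the example, not values from the article.

```ini
# --- file 1: hostapd-open.conf (the "open" network) ---
# Nothing here is a syntax error, which is why an administrator can ship
# it without noticing. All values are assumed placeholders for this example.
interface=wlan0
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6
# No wpa= line and no ieee8021x= line: anyone in range can associate and
# every frame is sent in the clear.

# --- file 2: hostapd-wpa2.conf (corrected: same radio settings, WPA2 + 802.1X) ---
interface=wlan0
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6
ieee8021x=1                        # require 802.1X; each user authenticates individually
wpa=2                              # WPA2 (RSN) only; wpa=1 or wpa=3 would still admit WPA/TKIP clients
wpa_key_mgmt=WPA-EAP               # per-user keys from the EAP exchange, not one shared passphrase
rsn_pairwise=CCMP                  # AES-CCMP only; do not list TKIP here
auth_server_addr=10.0.0.5          # RADIUS server (assumed address)
auth_server_port=1812
auth_server_shared_secret=change-me-radius-secret   # assumed placeholder; replace before use
```

The check an administrator can run from any Linux laptop in range is `nmcli dev wifi list`: a network whose SECURITY column shows `--` is the open case above, while the corrected configuration shows `WPA2 802.1X`.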

Fresh Approaches

Although these are not new threats as such, many companies are now adapting their thinking to new ways of working with data that circumvent traditional perimeter security, including wireless devices and removable media. At the same time we need to fight the increasing threat of client-side attacks. Fortunately there are a number of ways to increase internal security, including network segmentation, internal intrusion prevention systems (IPS) and internal firewalls. A flexible firewall is an excellent tool for segmenting networks and enforcing access control between segments. Combine a firewall with an enhanced IPS to block attacks before they succeed, and businesses can look more deeply into their traffic for malicious activity. State-of-the-art security products alone are not enough. Administrators also need a unified management system for these components: it gives them cost-efficient configuration, but more importantly it transforms the raw information about what happens in the network into an understandable form that helps them make the right decision at the right time.
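To make "segmenting networks and enforcing access control between segments" concrete, here is an added example, not from the article or any vendor product, of an nftables ruleset on a Linux box routing between three segments: employee clients, internal servers and branch offices arriving over the site-to-site VPN. The addresses, segment names and allowed ports are assumptions made for the illustration and must be replaced with the organization's own.

```nftables
#!/usr/sbin/nft -f
# Internal segmentation firewall (example ruleset; addressing and ports are assumed).
flush ruleset

define CLIENTS = 10.10.0.0/16    # employee desktops and laptops
define SERVERS = 10.20.0.0/24    # internal data and application servers
define BRANCH  = 10.30.0.0/16    # branch offices behind the site-to-site VPN

table inet segment {
    chain forward {
        # Default deny between segments; every allowed path is listed explicitly.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Clients reach only the services they need on the server segment
        # (assumed: web applications on 443, file shares on 445, DNS on 53).
        ip saddr $CLIENTS ip daddr $SERVERS tcp dport { 443, 445 } accept
        ip saddr $CLIENTS ip daddr $SERVERS udp dport 53 accept

        # Branch offices get the same treatment, without the file-share path.
        ip saddr $BRANCH ip daddr $SERVERS tcp dport 443 accept
        ip saddr $BRANCH ip daddr $SERVERS udp dport 53 accept

        # Servers never initiate connections into client or branch segments;
        # a hit on these rules is a compromised server or a misconfiguration.
        ip saddr $SERVERS ip daddr $CLIENTS log prefix "server-to-client " drop
        ip saddr $SERVERS ip daddr $BRANCH  log prefix "server-to-branch " drop

        # Client segments may not talk to each other across the boundary,
        # which limits worm and bot spread from one infected desktop.
        ip saddr $CLIENTS ip daddr $BRANCH  log prefix "client-to-branch " drop
        ip saddr $BRANCH  ip daddr $CLIENTS log prefix "branch-to-client " drop

        # Everything else is logged before the policy drops it.
        log prefix "segment-drop " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The log prefixes are the point of the last paragraph above: a line tagged `server-to-client` in the kernel log is already an understandable event, rather than raw traffic an administrator has to interpret.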

Security systems alone are not enough. Many security threats, such as those related to removable media, are best addressed without new products. The security impact of new forms of removable media is not really different from the issues raised by laptops or transferable media in the past; the issue has not changed in seriousness, only in format. Again, the important thing is to enforce administrative controls and educate businesses about nontechnical security precautions.

In 2006 we will see the introduction of improved, simplified security support for VoIP implementations, combined with QoS and bandwidth management. Converged services such as VoIP require secured, optimized and resilient connectivity. More and more complex applications routinely run across enterprise networks, so security solutions have to become more sophisticated to cope with the additional traffic demands. Businesses are used to the reliability of traditional telephone systems but are not used to discussing similar levels of reliability for their data networks; they need to think about this when implementing services such as VoIP. There are implications on both the security and the network side, and businesses should build networks that minimize latency and provide sufficient bandwidth for business-critical calls, together with bandwidth management, QoS and high availability. By unifying security, networking and end-to-end availability, businesses can reduce the complexity of their systems while increasing security and service availability. Equally, a unified management platform saves organizations both money and time to run their core business, while providing more efficient security incident management.

Lowering the Level of Risk

So which development in our industry will prove most effective in the fight against security threats to business in 2006? Sadly there is no single tool, no silver bullet; businesses must plan to deploy a combination of different technologies. They must build a network infrastructure capable of supporting the management systems required to control a sophisticated set of defense mechanisms, giving the best possible chance to react, manually or automatically, to a security incident. Technical solutions must always be combined with good processes and trained people; otherwise a business has no defense in depth. All-in-one systems have their place, but in companies with multiple offices the situation is very different, and businesses must deploy the functionality and manageability their own situation requires.

Absolute security does not exist in a digital world. Instead businesses must seek adequate security that matches the level of risk the company is willing to accept. There is always risk in doing business, and our job is to help companies lower that risk to an acceptable level.

Keeping the Knowledge Secure: Create Computer Safety at Work

by Banker & Tradesman