Security Insights


by Gene Schultz, PhD, CISM, CISSP

Second Prediction for 2008

Fewer worms and viruses will surface in the wild

This blog covers the second of ten predictions regarding events and trends that I have forecasted will occur in 2008. This prediction was:

Fewer worms and viruses will surface in the wild—a continuation of the present trend.

I am sure that you have noticed that massive virus and worm infections of the kind once caused by Code Red, Nimda, Sircam, MSBlaster, Slammer, Netsky, Beagle, and others are no longer occurring. In contrast, the same trend is not occurring with other types of malicious code—botnets and rootkits are proliferating at an unprecedented rate.

Why are viruses and worms becoming increasingly scarce? I addressed this question in a paper that I published in Computer Fraud and Security in 2006. To summarize, computer criminals are increasingly trying to profit from their sordid activity. If they are going to profit, what they do and the programs and processes that they install in systems that they compromise both need to avoid being noticed. Writing and distributing a worm or virus is counter to this goal.

Both viruses and worms often scan other systems in an attempt to discover which ones they can infect; the rate of scanning must be high if a worm or virus is to spread prolifically. Similarly, viruses generally work through attachments that contain malicious routines.

The scanning activity is highly noticeable by automated means such as intrusion detection and prevention systems and also directly by network operations staff. Attachments can also be easily spotted. Once detected, worms and viruses are not likely to make much headway in networks and systems because numerous eradication methods can be used. Would-be profiteers’ goals are thus likely to be thwarted.
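The noisy scanning behaviour the two paragraphs above describe is exactly what makes a worm stand out to an intrusion detection system. As an added illustration (not code from the original post), here is a small Python detector that flags any source reaching many distinct hosts within a short window while most of its attempts are dropped, run over a constructed connection-log sample; the log format, thresholds and addresses are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime


def constructed_log():
    """Constructed sample (not real traffic): 10.0.0.5 sweeps a /24 on TCP 445
    worm-style, while 10.0.0.7 has ordinary traffic. Format (assumed):
    '<ISO timestamp> <src> -> <dst>:<port> <ACCEPT|DROP>'."""
    lines = []
    for i in range(1, 41):                              # 40 targets in 40 s
        verdict = "ACCEPT" if i % 10 == 0 else "DROP"   # most targets do not exist
        lines.append(f"2008-01-07T10:00:{i:02d} 10.0.0.5 -> 10.0.1.{i}:445 {verdict}")
    for i, dst in enumerate(("10.0.1.10", "10.0.1.10", "10.0.1.20")):
        lines.append(f"2008-01-07T10:00:{i:02d} 10.0.0.7 -> {dst}:80 ACCEPT")
    return lines


def parse_line(line):
    ts, src, _arrow, dst_port, verdict = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "verdict": verdict}


def find_scanners(lines, window_seconds=60, min_targets=20, min_drop_ratio=0.5):
    """Flag sources that contact >= min_targets distinct hosts inside any
    window_seconds span with a high share of dropped attempts, the hallmark
    of blind propagation scanning. Returns {src: {...}} for flagged sources."""
    by_src = defaultdict(list)
    for ev in map(parse_line, lines):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        window, targets, drops = deque(), Counter(), 0   # sliding-window state
        for ev in events:
            window.append(ev)
            targets[ev["dst"]] += 1
            drops += 1 if ev["verdict"] == "DROP" else 0
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                old = window.popleft()                   # expire old events
                targets[old["dst"]] -= 1
                if targets[old["dst"]] == 0:
                    del targets[old["dst"]]
                drops -= 1 if old["verdict"] == "DROP" else 0
            ratio = drops / len(window)
            seen = len(targets)
            if seen >= min_targets and ratio >= min_drop_ratio:
                if seen > flagged.get(src, {}).get("distinct_targets", 0):
                    flagged[src] = {"distinct_targets": seen, "drop_ratio": round(ratio, 2)}
    return flagged
```

The drop ratio is what separates a propagating worm from a busy but legitimate host: a real client rarely has most of its connections refused.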

In comparison, malware such as hidden keystroke capturing tools and rootkits that minimize the likelihood of successfully detecting their presence is much more suitable to the goals of today’s computer criminals.

Several other factors are also likely to contribute to the reduction of worms and viruses in the wild in 2008.

Unfortunately, individual Internet users are likely to continue to be disproportionately susceptible to worm and virus infections for a variety of reasons, of which failure to run and update anti-virus software and use of peer-to-peer networking are the most obvious.

Yet a much greater number of organizations and Internet service providers (ISPs) use anti-virus software as well as other anti-virus and anti-worm measures compared to only a few years ago.

Additionally, the well-publicized arrest of the notorious teenage worm writer Sven Dietrich in Germany as well as of other virus and worm writers in other countries appears to have sent a poignant message to would-be writers of viruses and worms.

Another possibility is that virus and worm writers have simply become bored of continuing to write this form of malware, which first surfaced way back in 1980.

Although I predict a reduction in the number of worms and viruses in 2008, I am not by any means saying that it is time to relax when it comes to the risks that these types of malicious code pose—au contraire. Anti-virus software, properly configured and maintained firewalls and virus walls, patches, and user education and awareness are all still very much necessary.

~ : ~

First Prediction for 2008

Cybersecurity laws will be a mixed bag

In my last blog I made ten predictions regarding events and trends that I believe will occur in 2008. The first was:

Cybersecurity legislation regarding prompt notification of individuals potentially affected by data security breaches will be signed into law in the US. Other major cybersecurity-related legislation will, however, once again fail.

Passing cybersecurity-related legislation in the US is anything but an easy feat. Over the years many very worthy pieces of proposed cybersecurity legislation have died in committee or have been tabled or voted down once they have reached the full House of Representatives or the Senate.

You may well remember that even though nearly two-thirds of the states in the US have passed legislation mandating notification of individuals potentially affected by data security breaches, Senator Feinstein’s proposed federal legislation requiring such notification died in 2006.

What will be different in 2008 that will result in data security breach notification legislation finally getting passed?

First, the momentum for such legislation has been building for several years now. The fact that such legislation is now law in most states has provided much of this momentum. Additionally, the number of reported and publicized data security breaches has continued to grow dramatically to the point that public concern has risen rapidly.

Consider, for example, the numerous lost and stolen computers as well as intrusions into systems containing personal information within the US government (particularly within the Veterans Administration) over the last few years. (This type of incident is by no means limited to the US government, either—Her Majesty’s Customs and Revenue recently lost CDs containing information related to 25 million UK residents.)

Numerous corporations, universities and research institutions have also experienced such incidents, increasing the public concern level even higher. Finally, resistance to legislation requiring notification of individuals who have potentially been affected by a data security breach has come mainly from legislators who have been worried that such requirements would unduly penalize businesses.

The composition of the US Congress has been changing over the last few years, however, to the point that a greater number of Congresspersons who favor individual rights and privacy over business interests is now in Congress.

The second part of my prediction is that other security-related legislation in the US will fail.

Unfortunately, the perception that somehow the loss and disruption resulting from computer-related crime is not nearly as severe as from other types of crime lingers; US Congresspersons are no exception.

Clearly, US legislators, let alone the public at large, are in dire need of security awareness and training, yet the likelihood that they will ever get such training remains minuscule.

Additionally, there does not appear to be much impetus for such legislation from lobbyists, US agencies, and other groups that influence decisions concerning federal legislation. I would therefore not count on other significant security-related legislation passing any time soon.

~ : ~

Information Security Predictions for 2008

The year 2008 is right around the corner and with it new, very significant information security-related events, some of them good, some of them bad, will undoubtedly occur. Based on trends that I’ve been tracking, I’d like to make the following predictions:

  1. Cybersecurity legislation regarding prompt notification of individuals potentially affected by data security breaches will be signed into law in the US. Other major cybersecurity-related legislation will, however, once again fail.
  2. Fewer worms and viruses will surface in the wild–a continuation of the present trend.
  3. Vendors of eVoting machines will greatly improve the out-of-the-box security of their products to the point that they will be widely deployed with far less concern for their security than has surfaced so far.
  4. There will be a proliferation of rootkits, particularly kernel-level rootkits and rootkits that work as spyware, to the point that a surprisingly large percentage of systems that connect to the Internet will be rootkit-infected without the knowledge of either users or system administrators.
  5. Attackers will continue to shift their focus from attacking Windows systems and towards attacking Linux and Macintosh systems.
  6. An attacker or group of attackers will for the first time succeed in their attempts to bring the entire Internet down for a period of several hours or possibly even longer.
  7. The trend of CISOs reporting to executive-level management will accelerate due to the increasing importance of information security within organizations.
  8. PCI-DSS compliance will grow in focus and importance to the point that it will become one of the top two or three security issues in the security practices of organizations that deal with credit card information. Fines for non-compliance will also proliferate greatly as an increasing number of corporations and organizations are found to be out of compliance.
  9. The financial and legal repercussions of TJX’s data security breaches will snowball to the point that this company will be forced to sell itself or to merge with another company just to survive.
  10. International cooperation in dealing with computer crime and information security issues in general will grow substantially due to the increasing realization that the overall lack of cooperation that has been too widespread over the years has gotten law enforcement and countries nowhere.

Predictions without explanations are of little value, however, so I will explain these predictions one-by-one in each blog that I write over the next five weeks or so.

~ : ~

A “Do Not Track” List?

One item in the recent news that caught my attention was a call by certain consumer groups to develop a “do not track” list in the US.

This list, parallel in principle to a “do not call” list that went into effect years ago to curb unsolicited telephone calls, would allow people to “opt out” or “opt in” concerning whether companies and organizations can track their visits to Web sites through the use of cookies.

Advertisers that install cookies on users’ computers would have to register every server used in connection with tracking Web site hits with the Federal Trade Commission (FTC). A two-day long FTC public forum on this subject was held earlier this month.

If people were allowed to choose whether or not companies and organizations can track their Web surfing, predicting that most people would decide that they did not want anything tracking what they did would be a “no-brainer.”

The only real advantage to users might be simplifying certain Web interaction sequences because cookies usually contain information about previous interactions and provide this information to Web servers, thereby precluding the need for users to repeat actions in which they have previously engaged.

In contrast, the overwhelming advantage of using cookies belongs to companies that use the information provided to them to tailor advertising according to user profiles that these companies construct.

The reaction from industry has thus been predictably negative. Randall Rothenberg, who heads the Interactive Advertising Bureau, went so far as to call the “do not track” movement a hindrance to industry innovation. He instead advocates self-regulation by industry.

I’d like to go on record as being strongly in favor of the “do not track” initiative.

For one thing, installing tracking cookies in users’ computing systems with neither their knowledge nor consent is unethical; it constitutes a gross invasion of privacy, one in which “big brother” is perpetually watching, so to speak.

Additionally, why should a company or organization have the right to install anything on another individual’s system without that individual’s permission? Users should be afforded the right to determine exactly what does and does not run on their computers.

If not, think what might be next—perhaps even covert monitoring devices installed in cars to determine where the driver is going. As for Rothenberg’s claim that a “do not track” list would stifle industry innovation, all I can say is “get real.” If innovation translates to infringement of individuals’ privacy using clandestine measures, it is time for Rothenberg and the others whose interests he represents to rethink the nature of innovation and what it should entail.

Finally, “self-regulation” is a great idea in principle, but in reality it does not turn out to be what its advocates promise. Consider, for example, how little “self-regulation” has done for the practice of information security. If it were not for various security-related statutes and regulations, as ugly as some of them regrettably are, the practice of information security would still be in the proverbial dark ages, as it was twenty years ago.

The fight concerning the “do not track” initiative has just begun. Individual privacy is at stake. Getting federal legislation passed will not be easy. The opposition will be well organized and well funded. So stay tuned—the events surrounding this issue are bound to be intriguing.

~ : ~

OMB’s Incident Reporting Requirement

Several weeks ago the Office of Management and Budget’s (OMB’s) head of the Office of Electronic Government and Information Technology stated that the reported security-related incidents for US government agencies had more than doubled (from 14 to 30) in only a few months. Why the sudden increase in the number of reported incidents?

A possible explanation is the impact of a fairly recent OMB edict that requires these agencies to report security incidents in which personally identifiable information is compromised to the US Computer Emergency Readiness Team (US CERT) within one hour of the start of the incident.

Evans asserted that this increase is due to agencies taking no chances—they now report anything that appears to be an incident in which personal information may have been obtained without authorization. She added that there may now also be increased awareness concerning potential incidents within agencies, something that she views as a positive development.

An alternative explanation is simply that more incidents in which personal information is being compromised may be occurring. After all, recent statistics indicate that the number of such incidents has been growing rather dramatically over the past few years.

Regardless of the cause of this sudden increase in reported data security breaches, an important underlying issue, namely the amount of time allowed for reporting, needs to be scrutinized.

Although the one hour reporting deadline might superficially seem reasonable, in real settings it is anything but so. In reality this deadline translates to technical personnel having only a few minutes to analyze evidence that may be associated with potential incidents. Perhaps a decade or more ago, when security incidents were relatively rudimentary compared to today’s incidents, one hour might have been sufficient.

Today’s incidents, however, are generally much more insidious; attackers generally use tools and methods that very carefully mask their activity on the systems that they attack. Consequently, carefully investigating potentially compromised systems may require hours if not days of meticulous effort by one or more technical experts. The one hour deadline will thus result (and has undoubtedly already resulted) in a substantial increase in reported events that in the long run are judged to be merely false alarms.

All is not amiss, however.

The merit of requiring federal agencies to report potential data security breaches within an hour of their onset must ultimately be weighed not simply by its disadvantages, but rather by comparing its advantages to its disadvantages.

The advantages are substantial. Before this reporting requirement went into effect, many data security breaches within federal agencies were simply not reported, or if they were reported, they often were not reported in a timely manner.

The one hour deadline may ultimately increase the number of false alarms reported (and the associated frustration, waste of resources, and political fallout), but it also dramatically increases the probability that incidents will at least be reported. It also helps ensure that they will be promptly reported.

If personal information has been potentially compromised, one of the major considerations should be protecting the interests of individuals who have potentially been affected. Prompt notification of these individuals is possible only if the incident is promptly detected and reported.

Additionally, as Evans has so aptly pointed out, the reporting requirement (no matter how unreasonable the deadline is) has increased awareness concerning data security breaches within federal agencies, thereby ultimately increasing the likelihood that any such incidents will be handled properly.

What is the “bottom line?”

Granted, to require a determination whether or not a potential incident is a bona fide incident within one hour is not really very realistic. At the same time, however, this requirement seems to have awakened federal agencies out of a deep stupor regarding detecting, responding to, and reporting data security breaches in which personal information is involved.

Susceptibility to identity theft has at the same time been greatly reduced. All things considered, therefore, this requirement appears to have turned out to be a very good thing.

~ : ~