10.29.08

Emerging Threat Trends For 2009

By Dan Morrill

The Georgia Tech Information Security Center has released its trends and indicators for emerging information security threats for 2009. Unfortunately, these are all things we have been battling for years and just not winning.

The list is unremarkable, and that is the scary part: the emerging threats for 2009 are the same ones we have been fighting for years as information security professionals. The problem is that while we deal with what should be an emerging threat, we are busy fighting yesterday's war, which is being identified as an emerging threat. That means our focus on the right people with the right education, training, certificates, and everything else we use to vet good information security folks from the average for employment might just end up not working out the way that it was intended.

- Malware
- Botnets
- Cyber warfare
- Threats to VoIP and mobile devices
- The evolving cyber crime economy
Source: GTISC

You can watch a video of the report here.


The problem lies in the way we currently design programs, and in how those programs are checked for information security issues only partially or not at all. When someone puts a program on the internet, it immediately goes into an extraordinarily hostile environment. From a testing perspective, this means that testers and security testers should not be looking at just the functionality of the program. The underlying data, and how someone could get at it, should be part of everyone's testing plans for a program.

A rush to market leaves little time, and in many cases no time, for a full security sweep of the program before it goes out and gets integrated into a web site. Startups are particularly vulnerable to this kind of rush-to-market mentality, and to the idea that they are resource constrained. This opens up an opportunity for hackers to do your security testing for you. What they want is the data: data on your customers, where money moves, what data is important, and personal or private data that can be resold. It is not necessarily that they want to take over the site; they want to use your site as their own, to deliver malware, compromise customers, and use that information down the road or sell it to the highest bidder.

As companies draw down employees, it becomes vital for them not to compromise their security departments. It is also important that security departments make themselves meaningful to the company. What GTISC is talking about is where we have been in the past. These are not emerging threats; these are threats that we deal with every day. The idea that we have to reissue these as emerging tells us that we, as a profession, are not getting it. We are not keeping the right people in the job with the right skills, doing the right thing.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
-- EnterpriseSecurityNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc. All Rights Reserved
