It's a new year. Out with the old and in with the new, right? Not so, according to SANS. Rather, it's in with the old and let's get it right this time.
Security has been set back to 1999--at least that was the consensus among security professionals who contributed to the SANS Institute's Top 20 vulnerability list for 2005. The reason: lack of automated patching for applications.
So, don't pop the bubbly yet, and put down that party hat: 2006 could be a year of patching hell.
Attackers are targeting Windows Office and other popular applications, backup software, antivirus software and even media players. Hackers are also looking to exploit networking equipment. In essence, even the technology that is supposed to protect you could make you more vulnerable.
So why are we going back to the future?
The problem is that we've been in reactionary mode for too long. Our knee-jerk response has been to put up walls to shield our networks from outside threats. But while we focused on hardening the perimeter, we failed to protect the inside.
I don't need to tell you that today's threats are far more nefarious. Those linked to organized crime are stealing customer names and personal data, often skirting network security to break into applications themselves. At the same time, amateurs are trying their hand at hacking. Google the word "hacking tools," you'll get close to 10 million results in 14 seconds. A similar search in 2001 yielded just 258,000 results, according to a Morgan Stanley report.
That's not the worst of it. Company employees-- your employees--whom you trust to protect data are actually turning on the spigot, spilling or even stealing confidential company information. (See "Don't Spring A Leak")
All of these types of attacks have huge financial implications. Eighty-one percent of such breaches resulted in financial losses upwards of tens of millions of dollars, according to a 2005 U.S. Secret Service and Carnegie Mellon Software Engineering Institute study.
But instead of patching like it's 1999, is there some reason to party like it's 1999?
Yes. Vendors are heeding the call. They are embedding security lower in the stack and earlier in the flow. Software is starting to feature security as much as functionality. Meanwhile, service providers are looking at ways to offer "clean pipes" to customers, as outlined in "Help from Above".
The good news is that security managers should have the money to face many of today's challenges head-on. In a recent survey of more than 400 Information Security readers, one-quarter of companies forecast IT security budget increases of 10 percent to 24 percent, and roughly one in 10 expect to see at least a 25 percent hike. (Only about 7 percent think their budgets will be cut.) According to a Morgan Stanley poll of CIOs, their primary and secondary spending priorities were security software and hardware. Perhaps it's all the security breaches of the past year or regulatory compliance pressures, but security seems to be finally getting much-needed attention at the C-level.
There are other reasons to be optimistic about 2006. Sixty-one percent of infosecurity pros told us they think their organizations will do a better job of managing risk, and 74 percent think overall security will improve.
So lift a glass to 2006 and make a toast to getting it right.