This year saw a number of notable events. The 2002 Sarbanes-Oxley Act, with its harsh penalties for public companies...
that lack internal data controls, finally kicked in. Phishing proved profitable for fraudsters, and at the expense of big businesses. Spam proliferated, despite federal and state laws that netted a few convictions. Vulnerability management stepped forward with the adoption of the new Application Vulnerability Description Language standard. While patching remained a huge problem, mainly because there seemed to be so many holes to fill, it prompted industry leaders to band together to demand safer software. Meantime, Microsoft unveiled the massive XP Service Pack 2 to demonstrate its commitment to secure software. At the same time, Microsoft's Internet Explorer became the fave flaw for exploits, prompting an upstart open-source browser, Mozilla's Firefox, to declare war -- and market share. Then there was a national obsession with tamper-proofing e-voting. Here is a sampling of interesting comments that helped define 2004.
Google grows up
"Google kind of makes it easy to connect all the dots together. I think Google is the biggest privacy invader on the planet, no doubt about it."
--Former Privacy Foundation CTO Richard M. Smith around the time of the search engine company's much ballyhooed initial public offering. The once-scrappy startup's aggressive search tools inspired the 'Google hacking' phenomenon, and this year's release of Gmail, which trawls customer's Inboxes to match advertising to keywords in messages, didn't make privacy advocates any happier.
Saving us from ourselves
"We simply aren't smart enough as a species to handle this."
--Paul Kocher, chief scientist at Crytography Research, on the increasingly sophisticated social engineering used by today's worm and virus writers -- a widely discussed topic at this winter's RSA Security annual conference.
"Cybersecurity should become second nature, just like brushing our teeth."
--National Cyber Security Alliance Chairman Ken Watson, upon declaring October National Cyber Security Awareness Month.
Championing secure software
"To say a system is secure because no one is attacking it is very dangerous."
--Microsoft founder Bill Gates, referring to claims by competitors, particularly open source rivals like Linux, that their products are better because they aren't targeted as often by hackers.
"We need secure products, not security products."
--Phil Venables, CISO, Goldman Sachs, speaking on the complexity of security confronting enterprises at the Burton Catalyst Conference in July. Vendors from major security companies banded together this spring to promote higher quality software development to reduce the number of flaws upon a product's release.
"Ultimately, it's up to all of us ... to stop designing insecure systems. It is as simple as that."
--Paul Simmonds, global information security director for British conglomerate ICI Plc. and co-founder of the Jericho Forum, during this summer's keynote at Black Hat Briefings.
"Everyone in the industry knows that CERT and most vendors don't release advisories until they have a fix available. In the interim, the underground and industry are talking about it, and the bad guys have a pretty defined window of opportunity to mess with people."
--Richard Forno, a security consultant and former CSO of the InterNIC, during an interview. Among this year's trends was the decreasing time to mere days between patch release and exploit.
"The software industry as a whole has never made a concerted effort to write better code, [so] it's far too early to throw in the towel."
--Mary Ann Davidson, CSO, Oracle, which this year followed Microsoft's playbook and introduced monthly, and now quarterly, security patches.
RFID raises the bar
"It's basically a bar code that barks."
--Robin Koh, director of applications research at the Auto-ID Labs of the Massachusetts Institute of Technology, in a newspaper interview on radio frequency ID tags used to track prescription drugs. Wal-Mart and the Department of Defense also plan to use RFID tags in their supply chains next year. IT security managers openly expressed worries with maintaining and protecting the wealth of digital files these tags will produce. Not to mention black-hat tools already exist to thwart tags' effectiveness.
Hoorahs and headaches for XP SP2
"There really are a lot of nice little things that make SP2 more like an XP SE rather than a patch."
--Posting by a Windows user on an online forum upon the release of Microsoft's biggest update to date, created with security in mind.
"From the security manager's perspective, SP2 is certainly a step in the right direction. However, in practice, SP2 oversimplifies security management tasks and will likely cause significant disruptions to normal operating processes due to poor user choices -- especially in larger organizations with thousands of users."
-- Chuck Adams, CSO of NetSolve in Austin, Texas, in an interview.
E-commerce in the crosshairs
"These are the crooks who, in the future, are going to elbow the hobbyists aside, and then settle in for a nice long vampire slurp from our e-commerce bloodstream."
--Novelist Bruce Sterling, on the rebirth of a criminal underworld that uses malicious code to install backdoors in networks. He spoke at June's Gartner IT Security Summit.
"Organized criminals go where the money is, and the amount of valuable data online is increasing all the time."
--Purdue University professor Gene Spafford, addressing the growing influence of extortion and racketeering in e-commerce, such as threatening businesses with denial-of-service attacks. The comment came during his keynote at this fall's Information Security Decisions conference.
"Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there's a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords."
--Bruce Schneier, CTO of Counterpane Internet Security, in an interview.
Knitting SOX into the enterprise
"Sarbanes-Oxley is the absolute worst. They don't tell you what you need to do at all. Of course, they'll throw you in jail if you don't do it properly."
--Paul Proctor, META Group's vice president of security and risk strategies, on the quandary facing companies trying to become SOX-compliant. The comment came during this fall's Information Security Decisions conference.
Hackers strike out at e-voting
"The more technology is embedded into our lives and the political process, the more people out there will find ways to hack into machines and tamper with them."
--Steve Thornburg, a senior consultant for Newport Beach, Calif.-based Mindspeed Technologies Inc., prior to November's presidential elections, which had its share of technical voting glitches, but none serious enough to alter outcomes of major races.
More Microsoft backlash
"We've been in the biggest beta test there is, for years. We call it Windows."
--Victor Wheatman, managing VP for Gartner Group, discussing Redmond's omnipresent software flaws during Gartner's IT Security Summit in June.
Dig Deeper on Sarbanes-Oxley Act