Happy New Year? IT security pros hope it will be, but if industry experts are right, companies in 2006 will be plagued by a number of new threats -- most notably application exploits and next-generation spyware.
Many still believe worms and viruses pose a greater risk than any other security scourges. But Natalie Lambert, security analyst with Cambridge, Mass.-based Forrester Research Inc., said that's not necessarily true.
Lambert said Forrester's research consistently shows that corporate security pros worry most about worms and viruses, but increased awareness and better defenses are pushing virus writers to turn their attention elsewhere, namely to spyware.
"Spyware, on the other hand, is a billion-dollar industry," Lambert said, "so we think virus writers are switching to spyware as a way to make a living."
Recent research from vendor Webroot Software Inc. indicates that's already happening. The Boulder, Colo.-based antispyware firm's annual "State of Spyware" report suggests spyware has already become a "global pandemic," with the average infected PC in the U.S. hosting more than 24 different spyware programs.
Based on what's happened in 2005, it's hard to believe the volume of spyware in the wild will level off anytime soon, said Michael Cobb, a SearchSecurity.com expert and founder and managing director of London-based consultancy Cobweb Applications Ltd.
"I think it's going to have to get worse before it gets better," Cobb said, because users aren't as aware of the need for antispyware applications as they are of antivirus apps and firewalls. "It's still very low on their list of security requirements and in terms of awareness."
Shon Harris, president of Logical Security Inc., a McKinney, Texas-based consulting firm and a SearchSecurity.com expert, said it will be at least another year before the average user understands what spyware is. And even then it will be a challenge to thwart it.
"We will make our tools better, but the threat will always be there because it comes down to what people do or do not do," Harris said. "It is just us security people who think about it all the time and even we don't follow our own preaching at times."
In addition to spyware, application-specific attacks are expected to be a major problem in 2006.
Cobb said attackers are increasingly likely to exploit flaws in specific applications, not only because traditional perimeter defenses have improved, but also because the application layer generally remains exceedingly vulnerable, especially where insecure Web applications offer a direct route into an organization's database.
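The "direct route into an organization's database" that an insecure Web application can offer is, in the most common case, SQL injection: user input pasted into a query string becomes part of the SQL itself. The following added example (it is not code from the article or from any of the people quoted) shows a hypothetical `lookup_vulnerable` beside its hardened `lookup_safe`, run against a constructed in-memory SQLite table, so the difference can be observed offline. Both the table contents and the two attack strings are constructed for illustration.

```python
import sqlite3

# Constructed sample data for the demo (not from the article): a tiny user table
# of the kind a Web application's login or profile page might query.
SAMPLE_ROWS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
    ("carol", "pa55word", "carol@example.com"),
]

# Two constructed attack strings. The first turns the WHERE clause into a
# tautology; the second appends a UNION that pulls a column (password) the
# original query was never meant to expose, then comments out the stray quote.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password FROM users --"


def build_db():
    """Create the constructed table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical insecure lookup: the input is interpolated straight into SQL,
    so quote characters in the input change the structure of the statement."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a bound parameter: the driver sends the input as a value,
    so it can never be parsed as SQL, whatever characters it contains."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def run_demo():
    """Run both lookups against benign and hostile input; return all results
    so the outcome can be checked rather than merely printed."""
    conn = build_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "alice"),
        "benign_safe": lookup_safe(conn, "alice"),
        # Tautology: vulnerable version returns every row, safe version none.
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        # UNION: vulnerable version leaks (username, password) pairs.
        "union_vulnerable": sorted(lookup_vulnerable(conn, UNION_DUMP)),
        "union_safe": lookup_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The UNION case is the one that matches Cobb's point most directly: the page asked only for a username and e-mail address, but the attacker's input makes the database hand back the password column, and any other table the connecting account can read, through the same code path. The parameterized version needs no input filtering to resist either string; the fix is structural, which is why secure development practice, not a perimeter device, is what removes the class of flaw.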
He said application security problems are becoming more common because application-layer firewalls are expensive to purchase and implement, and because few organizations emphasize secure application development.
"It's going to take a long time before applications generally are written at a level where the security problem starts to decrease," Cobb said.
While Microsoft has borne the brunt of application security criticism in recent years, Lambert said it's an industry-wide problem, and that all widely used applications are likely to become targets soon.
One often overlooked application threat is instant messaging. Charlotte Dunlap, information security analyst with Sterling, Va.-based research firm Current Analysis, said it's difficult to secure or restrict the use of public IM clients because many companies' workers use them to communicate with co-workers, as well as with others outside an organization's perimeter.
"IM has some good attributes, namely its collaboration usefulness," Dunlap said, "but I think it's just another [application] area for attackers to more easily go after."
Other notable threat trends for 2006 include:
"The banks, financial services companies and other high-profile sites will have to be very careful," he said, "because I think people's concern about phishing will impact not just their ability to promote businesses online, but also possibly online shopping altogether."
"Imagine a world where you might have spyware on your computer that records which sites you go to on a daily basis, and then relays that data back to a central server," she said. "Then, knowing which banks I use, I could get a targeted spam/phishing attack from an attacker, but it's no longer a random bank asking for my information. It looks like my bank asking for my information."
"We will move out of this 'Wild West' stage we are currently in and move to a more controllable way of catching the bad guys, but I don't think it will drastically improve in 2006," Harris said. "Anytime that people are enticed into making money the easy way and there is a small chance of getting caught, this trend will only continue."