Experts predict many of next year's security issues will grow from seeds sown in 2003.
Regulatory compliance will likely be the main driver for information security spending and implementation, as companies use laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act as benchmarks for assessing their security postures.
The threat landscape may be a little different, as well. Experts predict organized groups will continue to write worms such as Sobig, which added spam routing software to infected machines.
Experts also think Remote Procedure Call (RPC) vulnerabilities will be an issue in 2004. Vulnerabilities in Microsoft implementations of the protocol paved the way for the Nachi and Blaster worms, two of this year's most destructive.
Compliance will drive security
Existing regulations will drive much of next year's cybersecurity spending. New laws may further push organizations to invest more heavily in information security.
In the early part of 2003, companies scrambled to comply with (or just plain understand) HIPAA, which protects the security and privacy of personal medical information.
While most companies have a pretty good handle on HIPAA, a couple of new regulations entered the fray that companies will address next year. For example, California passed Security Breach Information Act 1386 (SB 1386), which requires that companies disclose when customers' personal information has been compromised or accessed. In many ways, the law scares companies into becoming more secure. Many companies that are hacked keep it quiet for public relations reasons. SB 1386 will force them to admit it.
Many observers say that Sarbanes-Oxley will be the law that really drives information security. The law, passed in response to the corporate governance scandals of 2002, doesn't directly address security. However, it does require that publicly traded companies have internal controls in place.
Sarbanes-Oxley mandates that the CEO and CFO sign off on the integrity of a company's financials (including internal controls). In other words, upper-level management must take a personal interest in making sure security controls are in place.
Michael Rasmussen, director of information security at Forrester Research Inc., Cambridge, Mass., predicts a similar law will be passed in 2004 that will mandate that upper-level management sign off on their information security plans.
You haven't heard the end of RPC
Many security professionals became intimately acquainted with RPC this year because a half-dozen high-profile vulnerabilities were found in Windows' implementation of it.
According to vulnerability scanning outsourcer Qualys Inc., Redwood Shores, Calif., three of the top 10 most prevalent vulnerabilities in 2003 were RPC based. The company predicts such flaws will cover more than half the list for 2004, and the vulnerabilities won't only be in Windows.
"We are liable to see platform-agnostic worms that attack multiple platforms," said Gerhard Eschelbeck, Qualys' CTO. One of the reasons RPC-based vulnerabilities are so dangerous is that the protocol is designed to allow different operating systems to communicate with each other. "It's designed to execute code on another system, which is exactly what a worm wants to do," he said.
Malicious code authors team up
The biggest malicious code threat of 2003 was the Sobig family of worms. Though they took some novel tacks, the most interesting thing about the worms was their origins. Most experts suspect an organized group created them.
For starters, Sobig variants dropped spam-routing software onto infected systems. One went so far as to remove itself after delivering its cargo so antivirus scanners wouldn't discover it. Each variant was coded with a deadline to stop working. Experts felt this was a sign that the creators were testing out each variant to see which features worked best.
In many ways, the worms created by such groups aren't that novel, said Fred Cohen, an information security expert and an analyst with the Burton Group, Midvale, Utah. "They are a lot better at self control," he said.
Microsoft took an unusual step this year and issued a bounty for the authors of Sobig, but experts doubted whether it would be helpful. "I'm not sure if Microsoft's bounty will be very successful," said Joe Hartman, director of North American antivirus research for Trend Micro Inc., Tokyo. "[The virus writers] seem to know what they are doing. They are hiding their tracks."
One trend Hartman expects to continue is worms being coupled with scams. For example, variants of the Mimail worms tried to get recipients to give up their credit card information.
He also expects newer technologies such as peer-to-peer networking and instant messaging will become more popular vectors for malicious code. "A lot of people will open a file coming through IM because they think it's coming from a friend," he said.
Yet Hartman is quick to admit that it's hard to predict the future twists of security. "There is always something that really surprises us. We wouldn't have expected a worm to exploit the SQL vulnerability like Slammer did," Hartman said. "I wouldn't be surprised if something like that happens again next year."