Experts predict many of next year's security issues will grow from seeds sown in 2003.
Regulatory compliance will likely be the main driver for infosecurity spending and implementation. While most companies have a pretty good handle on the Health Insurance Portability and Accountability Act (HIPAA), a couple of new regulations entered the fray that companies will address this year. California passed the Security Breach Notification Act (SB 1386), which requires that companies disclose security breaches that may have compromised specific personal information on California residents.
But many observers say that the Sarbanes-Oxley Act will be the law that really drives infosecurity. Passed in response to the corporate governance scandals of 2002, the law doesn't directly address security. However, it mandates that the CEO and CFO sign off on the integrity of a company's financials (including internal controls), forcing upper-level management to take a personal interest in security.
Michael Rasmussen, director of information security at Forrester Research, predicts a similar law will be passed this year mandating upper-level management sign off on their company's information security plans.
The threat landscape may be a little different, as well. Experts predict organized groups will continue to write malicious code such as the Sobig family of worms, which added spam routing software to infected machines. Most experts suspect an organized group created them.
One trend Joe Hartmann, director of North American antivirus research for Trend Micro, expects to continue are worms coupled with scams. For example, variants of the Mimail worms tried to get recipients to give up their credit card information. He also expects P2P and instant messaging technologies will become more popular vectors for malicious code. "A lot of people will open a file coming through IM because they think it's coming from a friend," he said.
Yet Hartmann is quick to admit that it's hard to predict the future twists of security. "There is always something that really surprises us. We wouldn't have expected a worm to exploit the SQL vulnerability like Slammer did," Hartmann said. "I wouldn't be surprised if something like that happens again next year."
Remote Procedure Call (RPC) vulnerabilities are also likely to be an issue in 2004. A half-dozen high profile vulnerabilities in Microsoft implementations of the protocol paved the way for the Nachi and Blaster worms.
According to vulnerability scanning outsourcer Qualys, three of the top 10 most prevalent vulnerabilities in 2003 were RPC based. The company predicts such flaws will cover more than half the list for 2004, and the vulnerabilities won't only be in Windows.
"We are liable to see platform-agnostic worms that attack multiple platforms," said Gerhard Eschelbeck, Qualys' CTO. One of the reasons RPC-based vulnerabilities are so dangerous is the protocol is designed to allow different operating systems to communicate with each other. "It's designed to execute code on another system, which is exactly what a worm wants to do," he said.