Two-thousand six was an action-packed year for the information security industry. It started with an attack based on an exploit of the Windows Meta File (WMF) vulnerability, and ended with an onslaught of spam attacks, the potential that Microsoft Vista -- within days of its release -- was already susceptible to malware attacks and even Al-Qaeda made headlines, as it threatened cyberattacks against financial institutions' Web sites.
Here's a recap of noteworthy information security threat happenings in 2006.
1. Microsoft issues an emergency patch to protect against the WMF vulnerability
Most security managers were enjoying the holiday break between Christmas and New Year's, when the exploit that allowed attackers to use images to inject malicious code was discovered. In an effort to prevent this attack, Microsoft released its patch on Jan. 5, ahead of its monthly update cycle, in response to an unauthorized patch developed by an independent security researcher.
2. Veterans Affairs data breach compromises 26.5 million veterans personal data
In May, the theft of a laptop with personal data -- including Social Security numbers -- for 26.5 million veterans from the home of a VA employee made many companies rethink their policies for telecommuters with laptops. Similar data breaches, mostly from lost laptops and other remote devices, happened throughout the year.
3. RFID security issues places consumer information at risk
In October, researchers at the University of Massachusetts successfully cracked credit cards with RFID chips, igniting a debate about the security of data stored on RFID chips and the safety of RFID credit cards, in particular.
4. Malware threatens Windows Vista Operating System security
In November, Sophos announced that one third of new malware discovered that month could breach the Windows Vista operating system. The announcement came within days of the enterprise release of the new OS.
5. Growing army of botnets in 2006
By the fourth quarter, many businesses noticed massive volumes of spam in their email systems, generated mostly by growing botnets.
6. Al-Qaeda positions cyberattack against US financial institutions
In December, the U.S. Computer Emergency Readiness Team (US-CERT) warned of a potential cyberattack against U.S. financial institutions by Al-Qaeda. But it was later unable to corroborate the threat.
7. US District Court sentences man for botnet use
In the first prosecution of its kind, a US District Court in Los Angeles sentenced James Ancheta to 57 months in federal prison for running a botnet. The conviction in May followed the investigation and arrest of Ancheta by the FBI. Also, in September, the US joined the Council of Europe Convention on Cybercrime to extend its law enforcement to combat an unstoppable wave of phishing attacks, most of which originate overseas.
8. Financial institutions rush to meet FFIEC deadline
As the year drew to a close, financial institutions rushed to meet a Jan. 1, 2007 deadline to implement two-factor authentication for banking online, in accordance with guidance issued by the Federal Financial Institutions Examinations Council (FFIEC). The guidance -- created in an attempt to protect personally identifiable information -- states that user IDs and passwords by themselves could be cracked and were, therefore, insufficient for online banking security.
Aside from the headliners, there was the usual laundry list of data breaches, compliance issues, phishing attacks and general mayhem and mischief. Spyware remained a problem, and beefed up Trojans and keystroke loggers that could steal passwords became more prevalent.
More of the same in 2007?
While 2006 was an action-packed year, the industry should expect more of the same in 2007, but maybe worse. But there will also be differences, most notably because in 2007 a tightening economy will force many companies to fight these tougher information security battles with the same budget and staff levels as in 2006. Plus, information security professionals should be weary of innovative new security threats and attacks.
The pests of years past like Nimda, Sasser and Code Red are still out there, but have been upstaged by spyware and sophisticated keystroke-logging Trojans that take screen shots of user IDs and passwords. These threats will likely continue unabated throughout 2007. Likewise, botnets will continue to grow and threaten email usage through the year. The problem will beg a solution if it affects customer confidence in email or defeats current spam-fighting technology.
Web attacks, mostly phishing, will continue to plague businesses throughout the year. Banks and other financial institutions will continue to be the prime targets, as they always have been, but SMBs and smaller companies will be hit by targeted attacks, most likely in the form of spear phishing. Much of this will be driven by the continued growth of botnets spewing out spam and other email garbage with phishing lures.
Data breaches, some committed by insiders, will continue to be of concern to most companies in 2007. This is mostly due to a proliferation of portable devices, ranging from tiny USB keys to BlackBerrys, laptops and wireless devices. Endpoint security will be a huge emphasis, as evidenced by the growth of companies in this area in 2006.
Finally, all eyes will be on Windows Vista and whether it delivers on Microsoft's promise to be the software giant's safest operating system yet. With its release near year end, it's still too early to tell if the highly touted new security features will integrate into the enterprise environment.
Either way, 2007 already promises to be another fun-filled action-packed year for security professionals.
About the Author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in developer security, specializing in Web and application security, and the author of The Little Black Book of Computer Security available from Amazon.
