Web security in 2004 was typical given the various vulnerabilities and exploits that attempted to undermine the
security of network systems. The outlook for the Web security challenges in 2005 promises more of the same, but with greater intensity.
Phishing will grow in sophistication and danger. Very few security pros knew about phishing the last time the ball dropped in Times Square, but most are now aware of its risks. This exploit uses spoofed e-mails and Web sites to trick unsuspecting consumers into revealing sensitive account information and placing themselves at risk for identity theft.
When first launched, these illicit come-ons were obvious forgeries and fooled only the most naÏve of surfers. The broken English and misused idioms that peppered their urgent exhortations betrayed their Eastern European origins. However, today's slick phishing expeditions use graphics to mirror the design of legitimate sites, such as eBay, Citibank and SunTrust, right down to the small-print copyright notices and legal disclaimer page footers.
Expect these attacks to grow in sophistication next year. Phishers will become more proficient at duplicating legitimate communications and will likely use elements directly taken from a company's site. These attacks will increasingly pose a risk to Web security as they degrade the level of confidence that corporations have in the non-repudiation of Web-based transactions -- companies can't be sure that the transactions entered by users really were entered by those users. An attacker who steals a username/password pair using a phishing attack could easily impersonate the legitimate user. And, it also undermines the consumer's confidence in legitimate Web-based transactions.
The solution? Education. If you communicate with your customers via the Internet, be sure that they know that you don't solicit personal information via e-mail. It's best to notify them of this policy several times throughout the customer relationship, such as when they open their accounts, through periodic reminders, via face-to-face (if consumers open accounts in person, such as a banking relationship), via e-mail and also through notices published in your customer newsletters. Specify that they should always visit your Web site by typing the URL into their browser or using a bookmark, rather than clicking suspicious links. If you're dealing with a small segment of very high-value customers, you may wish to consider the cost/benefit ratio of multifactor authentication using a device such as a smart card.
New worms exploit new vulnerabilities. SQL Slammer, ILOVEYOU, Melissa. We've seen them all, or have we? 2005 will be no different from previous years. We'll see software vendors (especially our friends in Redmond) release news of vulnerabilities and automated worms designed to penetrate the systems operated by administrators too inattentive or "busy" to keep them appropriately patched. Many of the worms that appear during the next year will take advantage of the same common vulnerability classes we've already seen. For example, there's no doubt that someone will discover a "golden oldie" such as a buffer overflow lurking in a widely deployed application.
We've already seen the introduction of malicious code through new threat vectors, in fact 2004 showed us the first cell phone virus, and the introduction of infected attachments sent through IM technology. Your defense strategy for securing systems in 2005 should cover the basics -- keep patches up-to-date, run periodic vulnerability scans using tools like MSBA and Nessus and consider deploying an intrusion detection system (or network of IDS sensors) to monitor for illicit activity. If you don't think that security updates are mission critical, try explaining that to your boss when the system falls prey to the next generation worm.
High profile compromises will spur action. If you've been paying attention, you've likely noticed a few significant, but "under the radar" security breaches over the past couple of years, such as the disgruntled sub-subcontractor in India who threatened to post confidential medical transcription records from a major U.S. hospital on the Internet if prompt payment wasn't made. And, we've all heard the anecdotal stories from industry colleagues about major e-tailers that suffered security breaches, which compromised customer account information, including credit card data.
It's expected that one of these incidents will hit the national press, which could ultimately generate new resources for security professionals, particularly an incident publicized on a slow news day or one linked to a terrorist group. Such an attack will undoubtedly spur renewed interest in Web security with a commensurate dedication of resources. We could see government action that dedicates federal funding for improving critical components of our national infrastructure as a result. Prudent information security professionals should keep their "wish list" up-to-date with a ready battle plan should funds become available.
Information security professionals have made great strides in securing the infrastructure this year. Through 2005, vulnerability foresight and a proactive approach will remain critical to managing an effective Web security strategy.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of the About.com Guide to Databases.