
Spyware, application attacks to be biggest 2006 threats

Security experts say virus writers will turn their attention to spyware in the year ahead, victimizing many still-unsuspecting users. Application-specific attacks, phishing and data exposures will also plague security pros.

Happy New Year? IT security pros hope it will be, but if industry experts are right, companies in 2006 will be plagued by a number of new threats -- most notably application exploits and next-generation spyware.

Many still believe worms and viruses pose a greater risk than any other security scourges. But Natalie Lambert, security analyst with Cambridge, Mass.-based Forrester Research Inc., said that's not necessarily true.

"At this point, if you think about it, it's been two and a half years since there was a big virus outbreak that brought down companies' defenses," Lambert said. "We think the reason for this is because there is no money in [developing] viruses and worms."

Even though Lambert said Forrester's research results consistently show that corporate security pros are primarily worried about worms and viruses, increased awareness and better defenses are causing virus writers to turn their attention elsewhere, namely to spyware.

"Spyware, on the other hand, is a billion-dollar industry," Lambert said, "so we think virus writers are switching to spyware as a way to make a living."

Recent research from vendor Webroot Software Inc. indicates that's already happening. The Boulder, Colo.-based antispyware firm's annual "State of Spyware" suggests spyware has already become a "global pandemic," with the average infected PC in the U.S. holding more than 24 different spyware programs.

Based on what's happened in 2005, it's hard to believe the volume of spyware in the wild will level off anytime soon, said Michael Cobb, an expert and founder and managing director of London-based consultancy Cobweb Applications Ltd.

"I think it's going to have to get worse before it gets better," Cobb said, because users aren't aware of the need for antispyware applications as they are with antivirus apps and firewalls. "It's still very low on their list of security requirements and in terms of awareness."

Shon Harris, president of Logical Security Inc., a McKinney, Texas-based consulting firm, and an expert, said it will be at least another year before the average user understands what spyware is. And even then it will be a challenge to thwart it.

"We will make our tools better, but the threat will always be there because it comes down to what people do or do not do," Harris said. "It is just us security people who think about it all the time and even we don't follow our own preaching at times."

In addition to spyware, application-specific attacks are expected to be a major problem in 2006.

Cobb said attackers are increasingly likely to exploit flaws in specific applications not only because traditional perimeter defenses have improved, but also because generally the application layer is exceedingly vulnerable, especially in cases where insecure Web applications offer a direct route into an organization's database.

He said application security problems are becoming more common because application-layer firewalls are expensive to purchase and implement, and because few organizations emphasize secure application development.

"It's going to take a long time before applications generally are written at a level where the security problem starts to decrease," Cobb said.

While Microsoft has borne the brunt of application security criticism in recent years, Lambert said it's an industry-wide problem, and that all widely used applications are soon likely to become targets.

One often overlooked application threat is instant messaging. Charlotte Dunlap, information security analyst with Sterling, Va.-based research firm Current Analysis, said it's difficult to secure or restrict the use of public IM clients because many companies' workers use them to communicate with co-workers, as well as with others outside an organization's perimeter.

"IM has some good attributes, namely its collaboration usefulness," Dunlap said, "but I think it's just another [application] area for attackers to more easily go after."

Other notable threat trends for 2006 include:

  • Phishing: Cobb said phishing scams will rise to a new level of sophistication, to the point where legitimate Web and e-mail offers from trusted service providers will look less authentic than the fraudulent offers.

    "The banks, financial services companies and other high-profile sites will have to be very careful," he said, "because I think people's concern about phishing will impact not just their ability to promote businesses online, but also possibly online shopping altogether."

  • Blended threats: Lambert said as virus writers become more proficient in the art of spyware, a new generation of dangerous threat cocktails is likely to emerge.

    "Imagine a world where you might have spyware on your computer that records which sites you go to on a daily basis, and then relays that data back to a central server," she said. "Then, knowing which banks I use, I could get a targeted spam/phishing attack from an attacker, but it's no longer a random bank asking for my information. It looks like my bank asking for my information."

  • Data exposures and thefts: In 2006, few malicious hackers will be motivated by the challenge. Instead, Harris said, most will strive solely for financial gain, and that means companies that don't pay extra attention to safeguarding customer information will be victimized, a la Bank of America Corp., ChoicePoint Inc. and TransUnion LLC.

    "We will move out of this 'Wild West' stage we are currently in and move to a more controllable way of catching the bad guys, but I don't think it will drastically improve in 2006," Harris said. "Anytime that people are enticed into making money the easy way and there is a small chance of getting caught, this trend will only continue."
