2011: A Better Year for Information Security?
October 10th, 2011
The year 2010 is behind us; a new year is beginning. Last year will not go down in history as a particularly good year from an information security perspective. Attacks funded and initiated by nation states (particularly the People's Republic of China) continued to occur frequently. So many denial of service (DoS) attacks originated in China that domain name registrars began to distance themselves from entities in that country. The Stuxnet worm, which surfaced last year, proved for the first time that a worm could cause physical damage to the equipment controlled by SCADA and other industrial control systems, and it was almost certainly only the harbinger of a new, more formidable generation of malware. Data security breaches continued to occur at an astounding rate, as exemplified by recent statistics from the Privacy Rights Clearinghouse: nearly 600,000,000 records containing personally identifiable information have fallen into unauthorized hands since this organization began counting in 2005. No one could have guessed the volume of information leaked to the wikileaks.org Web site, allegedly because of the actions of Private Bradley Manning of the US Army. And nobody would have imagined the ferocity of the DoS attacks that WikiLeaks supporters launched against Visa, MasterCard, and other payment card companies after these companies stopped allowing their cards to be used for contributions to WikiLeaks. U.S. Government security efforts continued to flounder, and no major federal cybersecurity legislation was passed in the U.S. last year. Efforts to put a global treaty on cybercrime in place failed. Crime rings operating in Eastern Europe, Brazil, and elsewhere continued to rake in large amounts of money through a plethora of computer crime methods.
Will 2011 be a better year for information security? I do not think so. Why? Information security is, for the most part, still not a board room issue. The economic downturn of the last two years or so is a major reason: companies that are fighting for survival are not likely to increase information security budgets. Government agencies have often faced the same kinds of constraints, and, oddly, despite having initially expressed strong support for improving cybersecurity in the U.S. government, President Obama has largely focused his attention on other issues. Despite laudable efforts to fight cybercrime by law enforcement and investigatory agencies around the world, the global nature of computer crime continues to create significant barriers to bringing computer criminals to justice. Software vendors continue to ship bug-riddled products, and systems and applications continue to have many unpatched vulnerabilities. Even when organizations and individuals are conscientious about installing patches, zero-day vulnerabilities continue to surface, resulting in outbreaks of new, previously unforeseen, and successful attacks. An increasing proportion of malware writers are working cooperatively with others and are well financed by nation states bent on achieving world dominance and by crime rings motivated by profit.
What can change things for the better? As I have said before, it is difficult to appreciate how serious a threat fire is until one gets burned. The same applies to information security. Just look at what suffering a massive data security breach did for security at Heartland Payment Systems: Heartland is now a poster child for information security. Many of the organizations that were victimized by the Aurora attacks less than two years ago have also improved their security posture considerably, albeit still not adequately. Ultimately, major information security incidents serve as the best wake-up call. So if 2011 becomes a better year for information security, it will be due largely to organizations that have been burned getting more serious about security and implementing measures that are appropriate to the risks they face.
I also think that if improvements in the state of information security occur this year, they will in part be due to compliance-related pressures. As imperfect as it is, the PCI DSS standard has resulted in improved security in many of the organizations subject to it. And although FISMA has not really improved security in U.S. government circles, FISMA 2 promises to have a more positive influence.
Let’s hope that I am wrong and that 2011 is a banner year in the practice of information security.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.