Web threats dominate security landscape

This year, the overall trend for most security threats appears to be Web-related--most are either directly from the Web, or a result of being connected while on the go.

According to the Unisys Security Index, the main concern enterprises have about mobility is not that of mobile viruses, but identity theft and data loss.

The survey of 891 Singaporeans conducted late last year showed a high 83 percent of respondents were anxious about identity theft. This is consistent with that of previous years' results, said Unisys Asia South vice president Scott Whyman.

Whyman said in an interview: "In spite of healthy discussion and banks putting in tighter security measures, people still feel threatened regarding identity theft."

Data lost from physically losing devices is a related concern. Anand Jude, business development director of Singapore-based mobile security vendor, Ufinity, said he is seeing a continual uptake of customer demand for mobile phone protection.

Jude said in an interview: "Most customers want to restrict access to personal information on stolen or lost devices. We don't hear much concern about mobile spam, compared to data theft."

Jude noted an increasing number of competitors appearing, providing similar tools for remotely locking phones because of this rising demand. Singapore-based tenCube provides such a service; its CEO, Darius Cheung, said in a previous interview that he was "very optimistic about the market potential" for such services.

Web threats on the rise
Direct attacks on systems delivered over the Web are a growing concern. According to security company Sophos, it discovered one new infected page every 14 seconds last year--that translates to 6,000 new infections a month.

Sophos adds that the majority 83 percent of the sites were not originally malicious in intent, but legitimate sites that were compromised by third parties.

The motivation for such threats is profit, according to Trend Micro.

Raimund Genes, Trend Micro's chief researcher, said in a presentation: "Malware for profit is definitely driving these Web threats," adding that most malware this year will originate from the Web, rather than e-mail--traditionally the medium through which attacks have been delivered online.

Trend Micro chief executive Eva Chen said the reason for this is that e-mail security tools have become commonplace, while Web traffic security is also more difficult to enforce.

Chen said: "HTTP is real time and you need to be able to deal with the latency in the user experience."

Web 2.0 contributing to malware attacks
Malware authors tend to capitalize on trends in user behavior, as with the "Heath Ledger" malware wave earlier in 2008.

Another trend is that malware is targeting the increasing popularity of social networking sites. According to Unisys, breach of privacy is the main hole that malware authors are poking in at sites such as MySpace or Facebook.

Unisys' Whyman said: "As these sites connect to one another, many will cross-reference a member’s credentials. If a hacker can compromise one account, he could end up compromising many."

Such sites also encourage users to share information, because they are social in nature, added Whyman.

Research house, Yankee Group, also said that companies are largely ignorant of such threats, perpetuating the danger. A recent study it conducted found 65 percent of U.S. companies doing nothing to block Web 2.0 applications such as instant messengers and file-sharing programs.

Tom Rashke, senior analyst at Forrester, said companies need to secure the data transferred, not just the infrastructure.

Rashke explained that tools need to go beyond the network into content to determine whether it is a security risk--either incoming as malware or outgoing as data leakage.