The hacker challenge
Summary: Will we ever reach the stage where hackers, rather than system administrators, will constantly be on the offensive?
Talking about IT security tends to bring out people's inner four horsemen of the Apocalypse, or at least their lurking George Bush Jr. "It's an arms race," says Neil Campbell, national security practice manager for Dimension Data. "The bad guys are always innovating and coming up with new ways of circumventing security."
"Hackers and attacks are becoming more and more sophisticated every day and will continually challenge in-place systems," says Paul Serrano, Asia Pacific senior director marketing for NetScreen. "Security systems must adapt and grow with them."
The near-ubiquity of the Internet has also dramatically changed the nature of the security challenge. "Security is being redefined to encompass continuous availability," says Rick Seeto, director enterprise data portfolio for Nortel Networks Asia Pacific. Indeed, the need to make segments of the corporate network available in the form of a Web server has been one of the most significant changes in the typical security setup over the past decade.
The opportunity to sell some extra technology into an otherwise cautious market certainly has vendors champing at the bit. IDC estimates that by 2006, the global market for IT security systems will be worth a staggering $38 billion -- no mean feat in an industry generally considered to be in the throes of a major and prolonged downturn.
Unusually for the generally mature IT space, competition also remains fierce, with dozens of small companies competing for a slice of the pie via their own highly specialised products. "You don't have to be a huge vendor to get some mind share," points out Campbell. Indeed, the proliferation of vendors is such that for many IT managers, the trickiest decision is working out whether you need all the different options on offer. Do you need an IDS and an IPS? How many firewalls are too many?
One relatively undeveloped area is in physical security, although vendors are fond of pointing out that it represents one of the most obvious ongoing threats. "If you can get physical access to a machine, there is no security," says Callum Russell, solutions marketing manager IT infrastructure at Microsoft Australia.
"Some may say that the only secure computer is one that has its power cord removed and has been buried under six foot of dirt," says Daniel Zatz, security specialist at Computer Associates ANZ. "That isn't exactly true. It is possible to dig that computer up and plug the power back in, and then it isn't so secure."
While that's undoubtedly so, IT managers aren't being kept awake at night worrying about whether someone has dug up their old computers and plugged them in. The evidence suggests they're being kept awake worrying about who is going to hack into the ones they haven't buried yet. According to a survey of chief security officers (CSOs) conducted by IDC last year, 59 percent believe that electronic attacks represent the biggest potential threat to their company. Just eight percent expressed concerns over physical attacks to their systems, and a practically insignificant three percent were worried about electronic attacks that might have physical consequences.
Though the survey also revealed that nearly 50 percent of CSOs (a job specialisation that may well ultimately go the way of the late, unlamented chief knowledge officer) are concerned about the possibility of an electronic attack by terrorists, that concern doesn't seem to have spread into the general business community. No, it's busy worrying about the most visible threat: virus writers.
Feeling viral
A steady stream of publicity has ensured that antivirus software has become virtually ubiquitous for all computer users, even if they ignore every other potential security threat. The evidence suggests they are doing just that. In a survey of Australian businesses carried out by the Australian Bureau of Statistics, only 14 percent of businesses using a computer claimed to have no IT security measures in place. However, 80 percent of those businesses which did claim to have a security solution in place were running nothing apart from antivirus software. It seems the notions of fighting viruses and security have become equivalent in the minds of many businesses.
This is both interesting and disturbing, since most security observers agree that virus writers, however much inconvenience they can cause with a successful virus, are hardly typical of the major security threats faced by companies. Because of the relative ease with which viruses, especially macro viruses, can be constructed, virus creators are generally viewed as a distinct category from other hackers.
"Viruses are not a technological phenomenon, they are a social phenomenon," says Dave Perry, global director of education at corporate antivirus vendor Trend Micro. "What drives people to write viruses is the need for notoriety."
"Research into the motivations and backgrounds of virus writers has shown that the early virus writers were not evil incarnate, but rather adolescents who were basically just like the kids next door," notes Sarah Gordon, a psychologist who has spent much time investigating the virus writing community and who has been employed by companies such as Symantec for her professional expertise. "Initially, the virus writing and hacking communities were very much two separate groups. Hacking required a totally different set of skills and mindset from virus writing. Now, with the massive connectivity available, the two skills are having some crossover."
Continuing media hysteria and the steady rise of viruses distributed via e-mail have ensured that most people have antivirus software in place. Fairly straightforward online upgrades mean that most such systems stay relatively up-to-date. This is useful, since the virus community shows no sign of slowing down its activities. Trend's Perry predicts that by 2010 more than 10 million viruses will be in existence.
"Antivirus is like a game of cards in which the highest card wins," says Paul Ducklin, head of technology for antivirus vendor Sophos Asia Pacific. "But not only is there no limit to the number of turns in the game, there is also no highest card in the deck." In other words, no matter what tricks virus writers come up with, antivirus companies can generally work around them in fairly short order.