GRC Journal - (Page 44) Security & Privacy

Will an up-and-coming threat such as phishing become the most egregious burden and come to shift the attention of corporate America, or will spam’s reign as the king of fiscal impositions continue to dominate the concerns of the manufacturers?

Phishing is a concern to those whose sites have been phished. But I don’t think spam and phishing are at the top of most organizations’ security concerns. A huge bank, like Bank of America, may be concerned about their site being phished; however, for an organization like Gartner, phishing is not at the top of the list of concerns. There are definitely other security threats within most companies where more concern should be placed – like content leakage and the loss of intellectual property.

For most organizations, I don’t think spam and phishing are top security concerns for 2007 – it’s not to say that these aren’t important, but the technologies for detecting phishing sites have gotten better, browsers are evolving to incorporate anti-phishing capabilities, and the technologies for detecting spam have gotten better. For example, in the latest Gartner Information Security Hype Cycle, we position spam on “the plateau of permanent annoyance.” Spam is still there, but it’s become manageable background noise. Every now and then the spammers will come up with new techniques – like using text embedded in graphic images – and then the spam filters will develop techniques to counter the new threat – in this case, open up graphic images and look for text. Spam has gotten to a fairly manageable level; there’s still a lot of spam, but we’re good at blocking the vast majority of it.

I’d say the area where people will be spending the most money and attention in 2007 will be trying to get a handle on unmanaged devices.
Contractors with unmanaged machines, employees working from home with unmanaged machines, employee-owned consumer-oriented devices being connected – all of these things can bypass traditional perimeter security, potentially carry malicious code, and could walk off with corporate data. Gartner estimates that about half of all enterprises will undertake an initiative in 2007 to get a better handle on unmanaged devices connecting to their enterprise assets.

What are the ramifications of taking insufficient preventative measures when securing a messaging platform?

The most obvious ramification is lost productivity; the more stuff that gets through the filters, the more an employee’s time is wasted trying to sift through and get rid of it. It also wastes space on servers; it wastes bandwidth to send that spam around; and it potentially wastes backup resources as well. Ultimately, insufficient preventative measures could waste a lot of corporate resources and is a drain on corporate productivity.

So far, we’ve focused a lot on inbound message protection. There is also a very real concern on protecting from information leakage; people emailing out content, information, source code, formulas, customer lists, etc. that could potentially leak intellectual property.

Does the visibility of spam put organizations’ minds at ease that it is the only substantial threat that endangers their corporation? Is there a need for companies to better educate themselves regarding unseen risks?

There is a risk now that since we’ve gotten pretty good at dealing with spam, we forget that the people with malicious intent will inevitably figure out another way to get to us. Even in the last week, for example, we’ve seen attacks where malicious content was loaded into Wikipedia, and there was another case where malicious content was uploaded into one of the Google video-sharing communities.
These examples are a form of social engineering, but by using the good name and reputation of Wikipedia and Google, they were able to mask their malicious intent. I think the risk is that as things like anti-virus and spam become fairly well-known and well understood, organizations become complacent and forget that those people out there with malicious intent continue to innovate. So, our security protection technologies must continue to innovate as well.

Unseen risks keep me awake at night, where most organizations don’t realize they have a problem. Security tools can’t report on what they aren’t programmed to identify. I believe most organizations are oblivious and blissfully ignorant to targeted threats that are financially motivated, taking false comfort in anti-virus and vulnerability assessment tools that continue to show everything is fine. Our prediction here is that by the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.

Many times, organizations will push back on making investments for threats they can’t see or don’t believe in – just like some people don’t buy flood insurance until they’ve actually experienced a hurricane. In that same aspect, it may take a loss of inside information and public disclosure of confidential customer information for an organization to invest money into educating and protecting themselves from the thousands of unseen risks out there. Others that are more risk aware and more mature in the way that they approach and manage enterprise risk, will understand that the people with malicious intent continue to evolve and proactively make investments in newer security technologies to address targeted attacks before an attack creates damage.

Losing credibility among end-users is an ever present threat associated with spam.
Outside of immediate repercussions, what are the long-term effects of allowing spam to infiltrate an organization’s messaging platform? How difficult is it for a company to regain trust among clientele?

There are two ways to look at this:

1) As an IT department, if I’m allowing spam to come in and waste the time of my end-users, I look bad and it looks like I’m not doing my job. It would also bring into question how confident I am as an end-user at other types of security IT is providing if they can’t keep simple spam out of my inbox.

2) Then there’s the other side; if I am a multi-national bank (let’s say ABC Bank), and somehow, somebody is able to send out spam that uses an ABC Bank’s email address because of a compromised system, that would create a huge loss of public confidence in ABC Bank from their customers.

Q1 2007 | www.btquarterly.com BTQ Business Trends Quarterly 173 http://www.btquarterly.com