Cybercrime attacks, IT outsourcing, mobile malware top ISF threat list

By Ron Condon, U.K. Bureau Chief
24 Jun 2009 | SearchSecurity.co.uk


Falling budgets, rising cybercrime attacks, strong compliance regulations and mobile users will all make life difficult for information security professionals over the next couple of years.

Those are the main conclusions in a new report from the Information Security Forum, an independent group harnessing expertise from a pool of companies, including some Fortune 100 businesses. The forum asked 200 of its corporate members, all major organisations, to list what they thought would be the biggest threats facing them in 2011.

The top five threats (see sidebar) range from the increased threat of Internet attacks from organised crime groups, to the loss of control resulting from outsourcing and cloud computing.

ISF's Top Five Threats

Criminal attacks
* Crimeware as a service
* Disgruntled employees
* Infiltration of organisations

Weakness in infrastructure
* Reduced investment
* Increased complexity and integration
* Increase in zero-day attacks
* Reliance on third parties for upgrades

Tougher regulation
* Increased emphasis on privacy
* Incompatible laws
* Harsher punishment for non-compliance

Offshoring/outsourcing
* Drive to outsource more business operations and security
* Hard to meet compliance requirements
* Instability of providers

Eroding network boundaries
* Adoption of cloud computing
* Proliferation of connections
* Bypass of defences by new malware

Nick Frost, senior research consultant at the ISF, said the rise of cybercrime attacks is a particular worry. "The criminals are taking a very professional approach, and because they work as very loosely connected groups in different jurisdictions, it is very difficult to prosecute them," he said. He added that there was good evidence to show that some foreign students at U.K. universities had been sponsored by cybercriminal gangs, and had then gone on to work at U.K. organisations.

The recession is also pushing companies to increase the amount of offshoring and outsourcing they do, and Frost said this was often done with little regard for security. "Outsourcing is quite mature now, and companies are looking to outsource more critical business processes. But information security is often only considered at the last moment when these decisions are made," he said.

ISF members also noted a tendency for user-developed applications and files, such as Excel spreadsheets, to be implemented without consulting security people. "They don't really want it to go on security's radar for fear they will try to delay it," he said. Frost added that even with quite large application developments, security would often be brought in near the implementation stage to "try to bolt on some security controls."

ISF members also predicted that mobile malware will become more prevalent as more applications go on to smartphones and the devices' processing power and storage capacity increase.

Respondents also noted their struggles with an increasing number of regulatory requirements, as well as with an IT infrastructure that is becoming more and more integrated and reliant on third parties.

William Beer, director of assurance at PricewaterhouseCoopers (PwC), said many of the mentioned threats could be turned into an advantage, but security people need to adopt the language of business to get their voices heard. "There is an opportunity to get across our key messages. For instance, Sarbanes-Oxley was once viewed as a big cost, but it is now seen as having reduced costs and improved the way companies operate," he said. "If by increasing security, we can leverage confidence and trust during a recession, then we can turn a negative into a positive."
