People may remember 2005 as the year that corporate America woke up to the problem of data breaches and the importance of data privacy. Data leaks at Bank of America Corp., LexisNexis Seisint division, ChoicePoint Inc. and CardSystems Inc. fed headlines for months, spawned countless lawsuits on behalf of aggrieved consumers and provided the impetus for federal legislation—still pending—to protect consumer data. But what will 2006 bring?
More of the same, say leading security experts.
More than ever before, enterprise IT managers will have to fight a battle on two fronts next year. On one side, more sophisticated and targeted attacks from organized, online criminal groups will test networks in new ways that are hard to detect.
At the same time, enterprises that have just begun to get their arms around regulations such as the Sarbanes-Oxley Act, HIPAA (Health Insurance Portability and Accountability Act) and the PCI (Payment Card Industry) security standards must continue demonstrating compliance with those regulations and strengthen corporate control over user access to sensitive data, experts say.
The threat facing enterprise networks has shifted in the last months from viruses, spam and worms to "bot" networks of zombie computers, said Paul Judge, chief technology officer at CipherTrust Inc., of Alpharetta, Ga. CipherTrust sees more than double the number of attacks from zombies on its customer base today than it did a year ago—about 250,000 a day, Judge said.
The change in attacks has put a bigger premium on CipherTrusts TrustedSource Internet monitoring service than on the companys spam detection technology, he said. Originally started to identify the source of spam e-mail messages, TrustedSource now tracks armies of zombie computers, Judge said.
At the same time as attacks are changing, companies next year will have to wrestle with government and industry regulations, said Murray Mazer, co-founder and vice president of Lumigent Technologies Inc., in Acton, Mass. "In 2005, people were trying to get their head around what it means to comply and be responsive to the laws," Mazer said. In 2006, companies that have a grasp on compliance will begin to implement tighter controls on their sensitive data, he said.
Enterprises will need to do a better job of auditing their networks, putting strong controls around databases, and deploying continuous assessment tools that can spot suspicious activity or problem configurations on networked systems, he said.
Meeting audit requirements for PCI and other legal and regulatory frameworks scored first and second on Rick Wenbans security Top 10 list for 2006. "I really believe the biggest costs and problems a company faces are not from the once-in-10-years security breach, but the day-to-day inefficiencies and monthly audits," Wenban, an information security consultant for Michaels Stores Inc., of Irving, Texas, wrote in an e-mail.
Enterprises have a firmer grasp on what information on their network is important and are starting to look for ways to automate data collection, reduce human error and spot malicious behavior, Mazer said.
The IT staff at Thomson Learning, a division of Thomson Corp., is creating an enterprisewide specification for SOAP (Simple Object Access Protocol) headers that will allow administrators to audit Web services transactions across the whole company, said Christopher Crowhurst, president and principal architect at Thomson Learning, in Stamford, Conn.
"Were a large company, and there are so many places [auditors] have to go to get the data they need," Crowhurst said. "If you have one consistent place and schema to do that, you can dramatically reduce the cost."
Identity management and user provisioning were third and fourth, respectively, on Wenbans Top 10 and promise to be high on the agenda of many enterprise IT departments in 2006.