With pundits making predictions for the state of cyber-crime and malicious software in 2008, one might be tempted to say, “OK, but what should I do with this information?”
In some cases, this means an increase in specific types of attacks. In other cases, it means the rise of attacks against existing technologies. In all cases, it means that to prepare for next year's attacks you should keep doing what you already should have been doing this year, last year, and before that as well.
Understanding your weaknesses and then implementing “defense in depth” remains the fundamental method of ensuring proper security. Depending on your business, penetration testing (pen testing) may be useful for both understanding your weaknesses and the proper implementation of layered defenses.
Proactive defenses are in order for next year, but have been in order for a very long time.
For a couple of years now we have heard that traditional signature-based anti-virus products cannot keep up with the rapidly growing rate of malicious software being released. Proactive solutions that do not require signatures for each new threat are essential. If you have not already adopted proactive anti-virus solutions, then in 2008 you can be more secure by doing so.
For the record, anti-virus is really a misnomer. Most anti-virus products detect much more than just viruses. Your anti-virus product should detect viruses, worms, trojans, adware, spyware, rootkits and bots. To find out what products are providing high levels of proactive detection for these new threats you can look through the retrospective tests of AV-Comparatives.org. Be sure to include false positive rates in your assessment of products.
Much noise has been made about increases in VOIP (voice over IP) attacks. Preparing for these attacks next year is not proactive, it is reactive. The technology is already here, and potential attacks have been discussed. Waiting for the war to start before you mobilize your army isn't a great strategy.
Internet connectivity in commercial aviation will likely increase in 2008. We already have public wireless Internet access. Aircraft Internet connectivity will require the same types of defensive measures as any public Wi-Fi.
Laptops will continue to be lost and stolen. The key to protecting the data on these devices is encryption. Encrypting the data before it gets lost is proactive. Looking for the laptop after it is stolen is reactive. Does it really matter if a lot of data is compromised this year and a whole lot more will be compromised next year? If your data is sensitive and you are prepared this year, next year will present little in the way of challenges.
One of the key but generally neglected areas of security is education. Social engineering is increasingly used to lure users into running malicious software and divulging valuable information. The time is far overdue to teach employees at all levels how to recognize and avoid social engineering attacks. Policy is critical to a successful security profile, but without education some employees will be unable to comply with policy. If users do not understand that using a hotel business center computer can compromise the contents of their documents, they may not know how to comply with confidentiality policies.
Auditing is also an essential part of security. If a fire alarm rings and nobody hears it, does it make a noise? Your log files are early warning systems that can reveal mounting attacks against your network. Log files are also valuable forensic tools, if you use them.
If you are already prepared for this year's security threats, then you don't need any advice on how to prepare for next year. If you are not prepared for next year's threats, then start doing what you should have been doing last year: implementing an in-depth defense through proactive security solutions, education, policy and auditing. Doing so will go a long way toward preparing for 2008.
Randy Abrams is the director of technical education at ESET and a passionate security evangelist. Prior to joining ESET in 2005, Abrams held various security positions at Microsoft. He also publishes a weekly podcast on a variety of security topics at http://eset.com/podcasts/index.php.