Just the other week 7,800 professors, students and vendors associated with the University of San Diego were notified that their private income information had been stolen. As with hundreds of thousands of others notified of similar server hacks in 2005, the victims were upset that their mailed notifications included few details and came well after the breach discovery.
In 2005, such catastrophic data breaches and losses are starting to sound like old news. Such disclosures have grown so commonplace in the span of mere months that they now fail to garner gripping headlines as they did just months earlier, when Georgia-based data broker ChoicePoint Inc. was forced to tell more than 168,000 people that private data, which they never knew it possessed, had been stolen by conmen posing as clients.
If any security event marked 2005, it was the collection of companies and colleges forced to come clean about how hackers had stolen information that identity thieves eat up. That's because of a three-year-old California law that requires such notification, under limited conditions. The same approach spread to 20 other states in 2005.
In addition, law enforcement stepped up efforts to find and prosecute the digital-underground denizens behind database heists that spewed out spam, spied on online activities and stole credit data. Congress did its part at times, adding more rhetoric than real debate over new regulations. And millions of dollars poured into individual SOX-compliant companies' security programs, mainly to keep the top brass out of courtrooms.
Then there was the sneaky stuff.
Hackerdom tricked legions of users into downloading keystroke loggers and installing billions of bots that evaded standard detection technologies. Cisco Systems Inc. purged Black Hat security conference attendees' booklets of a researcher's presentation detailing a controversial security hole. When he went ahead with his talk, they called in the lawyers. That researcher, Michael Lynn, now works for the competition.
Data brokers, credit card processing companies, banks, universities and a whole host of other enterprises kept mum as long as they could about how many customers, employees, clients, students and alumni were now at risk due to failed security processes. And an entertainment industry giant tried to pull a fast one by surreptitiously installing a nasty rootkit in millions of machines to prevent piracy.
Based on all this action (or inaction), here's our Christmas "wish list." With any luck, 2006 won't be another banner year for the bad guys.
Lawmakers that do the talk and the walk
After ChoicePoint, Lexis-Nexis Group, Bank of America Corp., Time Warner Inc. and a long, long list (85 and still counting) of other data custodians were hoodwinked or just plain careless with customer data, 21 states enacted their own versions of California's 2003 SB 1386, the nation's first state law requiring that residents be notified when certain unprotected private data is stolen. Some, like New York, made it mandatory that companies also tell the government. New Jersey went a step further and passed laws eliminating the Social Security number as an identifier.
Still, a little less than half of the nation's citizens are now covered. And who does business in just one state now? Congress has tried to come up with a federal data breach notification law, but corporate lobbyists have thus far thwarted its attempts.
CSOs and CISOs who know their role
It's hard to find an industry that doesn't follow data security guidelines within HIPAA, SOX, Gramm-Leach-Bliley and several other federal regulations. While that's given rise to the CSO and CISO, their role hasn't always been clear. So we'll spell it out for you: You're not a techie anymore. You're a business person who must understand supply chains, flow charts, P/E ratios, market trends and all that other stuff you managed to avoid in college in favor of learning C++ and Java. Yes, you still need to stay on top of the latest threats and vulnerabilities, but your role now is to help keep the business in the black -- and out of the headlines. That means understanding the working world as an MBA, not an MCSE.
Vendors that truly understand (and don't add to) our pain points
Sure, more developers are aware of secure coding and are using more diagnostic tools to vet their programs before they are put into production. But a disturbing trend in 2005 has been the number of vulnerabilities in security software itself that cybercriminals have exploited to spread their malcode. Major antivirus vendors like Symantec and McAfee have fallen victim to this. Most critics admit Microsoft has gotten better at securing its operating system, but say it continues to take it on the chin with regard to applications, such as the widely used Internet Explorer. Firefox, the open source Web browser that gained a strong following largely because of IE exploits, also proved in 2005 that it isn't immune to serious security holes.
A key priority going into 2006 is for more application vendors to carefully scrutinize their offerings before they hit the market and to provide timely patches when inevitable flaws are found. This is especially important because most vendors do not provide automated patching. Most security experts agree the applications running within our networks are the next sweet spot.
That doesn't mean networking equipment and the software used to harden our perimeters will cease to be important. But Cisco's going to remain a big bull's-eye so long as it moves deeper into security and expands its self-defending network initiative. VoIP and wireless providers also will continue to be hot targets, in part because they continue to push functionality over security. Among the most bizarre backlashes has been consumers -- usually young and on the dating prowl -- angered that cell phone makers now have technology to prevent the interception of Bluetooth transmissions known as "bluesnarfing."
Employees and end users that don't undermine efforts
Everyone knows users are the soft spot in security programs. They've even confessed in recent surveys that they take more risks at work -- opening strange e-mail attachments, clicking bizarre IM links and downloading dubious programs -- because they can. Phishing scams and spyware, the two major malware trends in 2005, will continue to proliferate with the aid of increased technical proficiency and sophisticated social engineering. Already we've quickly gone from phony financial Web sites to human-resources e-mails to fake jury duty notices and false subscriber notifications. That means security must continue to save us from ourselves. Just be aware that some of the biggest offenders are probably sitting in the boardroom.
Auditors that are on the same page as the rest of us
At October's Information Security Decisions conference, some security managers privately admitted they are hoping to flunk their next security audit so they can gain more resources to buy some cool toys, particularly in the hot ID management market. That may come easy if auditors and organizations fail to follow the same methodologies when setting up data assurance. The fallout may lead to a preferred framework or two that everyone can follow.
Compliance will remain a major security issue, but the focus will shift toward data security laws and Federal Financial Institutions Examination Council rules now that HIPAA, Gramm-Leach-Bliley and SOX have marinated long enough. The same security vendors will tout themselves as FFIEC compliant.
A new malware outbreak that wipes out the so-called worm war
We're sick of these sons of Bagle, Netsky, Sober and Mydoom. Next year, let's start a new family of online fiends. It'll be a Trojan war, one that may already be under way according to some reports. Trouble is, Trojans are getting better at evading detection. And they are now pretty indistinguishable from spyware that carries a dangerous payload. Better buy a bigger bottle of Excedrin.
A thorough review of the DMCA
This fall Sony BMG created the perfect tool to once again unite the security community. The entertainment conglomerate's seriously flawed anti-piracy tool XCP has been universally condemned since it was "outed" by researchers, many of whom were technically barred from examining the hidden hacker tool because of limitations in the DMCA. The blogosphere brought it to light, and since then it's been all bad news for the company and the British partner that created the creepy code. Lots of lawsuits.
Numerous experts and casual observers have noted that this lends further evidence to a growing argument that the omnibus, Hollywood-heavy Digital Millennium Copyright Act needs a major overhaul -- one that allows security researchers to investigate these kinds of tools without fear of prosecution. And yet fewer security researchers and research advocates have chimed in during this round with recommendations for tweaking the legislation. Many say they've been discouraged by the very low rate of approval for change.
But more ammo may come as details in the Sony case emerge, victims demand compensation and lawmakers realize this may just be a vote-grabbing issue. Lawmakers actually working for the pure benefit of the people, we realize, is a pipe dream. But, 'tis the season.