Business Daily from THE HINDU group of publications
Monday, Mar 10, 2008
eWorld - Security
Columns - Security Musings
Stress on safety

R.K.Raghavan


Cisco's Annual Security Report drives home the need for constant vigil in cyberspace.

Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security.

(John Allen Paulos, A Mathematician Plays the Stock Market, Basic Books, 2003)

Technology giant Cisco obviously does not want to be left behind its competitors in disseminating knowledge on information security to the world at large. This is evident from its recent decision to prepare and circulate, for the first time, a document devoted to the subject.

Called the Annual Security Report (ASR), it makes several recommendations to organisations on how to protect their information assets. The document may not exactly make sensational reading. Its recommendations, nevertheless, constitute distilled conventional wisdom that is so crucial to making computer users more conscious of security requirements than they are now. Viewing it from this perspective, we need to commend Cisco for having taken the first step.

The ASR, no doubt, recognises the value of the traditional approach of protecting content from the usual threats posed by worms, viruses, Trojans, spam and phishing. But it believes that an organisation should go beyond content protection to risk management. The six categories of risk identified by the ASR flow from factors in the areas of vulnerability, law, trust, identity, human relations and geopolitics. These call for measures such as anti-malware and data-leakage protection, enterprise risk management and disaster planning.

These risks persuade the ASR to make seven broad recommendations. They include conducting periodic audits, changing the mindset of employees, consumers and citizens (who should become proactive against threats and not be mere spectators as they are now), making security education a priority and influencing security suppliers to provide comprehensive security systems that extend throughout the network infrastructure.

Surveying incidents reported during 2007, the ASR said that the good news was the slight decline in operating system (OS) and server OS vulnerabilities. As against this, the bad news was the rise in web application attacks, thanks to the dramatic increase in the number of e-commerce, customer relationship management (CRM) and other Web applications.

Among Web-related software, RealNetworks' RealPlayer, QuickTime and Sun's Java came in for special attention from attackers. Business applications such as the MS Office suite, the OpenOffice suite, Adobe products and Symantec antivirus suites were also targeted by hostile elements. The report noted that malware continued to grow more sophisticated, with a view to stealing account information from banking Web sites. Also, mobile device attacks were reported by 80 per cent of the operators surveyed by Cisco.

Last year also witnessed more ingenuity on the part of those who launched spam attacks. In 2005 and 2006, image spam made news. As if this was not enough, 2007 saw the emergence of a novelty that took the form of introducing spam within document attachments. Spammers were seen using common office document files to deliver spam messages that could successfully elude conventional spam-filtering techniques.
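The evasion described above works because a conventional filter scores only the message body, while the pitch sits in an attached office document. The following is an added example, not code from the column or from Cisco's report, showing how a screening step can extend the same scoring to attachments: zip-based office formats (DOCX, XLSX, ODT) are unpacked and their XML stripped to text, and anything else falls back to a `strings`-style extraction of printable runs. The keyword list and the sample message are constructed for illustration; a real filter would use a trained classifier in place of `spam_score`.

```python
"""Attachment-aware spam screening (added example; keyword list and sample are constructed)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a real classifier: phrases typical of pump-and-dump spam.
SPAM_TERMS = ("stock alert", "pump", "guaranteed", "act now", "cheap meds")


def office_xml_text(data: bytes) -> str:
    """Recover visible text from a zip-based office document (DOCX/XLSX/ODT).

    Every XML member is concatenated and its tags removed; returns '' when the
    bytes are not a zip archive so the caller can fall back to another method.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            xml = b"".join(zf.read(n) for n in zf.namelist() if n.endswith(".xml"))
    except zipfile.BadZipFile:
        return ""
    return re.sub(rb"<[^>]+>", b" ", xml).decode("utf-8", "replace")


def printable_strings(data: bytes, min_len: int = 6) -> str:
    """Fallback for binary formats (legacy .doc, .xls, PDF): runs of printable ASCII."""
    return " ".join(m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, data))


def attachment_text(part) -> str:
    """Best-effort text for one MIME attachment part."""
    payload = part.get_payload(decode=True) or b""
    return office_xml_text(payload) or printable_strings(payload)


def spam_score(text: str) -> int:
    """Count occurrences of the constructed spam phrases (case-insensitive)."""
    lowered = text.lower()
    return sum(lowered.count(term) for term in SPAM_TERMS)


def screen_message(raw: bytes, threshold: int = 2) -> dict:
    """Score body and attachments separately and report both verdicts.

    'spam_body_only' is what a body-only filter would decide; 'spam_with_attachments'
    adds the attachment score, which is where document-borne spam shows up.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_score = spam_score(body.get_content() if body else "")
    attach_score = sum(spam_score(attachment_text(p)) for p in msg.iter_attachments())
    return {
        "body_score": body_score,
        "attachment_score": attach_score,
        "spam_body_only": body_score >= threshold,
        "spam_with_attachments": body_score + attach_score >= threshold,
    }


def build_sample() -> bytes:
    """Constructed sample: innocuous body, pitch hidden inside a DOCX-style attachment."""
    doc_xml = (b'<?xml version="1.0"?><w:document><w:body><w:p><w:r>'
               b'<w:t>STOCK ALERT: guaranteed gains, act now</w:t>'
               b'</w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc_xml)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Document for your review"
    msg.set_content("Hi, please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="report.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(screen_message(build_sample()))
```

On the constructed sample the body scores 0 and the attachment scores 3, so a body-only filter passes the message while the attachment-aware check flags it. The same two-stage approach applies to images (2005-2006 image spam) if an OCR step is substituted for `attachment_text`.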

What should be of the greatest concern to all of us, organisations and individuals alike, is that malware development has become a highly profitable commercial activity for many criminal elements. (I would strongly recommend to my readers that they read a blog entitled 'The Cybercrime Service Economy', dated February 1, 2008, posted by Scott Berinato, Executive Editor of CSO magazine, at http://conversationstarter.hbsp.com.) For instance, there are now any number of subscription-based attack services that offer viruses, Trojans and other malicious code for sale. In this connection, it is significant that the anti-virus vendor Sophos recently claimed to be identifying some 30,000 new malicious Web sites a day.

Can there be anything more forbidding or despicable to the honest computer professional? This is something that should exercise law enforcement agencies, and not merely software producers.

PREDICTIONS FOR CURRENT YEAR

The most significant part of Cisco's ASR is the one that makes bold predictions for the current year. It expects exploitation of application vulnerabilities to grow, and multiplatform attacks that aim to maximise the impact of a single attack. Organisations, more than individuals, will be the targets of professional attackers, a tribe that is fast growing across the globe. Also possible is a shift in the focus of attacks from hard drives to system memory, driven by the steady increase in average RAM size.

What I like best about the ASR is the number of passages it quotes from a wide spectrum of philosophers and jurists. These aphorisms bring home to the reader the basic wisdom of securing ourselves from threats emanating from both within and outside. The one that impressed me most was from Confucius:

The superior man, when resting in safety, does not forget that danger may come. When in a state of security, he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his States and all their clans are preserved.

I wonder whether any other pithy saying could have described better the perils that await a careless man or a careless organisation.

In conclusion, there is something that would interest those looking for a deep study of spam attacks. It was generally believed that the ongoing US Presidential primaries would see a lot of spam activity. Surprisingly, there has been very little of it, possibly because of, as Symantec reports, the risks involved in a high-visibility campaign that is being closely monitored by several agencies.

Symantec and the other leading antivirus vendor, McAfee, however, put on record a lone spam attempt that tried to hoodwink users into downloading a Trojan horse pretending to be a video of Senator Hillary Clinton in action before the Virginia primary.

The bogus e-mail led the unwary user into clicking an embedded link that promised a full video of an imaginary interview by the Senator.

Those who fell for the bait actually became victims of a Trojan that turned their Windows-running PCs into spam-spewing bots. I am sure this was a sufficiently powerful trauma which should caution us to be much more wary than we are now while surfing the more and more alluring cyberspace.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.


Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line