Widespread IT Broadens The Attack Surface

Threats are growing, and companies simply do not have the option to ignore the problem. This will drive a more diverse, service-driven security model, says IBM’s Marc Van Zadelhoff

IBM doesn’t think small. It is currently offering to help us all live in a Smarter Planet, in which real-time data is used to make everything work more efficiently.

The idea of embedding more IT into all aspects of our lives, to make them less resource intensive, has been backed by the EU – though it has also come in for criticism.

Whatever the virtues of this, there is one aspect of the IT-managed smarter planet that has had little coverage. IT in every corner of our lives will vastly increase the attack surface through which hackers can attempt to compromise our identities or exploit private data.

“As we do things smarter and smarter and greener, and our supply chains stretch, there is an explosion of data,” says Marc Van Zadelhoff, global business development director for IBM Internet Security Systems (ISS).

With more data spreading into more places, we are seeing an increase in large-scale hacks and breaches, he says – one which IBM documents in its X-Force Threat Reports, which categorise threats according to the ease of exploitation, the value of the data at risk – and the ease with which that data can be monetised by criminals.

“The X-Force report for 2008 has 7406 vulnerabilities,” says Van Zadelhoff. “That’s 20 percent of all the vulnerabilities we’ve found in ten years. Though it’s rising, we think it will level off next year.”

There may be a widely-reported tendency for budget-cutting in IT but, says Van Zadelhoff, “one area that is not getting cut is security.” It’s a $50 billion market, he says, and there’s one factor that prevents any CIO from cutting the security spend: compliance. Companies need to have certain levels of security in place to get PCI certification or to comply with Sarbanes-Oxley. “It’s not optional. That’s a ratchet – we have another year of growth ahead.”

Companies are keen to cut their capital expenditure, however, and that is driving them towards a managed services approach, he says: “A lot of companies were traditionally resistant to this, but they have said OK in order to cut their costs.” Managed security includes firewalls and intrusion prevention services (IPS), as well as ID management systems.

Security is moving towards continual monitoring of activity – “not just what can you do, but what are you doing” – to deal with insider threats, says Van Zadelhoff. “It’s not just about stopping bad people getting in, it’s about making sure good data doesn’t get out.”

There’s currently an explosion of vulnerabilities in applications, especially SQL injection weaknesses: “Databases are badly written,” he says, and vulnerable to having their data manipulated or to denial-of-service attacks.

Half the vulnerabilities disclosed in 2008 have no vendor-supplied patch – a figure which he says means that flaws take an average of two years to fix. This means users need different ways to spot problems – in particular monitoring traffic and behaviour.

“Security breaches should be avoidable,” he says. “But a firewall is not enough – one technology is not enough. Compliance to regulations is not enough – it’s a bare minimum. You need audits – and yearly audits are not enough.”