Widespread IT Broadens The Attack Surface

IBM doesn’t think small. It is currently offering to help us all live in a Smarter Planet, in which real-time data is used to make everything work more efficiently.

The idea of embedding more IT into all aspects of our lives, to make them less resource intensive, has been backed by the EU – though it has also come in for criticism.

Whatever the virtues of this, there is one aspect of the IT-managed smarter planet that has had little coverage. IT in every corner of our lives will vastly increase the attack surface through which hackers can attempt to compromise our identities or exploit private data.

“As we do things smarter and smarter and greener, and our supply chains stretch, there is an explosion of data,” says Marc Van Zadelhoff, global business development director for IBM Internet Security Systems (ISS).

With more data spreading into more places, we are seeing an increase in large-scale hacks and breaches, he says – one which IBM documents in its X-Force Threat Reports, which categorise threats according to the ease of exploitation, the value of the data at risk – and the ease with which that data can be monetised by criminals.

“The X-Force report for 2008 has 7406 vulnerabilities,” says Van Zadelhoff. “That’s 20 percent of all the vulnerabilities we’ve found in ten years. Though it’s rising, we think it will level off next year.”

There may be a widely-reported tendency for budget-cutting in IT but, says Van Zadelhoff, “one area that is not getting cut is security.” It’s a $50 billion market, he says, and there’s one factor that prevents any CIO from cutting the security spend: compliance. Companies need to have certain levels of security in place to get PCI certification or to comply with Sarbanes Oxley. “It’s not optional. That’s a ratchet – we have another year of growth ahead.”

Companies are keen to cut their capital expenditure, however, and that is driving them towards a managed services approach, he says: “A lot of companies were traditionally resistant to this, but they have said OK in order to cut their costs.” Managed security includes firewalls and intrusion prevention services (IPS), as well as ID management systems.

Security is moving towards continual monitoring of activity – “not just what can you do, but what are you doing” – to deal with insider threats, says Van Zadelhoff. “It’s not just about stopping bad people getting in, it’s about making sure good data doesn’t get out.”

There’s currently an explosion of vulnerabilities in applications, especially including SQL injection weaknesses: “Databases are badly written,” he says, and vulnerable to having their data manipulated or else denial of service attacks.

Half the vulnerabilities disclosed in 2008 have no vendor-supplied patch – a figure which he says means that flaws take an average of two years to fix. This means users need different ways to spot problems – in particular monitoring traffic and behaviour.

“Security breaches should be avoidable,” he says. “But a firewall is not enough – one technology is not enough. Compliance to regulations is not enough – it’s a bare minimum. You need audits – and yearly audits are not enough.”

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.
