End of spam, phishing threats not far off

By Eric B. Parizo, News Editor
09 Jan 2006 | SearchSecurity.com

Viruses, spam and phishing may have been big messaging security threats in 2005, but this year expect secure archiving, risk management and layered threat prevention to take center stage.

That's the forecast from San Francisco-based Ferris Research, which last week unveiled its latest report, Top 10 Messaging & Collaboration Issues of 2006.

According to one of the report's authors, Ferris Lead Analyst Richi Jennings, traditionally vexing problems like spam and phishing still exist, but increasingly sophisticated antispam software and its ubiquitous use are mitigating those threats.

"Spam will continue, but people will no longer see it," Jennings said. "And if they can't see it, they can't buy things from spam ads. And if they can't buy, then the spammers don't get paid, since they work on commission. And if they don't get paid, there's no more incentive, and then presto, the spam problem implodes."

But that won't happen overnight. Jennings said it's likely to be another 18-24 months before the spam industry recedes. Phishing may take even longer, he said, but it's only a matter of time before it goes away as well, thanks to improved defenses and an increased willingness among companies exploited as phishing fronts -- eBay, PayPal and major banks, most notably -- to go after phishing outfits.

As a result, Ferris sees other security issues taking the fore. E-mail archiving and retention topped the overall list. Jennings sees it as a security issue because compliance with the Sarbanes-Oxley Act and other government regulations typically mandates secure retention and purging of messaging archives. He said most organizations will need add-on software products or new hosted services to complete these tasks.

The bottom line, Jennings said, is that organizations can no longer risk losing sensitive information that could in turn result in a regulatory violation. "Regulations like HIPAA have a great deal to say about the security and privacy of health care information," he said, "so I think it should be very much top-of-mind."

Mobile messaging security is becoming more important as well, but many fail to realize that it's a two-fold issue. In addition to securing mobile data and the devices it resides upon -- "If someone comes across a lost BlackBerry and wants to extract the data," Jennings said, "it can be quite easy to do" -- it's necessary to constantly monitor and evaluate the risk management aspects of mobile messaging.

For instance, Jennings said, mobile messaging requires an organization to "punch through the firewall and expose a service using an additional protocol," but doing so creates another potential point of entry that attackers could exploit.

"It's a classic risk management argument, and it's something some people don't understand well," Jennings said. "They don't understand how to go about making risk management decisions and understanding the implications, particularly the small and medium-size organizations that choose to run all their IT themselves."

Zero-hour exploit control is also an increasingly urgent issue, Jennings said, because several incidents in 2005 proved that attackers can take advantage of vulnerabilities almost immediately with damaging consequences, most notably the Zotob attacks of last summer that caused network outages at CNN, ABC and The New York Times.

Despite the myriad of emerging messaging threats, Jennings said the best way to circumvent any number of them is through a layered defense strategy, such as using a perimeter security product from one vendor, a messaging-specific product from a second vendor and desktop security software from a third. That way, if one vendor's product fails to spot a problem, perhaps another will.

"It's tempting to go with one vendor whom you're familiar with and just buy an all-in-one product," Jennings said, "but for zero-hour exploits and variability among vendors, it's a good idea to have several security layers."

He also recommended always tracking state-of-the-art messaging security products, because better techniques are always emerging. "The bad guys aren't standing still," Jennings said, "so you shouldn't stand still either."

Tags: Information security management for the midmarket; Risk management for the midmarket; Security tools for the midmarket

All Rights Reserved, Copyright 2007 - 2009, TechTarget