Ten to fifteen years ago, the security threats to information systems were primarily mischievous in nature. Malicious elements focused on defacing web sites and hacking into computers as a demonstration of technical skill. The most damaging malware of the previous decade was simply destructive in nature, deleting data or denying service. Modern malware is much more insidious, seeking to compromise systems and stealthily steal valuable information. Modern security threats are primarily an organized criminal activity that is focused on making money through the sale of illicitly acquired information. Ten current and emerging security topics are detailed herein.
1. Data leak prevention
In an interconnected world, it is very easy for employees to unintentionally send company data to networked locations that are unsafe. As Marisa Mack states in her 2006 article,
“As it turns out, a lot of information compromise happens not because of a malicious or rogue employee bent on destruction, but rather because users are preoccupied–they’re thinking about bolstering the bottom line or bolting for the door to get to dinner on time. They may be unaware of policy, uninformed about information handling or security procedures, or unconvinced that their acts could really affect security.” (Mack, 2006)
2. Securing web services and service oriented architectures
Web services protocols (WS-*) and the service-oriented architectures they support allow loosely coupled programs to be joined together to form fluid applications. However, securing service-to-service communications can be very challenging. Imamura et al. describe some of the challenges and potential research areas within this technology domain. (Imamura, Tatsubori, Nakamura, & Giblin, 2005)
3. Securing information in the cloud
There is a strong industry trend towards cloud computing, public and private clouds, and numerous as-a-service paradigms (software, platform, infrastructure). The cloud category offers significant returns on investment, more options between OpEx and CapEx, and more agile provisioning. However, there are significant unknowns surrounding data security. Kandukuri et al. review many of the security issues that must be addressed via service level agreements when engaging cloud-based services. (Kandukuri, V., & Rakshit, 2009)
4. Data-at-rest encryption, encrypted hard disks, and solid-state disks
Software-based data-at-rest encryption has become a standard for protecting business laptops. However, software-based solutions incur a performance penalty. Hard disks with built-in hardware-based encryption are expected to be widely available in the near future. Solid-state disks present a separate challenge for organizations that have compliance requirements associated with being able to securely wipe data. Some SSDs have spare blocks for redundancy that may not be erasable. (Diesburg, Meyers, Lary, & Wang, 2008)
5. Biometric authentication
Single and dual-factor authentication mechanisms provide effective authentication in many circumstances. However, increasingly sophisticated attacks and increasingly sensitive information on networked computers mean that biometric authentication is needed to ensure people are who they assert themselves to be. Biometric authentication is complicated and susceptible to false positives and false negatives. In addition, there are privacy concerns associated with using a person’s body as an authenticator. (Bhargav-Spantzel, et al., 2007)
6. Securing health information
With a presidential call for electronic health records and a promise of reduced health care costs from increased information efficiencies, there’s a clear impetus towards digitally storing a person’s most confidential information. However, there are significant security challenges to be met regarding the safe and secure storage of health information. (Mercuri, 2004)
7. Securing financial information
With many similarities to the handling of health information, the handling of financial information is also a critical area for information security research. An increasing amount of financial information is online and must be secured. The Payment Card Industry (PCI) has established a framework for security compliance that promises to help. However, more research is needed to stay ahead of the security threats. (Comazzetto, 2007)
8. Safe and secure social networking
Social engineering has long been one of the most effective techniques for attackers. With the increasing popularity of social networking tools, social engineering becomes much easier. Providing safe and secure social networking while understanding and mitigating the risks is an important area for security research. (Gibson, 2007)
9. Cyber warfare
While the predominant threat to systems is organized crime, there are also state actors involved in information systems security incidents. The use of information systems technologies to conduct warfare is an emergent security threat that requires security research and analysis. (Denning, 2009)
10. Advanced persistent threats and targeted malware
The advanced persistent threat represents the next generation of malware. Because it is targeted at specific organizations and designed with state-of-the-art encryption and evasion algorithms, mitigating this category of malware will require the development of new detection technologies. Jiang et al.’s 2007 research represents an example of the new approaches to malware detection required to defeat APTs. (Jiang, Wang, & Xu, 2007)
Security professionals must remain current with a changing landscape of malicious software and criminal activities. The topics listed above are not comprehensive, but they do illustrate the breadth of current and emerging issues facing information security professionals.
Bhargav-Spantzel, A., Squicciarini, A. C., Modi, S., Young, M., Bertino, E., & Elliott, S. J. (2007). Privacy preserving multi-factor authentication with biometrics. Journal of Computer Security, 15(5), 529-560.
Comazzetto, A. (2007). How to Comply with the Payment Card Industry Standard. Retrieved from http://whitepapers.zdnet.com/thankyou.aspx?regSrc=wp&promo=100500&tag=content;col1&docid=310785&view=310785
Denning, P. (2009). Are Militaries Lagging Their Non-State Enemies in Use of Internet? An Interview with Chris Gunderson. Ubiquity, 2009(October).
Diesburg, S. M., Meyers, C. R., Lary, D. M., & Wang, A.-I. A. (2008). When cryptography meets storage. Paper presented at the Proceedings of the 4th ACM international workshop on Storage security and survivability.
Gibson, R. (2007). Who’s really in your top 8: network security in the age of social networking. Paper presented at the Proceedings of the 35th annual ACM SIGUCCS conference on User services.
Imamura, T., Tatsubori, M., Nakamura, Y., & Giblin, C. (2005). Web services security configuration in a service-oriented architecture. Paper presented at the Special interest tracks and posters of the 14th international conference on World Wide Web.
Jiang, X., Wang, X., & Xu, D. (2007). Stealthy malware detection through vmm-based “out-of-the-box” semantic view reconstruction. Paper presented at the Proceedings of the 14th ACM conference on Computer and communications security.
Kandukuri, B. R., V., R. P., & Rakshit, A. (2009). Cloud Security Issues. Paper presented at the Proceedings of the 2009 IEEE International Conference on Services Computing – Volume 00.
Mack, M. (2006). Data Leak Prevention Tools. Network Computing.
Mercuri, R. T. (2004). The HIPAA-potamus in health care data security. Commun. ACM, 47(7), 25-28.