If there’s one area of it that’s continually in flux, it’s security. Broadly, the definition doesn’t change: it’s about the protection, integrity, access control and availability of an organization’s systems and data. Yet the threats to that status quo are always changing.I think it was back in 2003 that we ran a cover story called The Year of the Worm in the late, lamented eBusiness Journal. Last year was perhaps the Year of the Phish, a year marked by the emergence of socially engineered strategies to pilfer users’ personal information. This may be the Year of Adware, those annoying little pop-up executables that at first appear to be simply annoying, but in fact are a serious threat to system security.
We’re beginning to see the emergence of the zero-day exploit, system-compromising code that’s in the wild the same day a vulnerability is announced (or even earlier). But it’s not just that the bad guys are changing. As technology evolves, vulnerabilities change; as it becomes more pervasive, the potential impact of an insecure system increases.
For example, the convergence of networks has spelled an increase in the use of voice over Internet Protocol technology. The telephone becomes part of the data network, sharing its vulnerabilities. If I can write an exploit to log your keystrokes for me, what can I do with your voice over IP system? Hijack it to make long-distance calls? Make it part of a distributed denial of service attack on the telephone infrastructure? Turn it into a listening device in your office that I can turn on and off at will?
System security is constantly breaking new ground, as we try to keep pace with emerging vulnerabilities — and the bad guys.