Open source software security

The New Threats in Computer Security

30 November -0001

I recently attended the Educause Security 08 conference in Washington, DC. There were many wonderful presentations at the conference and I came away with a lot to think about. One of the trends that seemed to come up over and over again was the changing landscape of computer security. There seems to have been two major sea changes in information security over the last couple of years. These changes must fundamentally alter the way information security professionals regard their charge or face obsolescence.

The first major change is the shift in composition of attackers. As recently as five or six years ago the average attacker was someone out to prove their skills. These attackers were looking to deface a website or host an IRC server or FTP dump. The attacks then were generally annoying but didn't cause serious harm unless the attacker mistakenly deleted something. Today, having hacking skills can make money. Attackers have realized they can sell credit card numbers, PII, bank account information, usernames and passwords and get paid for helping enable click fraud and sending spam. Now that attackers can get paid they are becoming more skilled and specialized. Attackers have developed the skills necessary to become experts in one of these areas in order to reap massive cash rewards. This trend has also changed the targets of many attacks.

The second change involves the targets that attackers look for. In the past, servers with lots of bandwidth were the most common targets of attacks. Today, the end user has become the target. Attackers seek the information stored on or transmitted through end user computers. Additionally, attackers seek to add end user machines as nodes to their zombie (or bot) networks. These networks can carry out sophisticated attacks (such as sending spam) using principles developed for distributed computing.

This shift has meant that instead of defending a few choice machines, security professionals must now defend *every* machine on their networks. Because the target pool has gotten so great the tools that professionals use must change as well. Traditionally firewalls and network intrusion detection systems were sufficient. Today professionals must consider using host based intrusion detection, anomaly based intrusion detection, and increasingly malware detection and elimination is becoming a critical part of computer security.

These changes demand new skills from information security professionals. Just being able to read a packet capture is no longer enough to perform well in this career field. Just as IT is changing, security is becoming less tractable. Security professionals must actively learn and explore new trends. They must evaluate new tools and approaches to doing their jobs. Increasingly they must rely on the power of computers to help them filter out the deluge of information and hone in on critical problems quickly and accurately. There has been a shift from intrusion detection to quick incident response because preventing every security incident has become impossible due to the sheer volume of machines that must be monitored.

All of these evolutions demand a response from security. Organizations that rely on their traditional methods will be overcome. We must find new ways to combat evolving threats and resist the urge towards complacency. Training, and learning from the security community will be key to insuring a safe computing environment in the future.