What Happens Next?


In the immediate future, things are likely to get worse before they get better. Here are some current trends in security:

  • Security becoming more unified. In the past, many companies considered computer security to be network or perimeter security: securing the connection point to the network. But it is becoming increasingly important to include application security as well, because Web services and Web-enabled applications push more and more functionality through port 80. Along with securing the network, companies must make an extra effort to train staff in secure techniques. Hackers targeting a company often use social engineering to try to dupe staff into revealing private information. Imagine a conversation such as the following:

    “Hi Mike, this is Bob from telephone accounts. Your manager, Catherine, wanted us to follow up on your remote access records. According to our logs, you’ve called the number 555-5555 forty-five times in the last month. Can you explain what this is for?”

    “There must be some mistake. I don’t call that number.”

    “You’re not using that number? Hmmm… OK, I’ll follow up on this. What number are you using?”

    “555-1234.”

    “OK, and your usercode is?”

    “Mike1.”

    “OK thanks. We’ll look into it.”

    To make the phone call more realistic, the intruder might learn some jargon and the names of key people in the organization, which is not hard to do. Using the phone number and user code, the intruder can now attempt to break into the system. To properly secure against combination attacks like this, we have to think of security as network security + application security + staff training + physical security. If an attack can use a mixture of threats, companies should consider unifying the security department so that it can respond to combination attacks.

  • Arms race increasing. The race between hackers finding holes and administrators patching holes is increasing in scale and pace. In 1998, the number of reported computer intrusion incidents, including worms and hacker attacks, was 3,734. In 2002, this increased to 82,094, a 2000 percent increase over four years. (A single computer intrusion is defined as a hacking attack or a virus that affects one or more computers.) Every day this year, more than 20 new viruses will be written. The increase in scale and pace is fueled in part by openly available hacking information and hacking toolkits that make it easy for unsophisticated script kiddies to attempt attacks. For example, at the time of writing this book, I notice that I can obtain freely available tools that break WEP (Wired Equivalent Privacy security for wireless networks), inject TCP/IP packets onto wired or wireless networks, try passwords, perform dictionary attacks to break keys, and mount denial of service attacks.

  • Viruses becoming more ingenious. To circumvent antivirus tools, hackers are creating megaviruses, which change every time they replicate and target multiple vulnerabilities instead of exploiting just one weakness. At the same time, viruses may start carrying deadlier payloads that steal or destroy data. Viruses might also begin to be used to open the door to other hacking techniques, such as stealing passwords that can be used to hack into the network. As virus-writing toolkits and techniques become more prevalent, we might see the rise of vertical viruses, which are custom viruses written to attack one specific company and designed not to spread outside of that company. Vertical viruses are hard to detect because most companies rely on commercial virus protection products that are designed only to detect and contain widely spread, or horizontal, viruses.

  • Costs increasing. The cost of protecting against viruses and hacking is increasing. Simply keeping pace with new threats means committing more resources to the problem. If you are not spending more, you will be falling behind. A secure system that is not maintained will gradually degrade in security as new vulnerabilities are found.

As you can see from even this short summary, the future is likely to introduce more concerns about security than ever before. In the next section, we tell you about new developments that are addressing these concerns.




Security for Microsoft Visual Basic .NET
ISBN: 735619190
EAN: N/A
Year: 2003
Pages: 168
