As a starting point it is worth reminding ourselves that the bad guys never went away, but they too have continued to evolve. As they look for new ways to exploit holes in technology, they have become increasingly financially motivated, as illustrated by cases in the press of identity theft and credit card fraud. Organised crime has picked up where the ‘hobbyist hacker’, doing it for kicks, left off.
Perhaps the most significant trend is towards more intelligent, targeted attacks on both individuals and businesses. Big companies have lived with this for a while, being hit by those extorting money or causing damage for some political motivation. But with smaller organisations and their employees being more visible on the Internet than they have ever been, through their company Web presence, social media, and so on, there is both more risk of becoming a target, and more information available to attackers to work out how best to hit you.
So, what kinds of threats are we talking about? We can consider:
• Malware, viruses and spyware. Recent events such as the Conficker worm suggest nobody should be binning their desktop antivirus or their content filtering tools just yet. Email viruses and malicious code remain a potential problem, but a bigger risk today is spyware downloaded from the Web, which a user can inadvertently install alongside a ‘freeware’ program or a Web site plug-in. Spyware can be used to track the user's activities (logging keystrokes, watching for anything that looks like a credit card number, and extracting other personal and corporate data), to turn the machine into a host for sending spam or launching denial of service attacks on Web sites, or to serve as a relay point for infecting other vulnerable computers.
• Web page drive-by infections. Building on the malware theme above, note that malicious content does not have to be deliberately downloaded or installed: it can be picked up from innocuous and legitimate sites if these have in some way been hacked. In the US, popular sports sites have been infected with malicious code in the past, including major league baseball and hockey sites, and CNN Sports. Such code exploits vulnerabilities in the browser or its plug-ins and can infect a desktop computer without any visible indication, just by visiting the site.
• Social engineering and fraud. In these attacks, a Web user is duped into doing something that opens them up to risk. Social networking has made this easier than ever, bringing many more people into potential conversations with Web-based strangers who may not be who they say they are. Recent examples include the use of shortened URLs (such as TinyURL or Bit.ly) in combination with Twitter: the user is encouraged to click on what is claimed to be a video link, but which actually directs them to a malicious site. Because the shortened link hides the destination, the user has no way to judge it before clicking.
• Misdirection and phishing. This is where fake Web sites are set up to look just like the real thing, typically in an effort to extract confidential information from a user such as financial account details, social security numbers, credit card numbers, and so on. A user may be directed to a phishing site via email or from another site. More sophisticated still are ‘man-in-the-middle’ attacks, in which a corrupt Web site forwards the user's traffic on to the real site and back again, so that the login appears to work normally while the username and password are captured as they pass through the attacker's site.
• Denial of service and botnets. A denial of service attack may be launched on a corporate or governmental Web site, either for extortion or simply because of a political or ideological disagreement: the goal is to make the site unavailable, at least for a period of time. Attacks can be launched from the attacker's own computers, or from so-called ‘bots’ or ‘zombies’: desktop computers infected by malware and controlled remotely, in which case it is a ‘Distributed Denial of Service’ (DDoS) attack. Because the traffic arrives from many sources, each sending a modest amount, it is harder to distinguish from legitimate load and to block at a single point.
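The social engineering and phishing items above both come down to a link the user cannot judge by eye: a shortened URL, a ‘user@host’ trick, a raw IP address, or a look-alike domain. The following Python is an added example (not code from the original page or any product it mentions) of the checks a mail gateway or browser plug-in might run on a link before the user follows it. The shortener list, the protected brands and their domains, and the edit-distance threshold are assumptions for the illustration; it does not resolve shortened links, which would need a network request.

```python
"""Heuristic link checks for shortened URLs and look-alike phishing domains.
Added example; SHORTENERS and PROTECTED are constructed assumptions."""
from urllib.parse import urlsplit

SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}                  # assumed list
PROTECTED = {"paypal": "paypal.com", "example-bank": "example-bank.com"}  # assumed brands


def registrable_domain(host):
    """Last two labels of the host. A crude stand-in for a public-suffix lookup
    (it would mis-handle e.g. .co.uk); good enough for this illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as 'paypa1' vs 'paypal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_indicators(url):
    """Return the list of suspicious indicators found in the URL (empty = none found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = []
    if parts.scheme not in ("http", "https"):
        found.append("unusual scheme")
    if host in SHORTENERS:
        found.append("shortened URL hides the real destination")
    if parts.username is not None:
        # http://www.paypal.com@203.0.113.5/ -- the text before '@' is NOT the host
        found.append("text before '@' is a username, not the destination host")
    if host.replace(".", "").isdigit():
        found.append("raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode (IDN) label; check for homoglyphs")
    reg = registrable_domain(host)
    if reg and reg not in PROTECTED.values():
        sld = reg.split(".")[0]
        for brand in PROTECTED:
            if brand in host:
                found.append(f"brand '{brand}' used inside unrelated domain {reg}")
            elif levenshtein(sld, brand) <= 2:
                found.append(f"'{sld}' is a near miss of brand '{brand}'")
    return found


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin", "http://bit.ly/3abc",
                 "http://www.paypal.com@203.0.113.5/login", "https://paypa1.com/login",
                 "https://paypal.com.secure-login.example/"):
        print(link, "->", url_indicators(link) or "no indicators")
```

A real deployment would replace the last-two-labels approximation with a public suffix list and would expand shortened links server-side (following redirects with a HEAD request) before applying the same checks to the final destination.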
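For the denial of service item above, the practical question is how a flood looks in your own logs. The following Python is an added example (not from the original page) of sliding-window detection over Common Log Format access-log lines: it flags a single source that exceeds a per-IP rate, and separately flags the botnet pattern, where no single IP is noisy but the site-wide rate jumps. The log lines are constructed for the example, lines are assumed to arrive in time order, and the thresholds are assumptions to be tuned per site.

```python
"""Sliding-window flood detection over web access logs.
Added example: log lines are constructed and thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, request, status), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def detect_floods(lines, window=10, per_ip_max=20, total_max=100):
    """Flag sources exceeding per_ip_max requests within `window` seconds, and flag a
    distributed flood when the site-wide count exceeds total_max in that window
    (the botnet pattern: many IPs, each individually under the per-IP limit)."""
    per_ip = defaultdict(deque)
    site = deque()
    noisy, distributed = set(), False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _, _ = rec
        for q in (per_ip[ip], site):
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:  # drop events outside the window
                q.popleft()
        if len(per_ip[ip]) > per_ip_max:
            noisy.add(ip)
        if len(site) > total_max:
            distributed = True
    return sorted(noisy), distributed


def build_sample_log():
    """Constructed traffic: one legitimate client, one single-source flood, and
    40 'bots' that each stay under the per-IP limit but swamp the site together."""
    base = datetime(2009, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for s in range(0, 60, 12):                           # 5 requests over a minute
        events.append((s, "192.0.2.10", "/index.html"))
    for i in range(30):                                  # 30 requests in 5 s from one IP
        events.append((20 + i // 6, "198.51.100.7", "/search?q=x"))
    for i in range(120):                                 # 40 bots x 3 requests within 5 s
        events.append((40 + i // 24, f"203.0.113.{i % 40 + 1}", "/index.html"))
    lines = []
    for offset, ip, path in sorted(events):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))   # (['198.51.100.7'], True)
```

The per-IP rule is what a firewall or gateway can enforce on its own; the site-wide rule is the one that matters for a DDoS, and acting on it usually means rate limiting or upstream filtering rather than blocking individual addresses.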
What to look for in a security solution
So, where can you start when it comes to responding to the threats? Unfortunately, the answer is not as simple as ‘buy a package’. There are a number of requirements on the information security architecture as a whole, which derive from the fact that security is more about managing a permeable membrane to the organisation, than trying to shore up the fortress walls.
It is important to implement protections that can evolve alongside any threats and changes in use, across all channels and wherever users might be connected. This may sound like a tall order, but what it implies is to provide an appropriate selection of protection mechanisms, deployed and managed in a co-ordinated manner.
The main options for Web security differ not so much in which threats are addressed (the answer is ‘all of the above, in some way’) as in how they address them. There are three places you can apply protection: on the desktop, at the edge of the organisation (e.g. a firewall or a gateway appliance), or within the Internet itself, as a hosted service that traffic passes through before it reaches you. This last option is becoming more prevalent given the increasing interest in so-called ‘software-as-a-service’ (SaaS) based security applications.
Below we consider the required characteristics of security solutions, and the relative benefits and costs of each approach. Note, however, that we do not see this as a one-or-the-other decision: each approach fits different needs better.
• Confidentiality and data leakage. Any information transmitted over the Internet must be considered at risk of being seen or in some way tampered with. This goes for corporate information as well as personal information: we know, for example, that Web mail accounts are a major conduit for confidential information leaving organisations. As we have already seen in the case of phishing attacks, hackers can be quite innovative in obtaining confidential data; adding social media into the mix creates additional information leakage challenges and raises concerns around Internet acceptable usage policies. For example, there is now a site which ‘follows’ the Twitter feeds of top executives. Should the head of business development be broadcasting about potential M&A activity, or indeed where they are going for lunch? Another recent example involved the spouse of a UK security service head sharing personal information on Facebook.
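The Web mail leakage point above is where an outbound content check earns its keep. The following Python is an added example (not from the original page or any product it mentions) of the simplest useful data-leakage check: finding payment card numbers in text that is about to leave the organisation and confirming each candidate with the Luhn check digit, so that order numbers and phone numbers are not flagged. The sample message is constructed and uses the well-known test card number 4111 1111 1111 1111; the decision structure returned by `check_outbound` is an assumed shape, not any gateway's real API.

```python
"""Outbound card-number (PAN) detection with Luhn confirmation and redaction.
Added example; SAMPLE_MESSAGE is constructed."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match):
    return re.sub(r"[ -]", "", match.group())


def find_pans(text):
    """Return the card numbers (digits only) in text that pass the Luhn check."""
    return [d for d in (_digits(m) for m in CANDIDATE_RE.finditer(text)) if luhn_ok(d)]


def redact_pans(text):
    """Replace each confirmed card number with asterisks, keeping the last four digits."""
    def repl(m):
        d = _digits(m)
        return "*" * (len(d) - 4) + d[-4:] if luhn_ok(d) else m.group()
    return CANDIDATE_RE.sub(repl, text)


def check_outbound(message):
    """Decision a mail gateway or DLP hook would make for one outbound message."""
    pans = find_pans(message)
    return {"block": bool(pans), "matches": len(pans), "redacted": redact_pans(message)}


SAMPLE_MESSAGE = (  # constructed: one real-looking PAN, one order number, one phone number
    "Hi, please charge 4111 1111 1111 1111 for order 1234567890123456 "
    "and call me on +44 20 7946 0958 if there is a problem."
)

if __name__ == "__main__":
    print(check_outbound(SAMPLE_MESSAGE))
```

The order number 1234567890123456 has the right length but fails Luhn, and the phone number is too short to be a candidate, so only the card number is reported. Luhn is a format check, not proof that a number is live, so a production policy would normally combine it with issuer prefix ranges and a hit threshold before blocking rather than redacting.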
Just how serious are these risks? There are a number of Web sites which monitor such things, and while there is no need to panic, the general advice is to be vigilant. In the past, individuals and organisations have set store by ‘security by obscurity’, or, otherwise phrased, “Why would anyone bother targeting me?”
The answer is twofold. First, the very mechanisms that have enabled the Web to grow so wide have also given the bad guys broad scope when it comes to attacks (DDoS, for example): everyone who is connected is in some way vulnerable, if only as a source of bots. Second, if there is money involved, there is an increasing likelihood of targeted attack. This is as true for corporations as for successful individuals. As technology continues to evolve, for example in terms of virtualisation, cloud computing and smart devices, so do the innovative ways in which people can be exploited.