Twitter and TinyURL
An Ode to Link
There are a lot of ways to get hacked (duh), and manipulating URLs is a prevalent tool for hackers in facilitating an attack. It may not be “the” attack, but it’s a common stage in the attack vector. Links can be misleading, used in spam, and used in XSS attacks. They can also help people legitimately make money through click-through warehouses and even by manipulating affiliate programs. Now, look at Twitter and TinyURL through these lenses and you sorta see where I’m going.
Controls vs. Threats
There are a lot of security controls, but do you really know the threats they are addressing?
Let’s face it, security can be complex, and the fact that attackers are always finding something new to test the industry’s capability makes it difficult to know the real capacity for a control’s effectiveness. As an industry we tend to layer things on one another, applying a defense-in-depth strategy, which is a proven strategy and makes perfect sense. But do we really look at the various security controls through this lens, or are we just putting something in because we think it will help?
Security and Mobility
The little-big problem
Security in the mobility space is not all that new. We’ve seen our fair share of worms, spam, and attacks against cell phones, PDAs, and smartphones. Over the years various products and solutions have surfaced in an attempt to address these challenges, with varying degrees of success. Nevertheless, as cell phones become more and more sophisticated, the gaps in security are becoming alarmingly huge.
Changing Threats
Fundamental shifts that will change everything
Sometimes you have to state the obvious just to make sure the message sinks in, and this is an important message we all need to acknowledge: the threat landscape has changed dramatically and fundamentally. Back in the early 90s, hackers were hobbyists looking to cause harm and gain some street cred in the process. Viruses were a painful nuisance, but at least you knew you had one. As time passed, the fundamental culture of the dark side didn't change. Of course, we began to see more aggressive worms, tools, and attack strategies, but the goal was pretty much the same, with only a few elite hackers tearing into systems and people for financial gain. Today, unfortunately, attacking for money is the norm, the goal, the culture, and it's going to get a lot worse.
The Art of War
Know Your Enemy
There are several books, articles, and models providing guidance for assessing information security risk. Nevertheless, regardless of the amount of information one consumes, determining risk remains more art than science. One must consider the threats, vulnerabilities, likelihood of occurrence, and impact to draw conclusions about risk appetite. For me, one of these elements represents an area few delve deeply into, and that is threats.
Digging Trenches
Threats are more than they appear
With the increasing demand from the business to utilize IT and vast amounts of information more effectively, web services and service-oriented architecture (SOA) solutions are the new frontier of the Internet. The ability to comprehensively leverage information and systems to drive competitive services and products, by enhancing customer, partner, and employee collaboration, is the impetus for the explosion of custom application development in the 21st century. However, this new business approach has become the breeding ground for sophisticated attacks with a broader potential for impact. Meanwhile, the hacker community is significantly more organized, well armed, and seeking new methods to acquire revenue of its own.
Got Spam?
The root of a lot of evil
According to Symantec's March 2005 threat report, spam, usually defined as junk or unsolicited email, made up over 60% of all email traffic during the reporting period from July to December 2004. By anyone's definition, that's a lot of junk e-mail. But, as security professionals know, spam is much more than an annoyance and can adversely affect system and data integrity. Moreover, its existence can be an indicator of a much larger issue.
