It's all about the privacy
- By William Jackson
- Feb 06, 2007
SAN FRANCISCO ' The big trends at this year's RSA computer security conference and tradeshow are the escalating efforts by criminals to steal personal information from online systems and the efforts of administrators to stop them.
The hacker community has turned pro, supporting an underground economy of spamming, phishing and extortion that is threatening the legitimate online economy, analysts told reporters.
'There is a fully-developed malware supply chain,' said Andrew Jaquith of the Yankee Group. 'This is a full-time job for a lot of people. It's very profitable to create new viruses that require new signatures and can fly under the radar.'
At the same time, government regulation and increasing publicity about personal data breaches are forcing organizations to take better steps to block these attacks and stop leaks of sensitive data. In the financial industry, the Federal Financial Institutions Examination Council has issued 'guidance' (read: requirements) for banks to do better risk analysis of online transactions and take measures to better secure them. Most are responding by adopting two-factor authentication for customers.
Losses from online banking fraud have been relatively small to date, said George Tubin of TowerGroup. 'But they're rising rapidly.'
Perhaps more importantly, there has been a slowdown in the adoption of online banking and many banks have had to abandon e-mail as a marketing and communications tool.
The overall result is that much of the focus of this year's conference will be on the consumer. RSA is not a consumer IT show, but organizations from banks to government agencies have to find the tools to securely accommodate consumers and end users on their IT systems.
Technology for this will include identity and access management, authentication and encryption of all kinds. End-point security also is a growing headache as devices become smaller, more mobile, more powerful, more varied and more common, said independent security analyst Steve Hunt.
'The one I'm holding in my hand has 2 gigs of memory, but no encryption and no antivirus,' Hunt said. 'I don't know how hackable it is. This has got to be a major concern for organizations.'
Technology for controlling what packets enter and leave an enterprise exists in two major classes. Content filtering matches strings of data to known samples. Another type uses algorithms to look for behavior and patterns of association. The next step in data control is to integrate these technologies, Hunt said.
'You can expect product development language saying they are moving toward each other,' he said. 'Engineering conversations are already happening.'
Hunt also sees convergence of physical and IT security as a major trend, one that is being driven by government in the form of the Personal Identity Verification card mandated by HSPD-12. The cards are intended to be interoperable across agencies and to be used for both physical and IT access.
'The PIV initiatives are driving interest by technology companies,' he said.
Despite attention being focused on data security, Jaquith said the IT security industry is beginning to mature, with a growing focus on integrating existing technology into processes and management. This can be boring, he said, but 'boring is good.'
It also leads to industry consolidation, as successful companies are acquired and less successful ones die out. That shakeout already is beginning, and it could result in fewer vendors exhibiting on next year's RSA show floor, Jaquith said.
'There already is a slight whiff of blood in the air,' he said.
William Jackson is a Maryland-based freelance writer.