Security Strategy

Re:Viewing 2006: The year in security

It was all about data loss this year...

By Will Sturgeon

Published: 14 December 2006 10:55 GMT

2006 lacked 'old school' security scares such as major virus outbreaks or headline-grabbing new threats but, perhaps more worrying, it did see a maturing of some of the biggest threats to our personal and corporate data. More sophisticated and more targeted attacks appear to be the future of security. Will Sturgeon looks back at the year that was.

If it was easy to say 2004 was the year of 'phishing' and 2005 was all about Trojans and spyware then by comparison finding such a concise hook on which to hang 2006 is close to impossible.

But while the overall security landscape may have been less media-friendly in its simplicity, it was not without serious pitfalls and a bubbling under of real portent of worse to come.

The one recurring theme throughout 2006 was the repeated failure to protect personal and sensitive data from harm. This year more than any other was marred by a spate of data thefts, losses and fairly meagre surrenders by end users.

New technology or new end user behaviours tend to bring additional threat vectors and so it proved with the 'whole web 2.0 thing'. The growing trend towards social networking in particular refocused the security glare away from the enterprise and back towards the end user. The increase in 'spear phishing' was symptomatic of this shift.

This year community sites such as MySpace were targeted more frequently than before as they reached a critical mass which made them very tempting for the criminals. The information which members make available on themselves and the fact they are intentionally easy to contact meant new threats grew up around these communities.

Software applications appeared for sale online in 2006 which can launch attacks against whole swathes of the MySpace community. This enables greater social engineering. So for example, criminals can target anybody who has expressed a preference for a particular band or sports team or who has included other keywords in their profile, meaning attacks can be tailored to be more relevant and therefore more appealing to the unsuspecting victim.

With increasing amounts of information about individuals on social networking sites, blogs or even searchable via Google, more targeted forms of phishing are developing. Known as 'spear phishing', this isn't new but it has seen significant growth in the past year.

Companies are also suffering in similar ways. With increasing amounts of information available and easily searchable online, attacks are becoming even more targeted.

2006 also saw an unprecedented number of data losses and thefts from large companies, including news in April that one UK retailer was the source of a credit card scare which affected thousands of users.

That led silicon.com to call for the introduction of US-style laws demanding full disclosure from companies on data breaches. The retailer in this case stayed tight-lipped and refused to admit its liability despite questioning from silicon.com, even when we narrowed down the list of suspects to two.

In February security vendor McAfee warned staff that a CD containing sensitive data on current and former employees had gone missing while in the care of an external auditor.

More data was at large in May when back-up giant Iron Mountain lost tapes containing employee data from one of its customers.

Data loss raised its head again and again throughout the year. In November three laptops were stolen from LogicaCMG containing sensitive employee data belonging to the Metropolitan Police force, once again raising questions about how companies are protecting their data, both physically and digitally.

The concern around this issue is two-fold, fuelled firstly by the fact the modern workforce is increasingly mobile and sensitive data therefore resides in more portable and easily lost or stolen devices. It is also fuelled by a growing awareness among the criminal fraternity that other people's data is worth serious money.

It seems nobody is beyond falling foul of such problems. The UK government for starters has had more than its fair share of bad luck with mobile phones and laptops in recent times – as exposed by a silicon.com Freedom of Information Act enquiry earlier this year.

According to one security expert quoted on the pages of silicon.com this year, laptops are increasingly being targeted because of the expectation they may carry sensitive data which poor protection all too easily gives up.

Other findings, opinions and statistics which came to light over the course of the year suggest companies are doing too little to mitigate the threat of damaging data losses.

This includes the failure to crack down on the use of removable storage devices such as iPods and digital cameras.

With more and more of these items appearing each day in the average employee's handbag or manbag, the potential for huge chunks of data to be taken outside the enterprise, either mistakenly or maliciously, is increasing.

And bearing in mind the 'insider job' is still the commonest form of corporate fraud there is room for improvement there.

However, in light of all this data loss and theft, it's no surprise some businesses were making identity and access management (IAM) a priority this year. According to attendees at Gartner's Security Summit 2006 in London, ensuring strict measures and security around system access is key and requires a careful balancing act between security and usability.

Other threats which were by no means new but which certainly matured in 2006 include the growing amount of spam in our inboxes.

It's not just an increase in total volume of spam but in the size of messages as well, with image spam becoming an increasing problem for companies and individuals.

This proliferation of junk email is being perpetuated by the growing number of bot-nets at large - networks of broadband-connected PCs compromised by a Trojan and used to pump out spam. It's another old problem but one which is apparently showing few signs of diminishing as email users the world over suffer the consequences of predominantly home users failing to protect their home PCs.

Of course where security goes over-hype, disappointment is sure to follow and this year's security industry equivalent of the England football team was the oft-mooted, rarely seen threat of mobile phone viruses.

Operator Orange even went so far as to encourage users to sign up for a £2 per month antivirus service, in association with vendor F-Secure whose widely criticised rhetoric appears almost single-handedly to have created the market it serves.

Slightly more justified in the hype it created is the arrival of Microsoft's latest operating system, Vista, which includes a raft of improved security features. Only the business version of Vista is currently available and with IT chiefs apparently in no rush to upgrade it's going to be late 2007 or 2008 before we see whether the additional security really stands up to life in the outside world.

And finally, one story which dominated the headlines in the security industry this year was undoubtedly the plight of the so-called Nasa hacker, the hapless Gary McKinnon, who was arrested for breaking into a number of US military computers and systems – talking of the ease with which he did it.

McKinnon's trial rumbled on throughout the year as he unsuccessfully fought extradition to the US.

His latest appeal against the extradition ruling is now due to be heard in February 2007.
