How to securevirtualised
IT environmentsis likely to haunt IT users
and security experts in 2008.
This was the view of Joe Telafici, vice-president of operations
at the
McAfee
Avert Laboratory, speaking exclusively to Computer Weekly. The
laboratory has global responsibility for developing products that
detect and neutralise malware and net-based attacks for McAfee.
Telafici said that he expected to see new products brought out
specifically for virtualised environments, and said that users
still have a lot to learn about how to configure them securely. "We
are still developing best practices," he said.
Telafici said that as information security improves, attackers'
attention shifts to more vulnerable targets.
"After a pretty level playing field for some years, in 2007 we
saw a big increase in social engineering to facilitate attacks,
more precisely targeted attacks and more secretive attacks, as well
as a change in motive from fame to fortune," he said.
Telafici said Microsoft had done a lot to
improve
the security of its products, but attackers are adapting their
targets and methods to maintain their risk-reward ratio. Attackers
were turning away from usual targets such as
PayPal and
eBay to smaller, less sophisticated targets that were easier to
subvert.
"The criminals are driven by the risk-reward ratio," he said,
"so these changes actually reflect the success of the industry in
producing more effective products plus users' greater awareness of
what not to do."
Commenting on the
Safecode Forum initiative to produce more secure software,
Telafici endorsed its aims, but added there was a long way to go,
especially given the number of legacy systems. "If you make one
piece of software more secure, the criminals will still switch
their attention to less secure systems," he said.
Telafici was sceptical of suggestions that software houses
should be legally liable for damages from insecure code. "Where do
you draw the line?" he said. "I do not think it is possible to
write perfectly secure code. Besides, Microsoft was popular because
its code was so open. If they close it down, attackers will find a
more popular but probably weaker target."
He was concerned that liability could threaten innovation. "The
first to market usually reaps the biggest rewards, so they try to
make the product easy to use, and this usually makes it more open
to attack," he said. "It is the two sides of the same coin."
However, Telafici said the open source movement, which depends
on its user community to find and patch vulnerabilities, had some
merit as a model for developing secure code.
Looking ahead, he said the effects of the entry of Google and
Microsoft into software security are likely to change the dynamics
of the market in 2008. He anticipated more mergers and acquisitions
among security product suppliers, both to consolidate the market
and to fill gaps in product lines.
"We also expect virtualisation to be the big focus area, and it
is not clear that users or the security sector understands or has
developed best practices yet that address all the issues," he
said.
As Microsoft's Vista
operating system became more widely used, firms were likely to find
many of their existing applications unable to run in native mode.
This meant they would have to be redeveloped for Vista or an
alternative found. Either way, security was likely to be uppermost
in both users' and developers' minds.