How to secure virtualised IT environments is likely to haunt IT users and security experts in 2008.
This was the view of Joe Telafici, vice-president of operations at the McAfee Avert Laboratory, speaking exclusively to Computer Weekly. The laboratory has global responsibility for developing products that detect and neutralise malware and net-based attacks for McAfee.
Telafici said that he expected to see new products brought out specifically for virtualised environments, and said that users still have a lot to learn about how to configure them securely. "We are still developing best practices," he said.
Telafici said that as information security improves, attackers' attention shifts to more vulnerable targets.
"After a pretty level playing field for some years, in 2007 we saw a big increase in social engineering to facilitate attacks, more precisely targeted attacks and more secretive attacks, as well as a change in motive from fame to fortune," he said.
Telafici said Microsoft had done a lot to improve the security of its products, but attackers were adapting their targets and methods to maintain their risk-reward ratio. Attackers were turning away from the usual targets such as PayPal and eBay to smaller, less sophisticated targets that were easier to subvert.
"The criminals are driven by the risk-reward ratio," he said, "so these changes actually reflect the success of the industry in producing more effective products plus users' greater awareness of what not to do."
Commenting on the Safecode Forum initiative to produce more secure software, Telafici endorsed its aims, but added there was a long way to go, especially given the number of legacy systems. "If you make one piece of software more secure, the criminals will still switch their attention to less secure systems," he said.
Telafici was sceptical of suggestions that software houses should be legally liable for damages from insecure code. "Where do you draw the line?" he said. "I do not think it is possible to write perfectly secure code. Besides, Microsoft was popular because its code was so open. If they close it down, attackers will find a more popular but probably weaker target."
He was concerned that liability could threaten innovation. "The first to market usually reaps the biggest rewards, so they try to make the product easy to use, and this usually makes it more open to attack," he said. "It is the two sides of the same coin."
However, Telafici said the open source movement, which depends on its user community to find and patch vulnerabilities, had some merit as a model for developing secure code.
Looking ahead, he said the effects of the entry of Google and Microsoft into software security are likely to change the dynamics of the market in 2008. He anticipated more mergers and acquisitions among security product suppliers, both to consolidate the market and to fill gaps in product lines.
"We also expect virtualisation to be the big focus area, and it is not clear that users or the security sector understands or has developed best practices yet that address all the issues," he said.
As Microsoft's Vista operating system became more widely used, firms were likely to find many of their existing applications unable to run in native mode. This meant they would have to be redeveloped for Vista or an alternative found. Either way, security was likely to be uppermost in both users' and developers' minds.