If one force drove the computer security industry this year, it was money, plain and simple. Gone are the days when teenage hackers vied for bragging rights by defacing a Web site or writing an annoying worm. In 2005 a more sinister class of hacker emerged, working for money and often using quieter, more precise techniques. 2005 was also the year that the financial cost of security breaches became crystal clear, thanks to a California disclosure law that is expected to become a model for upcoming federal legislation in the U.S.
Crime Pays When You're Online
Online crime is a going (and growing) concern as an increasing number of malicious programs are designed for theft or extortion.
Although 2005 saw no Internet-crippling virus outbreak, as in years past, hackers created countless variations on worms and viruses designed to sneak past antivirus software and take control of PCs. These growing armies of infected computers, called "botnets," were then used to host fraudulent Web sites or, as part of extortion schemes, to mount sophisticated denial of service attacks.
If you're still wondering about the financial justification for security spending, just ask the folks at ChoicePoint. They took a $6 million charge this year after information thieves collected data on thousands of consumers from the company. And credit card processor CardSystems Solutions may yet go out of business from the fallout of a major security breach at the company's Tucson, Arizona, operations center.
With more than 20 state laws on the books requiring disclosure of security breaches, U.S. companies found themselves paying a stiff public-relations penalty whenever computer systems were compromised. Legislation is in the works to make the disclosure law nationwide.
According to a recent survey of security breach victims, consumers don't take the loss of their data lightly. Sixty percent of respondents said they are, at least, thinking of terminating their relationships with the company in charge of the data.
Network Becomes Target
Michael Lynn may have lost his job at the Black Hat 2005 conference this year, but he gained worldwide attention for pointing out something that had previously only been understood by a select group of security experts: Routers can be hacked, too.
Lynn, formerly a researcher with Internet Security Systems, was sued after giving a controversial presentation that showed how he had been able to run unauthorized software, called shell code, on a Cisco Systems router. Since Lynn's presentation, Cisco has patched a number of related bugs in the Internetwork Operating System that runs on its routers, and security experts are wondering if we may someday see the first worm written for routers.
Rootkits for Everyone
Last year, rootkits were considered a relatively obscure form of Trojan horse program made for Unix computers. But in November, the rootkit went mainstream, thanks to Sony BMG Music Entertainment, which shipped a rootkit as part of the copy protection software on a few million of its CDs. After weeks of consumer backlash, Sony recalled the product, but according to security experts, Windows-based rootkits are here to stay.
Microsoft Eyes the Security Market
After building the antivirus software market into a respectable $2.5 billion per year industry, software vendors Symantec and McAfee are nervously waiting to see what will happen when Microsoft becomes a competitor. The software giant is already offering a free beta version of its antispyware product, and an early release of the company's corporate-focused Microsoft Client Protection antivirus software is expected any day now.
Though Symantec has downplayed reports that it has called for a European antitrust investigation into Microsoft, company CEO John Thompson clearly has this new competitor in mind: "They can't use their Windows monopoly unfairly, and the world will be watching," he said of Microsoft earlier this year, adding, "And we will as well."