During a debate at the Information Age Enterprise Security 2005 conference in London, the expert panellists were asked if they thought the information security war was being won or lost. In spite of their desire to be optimistic, the four panellists were unable to deny what they were seeing each day with their own eyes: it certainly is not being won, and it is probably being lost.
If that message sounds depressing to others who must also fight off viruses, spam and other forms of malware, then there is more bad news: "It's going to get worse," says Stuart Taylor, who manages SophosLabs UK, one of the world's most advanced facilities for identifying and preventing viruses and other security threats.
"What we can expect in future? More viruses; more spam; more phishing." Although he thinks that users, aided by security specialists, are winning most battles, "the war continues. It is showing no signs of slowing down." For a few dozen suppliers of security services and software, that is, of course, not necessarily bad news. But for the rest of the business world, it means security issues will take up more time, more money and cause more trouble.
To make matters worse, SophosLabs confirms the views of the UK's High Tech Crime Unit and others that the war is "professionalising". In other words, the so-called "script-kiddies" and teenagers who hacked or built viruses for fun are now being largely (but, of course, not entirely) outflanked by a more sinister group with different motivations. "Money is involved and criminals are very interested."
This change in personnel has led to some clear changes in the number and type of security problems now appearing on the Internet. For example, viruses that caused damage have now been largely replaced by ones that perform a function in support of a money-making scheme.
"Gone are the days when we had damaging payloads. When did you last see a virus that wiped all your files? That was teenage stuff. Professionals want to keep them [the viruses] there and exploit vulnerabilities," says Taylor.
Another development: Two years ago, says Taylor, viruses and spam (unsolicited email) were separate problems, but now, virus writers and spammers are getting together. This approach maximises the distribution of the viruses and spyware, which can be used to help spammers gain more information about a user, or to hijack the machine for the distribution of more spam or denial of service attacks.
SophosLabs has so far recorded about 100,000 viruses in existence, with about 1,200 new ones discovered every month. Of these new ones, some three out of five involve some form of spyware – meaning the computer is being monitored or can be used for further malicious activity without the knowledge of the user.
To date, the vast majority of all viruses found target one type of operating system – the market leader, Windows. Apple Macintosh and Unix systems have, so far, being largely ignored by virus writers. Given the relative market shares of these systems, this is unlikely to change – except in one key area: mobile systems.
So far, only one virus for the Palm operating system and a few ‘Trojans' have been discovered, and none for the Psion Epoc system. This, says Taylor, is largely due to the diversified nature of the mobile platforms. Surprisingly, the PocketPC, which runs a cut down form of Windows, has not attracted the virus writers' attention.
But nobody really expects this to continue. Mobile devices will become much more prevalent, and the Symbian mobile phone operating system (backed by Nokia, Ericsson, Panasonic and other leading device makers), in particular, will be very popular. This will, in turn, attract more viruses.
The new release of Symbian (version 9) could be a turning point: if, as expected, it has much greater security than earlier versions, then, says Taylor, the threat could be squashed from the outset.
But no one should be under illusions: whether it is viruses, spyware, or phishing, the problems are likely to continue to grow. A combination of better technological defences, better laws and better education will all play a role, but none will be decisive.