Tom Kendra, Group President, Symantec Corp. –
While increased internet connectivity has fundamentally changed the way we do business, it also has introduced new security and IT risks that make yesterday’s approach to security ineffective. Just as new ways of doing business were ushered in with Web 2.0, next-generation security practices must be adopted to ensure a more enlightened era of enterprise security.

Call it Security 2.0—an evolution in security that focuses not only on protecting systems and keeping hackers out but also on securing information and interactions. Security 2.0 is driven by policy, enabled by technology and strengthened by a well-managed infrastructure.

All large and publicly traded companies have IT and security policies they need to enforce. Developing security policies to meet the requirements of external regulations can be difficult and costly. Typically, these regulations do not include specific recommendations on what technologies and procedures a company should put in place to achieve and demonstrate compliance. Basing a security policy on frameworks such as ITIL, COBIT and ISO provides specific guidelines on what information a company needs to secure and what IT controls to implement.

In a Web 2.0 world, security policies must focus not simply on protecting devices but on securing information. After all, the primary purpose of the devices and systems that make up an IT infrastructure is to carry and contain the organization’s most valuable asset—its information. Consequently, a security policy must help organizations manage and control both inbound and outbound content to protect them from the inadvertent or intentional distribution of confidential and sensitive information.

The growing sophistication of today’s attacks and the varied risks that businesses face in today’s connected world calls for security that is both scalable and layered. In addition, businesses must operationalize security by standardizing and automating the processes and the software. This will allow organizations to drive down the costs of day-to-day security activities so they can be more proactive when it comes to protection.

Companies need to have adequate antivirus, antispyware, and other signature-based protection in place. However, these measures are no longer enough on their own and must be layered with more proactive types of protection such as whitelisting or behavioral-based protection that analyzes patterns and reputation to block targeted threats before they happen.

Protecting the network must also be considered. Technologies like Network Access Control and anti-spam appliances are becoming commonplace within large and mid-size businesses to prevent bad things from entering the network. Data loss prevention (DLP) solutions are ideal for protecting the good things—sensitive information like customer credit card data or intellectual property—from exiting through the network.

As security becomes a foundational component of business, the traditional way with which companies manage it must change. A next-generation security strategy should embed security throughout an organization’s business processes. Security policies, workflows and technologies must span disconnected organizations to address the interconnected risks that threaten the organization as a whole, because the organization is only as protected as the weakest link in the security chain.

Tom Kendra is Group President, Security and Compliance Management Group, at
Symantec Corp.

Maksym Schipka, Senior Architect, MessageLabs –

I have been spending a lot of time recently exploring the criminal underworld. The shadow internet economy is a $105 billion business and involves tens of thousands of participants – a market even bigger than the global drug trade.

As senior architect and chief malware researcher at messaging and web security provider, MessageLabs, I am on the front lines of the internet daily, exploring and infiltrating the very websites and chat rooms that the bad guys are using to assemble their next attack.

Speaking Russian fluently, I am able to understand more of the websites, chat forums and exchanges that are very active in online crime. What I have discovered is disturbing. The shadow economy is more specialized and sophisticated than we ever believed possible. Online criminals boast of making $10,000 a day and there is little chance of ever being caught. The shadow economy operates similarly to the global economy with price competition, division of labor, specialized trade and marketing.

The crime starts with the malware author who creates a new virus, Trojan or spyware to infect a computer. These authors market their software in the hopes that a middleman will buy it. Off-the-shelf malware sells for about $250, and $25 per month gets a subscription to updates that will ensure the program evades detection. The middleman uses a botnet to spread their newly purchased malware, using its massive computing power for widespread spamming. As innocent, unassuming computer owners begin to respond, the middleman collects stolen credit card numbers with complete identities which he can sell for around 3 percent of the remaining card balance.

Some middlemen make a business out of laundering stolen credit cards, using a drop service to receive the goods purchased with a stolen credit card. An elaborate system of guarantors and escrow accounts has also emerged to regulate transactions in the underground. This proves that the market is growing more and more sophisticated and is driven by economics and the participants who value their long-term reputation in the shadow economy.

It is clear that the front runners in the shadow economy are constantly working to improve the quality of the products that they sell, testing them against anti-virus mechanisms to guarantee their products are effective. Every time a vendor updates its anti-virus product, the malware author creates a new version. In fact, malware authors can produce new malware as fast as every 45 seconds to keep it undetected.

For those of us in malware detection, this means that there is no end to malware in sight. Heuristic detection is the only surefire way to prevent the bad guys from propagating more malware.

Jack Rogers, Content Editor —
I am pleased to welcome all of our website visitors to the new SC Magazine Awards 2008 Blog. The Awards Blog will feature commentary from C-level executives of our SC Awards finalists, who will be posting their thoughts on current trends in our industry and the key challenges facing all organizations in today’s high-risk security environment. It is our hope that these high-level blog postings will provoke an ongoing dialogue among the industry leaders that are included in this year’s list of finalists. We also are inviting our readers and site visitors to comment on the Awards Blog postings.

All subjects related to the critical issues and challenges facing our industry are open to discussion on the SC Magazine Awards 2008 Blog. We ask only that bloggers avoid product-specific commentary in your postings, so we can maintain a high-level discussion that cuts across all sectors of the diverse universe that encompasses IT security.

We want to make it as easy as possible for you to participate in our new SC Magazine Awards 2008 Blog. All you have to do is email your blog postings or commentary to me at jack.rogers@haymarketmedia.com, and I will post them on our site.

Here are a few simple guidelines:
Blog submissions should not exceed 500 words.
All submissions should be vendor-agnostic and exclude product/service proselytizing.
Blog postings and commentary should focus on topics, trends and risks most relevant to today’s security industry.
Blog submissions must include byline, title and company name for author.

I’m sure you agree that our new SC Magazine Awards 2008 Blog is an excellent way for the security thought leadership of our industry to address the key issues facing everyone in IT security. Once again, welcome to the Awards 2008 Blog!
Jack Rogers
Content Editor
SCMagazineUS.com