Infosec Scenario in 2009

1. Business continuity to get focus over disaster recovery
BCM is a process issue related to building the framework to increase business resiliency and restoration capability, while DR is about building redundancy through infrastructure investments. It is quite likely that fewer new DR site investments will happen than in 2008. But I would not advise cutting down on building your BCM capability – even if you are an SME. Each one of your people does need to know what needs to be done when things begin to fail. This does not require huge amounts of investment, but does require common sense, risk assessment, and regular training and awareness.
Counter: Focus on an effective Business Continuity Plan that takes into account at least the following – fire, ISP failure, transportation link failure, and, yes, a terrorist attack as well.
2. Capital expenditure on security technologies likely to be hit
This is one area that has seen the biggest hit and is likely to continue feeling the impact with new investments simply not happening. So fewer firewall upgrades, fewer adoptions of recently introduced solutions such as Data Leakage Prevention (DLP), Network Access Control (NAC), and others.
Counter: Really look for ROI on your capital expenditure on security technologies.
3. Focus on regulatory compliance to increase
Make sure you know very clearly what your responsibilities are towards data protection – not only for the specific industry you are in – but also for the countries that you do business in. I’ll soon be releasing a write-up on the Indian IT Act, and the new amendments recently pushed through in the Parliament, and what these mean for every individual and every business. Essentially, even if you are not ISO 27001 compliant or PCI DSS regulated, you are still very much legally liable to ensure due diligence to protect your customers’ data.
Counter: While cutting budgets on infosec is fine, don’t end up putting the existence of your business at risk due to negligence towards data protection.
4. Scareware, Social Networking Attacks, Phishing, and others
While Phishing attacks rose quite a bit in 2008, it is quite likely they will become more prevalent, more insidious and a huge pain in the wrong places in 2009. Combined with Scareware tactics, exploitation of social networking sites, and even Google, this is going to ensure attacks are highly smart, effective, and definitely lucrative for the attackers.
Counter: Focus on awareness, not just within your organizations but also within your families and communities.
5. Computer fraud may rise – a lot
Today attackers are not concerned with releasing the latest virus onto unsuspecting Internet users. Do we even remember how long ago it was when CodeRed or Slammer hit us bad? Attackers today – both external and internal – have one simple agenda – making as much money as they can within as short a time as possible. We’re already seeing SAP, Oracle Apps, and business applications becoming the most lucrative target of fraudsters. All they need is the knowledge (if you’ve been working for 2-3 years on the same system you know its flaws well enough), motive (layoffs, salary cuts, no bonuses), and opportunity.
Counter: Invest in forensic accounting, and keep a panel of experts on standby to be called in when fraud happens. Get advice on a list of red flags to watch out for.
6. Cyberwarfare could become a reality
At least as far as the South East Asian region is concerned, we’ve already seen an increase in the number of cyber attacks on Indian banks and government websites. This trend will get more serious and more malicious with some really sensitive data being targeted in the months to come. The next frontier for terrorism will be digital, and we’re all going to be facing the brunt of professional hacking, espionage, and digital sabotage. We’re already seeing this with the current Israeli war on Gaza, and the recent attacks by Pakistani hackers on the Eastern Railways site, and a couple of PSU banks. See this link for in-depth Indo-Pak cyberwar coverage.
Counter: If your organization is governmental, semi-governmental, public sector, or provides a service or utility of national importance, you are pretty much going to be targeted. Focus on securing your external perimeter and get it tested.


1 comment

Would wait eagerly for your write up on Indian IT ACT