The year ahead: Juggling IT risks, opportunities

There's a four-letter word IT pros know all too well: risk.

In 2007, IT executives will need to clearly evaluate risk as they weigh sometimes opposing proposals to bolster security, increase wireless connectivity, extend more business processes over the Internet and address regulatory requirements.

In the end it's a balancing act. To help tip the scales in your favor, we've put together a preview of what the year ahead holds in key technology areas.

For starters, security will be no less challenging in 2007 than last year, when plagues of bots, spam and phishing attacks threatened corporate environs. This year, in addition to generic phishing, enterprises will have to contend with custom Trojans and spear-phishing, aimed at specific individuals or corporations.

"The year 2007 is going to be the year of the custom-Trojan attacks," says Richard Stiennon, chief marketing officer at Fortinet. "These Trojans, which will be targeted at the help desk at a bank, for instance, will avoid being detected by the signature base. Traditional antivirus signatures will be increasingly futile."

"Malicious code won't go away, but attackers will shift their attention to social-based engineering attacks," predicts Oliver Friedrichs, director of emerging technologies at Symantec's Security Response division. This means using every trick in the book to fool a victim into thinking an attacker is a trusted source.

If that's not enough, some say the adoption of VoIP technology, which is subject to denial-of-service and stolen capacity, may lead to disruptions in traditional circuit-switched telephony as well.

"More trouble is yet to come in VoIP, and hackers are going to gain complete control over your VoIP network," says Rohit Dhamankar, senior security manager at 3Com.

Because VoIP servers "are interfacing with traditional ‘old phone' networks," he points out, hackers are likely to launch attacks through VoIP that will seriously affect the telecom infrastructure, such as Signaling System 7 for call setup. The result: downtime and criminal exploitation of the circuit-switched phone system through VoIP.

Other trends, says Friedrichs, can be traced to Web 2.0 technologies, such as AJAX, which support very flexible access to server resources behind the corporate firewall. This very flexibility appears likely to facilitate a new genre of exploits that will be difficult to detect and analyze, he notes.

Meanwhile, with Microsoft's Vista was expected to begin to gain a footprint in the enterprise and on consumer desktops in 2007, all eyes will be watching how well it holds up without patching. So far, some are at least optimistic. "Microsoft has made significant improvements in the core operating system," Friedrichs says.