My 2008 Security Predictions!

by Anton Chuvakin

I just have to start with this quote from Rich Mogul: "... Legions of armchair futurists slobber over their keyboards, spilling obvious dribble that they either predict every year until it finally happens or is so nebulous that they claim success if a butterfly flaps its wings in Liechtenstein." :-) Amen to that, Rich. Onwards to my 2008 predictions!

So, just as in 2006 and 2007, I am coming up with security predictions that cover both technology and market. I just posted a review of my last's year's prediction where I mostly erred on the conservative side. I promise to be more 'extreme' this year, while still keeping the old wisdom of Richard Feynman in mind: if you predict the status quo, you are more likely to be correct...

Here is my 'twitter-style' (I guess what used to be called telegraph-style :-)) view of predictions in no particular order:

Platform security:

  • Vista makes us secure = no. People start to actually use it (in large numbers) = maybe. And then get 0wned = yes! The volume of Vista hacking (and then Win 2008 hacking) will increase as the year progresses.
  • Increase in Mac hacking = yes. The story is that Vista drives Mac adoption -> Mac increase in popularity will drive a new wave of Mac "0wnership"
  • Web application hacking still on the growth path = yes. As they say, 'it will get worse before it gets better.' I am predicting that 2008 is still the year when it continues to be getting worse.

Vulnerabilities:

  • 0days use becomes mundane = yes. This will be especially true for those browser-hacking folks who "need" to earn some cash off phishing and other data theft. Thus, "0day use" will no longer constitute news!

Hacking, data theft, etc:

  • Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!
  • Major utility/SCADA hack = no (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait another year or so for this ...
  • Cyber-terrorism = no (again, not yet!) Will it be a reality in the future? You bet! Just not now ...
  • A massive data theft to dwarf TJX = yes. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.

Malware:

  • The year of mobile malware = no (not yet, if you insist!). As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal (not the case yet in the US)
  • More fun bots = yes. Bots are here to stay: they follow an overall trend for IT automation (seriously!). Think of bot infrastructures as "shadow IT" with their own SLAs, business model innovation, performance optimization tactics, etc
  • Fewer worms and viruses = yes (why write one if you can make money off bots?) As the share of "conventional" viruses and worms in the whole malware universe decreases, so will the popularity of "legacy" AV vendors ...
  • Facebook malware/malicious app = yes . This one will be fun to see (others agree), and current malware defenses will definitely not stop this "bad boy."On the flip side, there is not that much to steal off Facebook accounts ...

Compliance:

  • PCI DSS continues its march = yes. In fact, I bet PCI DSS frenzy will spread downmarket - there is sooooo much more Level 3s and Level 4s compared to Level 1 merchants. They all take CCs, they are all insecure - thus, they will all be 0wned! And then hopefully fined :-)
  • ISO17799, ITIL, COBIT frameworks = maybe (again); they likely won't be 'hot,' at least not in the US; ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule.

Risk management:

  • Will we know what risk management actually is in the context of IT security = no. Some people (e.g here) might, but not the majority. And don't even get me started on security ROI :-) This part of security realm will continue to be occupied mostly by loudmouths who will spout, but never define; rant, but never explain; blab, but never clearly state. Sorry to those who are not like this, but you will continue to be in the minority in 2008.

Security technologies:

  • eVoting security will flare up = yes. Expect big and bad stories about evoting in preparation to the US elections. Maybe another "chad story", but with an "e-" added to it? Fun, fun, fun! :-)
  • Full disk encryption becomes popular = no. In fact, I predict that in 2008 encryption would be "the new firewall" - more and more people will hide from reality behind "we have encryption - we are safe now!" (check out my piece on encryption mistakes, while you are at it)
  • NAC= huh. Huh? The451Group said it best: "NAC has been the 'next big thing' for about four years now - that's a long time in the IT world." Others just say "NAC fallout has started." NAC vs insider attacks? Gimme a break... :-)
  • More whitelisting for host and network security = yes (but combined with blacklisting, which is certainly not going away!) As malware landscape becomes even more diverse, application whitelisting for security will start to shine even more.
  • Academic security research stays ridiculous = yes. Wrong problems, wrong solutions, wrong speed (as in: solving solved problems of day before yesterday...). There will be some exceptions: for example, some of the Project Honeynet academic participants deliver a punch!
  • Secure coding becomes mainstream = no (definitely, 'not yet' on this one) It pains me to say that that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won't be hurtling down the highway at full speed. 2009? Sure, may be!
  • IPv6 = no (while most think 'not yet', some start thinking 'not ever') In other words, Internet 'secure by design' = pipe dream in 2008.

Security market:

  • Mid-market and SMB security = yes! I think 2008 is the year when smaller organizations will start buying the types of security solutions that were only looked at by the large enterprises before. After all, they have the same problems to solve! They have compliance too. They lose data
  • More security SaaS (software as a service) = yes. It is not just Qualys anymore ... More companies will figure out ways to sell security software as a service. This is especially true due to the SMB security spending increase predicted above!
  • 'Consolidation' = no. Whaaaaat? You just said 'no' to consolidation in security market? :-) Well, Vendor X might buy Vendor Z and Vendor N might go down in flames, but I predict that we will celebrate 2009 with just as many security vendors as we have today ...

Logging and log management:

  • Database logging = yes. 2008 is the year when database logs will be collected and analyzed just as Unix syslog, Windows event logs and firewall logs are collected and analyzed today by just about everybody.
  • Application logging will start = yes. People will start collecting (at least collecting at first) application logs, not just firewall and server OS logs (and database logs, as mentioned above). Maybe ERP, CRM logs, maybe other large enterprise applications will lead the way. Major 'application logging waterfall' will occur later, however ...
  • Now that collection and management are 'taken care of' in many organizations, log analysis will (again...) come to the forefront = yes. In the end of 2008, we will be doing log analysis in a large number of fun, new ways - it won't just be about rule-based correlation and keyword searching anymore (Andrew agrees)

Last year's drag-ons :-) and ongoing trends:

  • Some things make dumb predictions since they are so pitifully obvious and have been going on for years already. Thus, I pile them in this section...
  • So, client vs server exploitation: it started a few years back and will continue, for sure: more client vulnerabilities will be used to 0wn more desktops. Similarly, application vulnerabilities will beat platform ones. And targeted, commercially-driven attacks will overtake indiscriminate ones (another "no-brainer" that some try to sell as a prediction...)
  • Both of the above will power further evolution of network and system security into data and broader information security (it will be happening for another 3-5 years)
  • More fun "web 2.0" threats will come our way, but then again, this is true about most of the technologies that are being actively adopted ...

Dark horses, that will influence security in a major but unknown way in 2008:

  • Virtualization = people talk about hypervisor security and virtual security appliances as well as other fun stuff (e.g. this), but, in all honesty, we can't yet fathom the impact that the coming virtualization wave will have on information security.
  • Privacy = I predict that privacy issues, also privacy laws and public outcry due to privacy violations will impact the world of information security in 2008. However, my crystal ball is refusing to share the details on how exactly, citing "privacy concerns" :-)

Come back in Jan 2009 to see how I did!

Any comments? Additional predictions?

Technorati tags: , ,




2 Comments

netfish
2008-02-11 13:18:19
I failed to see how you made the outrageous prediction that:


[1 -- Vulnerabilities:
* 0days use becomes mundane = yes. This will be especially true for those browser-hacking folks who “need” to earn some cash off phishing and other data theft. Thus, “0day use” will no longer constitute news!]


As long as programmers keep being ignorant/lazy about the dangers and losses they bring to commercial and open source applications 0-days will continue to exist, and create mass havoc on servers all across the globe.


I found it contradictory how you went on to say that:


[2 -- Secure coding becomes mainstream = no (definitely, ‘not yet’ on this one) It pains me to say that that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won’t be hurtling down the highway at full speed. 2009? Sure, may be!]


I have no idea who you believe will cease and eradicate their existence. Definitely not SANS. It will take a much greater effort for such a radical change to happen in the security industry.


In addition, I must either be missing some major unknown facts, or you must completely be thinking in a wishful manner for me not to believe your forecast. I see no signs of realistic ideology in your assertion, specially after looking at the trends from past years.


Can you further explain why you made the claim about the 0-Days, and why you think they would come to a screeching halt after all these years? I think it would make for another great article from you.

Anton Chuvakin
2008-02-11 18:30:08
>have no idea who you believe will cease and eradicate their
>existence


Noooo! Quite the opposite: 0days will become mundane since somebody will be owned via a 0-day every day; they will become widespread and "standard"; that is what I predicted!