Wednesday, December 31, 2008

My Top 10 Infosec Predictions for 2009

It's that time of year again when we all make predictions. Here, in no particular order, are my top ten:

1. The economy will continue its descent into the *#*$% and non-specialized security jobs will continue to be squeezed. Well you certainly don't need to be Alan Greenspan to know the economy is headed down, way down (and re-reading that sentence, AG may be a bad example). Security won't be hit as badly as most industries - after all, one of the main reasons we are in this bind is that audits and controls failed. A great President once said that the rising tide lifts all boats. In 2009 the tide will be increased regulation brought on by failed financial controls and the information security boat will definitely get lifted by this. But security middle management, non-expert specialists, and anyone who does not directly contribute to the bottom line had better be polishing their resumes. And by bottom line, I mean fulfilling an immediate required organizational function - not ROI based on fluffy loss prevention. Hey, it ain't pretty but welcome to the Recession (and unlike the last time around, this time it's got a capital R).

And speaking of increased regulation, that brings us to number two-

2. There will be...increased regulation. This has been in the pipeline for a long time. Some of these regulations will be fairly specific. Sticking with tide metaphors, when the tide falls you see who has been swimming naked. Many companies will have products that they won't be able to bring into compliance overnight. And at a more glacial pace, EU regulators will move towards greater regulation and breach notification-ish laws in the coming year. More on that in this blog in 2009...

3. Cybercrime will become more criminalized. The increasingly stiff penalties for cybercrime will do more than all the web application firewalls in the world to secure our networks. Despite all the scary statistics the vendors put out, the rewards for cybercriminals are not that great. It is the relatively light punishments that make skimming a few credit card numbers a better risk/reward trade-off than holding up a 7-11. This will have major consequences for the way networks need to be secured.

Even more important than the evolution of laws is the public's perception of the law. The Sarah Palin Yahoo account incident was a turning point for public opinion. In case you were sleeping through the election cycle (or have tried to suppress it deep within your subconscious), Sarah Palin's Yahoo mail account was "hacked" by a 20-year-old who correctly guessed the answer to her password-reset security question (Where did you meet your future husband? Wasilla High). The fact that the University of Tennessee student was actually arrested and subsequently indicted dispelled any notion that just because a door is open on the Internet you are allowed to walk in. The very wide publicity this and similar incidents have received will undoubtedly make many script kiddies think twice before attempting a port scan.

4. The so-called vulnerability circus will continue. Applications are large and complex and have vulnerabilities that smart people can find. I seem to remember seeing a quote by Marcus Ranum that things will continue to be just secure enough to be functional, and not any more. Especially with Web 2.0 (or whatever it will be called next year) this isn't going to stop. There are very few Facebook or MySpace or iPhone users who would opt for a dumbed-down but locked-down service. If it's functionality vs. extra security, people will opt for functionality.

5. People will finally start realizing that not all crime that involves a computer is cybercrime. Just because you forked over your life savings to some "prince" in Nigeria does not make you the victim of an elaborate cybercrime. It makes you the (pretty darn naive) victim of fraud. I boldly predict that people will start to demand that the word cybercrime be reserved for crimes that were actually intrinsically tied to the use of a computer (OK, not "demand" in the sense of riots in the street, but you get what I mean). All these crazy statistics about hundreds of billions of dollars in cyberlosses are starting to wear people down. Which brings me to...

6. People will get increasingly sick of the FUD (Fear, Uncertainty and Doubt). Fear sells products and writes a lot of paychecks, but barring truly shocking security breaches, people's attention will shift elsewhere. Getting a computer virus is not the end of the world, despite what anti-virus vendors will try to sell you. The masses have been drinking the Kool-Aid for a long time, and the hangover is starting to set in. There are many risks in life completely unrelated to information security, and for the vast majority of people information security ranks low on their list of priorities. Computer security is an organizational and corporate issue, and the job of security people is to manage and take care of the problem so that everyone else can get on with the business of running their business. Security is a tax, and our job is to manage that tax as well as possible. Which now brings us to...

7. We will get better metrics for how much the security tax should cost, especially in software security. OK, this fits more in the hope than prediction category. Network security has matured to the point where there is at least a very general consensus on best practices and associated costs. Increased regulation (see #2) will drive the formation of a similar consensus in the software and application security sphere. Call it the industry maturing or the inevitable commoditization of security, but it's going to come around eventually.

8. The curtain will close on the security generalist/superhero. Did any of you see Justin (I-am-a-Mac) Long in Die Hard 4? This guy could walk into a server room for the first time and one minute later he had hacked into a traffic light 20 miles away. The popular myth of the hacker superhero, who can break any system, is so deeply embedded in our collective minds that even we, as information security professionals, believe it. Penetration testers are able to advertise themselves as all-round pen testers who can test any application.

The truth is much more mundane. An Oracle security expert is lucky if they really know something about MS SQL, and a Java security expert probably won't be able to help you with your .NET application. That's not to say that they know nothing about other platforms; it's just that real expertise - the kind of expertise you want for a code review - is siloed. There is no such thing as one guy who knows everything about everything. Renaissance Man only existed in the Renaissance, and Renaissance Computer Man only existed in the 80s and early 90s. Not in 2009.

9. Barack Obama will introduce consistency into US cybersecurity policy. OK, this too is more of a hope than an actual prediction. But wouldn't it be great if very-soon-to-be President Obama were to finally empower a cybersecurity czar to stick around for a while and bring around real change?

10. Complex stand-alone security products will continue to decline. The big vendors continue to build audit and other security capabilities into their products. A good built-in capability will always win over a standalone product, especially in tough economic times. And who wants to manage yet another vendor relationship? Niche products that address a real market need and do their job well will continue to thrive, but others will either be acquired or fade away.

And in case you are not totally convinced that these 10 predictions contain the entire security landscape for 2009, you may want to check out some other thoughts at SANS.

And of course - Happy New Year!
