Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.


Security Predictions 2013-2014: Emerging Trends in IT and Security


Instructors at SANS Security West 2012


Some "predictive" input from SANS Security West 2012 instructors on emerging security trends:


Fear and Loathing in Information Security:
What we are doing is not working. We need to review what we are doing and why. We need to re-evaluate everything, from passwords to pentests to firewalls to DLP. We have to stop doing the same thing over and over again. We have to stop being insane. My prediction? Companies will start looking for alternative security technologies to augment or outright replace many of the technologies that have failed time and time again.
- John Strand


I expect to see a sharp increase in attacks against end-users and administrators who are accessing and controlling cloud-based services (both public and private clouds). Much of the focus is on the security of the cloud itself, but very often the end-users are left on their own while connecting from less secure public networks. Administrators in particular will be targeted as they hold the keys to the cloud-based kingdom.
- Bryce Galbraith


No profession has ever achieved status and credibility prior to developing effective metrics showing cause and effect, providing reliable prognostication and delivering the information needed by various parts of an organization to make informed decisions. Information security is no different. While practitioners frequently lament the profession's lack of standing with business executives, we continue to fail to provide credible answers to essential questions and reliable evidence for the value of our craft. Most of us only provide management with obscure technical measures that do little to provide needed answers, actionable information or comfort, let alone assurance. But relentless pressure to cut costs, to increase both effectiveness and efficiency and do more with less will increasingly drive development and deployment of better metrics in the coming years.
- Krag Brotby


Prediction: Windows 8 will drive adoption of Unified Extensible Firmware Interface (UEFI) on PCs in 2012. UEFI is a replacement for the old BIOS. And while Windows 8 UEFI-enabled features like "secure boot" will be beneficial, especially with a TPM on board, UEFI will also attract much more attention from the hacking community in order to circumvent its protections, perhaps even UEFI bootkits. Centralized and scalable management of UEFI updates will appear on our IT to-do lists (and wish lists) as more exploits are published.
- Jason Fossen


This will be the year for advancements in authentication. Even though good multi-factor authentication systems have existed for years, most organizations have relied on passwords to the exclusion of these other technologies despite clear demonstrations that usernames and passwords just aren't enough (http://auditcasts.com/screencasts/16-hacking-windows-user-accounts-with-powershell). 2011 was a banner year for major compromises involving tens to hundreds of thousands of usernames, often with passwords also being revealed. I believe that this will trigger two things related to authentication: 1) serious adoption of multi-factor authentication and 2) focused research into an even more cost-efficient yet more secure authentication process in an effort to eliminate the username/password equation and move us to "who you are" authentication systems.
- David Hoelzer


With the continued development and proliferation of intelligent portable electronic devices (smartphones, tablet computers, etc.), I predict a rise in account compromises resulting from the credentials for those accounts being stored on unsecured devices. While the user may have selected a password of sufficient length, when it's stored on an unsecured device it may be easily recoverable by an attacker.
- Fred Kerby


2012 - The Year of Geolocation? A little known fact about the new HTML5 web specification is that device geolocation is baked in. With just a few lines of code, any website can now enable geolocation features, potentially leaving geo-artifacts on any device with a web browser. The recent US Supreme Court case, U.S. vs. Jones, demonstrates how interested law enforcement has been in geolocation monitoring. I predict a much wider range of investigators, both public and private, will begin to take advantage of geo-artifacts present on nearly every computer and mobile device, giving the ability to put the device at a particular place at a particular time.
- Chad Tilbury
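As an added example (not code from the SANS page or from any of its contributors), the handful of lines a web page needs to obtain a device's position through the HTML5 Geolocation API, together with the kind of client-side record that later becomes a geo-artifact for an examiner. The `geo` and `store` parameters default to the browser's `navigator.geolocation` and `localStorage`, but accept stand-ins so the code also runs under Node; the stand-in objects, the sample coordinates and the timestamp are constructed for this example.

```javascript
// Added example, not from the original page: requesting a position through the
// HTML5 Geolocation API and persisting it the way a site might. The browser
// objects are injectable so the code runs outside a browser with the fakes below.

function requestPosition(geo = globalThis.navigator && globalThis.navigator.geolocation,
                         options = { enableHighAccuracy: true, timeout: 10000, maximumAge: 0 }) {
  return new Promise((resolve, reject) => {
    if (!geo || typeof geo.getCurrentPosition !== "function") {
      reject(new Error("Geolocation API not available in this environment"));
      return;
    }
    // In a browser this is where the permission prompt appears. The error callback
    // fires on denial (code 1), position unavailable (2) or timeout (3).
    geo.getCurrentPosition(
      (pos) => resolve({
        lat: pos.coords.latitude,
        lon: pos.coords.longitude,
        accuracyMeters: pos.coords.accuracy,
        timestamp: pos.timestamp,
      }),
      (err) => reject(new Error(`geolocation error ${err.code}: ${err.message}`)),
      options
    );
  });
}

// Append a fix to a site-scoped history (localStorage in a browser). Records like
// this live in the browser profile on disk and can place the device at a location
// at a time, which is the artifact the prediction above is about.
function recordPosition(fix, store = globalThis.localStorage, key = "positionHistory") {
  const history = JSON.parse(store.getItem(key) || "[]");
  history.push(fix);
  store.setItem(key, JSON.stringify(history));
  return history;
}

// Read the stored history back with a human-readable time, as an examiner's parser would.
function readPositionHistory(store = globalThis.localStorage, key = "positionHistory") {
  return JSON.parse(store.getItem(key) || "[]")
    .map((fix) => ({ ...fix, when: new Date(fix.timestamp).toISOString() }));
}

// Constructed stand-ins (hypothetical) so the example runs without a browser.
function makeFakeGeolocation(sample, deny = false) {
  return {
    getCurrentPosition(onSuccess, onError) {
      if (deny) {
        onError({ code: 1, message: "User denied Geolocation" });
      } else {
        onSuccess({ coords: sample, timestamp: 1333238400000 }); // 2012-04-01T00:00:00Z
      }
    },
  };
}

function makeMemoryStore() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Walk-through with constructed values: one granted request that gets recorded,
// one denied request that is handled as an error rather than crashing the page.
async function demo() {
  const store = makeMemoryStore();
  const geo = makeFakeGeolocation({ latitude: 32.7157, longitude: -117.1611, accuracy: 25 });
  const fix = await requestPosition(geo);
  recordPosition(fix, store);
  const history = readPositionHistory(store);
  let denied = false;
  try {
    await requestPosition(makeFakeGeolocation({}, true));
  } catch (e) {
    denied = e.message.includes("error 1");
  }
  return { history, denied };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

In a real page the `geo` argument is simply left out, so `navigator.geolocation` is used and the user sees the permission prompt; everything a site does after the success callback (sending the fix to a server, caching it in `localStorage` or IndexedDB) is what leaves the artifact behind. Note that `enableHighAccuracy` asks the device for GPS-quality fixes where available, which is also what makes the stored record forensically useful.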


Gamification, the application of game design techniques to real-world problems, will play a far more important role in Information Security education in the coming years. Because capture the flag games and other InfoSec challenges provide excellent vehicles for building skills and identifying talented personnel across a wide range of skill levels, competitions will proliferate in 2012, with new, engaging challenges filling the calendar to run on a near continual basis. Although it is by no means a new phenomenon, with airline and hotel rewards programs benefiting from its ideas for decades, its use in the classroom is only just beginning to be explored. The field of Information Security education is uniquely positioned to explore these possibilities and act as an incubator of ideas for gamifying education. Competition and gaming have always played a large role in the Information Security community. One need only look at the immense number of excellent Capture the Flag competitions played yearly, online and at conferences. Taking advantage of the fervor for competition and games to fuel learning in the classroom has already proven to be successful. The future is rife with opportunities. SANS itself has already experimented in this field with ID-net, IP-net, course-specific Capture the Flag competitions, and most recently, NetWars.
- Yori Kovichko (@YoriKv)

The "Post Post PC era" or the "Internet of Devices": Up to now, the internet connected mostly "people": the end point of an internet connection was usually implemented using a PC, a server or, more lately, tablets and phones. But foremost, a person was operating and using the device connected to the network. In parallel to this "internet for people" we always had an "internet for devices": small control systems and embedded devices that delivered metrics and control to other devices or larger control networks. Up to now, the proliferation of these devices was limited to specialized networks and environments. However, in particular the advent of IPv6, and the continuation of Moore's law to deliver cheaper and more powerful devices, will make it much easier to deploy devices ubiquitously. We already see a surge in internet-controlled home automation and alarm systems: cars with not one but several IP addresses, sub-$50 "servers" as implemented in the Raspberry Pi project, and projects like Arduino to deliver sensory and control capabilities to the masses. These technologies frequently take advantage of cloud computing to supplement their limited computing capacity and heavily rely on commodity networks for data exchange. We should pretty soon see successful attacks against these devices by exploiting unsecured communication networks. Later on, complete takeover of the device by injecting exploit code into the insecure communication stream may be achieved.
- Johannes Ullrich

Thinking Beyond the Public Cloud: The use of cloud computing promises better computing resource utilization by centralizing computing capability and arranging it in multi-tenant facilities. However, much of the world's computing resources are still unused in desktops, laptops and mobile devices. Some of the original cloud computing approaches used clients installed on these systems to harness spare CPU cycles. While this approach has been widely overlooked in recent cloud approaches, it is bound to resurge and become a part of future cloud-aware operating systems. From a security point of view, loss of control of the physical computing resources is one major concern. Future open and dynamic cloud environments may even further erode this control if cloud providers stop running at least some of their own hardware, but instead attach crowd-sourced elements to their cloud infrastructure. In addition, as models like virtualization and clouds become less distinct, we may see "micro clouds" being offered which consist of any number of interchangeable processing nodes a person buys to create a local cloud of the desired computing capacity. Systems to meter computing power, share workloads, tokenize data, and provide redundant processing as well as storage have to be optimized and secured.
- Johannes Ullrich