Sec Lab: Predictions and Trends for Information, Computer and Network Security
This is an effort to chronicle what a number of really smart
people believe the state of the information security industry to
be, and where we are going. A lot of the emphasis is on security
threats, but we also consider what is working and what good
practice is. We hope you will be able to use this in your
strategic planning and also as input for your security
Other Related Articles in Sec Lab: Predictions and Trends for Information, Computer and Network Security
Stephen Northcutt's Security Predictions 2012 and 2013
May 29th, 2011
By Stephen Northcutt, Google+
Security Predictions for 2012 and 2013 - The Emerging Security Threat
By Stephen Northcutt. In addition to the work that I have done rounding up other people's thoughts, I also work as a futurist for IT and IT Security and this is my set of predictions. I hope they are useful to you. This page is sponsored by SANS Security West 2011, which is the conference at SANS that is devoted to an evening focus on Emerging Trends.
TEOTWAWKI (The End Of The World As We Know IT)No, this isn't going to be a gloom and doom prediction, I am personally quite excited to live in a world where you can watch 3D movies on your home television; how cool is that! However, make no mistake it is the end of the world as we know it in infosec. Let me give you some quick examples and then work on 2011 and 2012. Are these sound bites familiar: "I see a world wide market for maybe 5 computer"s, "no one will ever need more than 640k". I spent a few hours today working on a keynote presentation "Everything I Know is Wrong"; remember when the safe way to send an attachment was a .pdf because it was "just a print file" and anti-virus actually worked? If you are a security person, so much has changed and a bunch of things that we "know" are no longer so. And that leads to the biggest reason that the world as we know it, is changing. In a related file to this one Richard Stiennon predicts that our niche industry will grow up and big companies will take over. Part of growing up is commercialization to be sure, but it is also professionalization. Today, if you want to call yourself security professional you have the freedom to do so, even if much of what you know is wrong. In the future, we will have to prove we are security professionals with credentials, possibly even a license. Now, folks that know me will be quick to point out that I have been saying this for some time. True, but that does not mean the gears are not turning. If you are familiar with the DoD instruction 8570, then you know that for DoD IT employees TEOTWAWKI has already happened; they have to have a certification. If you practice digital forensics in Texas or Michigan, TEOTWAWKI has already happened, you have to have a PI license. I will be astounded if they do not require some sort of trustmark to perform IT Security tasks for the U.S. Government ( or require that you are working under the supervision of someone with a professional trustmark ( certification or license) by 2012.
OSI Layer 2 and Peripherals Become DangerousIn July 2010, there was an announcement that Dell Poweredge servers R410 replacement motherboards contained spyware. This is certainly not the first time or the last time we have had malware delivered as part of the supply chain, way back in the 90s, we received a DEC Station with malware installed in the operating system and the media supplied with the system. And we have seen digital picture frames, USB keys and the like that come with malware out of the box. However, it is only going to get worse. As organized crime seeks new ways to initially install malware as well as keep it in place in the presence of anti-virus software and endpoint whitelist technology, they will increasingly use device drivers and peripherals. Modern computers do not just have intelligence in the CPU and GPU, everything from memory management to the network card may have processors and memory. Just last month Bigfoot networks released a network card with its own GPU primarily for gaming applications. As we approach 2011 and 2012, expect to read about more cases where malware is hidden in axillary parts of the computer and the operating system has no direct access. Also expect to see attacks against device drivers as well as malware pretending to be a device driver. None of this is new, we are simply expecting a sharp increase in the number of events.
Cars Are Computers, Computers Get HackedThis is fairly related to the OSI Layer 2 prediction. Cars aren't cars anymore, they are computers with wheels. GM ships OnStar, Ford has Synch, most states require "hands free" operation so we have bluetooth. Cars even have their own networking protocol. In 2011 and 2012 most of the hacking activity against cars will be boutique, just seeing how to do it. It won't go into high gear unless someone can figure out how to monetize it. There is extortion of course, your wife is driving down an empty road at night in the cold and rain and the attacker uses something similar to the OnStar "Stolen Vehicle Assistance" to slow and stop the vehicle. Then the attacker demands your debit card number and PIN if you want the car to run again. That is one off and possibly requires human intervention and could be high risk to the criminal since you could call police on your cell phone and report the event. Of much greater concern is the eventual integration of your PDA to the car network especially if you get one of those nifty accept credit cards on your PDA applications.
20 Critical Security Controls Grows with Proactive OrganizationsPartly as a result of the economic downturn, partly because executives at some of the best run companies will start to implement the 20 Critical Security Controls. The three primary drivers are the research behind the initiative (they aren't just someone's opinion), they are measurable and metrics driven, and finally they are largely automated (according to experts, 15 of the 20 critical controls can be automated). This has the potential to help shift the practice of information security from an art to a science. In concert with emerging risk models such as FAIR we will see the beginning of a state change in security.
Update: May 2010 We are starting to see metrics based risk management in the government with significant advances by NASA and the U.S. State Department.
Update: June 18, 2010 Seeing more and more calls for risk management to be science, metrics driven, this prediction appears to he on track as we are six months out from 2011.
Digital Forensics will become one of the most important security skills Sadly, system compromise is at an all time high. Since we are not successfully defending our endpoint systems, it will become more and more important to determine how they got in and what they were able to extract. The bar is already being raised in the incident response field. Ten years ago the job of incident response commonly fell to a Help Desk employee and the primary tool was the cleaning kit. Today, companies often have to bring in outside expertise at $330.00 hour with door to door billing and potentially emergency rates on top of that. And the battle isn't won in twenty four hours, it could take a year to clean up and complete the investigation and of course there are regulatory and compliance issues. Organizations will learn that it makes sense to invest in training their own internal people. In 2011 and even into 2012, this will be a very indemand security skill. As we start to enter 2013 - 2014, the combination of more trained people and better tools will take a bit of the bloom off the rose. In forensic circles they currently joke about tools, such is the infamous Forensicator Pro, just point it at a case and it spits out a picture perfect report. Of course such a thing does not and will not exist, but when you look at the advances in automating penetration testing and malware analysis, you can see there will be tools that will help investigators do their jobs more efficiently.
NOTE: on July 19, 2010 the Center for Strategic and International Studies released a document titled A Human Capital Crisis in Cybersecurity. It specifically called out defining forensic professionals for federal work as one of the first actions (page 24).
Human Mind HackingThe Sokal hoax becomes the norm. Print media continues to decrease, newspapers and magazines were failing or were concerned about failing at an increasing rate. Fortunately as of July 2010, that trend has started to slow. One of the tools I use is Google Trends and if you click *here* you will see an interesting search result,*here* is another comparing print media, magazines and television to Google. Because print media is so costly and you have to set up for a press run, considerable effort was made to edit and fact check. In the online only world, there is no need to be so careful because you can always change it. In addition, we tend to post, retweet, blog, etc., anything that meets our ideology. The result is we reach a point where the majority of the information we are exposed to is false, either intentionally or unintentionally. We may not totally believe it, but it does have its impact. For over twenty years, there has been published information in the social sciences about planting false memories. A growing trend is when we are exposed to information that we do not like; you see this in politics a lot with the so-called liberal and conservative debate, the unwelcome information has a so-called backfire effect and reinforces our beliefs. If you listen carefully to someone that listens to Fox News all the time, you will come to realize Human Mind Hacking is real and that poor individual is p0wned. Kathy and I ceased watching television over 25 years ago and I try to be careful about my news sources. You can never blindly trust in any one source, but here are a few to consider: Wired, a good source of all news, but the technology reporting is superb. BBC, or some other non U.S. focused site. For U.S. news I bounce between The New York Times, The Washington Post, The Washington Times and of course we all need local news, in my case The Seattle Times.
Update: November 13, 2010 Op Ed Piece by Ted Koppel is a must read, one quote, "This is to journalism what Bernie Madoff was to investment: He told his customers what they wanted to hear, and by the time they learned the truth, their money was gone. It is also part of a pervasive ethos that eschews facts in favor of an idealized reality."
Libraries Are Dead, Long Live LibrariesWhen was the last time you used a library? How long does a computer security book remain cutting edge? Even in the general population books are losing market share to digital readers, Kindle, iPad etc. And yet, libraries are a pillar of civilization. From the Library of Alexandria to your neighborhood branch, they are part of our culture and history. You used to go to libraries to research to some extent, but even more to check out books to read. From 1988 to 2002 there was a ten percent decrease in reading if you define it by reading books. Of course that doesn't mean we were exposed to fewer facts, kids have given up books and television for the internet. And when they do watch tv shows, they often watch them on a computer. As libraries have no customers, funding will dwindle, you will see this trend over the next decade, not just 2011 - 2012. But what will the pillar of civilization be? It may be social media, but that will not serve the role libraries have for research. As people get more information in short sound bites as opposed to reading books, it will become easier and easier for them to get biased or incorret information. Today, a number of people have a bias against Wikipedia, but it is one of the fastest growing bodies of knowledge in the world and along with the Google book archive project will become the next great library.
Update: July 21, 2010 Amazon announced that ebooks for Kindle and similar devices out sell paper books, they sell 180 ebooks for every 100 hardcover books, how much longer till they exceed paperbacks?
Organized Crime Becomes More Active and CreativeAs email becomes less effective for them because almost everyone has received at least ten emails saying your have won the lottery or a deceased relative wants to help you repatriate money the success rate drops to near zero. Sensational subject lines start to become less effective to get people to click on attachments, but even those will lose effectiveness. I tend to follow Brian Krebs blog to see what is going to. As we start to head towards 2011, here is where we are. The bad guys have great trojan tools to steal credentials and a pretty good distribution network ( attachments, drive by malware web pages and so forth to get the tools on end user, business owner and accountant's computers. However, they have a weakness, after they get the banking credentials and wire the money, someone has to pick up the money, a so called money mule. Some money mules are professional criminals of course, but others are unwitting dupes that get recruited via "secret shopper" and "work from home" ads. In May 2010, the FBI stated they would start going after money mules. As we enter 2011 and 2012 and the arrests and proscecutions start to happen, the word will get out and people will be a bit more careful and organized crime is going to be sitting on an interesting problem. They have malware on many systems that do some form of online banking.By mid-2011, they will probably have the ability to mine the data to find the systems and credentials that are likely to be able to access a considerable sum of money. But, the supply of money mules is suddenly getting tighter. Organized crime is very creative and I am sure they will come up with something, it will be interesting to see what.
Compliance groups will publicly admit they suckOK, this is the biggest stretch because I have never seen an auditor admit they were wrong; however, the cost of traditional certification and accreditation compliance is simply too high. I do not think you will see this in 2011, but maybe by 2012. From FISMA to HIPAA to Sarbanes Oxley ( which might be the best of them), people are going to finally realize that the cost of administrative based compliance does not yield benefits. Standards are important, compliance is important, but the paper based approach simply does not work, never has and never will. If you can't code it in XM or JSON and measure it with software, forget it.
The Era of Collaboration Security is unfoldsTo be sure, you see the first sprouts now, teams work on wikis, Groove and Microsoft SharePoint Workspace is a basic tool of the trade. But more often than not in 2010 we are still sending documents together and we may well still be doing that in 2012 and there may well be a large number of abandoned wikis; I mean something different when I say collaboration security. I first got the idea of improved collaboration, real collaboration, reading John Stewart's forward to Securing the Borderless Network. He said there have been four eras in information security. Perimeter Security, Mobile Security, Application Security and Collaboration Security. Now what Mr. Stewart means I think is that there will be increase use of collaboration tools outside of IT's direct control and that data will have to be secured and that is true. That is why I am interested in company's that are developing solutions like Beyond Encryption However, what you see gaining ground the fastest is collaborating to provide security.. If you care enough to monitor your browser add ons, or the files on your computer it is just a matter of time till you find an odd one. What do you do? You use Google to search and 9 times out of 10 you end up on some web site where people post questions "I have xyz on my system, how to I get rid of it" or similar and other people answer. There is a lot of handwringing right now on the use of social media, Twitter, Facebook etc. But security people are there in droves sharing information, links they find and even asking questions. Information Security has become too vast for any one person to know all of it and so we specialize and work to help one another. I have spoken with many consultants and they depend upon reach back to their company or their professional network when they run into something beyond their understanding. This is going to grow and social systems may develop to support it. As an example there are several private mailing lists already to support the exchange of security information. The idea is that everyone is vetted, maybe they all have a certification and have signed an NDA so you can ask questions you might not otherwise ask. The need is great, by 2012 expect to see this grow and develop perhaps in surprising ways.
Microsoft Fix it Center will be one of the most important security advances Launched in mid-2010, this service will become more powerful and more popular. By 2012, other vendors will see the need to create similar capabilities.
Boutique Web Sites Will be Even More Dangerous The move to virtualization will cause more smaller companies to move to web hosting environments instead of having their own server because of the cost of blades and virtualization software. The problem with webhosting is that if the attackers can get in, they may be able to infect many web sites with malware that will be installed when users visit them. There were several examples of this in 2010 and earlier, but they will continue to occur.
3D video will change the face of entertainmentSaw the digital theater presentation of sharks yesterday. It was even more impressive from a presentation standpoint than Avatar. By 2014 second generation 3D will be available and if you are still making 2D movies ( other than art or specialty films ), you will have a hard time getting shelf space. There will also be an increase in accidents for people driving at night on two lane roads as eyes used to rendering 3D are confused by the two headlights of oncoming vehicles.
Eight tech darlings that might have investment potential into 2012NOTE: initial calculations shown in table 1 were done 5/24/2010. Warning, I am not a professional investor, you should seek competent counsel, any investment based on reading this will almost certainly lose value. I read recently that in the United States about 20% of organizations that run their own IT do not virtualize at all, 60% have some virtualization, and 20% are fully virtual. I am never sure where people get their data, but one thing is certain, there is a market for more virtualization and disk storage as well. Who stands to benefit? EMC owning a major SANS and VMWare is in a great position. Also HP, Dell and IBM could all do well. From an investment standpoint what is possible.
Table 1: 5/24/2010
|Five year appreciation||- 66%||+28%||+103%||+ 63%||+20%||+557%||97.49%|
|One year appreciation||+24%||+56%||+34%||+22%||+31%||+101%||21.26%|
|30 day during April - May 2010 earnings giveback||-23%||-9%||-15%||-4%||-15%||-9%||-12.45%|
|Price to Earnings||16.69||29.85||12.98||12.11||19.81||11.78||21.62|
|Debt to Assets||12.12||11.56||13.79||23.94||15.11||0||0|
Update July 21, 2010 Year to date for 2010: AAPL +20.6%, CSCO -5.75%, Dell -9%, EMC +11.5%, GOOG -23%, HPQ -12%, IBM -4.3%
If you had invested in the three highest scores on the rubric in May 2010, you would be sitting on a handsome profit today. This year we need to add a moat factor since there is a lot of market chop, i.e. how hard would it be to truly compete. So this is an 8 x 8 table. Rubric scoring best in class gets 8 points, second 7 etc. Share price, we give two points for lower price share ( < 100) and one point for higher priced shares.
Table 2: 5/28/2011
|Five year appreciation||- 36%||+122.46%||+13.58%||+ 107.43%||-18.96%||+431%||36.59%||4.38|
|One year appreciation||+18.45%||+52.69%||-19.67%||+33.72%||-28.93%||+31.35%||7.26%||-4|
|30 day during April - May 2011||-.25%||-.39%||-8.8%||-1.92%||-4.8%||-2.69%||-3.17%||-7.3|
|Price to Earnings||9.46||31.13||9.07||14.06||12.93||16.08||20.23||9.8|
|Debt to Assets||15.54||11.19||17.91||25.23||18.84||0||5.9||6.9|
Conclusion, if I was betting on a tech titan, I would be very careful about putting a lot of money on Cisco, HPQ, and Dell without carefully researching. Of the three Cisco may have the most interesting story if they do the promised cost cutting and focus on core business, especially since they are poised to be a leader in IPv6. Of EMC, IBM, Apple, Google and Microsoft, there are probably some solid investment opportunties. I hold IBM, Google and Microsoft and would be willing to add to my holding on market dips. If you choose any of these, try to use limit orders or buy on dips, none of these screams value of the century. Cisco, Apple, and Google all have a Beta greater than 1 which means you should be able to make your buys on market swings. I sold Apple in February 2011 to raise cash for other investments. If Steve Jobs passes and the market panics, this might be an amazing buy.