Sec Lab: Predictions and Trends for Information, Computer and Network Security
This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security
Security Predictions for 2012 and 2013 - The Emerging Security Threat
By Stephen Northcutt. In addition to the work I have done rounding up other people's thoughts, I also work as a futurist for IT and IT security, and this is my set of predictions. I hope they are useful to you. This page is sponsored by SANS Security West 2011, the SANS conference devoted to an evening focus on Emerging Trends.
TEOTWAWKI (The End Of The World As We Know IT)
No, this isn't going to be a gloom and doom prediction; I am personally quite excited to live in a world where you can watch 3D movies on your home television. How cool is that! However, make no mistake, it is the end of the world as we know it in infosec. Let me give you some quick examples and then work on 2011 and 2012. Are these sound bites familiar: "I see a world wide market for maybe 5 computers", "no one will ever need more than 640k"? I spent a few hours today working on a keynote presentation, "Everything I Know is Wrong"; remember when the safe way to send an attachment was a .pdf because it was "just a print file", and anti-virus actually worked? If you are a security person, so much has changed, and a bunch of things that we "know" are no longer so. And that leads to the biggest reason that the world as we know it is changing. In a related file to this one, Richard Stiennon predicts that our niche industry will grow up and big companies will take over. Part of growing up is commercialization, to be sure, but it is also professionalization. Today, if you want to call yourself a security professional you have the freedom to do so, even if much of what you know is wrong. In the future, we will have to prove we are security professionals with credentials, possibly even a license. Now, folks that know me will be quick to point out that I have been saying this for some time. True, but that does not mean the gears are not turning. If you are familiar with DoD instruction 8570, then you know that for DoD IT employees TEOTWAWKI has already happened; they have to have a certification. If you practice digital forensics in Texas or Michigan, TEOTWAWKI has already happened: you have to have a PI license. I will be astounded if they do not require some sort of trustmark to perform IT security tasks for the U.S. Government (or require that you are working under the supervision of someone with a professional trustmark, i.e. a certification or license) by 2012.
OSI Layer 2 and Peripherals Become Dangerous
In July 2010, there was an announcement that Dell PowerEdge R410 server replacement motherboards contained spyware. This is certainly not the first time, nor will it be the last, that malware has been delivered as part of the supply chain: way back in the 90s, we received a DEC Station with malware installed in the operating system and on the media supplied with the system, and we have seen digital picture frames, USB keys and the like that come with malware out of the box. However, it is only going to get worse. As organized crime seeks new ways to initially install malware, as well as to keep it in place in the presence of anti-virus software and endpoint whitelisting technology, they will increasingly use device drivers and peripherals. Modern computers do not just have intelligence in the CPU and GPU; everything from memory management to the network card may have its own processors and memory. Just last month Bigfoot Networks released a network card with its own GPU, primarily for gaming applications. As we approach 2011 and 2012, expect to read about more cases where malware is hidden in auxiliary parts of the computer to which the operating system has no direct access. Also expect to see attacks against device drivers, as well as malware pretending to be a device driver. None of this is new; we are simply expecting a sharp increase in the number of events.
Cars Are Computers, Computers Get Hacked
This is related to the OSI Layer 2 prediction. Cars aren't cars anymore; they are computers with wheels. GM ships OnStar, Ford has Sync, and most states require "hands free" operation, so we have Bluetooth. Cars even have their own networking protocol. In 2011 and 2012 most of the hacking activity against cars will be boutique, just seeing how to do it. It won't go into high gear unless someone can figure out how to monetize it. There is extortion, of course: your wife is driving down an empty road at night in the cold and rain, and the attacker uses something similar to the OnStar "Stolen Vehicle Assistance" feature to slow and stop the vehicle. Then the attacker demands your debit card number and PIN if you want the car to run again. That is a one-off, possibly requires human intervention, and could be high risk to the criminal, since you could call the police on your cell phone and report the event. Of much greater concern is the eventual integration of your PDA with the car network, especially if you get one of those nifty accept-credit-cards-on-your-PDA applications.
20 Critical Security Controls Grows with Proactive Organizations
Partly as a result of the economic downturn, executives at some of the best-run companies will start to implement the 20 Critical Security Controls. The three primary drivers are the research behind the initiative (they aren't just someone's opinion), the fact that they are measurable and metrics driven, and finally that they are largely automatable (according to experts, 15 of the 20 critical controls can be automated). This has the potential to help shift the practice of information security from an art to a science. In concert with emerging risk models such as FAIR, we will see the beginning of a state change in security.
Update: May 2010. We are starting to see metrics-based risk management in the government, with significant advances by NASA and the U.S. State Department.
Update: June 18, 2010. Seeing more and more calls for risk management to be a science and metrics driven, this prediction appears to be on track as we are six months out from 2011.
Digital Forensics Will Become One of the Most Important Security Skills
Sadly, system compromise is at an all-time high. Since we are not successfully defending our endpoint systems, it will become more and more important to determine how the attackers got in and what they were able to extract. The bar is already being raised in the incident response field. Ten years ago the job of incident response commonly fell to a help desk employee, and the primary tool was the cleaning kit. Today, companies often have to bring in outside expertise at $330.00 an hour with door-to-door billing, and potentially emergency rates on top of that. And the battle isn't won in twenty-four hours; it could take a year to clean up and complete the investigation, and of course there are regulatory and compliance issues. Organizations will learn that it makes sense to invest in training their own internal people. In 2011, and even into 2012, this will be a very in-demand security skill. As we start to enter 2013 - 2014, the combination of more trained people and better tools will take a bit of the bloom off the rose. In forensic circles they currently joke about tools such as the infamous Forensicator Pro: just point it at a case and it spits out a picture-perfect report. Of course, such a thing does not and will not exist, but when you look at the advances in automating penetration testing and malware analysis, you can see there will be tools that help investigators do their jobs more efficiently.
NOTE: On July 19, 2010, the Center for Strategic and International Studies released a document titled A Human Capital Crisis in Cybersecurity. It specifically called out defining forensic professionals for federal work as one of the first actions (page 24).