Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

A collection of predictions about the future of security for computers, networks and information.

2009 Security Predictions - Updated January 3rd, 2009
Stephen Northcutt's favorite Security Predictions for 2008 - Updated April 16th, 2008

2009 Security Predictions

January 3rd, 2009
By Stephen Northcutt and friends
Version 1.8


Raphael Gomes Pereira from Chemtech in Brazil weighs in,
[Stephen Northcutt] Sure, I know of a case in Colombia where someone hacked the power company and lowered people’s bills. Turns out the law there says once you have sent the bill you can’t change it, so they lost a lot of money. However, my primary concern in this area is nation/state, where one country or a federation of hackers in a region goes after another country’s infrastructure.


Database Activity Monitoring will start to be the new security project for ITSEC shops. This will be driven by compliance, much like the earlier push for log monitoring. The initial push will probably start with PCI, as auditors begin to understand the problem. This has all the earmarks of a hot project because there is a simple business driver: employees snoop on database records when they shouldn't. Britney Spears' records were accessed by 13 employees at UCLA Medical Center. George Clooney's were accessed at a New Jersey medical facility. Even though both of these are clearly HIPAA violations, PCI has more specific language referring to database monitoring. President-elect Obama's cell phone records were accessed by Verizon employees, and his passport file was also improperly accessed.

In a related prediction, NewsBites 12/30/2008 carried the following story:
Report Finds DHS Intelligence Fusion Centers Present Privacy Concerns (December 23 & 29, 2008) According to a Privacy Impact Assessment (PIA) from US Department of Homeland Security (DHS) chief privacy officer Hugo Teufel III, the agency's intelligence fusion centers pose significant privacy concerns. The centers were created to comply with the Implementing Recommendations of the 9/11 Commission Act of 2007. The Act also requires that PIAs be performed. The PIA found several areas of concern, including ambiguous lines of authority rules and oversight; participation of the military and the private sector; and mission creep.
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_ia_slrfci.pdf
http://www.fcw.com/online/news/154752-1.html?type=pf
http://www.nextgov.com/nextgov/ng_20081229_7913.php




David Swift, Sr. Security Specialist with Perot Systems, shares his 2009 security prediction:



David Hoelzer, Director of Research at Enclave Forensics, has just returned from teaching at a SANS conference, and he sent us his information security predictions for 2009:


David Linthicum, InfoWorld, has posted his 2009 Service Oriented Architecture (SOA) predictions; my favorite: "There will be a larger focus on inter-domain SOA technology, or highly scalable and secure middleware technology that will provide scalable service and information access between the instances of SOAs within the enterprise, and perhaps intercompany as well. The fact is that much of the SOA solutions out there can't scale much past a single problem domain, thus this technology will become key to the strategic success of SOA."
[Stephen Northcutt] This is a huge problem, and it may be more of a 2010 prediction since the cash meltdown in the economy is likely to slow development down. Part of the problem is UDDI security: you just do not want to expose business logic to a large number of people, even internal people. So as people are working on this middleware, don't forget to bake security into your software.


There will be any number of people warning about MySpace, Facebook, Google Hacking, etc. in 2009-2010. As they come up, I will try to toss links to them. And they are all valid to some extent: young, vulnerable girls do post too much information on MySpace, and people do use other social media to track other people. Here is a really creative crime, written up in Heraldnet.com: "Another area of online crime that people need to be wary of is the bogus job offer, which can lead to being duped, or dead. The man who robbed an armored truck guard in Monroe last month used a Craigslist ad to hire a dozen unsuspecting decoys to be in the area as he made his getaway. The ad was for a prevailing-wage job -- $28.50 an hour -- for a road maintenance project. Those who inquired were told to show up to work wearing a 'yellow vest, safety goggles, a respirator mask ... and, if possible, a blue shirt.' Turns out that's also what the robber wore."
[Stephen Northcutt] It is a dangerous world and one problem with Craigslist is that it can be hard to validate who you are dealing with.


Benjamin Wright, Attorney, author and SANS Instructor, shares his 2009 security predictions:

Stephen Northcutt muses on the recent G20 meeting; their final communique has five major points:
OK, first a financial observation, all that I have read says to diversify investments. However, almost every thing we have invested in is down. Growth stocks, down. Value stocks, down. I managed to eke out a profit first quarter, but it was just taking too much time. Bonds, down. Mutual funds, down. Foreign investments, down. Even start up companies are drifting down because the market is so tough. In fact, if Kathy had not insisted on the classic 4% CD for a measurable percentage of our investments, we would have been badly damaged financially. The only way to avoid negative spillovers is to implement some decoupling. Everything is still related, so there was no bright sector to turn to. There is an interesting advertising article by the Motley Fool on China and why their stimulus might actually create decoupling, but I am not in the mood to play in stocks of any sort before the end of the year. My 2009/2010 security prediction about the G20 communique is that to do all of this wonderful stuff they promise, they will have to do a lot of communication and planning. And some of the computer systems they do this communication and planning on are going to be infected with malware; the sort of malware that is designed to collect intelligence data. This article by Business Week paints a bit of the picture. And if you can get to SANS Security West, Rob Lee, a forensics expert, is going to explain the specifics of this in his night talk. The result of that is that some of this money will not be as effective as the people hoped because unscrupulous actors are going to intercept some of the plans and use them to their own advantage. Darkvisitor reports, "In October, Chinese hackers were able to gain access to the World Bank and this month it seems they have penetrated the International Monetary Fund. The analysis, provided by a former British intelligence officer, concludes that China is using this information for geopolitical leverage during the global financial crisis." 
If I were the G20, I would hire a few real security experts and run Kaspersky on as many systems as possible (my understanding is that while it is slow, it is the best of the lot), so even if you use a different AV product, at least scan them with Kaspersky and also the Microsoft One Care Safety Scanner, an awesome, free tool. Also, get as many of the G20 on Firefox 3 running the NoScript plugin as possible. Next, get whitelist software like SavantProtection, CoreTrace, Bit9 or Lumension on those systems to make it much, much harder to infect.

And this same advice goes for President-elect Obama; I hope that cybersecurity will be a priority in his administration. That was one of his campaign promises, according to nextgov: "As president, I'll make cybersecurity the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a national cyber adviser, who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cybersecurity policy and tighten standards to secure information -- from the networks that power the federal government to the networks that you use in your personal lives." No matter who you voted for, the evidence is compelling that the United States government needs to do a better job of securing their systems.

A blogger, Douglas Karr, who focuses on marketing, has an interesting prediction for 2009: that search and mobile are the future. The reason this prediction is interesting is that Nokia just announced they expect mobile device sales to be soft in 2009. The Marketwatch article states that many high tech companies have lowered their forecast for 2009, including Intel, Cisco and Sun (Sun is cutting 6,000 positions). According to ThomasNet, "Unsurprisingly, the world economic outlook remains grim, with global GDP expected to decelerate in 2009, according to recent economic reports. Recovery is not anticipated until the latter half of next year." So at first blush, I think Mr. Karr may miss the prediction since he pegs 2009, but that search and mobile are going to do well in the future is for certain. But before we listen to the gloom and doomers, let's drill down into the data. Mr. Karr's blog does point to an incredible file by Mary Meeker from Morgan Stanley (use the plus sign and view in full screen mode or the text is too small). It is the best analysis I have seen of the current economy and really has me thinking. If you want to understand the current economy, please take the time to read this; if you don't get it the first time, come back a day later and look at it again. Here is just one fact that I found amazing: the Kindle, Amazon's ebook reader, accounts for 12% of Amazon's book sales for the titles that are available for Kindle. Another thing that may help Mr. Karr's prediction is that the popular gadgets are really popular. According to a prediction published by Reuters in June, "Morgan Stanley expects 27 million iPhones to be sold in calendar year 2009 with an average revenue of $550 per unit." So maybe not every mobile device is going to do well, but Nokia could have an off year and Apple could have a banner one. And as far as search, Google remains a steady Eddie, continuing to wrest market share from Yahoo and Microsoft.
I still hold that the Michael Perry blog that yellow pages will not be useful in 2009 misses by a few years.

Next, a bit more on iPhones. Stephen Northcutt observes that almost all SANS instructors have iPhones. Will we see a major focus to compromise iPhones with malware in 2009-2010? Very likely. First some background: CSO magazine reported last year, in an interview by Bill Brenner, possibly the best IT Security Journalist, with Mikko Hypponen, "It's quite quiet on the mobile side. We now have over 400 known mobile phone viruses and Trojans, but most of those target the older smartphone systems," he says. "Most of the current systems have improved built-in security." Hypponen believes the most likely mobile risk today isn't mobile viruses or Trojans, but mobile spying tools like FlexiSpy, Neocall or Mobile Spy. These commercial tools run fine even on the latest versions of Symbian, Windows Mobile or Blackberries, he says. Meanwhile, iPhone has been the target of some attacks, but it still has a minuscule market share globally compared to the big boys like Nokia. That means a smaller bull's-eye. But as that market share increases, he expects more attacks to materialize. Then, in January 2008, Internetnews.com reports, "The US Computer Emergency Response Team (US-CERT) has issued a warning that a fraudulent iPhone upgrade is making its way around the Internet and users should not be fooled into installing it. A package called 'iPhone firmware 1.1.3 prep,' which described itself as 'an important system update. Install this before updating to the new 1.1.3 firmware' is floating around on the Internet. The fact it does not come from Apple is clue #1 that something is wrong. 'This Trojan claims to be a tool used to prepare the device for an upgrade to firmware version 1.1.3,' the US-CERT advisory said. 'When a user installs the Trojan, other application components are altered. If the Trojan is uninstalled, the affected applications may also be removed.'"
[Stephen Northcutt] So you can see the pattern here. If the iPhone is successful in the marketplace, it becomes a target. Is it a success? According to PC Retail, Apple "attains self-imposed target of ten million units sold in 2008. Apple has shifted ten million iPhones so far this year, beating its self-imposed deadline by two months, reports Mac World. Last quarter, with the release of the 3G version, iPhone sales outperformed all the other quarters combined with 6.8 million units shipped and outselling its closest rival, RIM's BlackBerry by 700,000 units." And the iPhone has very little built-in security; originally it was security by obscurity. According to CNET, "Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. 'It doesn't make it impossible,' Mehta said, 'just harder.'" But that was in 2007; today there is an Apple developer page and SDK available. In addition to the authorized SDK, people have been finding ways to do unauthorized things like jailbreak the phone in about a minute. The bottom line: I would be completely amazed if we do not see a significant amount of malware targeting the iPhone to collect personal information.


Fred Kerby, SANS author and instructor, offers two predictions for 2009:

Michael Perry blogs that the Yellow Pages will not be useful in 2009, that it will all be done in Google.
[Stephen Northcutt] I certainly understand the thought, and it might be correct at some point, and this might be a display of my Luddite self, but I think that is not correct. I have a neighbor who creates businesses by trolling in the Yellow Pages. As an example, he took out a yellow pages ad for a cleaning business, and then, after he got a call from a local mall, he made a bid, won the bid, hired people, bought stuff and now, when I look out of my office, more often than not I see him sitting out on his porch talking on his cell phone. That is not the only business Jeremy has started with the Yellow Pages. Over time, the deck is stacked against the Yellow Pages; their online presence is not what comes to mind when you want to find a good or a service. So it will happen, but I think they will still be something we count on in 2009 – 2010. Mr Perry links to the very famous science fiction movie EPIC 2014, where the news companies go out of business as GoogleZon (Google/Amazon) emerges. I like the updated movie better, EPIC 2015.


Laura Taylor, founder of Relevant Technologies and author of the FISMA Certification & Accreditation Handbook, has come up with five predictions for 2009:
  • More and more private sector companies and universities will have to comply with FISMA. Why? Many companies that are government contractors are being required to comply with FISMA already as a stipulation in their contracts with the government. Organizations that accept grants from the government are increasingly being required to comply with FISMA.
  • FISMA 2008 will pass and government CISOs will become more empowered.
  • Information security compliance laws will drive security product development.
  • The use of digital vaults will increase as companies, universities, and organizations put more emphasis on secure exchange of information, privacy, and compliance with laws and regulations. Digital vaults are currently used for numerous applications such as e-mortgage processing, digital image exchange, secure records and documents exchange, secure applications, and secure remote collaboration (just to name a few).
  • VOIP security exploits will become more prevalent because more and more telecom switches use VOIP from the switch to the desktop. Since VOIP switches are usually more cost effective for companies to implement than traditional switches, more companies are purchasing them without understanding how vulnerabilities on these switches can be exploited. See this video on YouTube for more info: http://www.youtube.com/watch?v=UA1quyLOTdg


Rob Lee, a principal consultant for Mandiant and a SANS author/instructor, with particular expertise in Computer Forensics and e-Discovery, gives us two predictions for 2009 and beyond:
  • Volatile Data and Analysis - Gone are the days of "Rip the power cord from the back of the computer." There has been amazing progress in the area of memory forensics over the last few years. Volatile memory collection and analysis have dramatically augmented digital investigations and helped address many new challenges such as encryption and recovering key evidence that might only exist for seconds on a computer. Proper analysis of volatile data can help identify malware injected into processes and hiding on machines where A/V cannot.
In the next year, volatile data collection and analysis will be the focus of the top forensic and anti-virus software makers, leading to many advances and new offerings, both open source and commercial. Law enforcement will change standard operating procedures to include requirements to obtain volatile data prior to "ripping the power cord" out of the back of the PC. The first cases in which evidence is obtained and analyzed via volatile data will occur. Finally, computer incident response teams will shift incident response methodology to first examine volatile data, where it is more difficult to hide malware, before running subsequent tools.
  • Professional Forensic Standards - Professional forensic standards will be formally discussed and debated. With many schools and certifications graduating individuals with a computer forensic education, there is a formal need to establish what the minimal and intermediate forensic qualifications would entail. Discussing these standards will help establish the formality of the profession. Watch for many organizations, including SANS, to take part in helping establish and discuss these forensic standards over the next year.


Douglas Huber (GCIH CISSP CCNP CCDP CCAI) CISCO Regional Academy at Akron University / Summit College:

John Bambenek from the Coordinated Science Lab at the University of Illinois: My thought is that we will see an increase in using technology for the purposes of economic manipulation from foreign powers. While I don't really believe that Estonia and Georgia were subjects of "cyberwar" in the proper sense of the term, I do believe it has broadened the horizons of nations as to ways to engage in "soft" conflict with other nations.


During 2009 - 2010 you will start to hear about encryption key management problems with an end result of not being able to get your data back. Granted, this is not a new observation; Computerworld ran an article I believe was ahead of its time with the following pithy statement: "'If you share the key, you share the data; if you lost the key, you've lost the data,' says Dennis Hoffman, general manager of the data security unit of RSA Security Inc., now owned by EMC Corp."
[Stephen Northcutt] After the VA lost laptop fiasco, it seemed like organizations were rushing to implement full disk encryption at least on mobile systems. As we close out 2008, that trend continues, but it is more of a plod than a rush. Even so, there are enough of these systems out there that we are bound to see some problems. The data at highest risk is that which is encrypted without key escrow, but I am betting even with key escrow, we will read about some lost data.
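To make the escrow point concrete, here is an added example (not code from the page or from any vendor it names) in Go: a record is encrypted under a random data-encryption key, and that key is wrapped under the user's key and, optionally, an organisational escrow key, so a lost user key is fatal only when no escrow slot exists. The passphrases, the sample record and the SHA-256 key derivation are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sealed is an AES-GCM ciphertext together with the nonce it was sealed under.
type Sealed struct{ Nonce, CT []byte }

// Envelope is what lands on disk: the payload under a random data-encryption key
// (DEK), plus that DEK wrapped under every key-encryption key (KEK) allowed to recover it.
type Envelope struct {
	Payload    Sealed
	WrappedDEK map[string]Sealed // slot name ("user", "escrow") -> wrapped DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce, binding aad.
func seal(key, plaintext, aad []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, CT: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// open is the inverse; a wrong key or tampered bytes fail authentication.
func open(key []byte, s Sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.CT, aad)
}

// KEKFromPassphrase derives a 32-byte KEK; plain SHA-256 is a shortcut for the example, a real system uses a slow salted KDF.
func KEKFromPassphrase(p string) []byte {
	sum := sha256.Sum256([]byte(p))
	return sum[:]
}

// Encrypt seals plaintext under a random DEK and wraps the DEK under each KEK
// in keks. Passing only the user's KEK reproduces the "no escrow" deployment.
func Encrypt(plaintext []byte, keks map[string][]byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	payload, err := seal(dek, plaintext, []byte("payload"))
	if err != nil {
		return nil, err
	}
	env := &Envelope{Payload: payload, WrappedDEK: map[string]Sealed{}}
	for name, kek := range keks {
		// The slot name is bound as AAD so a wrapped DEK cannot be moved between slots undetected.
		w, err := seal(kek, dek, []byte(name))
		if err != nil {
			return nil, err
		}
		env.WrappedDEK[name] = w
	}
	return env, nil
}

// Recover unwraps the DEK from the named slot and decrypts the payload.
func Recover(env *Envelope, name string, kek []byte) ([]byte, error) {
	s, ok := env.WrappedDEK[name]
	if !ok {
		return nil, fmt.Errorf("no %q slot: data cannot be recovered with this key", name)
	}
	dek, err := open(kek, s, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap via %q failed: %w", name, err)
	}
	return open(dek, env.Payload, []byte("payload"))
}

func main() {
	user, escrow := KEKFromPassphrase("user-pass"), KEKFromPassphrase("escrow-pass") // constructed
	both, _ := Encrypt([]byte("constructed record"), map[string][]byte{"user": user, "escrow": escrow})
	pt, err := Recover(both, "escrow", escrow) // user key lost; the escrow slot still opens it
	fmt.Printf("%q %v\n", pt, err)
}
```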

Somewhere between 2009 - 2012, you will start hearing rumblings of regulating Google (a scary thought). Let's go back to the United Airlines stock price dip and see what we can learn about the future: Sept 9, 2008, LATIMES, "Shares of UAL briefly plummeted as low as $3 early in the day -- from $12.30 on Friday -- after a 6-year-old story on the company's 2002 bankruptcy filing resurfaced on the Web and was reported as news by an investment letter. The shares bounced back after the market realized the report wasn't current. But investors who sold at the day's lows are stuck: The Nasdaq Stock Market, where UAL stock is listed, said trades triggered by the erroneous report wouldn't be rescinded. What's more, shares of other carriers, including Continental Airlines Inc. and AMR Corp., the parent of American Airlines, also briefly dived with UAL before rebounding. UAL blamed the mess on a posting of a 2002 Chicago Tribune article on the South Florida Sun-Sentinel's website. The story then was picked up by Income Securities Advisors, a Florida investment newsletter, and disseminated as a one-line brief over Bloomberg News -- triggering a wave of panic selling. Tribune Co., the owner of the Sun-Sentinel (and also the parent of The Times), initially pointed a finger at Google Inc., saying it appeared that the search engine highlighted the story out of the Sun-Sentinel's archives over the weekend, which generated traffic and caused the newspaper's computer to move the story to a page of most-viewed articles. But Google said the only reason its search engine "crawler" bothered with the story was that it was listed on the Sun-Sentinel page of most-viewed stories -- and with the weekend date on it, instead of the 2002 date."
[Stephen Northcutt] The point is this will almost certainly happen again. Today, Google is the primary way people look for information, so if it buries important information or brings to light unimportant information or recycles old news as new news there could be serious consequences as United airlines knows all too well.


Personal devices, from the iPhone to personal GPS, are going to throw up so much interference that there will be unprecedented (though minor) problems. An O'Reilly blog talks about iPhones, but the concept of electronic interference can affect any of them: "We're really in an interesting time, radio speaking, in that there hasn't been a time before, certainly in the last five years, maybe the last ten, when there was such an inordinate number of relatively high-powered personal transmitters just wandering loose in the world."
[Stephen Northcutt] I have to agree; everyone in a house has a cell phone these days, and there are any number of devices under the FCC Part 15 rules that are cheap electronics and only so tested. As an amateur radio blog puts it, "The FCC rules require the equipment manufacturer or importer to design and test his products to ensure that they do not exceed the absolute maximum limits. In addition, the FCC requires that Part 15 devices be operated in such a way that they not cause harmful interference. The operator of the Part 15 device is responsible for correcting the interference or to stop using the device if so ordered by the FCC. This can create a very difficult situation. Imagine that the neighbor of a ham goes to a local retail store and buys a Part 15 device. If the device causes harmful interference, the rules place the responsibility of proper operation and correction of the interference on the user. This can put a ham into the unenviable position of having to explain to a neighbor that the device he or she just bought at a local store is being used in violation of federal law! The resultant disagreement is not unexpected." I did a webcast today with IBM and the webcast people are VERY aware of this; they insisted we shut our cell phones off and turn off any electronic devices, but the phone we were using for the show still had static and some breaking up.


Joshua Wright from Will Hack for Sushi says, "one of the trends I'm seeing is the continued movement toward pervasive wireless connectivity. Not limited to WiFi, there are lots of opportunities for people to connect to wireless for their social network site access, email, etc. Services like the Xohm WiMax offering in Baltimore will continue to spread, competing with existing 3G services and future 4G Long Term Evolution (LTE) technology as well. From a security perspective, users have a lot more ways to get connected now. Not only should organizations be concerned about rogue AP's, but they are also exposed from someone getting WiMax service at work to bypass content filters, or bridging their 3G card to their Ethernet segment. We still talk about auditing listening TCP/UDP ports, but now we also have to be concerned about a client's WiFi/Bluetooth/WiMAX/3G/802.15.4 connectivity as well."

Paul Asadoorian of PaulDotCom's 2009-2010 predictions. Paul is weighing in with 3:



Tim Stanley leads by example at Continental Airlines in labeling data, according to CSOonline: “Stanley wants to categorize every file in the enterprise by three variables: owner, business value and risk level. The government has "top secret," "secret" and "confidential" ratings, but Continental's designations will be more granular and dynamic, using tiers and subsets of tiers. Thinking this way vaults Continental ahead of most companies.”


Eric Cole, Secure Anchor, offers two security predictions for 2009,



Kevin McLaughlin (CISO, GSLC, CISM, CISSP, PMP), University of Cincinnati Information Security Department frames his 2009 predictions in light of his recent article describing our nation in cyber crisis:
"For many reasons, we as a society have decided that safeguarding personal information should be a "soft" skill practiced by committee instead of managed by the certified, trained professionals we hire into information security roles. Many times, the members sitting on the committees that make information security decisions have no information security background, let alone being information security professionals. Instead of deferring to qualified pilots, we are allowing passengers to fly the plane. We cannot keep making information security decisions, like whether or not Personally Identifiable Information (PII) should be encrypted, by consensus."


Stuart King raises the question of Security Fatigue in his Risk Management Blog and asks the question, "Are we going through problem fatigue from working through a continual cycle of issues that have the same root causes?"
[Stephen Northcutt] Wow, sometimes this is one of my great fears. I know that Ed Skoudis is working on a keynote for SANS 2009, Now that the bad guys have won, what now? I suppose problem fatigue could lead to apathy, but hope I am one of the last to succumb. *smile*


Ken Steinberg, CTO of Whitelist/Endpoint Security vendor Savant Protection, weighs in with no less than three predictions:

The difference is this will all take place by simply using a touch screen method. Once this becomes part of the data management culture, information will contain security controls at its creation, not as a result of some secondary discover/meta tagging process."
[Stephen Northcutt] Shoots Ken, we ought to get some venture funding and go make this happen! Oh, yeah, the credit crisis, no funding, rats.

Mason Brown, a SANS Executive, points out:
"Historically, I think it is right to say that crime tends to go up when the economy goes down. Good people WILL steal to feed their kids. So, I think we will see an increase in organized and other crime activity due to slowing economy. And I think it will be exacerbated by reductions in budget for IA training and technology. IOW, the bad guys will work harder and the good guys will be fewer and on average, have less current skills and technology. Which means the bad guys will win even more often."
[Stephen Northcutt] Good point Mason, I know CNN had a great article on this, quite touching and sobering. Perhaps you remember reading this famous passage from that story, "Pam van Hylckama Vlieg of Williamsburg, Virginia, says her great grandfather, Glen Surber, resorted to stealing food at times because he had hit rock-bottom. Surber left the family behind in Saltville, Virginia, so he could head out to West Virginia's coal mines. After he got laid off, he found himself trying to steal chickens from a nearby farmer to feed his hungry family. He hid behind a tree to wait for nightfall, but his plan was stymied when he found another person lurking in the shadows. "Both men took off running and then they realized they each thought the other was the farmer, but they were both there to steal a chicken," van Hylckama Vlieg said. "Needless to say, that was another night of water bread."


GTSI explains why we should not cross the streams. Dark Reading has picked up Georgia Tech Information Security Center report that highlights the top threats "Cellphones will become members of botnets. VOIP systems will get hit by blackmailing denial-of-service attacks. The cybercrime economy will thrive, even as the global economy struggles. And today, around 15 percent of all computers online are infected as bots, up from 10 percent last year, according to the Georgia Tech Information Security Center's (GTISC) new report on emerging cyber threats for 2009 and beyond."
[Stephen Northcutt] Well, I certainly agree with one thing: cellphones are not cellphones anymore. My wife has the AT&T Tilt and she is rapidly losing interest in her laptop. I have the iPhone and it has zero security; I am just hoping I survive until Android is reliable. I know Savant has already written whitelist software for Android.


Government Computer News also picks up the Georgia Tech Information Security Center report; their takeaway is "What's the top threat to data security going to be in 2009? According to the GTISC Emerging Cyber Threats Report for 2009 out of Georgia Tech's Information Security Center, the answer is malware specifically disguised as 'benign social networking links.'"
[Stephen Northcutt] I've heard about this with MySpace and Facebook; my primary social media is LinkedIn and, as far as I've heard, the attacks there have been primarily spear phishing.


In 2009 - 2010 we will need to do a better job of measuring Information Security. From Kevin Thompson: "I just got done reading "The New School of Information Security" and "Security Metrics: Replacing Fear, Uncertainty, and Doubt" and I was very pleased to see more attention being paid to measuring security and attaching business processes to the practice of information security. Having said all of that, I think the biggest challenge that we're going to be facing in the future is measuring information security. The time is coming when we will no longer be able to convince our management to spend money on something by scaring the bejesus out of them. This is already the case in some larger institutions with mature project selection processes, but I think if the economic recession continues more companies are going to be scrutinizing spending across the board. It is high time that everyone working in information security learn about using Net Present Value to select projects. However, if you're going to estimate cash flows, you need to have good data to go on, which means that you need to be able to measure events and the impact of those events. I don't know if this is a powerful trend for 2010 as much as 2012 or 2013, but it will be something that we all need to know.

Our inability to measure information security directly affects our ability to manage risk. How can we calculate Annual Loss Expectancy when we can't really determine how much our assets are worth? We have no way of reliably determining the probability of some event affecting our assets, and we have no way of knowing how much damage each of these events will do.

My advice would be to prepare yourself for these questions because they are coming. Selling me a self defending network is no longer sufficient. I want to know how many unpatched machines were connected to the network, what vulnerabilities are exposed because of the missing patches, how often those vulnerabilities are being exploited on other networks, and how much it has cost others when it was exposed. Then I can show my managers real benefit for their purchase."
[Stephen Northcutt] I really enjoyed reading "Security Metrics", but "The New School of Information Security" lost me.
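As an added worked example of the selection method Thompson argues for (not code from the page or from the books he cites), this Go program turns a measured reduction in Annual Loss Expectancy into yearly cash flows and ranks candidate controls by Net Present Value; the two control names, the loss figures and the discount rate are all constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Control is a proposed security investment described with the inputs
// Thompson asks for: what it costs and its measured effect on loss frequency.
type Control struct {
	Name        string
	UpfrontCost float64 // year-0 outlay
	AnnualCost  float64 // licences, staff time and so on, per year
	SLE         float64 // single loss expectancy: cost of one incident
	AROBefore   float64 // annualised rate of occurrence without the control
	AROAfter    float64 // expected rate of occurrence with the control in place
	Years       int     // planning horizon
}

// ALE is the Annual Loss Expectancy: single loss expectancy times the
// annualised rate of occurrence.
func ALE(sle, aro float64) float64 { return sle * aro }

// AnnualBenefit is the ALE the control removes, net of its running cost.
func (c Control) AnnualBenefit() float64 {
	return ALE(c.SLE, c.AROBefore) - ALE(c.SLE, c.AROAfter) - c.AnnualCost
}

// NPV discounts each year's net benefit back to today and subtracts the
// upfront outlay; a positive result means the control earns its keep.
func (c Control) NPV(discountRate float64) float64 {
	npv := -c.UpfrontCost
	benefit := c.AnnualBenefit()
	for y := 1; y <= c.Years; y++ {
		npv += benefit / math.Pow(1+discountRate, float64(y))
	}
	return npv
}

// Select returns the controls with positive NPV, highest first: the order in
// which a manager would fund them from a fixed budget.
func Select(candidates []Control, discountRate float64) []Control {
	var funded []Control
	for _, c := range candidates {
		if c.NPV(discountRate) > 0 {
			funded = append(funded, c)
		}
	}
	sort.Slice(funded, func(i, j int) bool {
		return funded[i].NPV(discountRate) > funded[j].NPV(discountRate)
	})
	return funded
}

// Candidates are constructed for the example; the figures are illustrative only.
var Candidates = []Control{
	{Name: "patch management for the unpatched hosts", UpfrontCost: 50000, AnnualCost: 10000,
		SLE: 40000, AROBefore: 2.0, AROAfter: 0.5, Years: 3},
	{Name: "self-defending network appliance", UpfrontCost: 200000, AnnualCost: 40000,
		SLE: 40000, AROBefore: 2.0, AROAfter: 1.5, Years: 3},
}

func main() {
	const rate = 0.10 // constructed cost of capital
	for _, c := range Candidates {
		fmt.Printf("%-42s ALE before %8.0f after %8.0f NPV %10.0f\n",
			c.Name, ALE(c.SLE, c.AROBefore), ALE(c.SLE, c.AROAfter), c.NPV(rate))
	}
	for _, c := range Select(Candidates, rate) {
		fmt.Println("fund:", c.Name)
	}
}
```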



J. Michael Butler, GCFA GSEC CISA, weighs in with a double hitter:
If you want to contact Michael, here are his details:
J. Michael Butler GCFA GSEC CISA
Information Security Consultant
Lender Processing Services
601 Riverside Avenue
Jacksonville, FL 32204
904.854.5851 (w)
j.michael.butler@lpsvcs.com
www.lpsvcs.com


Repeat from 2008: Tony Bradley's blog mentions Network Traffic Consolidation; I think it has legs for 2009:
"One of the big technologies of 2007 was the introduction of unified communications by both Microsoft and Cisco. The merging of all communications technologies into a single, unified system will continue into 2008. Aside from the whiz-bang, 'keep-up-with-the-Jones' aspect, there is a lot to be gained in terms of efficiency and productivity for organizations that leverage unified communications."
[Stephen Northcutt] Now the question here is, exactly what does this mean? If Tony means Everything over IP, I totally agree. According to Building Broadband Networks by Littman, it could mean pervasive use of ATM. I tried to do a search on Google, but most entries were pretty old and were mostly related to core switching technology. But I am still betting on convergence. For sure, I talk with students that have separate voice networks, but when that PBX reaches end of life, will they actually buy a new one? I do not think so. SANS has a VoIP course if you want to get your SIP on.


Repeat from 2008, Rational Security is focused on Information Centric Security Phase One:
"It should come as no surprise that focusing our efforts on the host and the network has led to the spectacular septic tank of security we have today. We need to focus on content in context and set policies across platform and transport to dictate who, how, when, where, and why the creation, modification, consumption and destruction of data should occur. In this first generation of DLP/CMF solutions (which are being integrated into the larger base of "Information" centric "assurance" solutions,) we've taken the first step along this journey. What we'll begin to see in 2008 is the information equivalent of the Mission Impossible self-destructing recording...only with a little more intelligence and less smoke. Here come the DRM haters."
--April 11 2008 Update: "It's time for the industry to move away from protection of infrastructure and toward an "information-centric" security model, said Thompson, chairman and CEO of Symantec" two days ago in a keynote at RSA. I think this is a sure fire winner for 2008. For one thing the move to comply with the rules of discovery has caused organizations to survey what information they have, which is a first step in information centric security.
[Stephen Northcutt] My wife asked me about cloud computing yesterday, what it was. And so, as I was explaining it, Kathy then asked how you know where your information is or that it is processed correctly. So, I lamely tried to say, "well, it all just works." Funny thing, at the time I was writing a keynote for a Cisco internal conference, and the one suggestion I have for Cisco is to start focusing on delivering information to, from, and within clouds in an orderly and secure manner.