Security Laboratory


Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.


2009 Security Predictions

Stephen Northcutt and friends
Version 1.11

Guy Bruneau, Senior Security Consultant at IPSS weighs in with his prediction for 2009:
  • Network Traffic Forensic Analysis (NTFA) is going to take more importance as analysts are trying to find ways to understand what is going on in their networks and improve their ability to detect problems and attacks. To accomplish this you typically record all of the network traffic for days or even weeks. Then if you suspect you have an issue, perhaps from a log file alert, you can begin the process of reconstructive traffic analysis. First we "sessionize" the traffic, that is isolate all of the packets sent between the IP addresses of interest and then isolate the flows or conversations. Then we begin looking for the artifacts of interest.
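The two steps Guy describes, isolating the packets between the addresses of interest and then splitting them into flows, are easy to show on a handful of packet records. The following is an added example written for this page, not code from IPSS or any capture tool; the packet records, addresses and ports are constructed sample data, and a production tool would also split long-idle flows on a timeout.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet record as a capture tool would summarize it."""
    ts: float       # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    length: int     # bytes on the wire


# Constructed sample capture (not real traffic): a web session, a DNS
# lookup from a second host, and another connection to the same web server.
SAMPLE_PACKETS = [
    Packet(100.0, "10.1.1.5", 51000, "192.0.2.10", 80, "tcp", 74),
    Packet(100.1, "192.0.2.10", 80, "10.1.1.5", 51000, "tcp", 74),
    Packet(100.2, "10.1.1.5", 51000, "192.0.2.10", 80, "tcp", 512),
    Packet(101.0, "10.1.1.7", 40000, "198.51.100.3", 53, "udp", 80),
    Packet(101.1, "198.51.100.3", 53, "10.1.1.7", 40000, "udp", 140),
    Packet(102.0, "10.1.1.5", 51001, "192.0.2.10", 443, "tcp", 74),
    Packet(103.5, "10.1.1.5", 51000, "192.0.2.10", 80, "tcp", 1500),
]


def packets_between(packets, ip_a, ip_b):
    """Step one: isolate every packet exchanged between two hosts of interest."""
    pair = {ip_a, ip_b}
    return [p for p in packets if {p.src, p.dst} == pair]


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation collapse into one flow."""
    endpoints = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, endpoints[0], endpoints[1])


def sessionize(packets):
    """Step two: group packets into flows, each kept in time order."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)
    return dict(flows)


def summarize(flows):
    """Per-flow summary an analyst scans before pulling payloads for artifacts."""
    rows = []
    for (proto, a, b), pkts in flows.items():
        rows.append({
            "proto": proto,
            "initiator": pkts[0].src,          # first packet seen sets the direction
            "endpoints": f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}",
            "packets": len(pkts),
            "bytes": sum(p.length for p in pkts),
            "first": pkts[0].ts,
            "duration": round(pkts[-1].ts - pkts[0].ts, 3),
        })
    return sorted(rows, key=lambda r: r["first"])


if __name__ == "__main__":
    suspect = packets_between(SAMPLE_PACKETS, "10.1.1.5", "192.0.2.10")
    for row in summarize(sessionize(suspect)):
        print(row)
```

Run as a script it prints one summary row per conversation between the two hosts; the flow key sorts the two endpoints so the client-to-server and server-to-client packets land in the same flow, while the first packet's source is kept as the initiator.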

Slashdot reports Kurzweil’s 2009 Security Predictions made ten years ago. According to Wikipedia, "Raymond Kurzweil (pronounced /ˈkɜrzwaɪl/) (born February 12, 1948) is an inventor and futurist. He has been a pioneer in the fields of optical character recognition (OCR), text-to-speech synthesis, speech recognition technology, and electronic keyboard instruments. He is the author of several books on health, artificial intelligence (AI), transhumanism, the technological singularity, and futurism."
  • Let’s take a look at a few (my comments in italics):
    • "It is now 2009. Individuals primarily use portable computers, which have become dramatically lighter and thinner than the notebook computers of ten years earlier." That is certainly true; my wife has an AT&T Tilt that she can use to edit MS Office applications and it is smaller than a cigarette box.
    • "People typically have at least a dozen computers on and around their bodies, which are networked using "body LANs"" Exactly, that would be Bluetooth and the Personal Area Network.
    • "Cables are disappearing. Communication between components, such as pointing devices, microphones, displays, printers, and the occasional keyboard, uses short-distance wireless technology." Have to give him another score on that.
    • Let’s do one more. "Computer displays have all the display qualities of paper--high resolution, high contrast, large viewing angle, and no flicker. Books, magazines, and newspapers are now routinely read on displays that are the size of, well, small books." Sounds like Amazon’s Kindle to me.
  • Now here is the point, and it is something I have a hard time getting across to my students. These futurists don’t just predict the future, they have a big part in creating it. Take ECC for example: it was invented in 1985 and quickly began being considered for use in small devices such as cell phones for eCommerce because it uses less power to achieve a given level of protection. Someone had to think of the idea of the cell phone, someone had to think of using cell phones in eCommerce and then start putting the technology together to make the concept possible. It is not a bad idea to visit a futurist web site or two; for instance, this link will take you to Futurist Magazine’s 2009 and beyond predictions.

Raphael Gomes Pereira from Chemtech in Brazil weighs in,
  • In 2009/2010 we will have more problems and issues related to information security in industrial environment (SCADA, PIMS, MES and other industrial systems). As a result of increased successful attacks, we will see more security products developed for this market as well.
[Stephen Northcutt] Sure, I know of a case in Colombia where someone hacked the power company and lowered people’s bills. Turns out the law there says once you have sent the bill you can’t change it, so they lost a lot of money. However, my primary concern in this area is nation-state activity, where one country or a federation of hackers in a region goes after another country’s infrastructure.

Database Activity Monitoring (DAM) will start to be the new security project for ITSEC shops. It will be driven by compliance, much like the earlier push for log monitoring; the initial push will probably come from PCI and from auditors starting to understand the problem. This has all the earmarks of a hot project because there is a simple business driver: employees snoop on database records when they shouldn’t. Britney Spears' records were accessed by 13 employees at UCLA Medical Center. George Clooney’s were accessed at a New Jersey medical facility. Even though both of these are clearly HIPAA violations, PCI has more specific language referring to database monitoring. President-elect Obama’s cell phone records were accessed by Verizon employees, and his passport file was also improperly accessed.
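The snooping cases above are exactly what a DAM deployment is expected to surface: a database audit trail reviewed for record access that has no business justification. The script below is an added example for this page, not code from any DAM product; the audit-log format, the `case=` justification field, the watchlist of flagged record ids and the log lines themselves are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit-log lines in a hypothetical key=value format (not from any
# real product). A "case=" reference is the business justification for the access.
SAMPLE_LOG = """\
2008-12-01T09:14:02 user=nurse01 action=SELECT table=patients record_id=10422 case=C-7781
2008-12-01T09:15:10 user=nurse01 action=SELECT table=patients record_id=10423 case=C-7782
2008-12-01T09:20:33 user=clerk07 action=SELECT table=patients record_id=90001
2008-12-01T09:21:05 user=clerk07 action=SELECT table=patients record_id=90001
2008-12-01T11:02:44 user=billing3 action=SELECT table=patients record_id=20001 case=C-7790
2008-12-01T11:02:45 user=billing3 action=SELECT table=patients record_id=20002
2008-12-01T11:02:46 user=billing3 action=SELECT table=patients record_id=20003
2008-12-01T11:02:47 user=billing3 action=SELECT table=patients record_id=20004
2008-12-01T11:02:48 user=billing3 action=SELECT table=patients record_id=20005
2008-12-01T11:02:49 user=billing3 action=SELECT table=patients record_id=20006
2008-12-01T12:00:00 user=dba01 action=UPDATE table=patients record_id=10422 case=CHG-110
this line is malformed and must be skipped
"""

# Constructed: record ids of high-profile subjects whose records are flagged for review.
WATCHLIST = {"90001"}
# Distinct records one user may touch in a day without a case reference before we alert.
BULK_THRESHOLD = 5

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) record_id=(?P<record>\d+)(?: case=(?P<case>\S+))?\s*$"
)


def parse_line(line):
    """Return the fields of one audit line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, watchlist=WATCHLIST, bulk_threshold=BULK_THRESHOLD):
    """Two detections over the audit trail:
    1. any access to a watchlisted record with no case reference (one alert per user/record)
    2. a user touching many distinct records in one day with no case reference (bulk snooping)
    """
    alerts = []
    seen_watchlist = set()
    unjustified = defaultdict(set)          # (user, day) -> records read with no case
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # malformed lines are skipped, never trusted
        if rec["case"]:
            continue                        # justified access; not in scope for these rules
        key = (rec["user"], rec["record"])
        if rec["record"] in watchlist and key not in seen_watchlist:
            seen_watchlist.add(key)
            alerts.append(("watchlist_no_case", rec["user"], rec["record"]))
        unjustified[(rec["user"], rec["ts"][:10])].add(rec["record"])
    for (user, day), records in sorted(unjustified.items()):
        if len(records) >= bulk_threshold:
            alerts.append(("bulk_access_no_case", user, day, len(records)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample data this raises one alert for the clerk who opened the flagged record twice without a case, and one for the billing user who walked through five records without justification; the nurse and the DBA, whose accesses carry case references, raise nothing. In practice the justification field would come from a ticketing or "break the glass" workflow rather than free text, and watchlist accesses would be reviewed even when justified.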

In a related prediction, NewsBites 12/30/2008 carried the following story:
Report Finds DHS Intelligence Fusion Centers Present Privacy Concerns (December 23 & 29, 2008) According to a Privacy Impact Assessment (PIA) from US Department of Homeland Security (DHS) chief privacy officer Hugo Teufel III, the agency's intelligence fusion centers pose significant privacy concerns. The centers were created to comply with the Implementing Recommendations of the 9/11 Commission Act of 2007. The Act also requires that PIAs be performed. The PIA found several areas of concern, including ambiguous lines of authority rules and oversight; participation of the military and the private sector; and mission creep.

David Swift, Sr. Security Specialist with Perot Systems, shares his 2009 security prediction:
  • I’m afraid I’d have to go with "Peter Picks a Pundit". Following the Peter principle, many in high places within IT, through no action of their own, who are not well informed, nor willing to ask those who are, will continue to be led by consulting/marketing groups in their choices rather than driven by business needs.

Jason Fossen of Enclave Consulting, also a SANS author and instructor, offers his security prediction for 2009:
  • The successor to Windows Vista is Windows 7. Windows 7 is on track to be released just before the 2009 Christmas rush. Since about 94% of corporations skipped over Windows Vista, the pent-up demand to upgrade will be great, and, as the recession lifts in late 2009, there will be mass migrations from XP to Windows 7 in 2010.
  • Windows 7 and IE8 development has benefitted from Microsoft's SDLC efforts for Windows Vista/2008 and IE7, so the rate of new Windows/IE critical vulnerability disclosures should continue its current decline. Nonetheless, Windows 7, Server 2008-R2 and all the "Live" web-based services they are designed around are the most complex products Microsoft has ever produced, and because a large percentage of security incidents are enabled by configuration errors or omissions, the total number of incidents globally on Windows networks will increase despite the inherent OS security improvements (security goes down as complexity goes up).
  • In Q1'09, Microsoft will release Office 2007 SP2, which will include native support for ODF and PDF files. Google Docs and OpenOffice both use ODF and PDF files primarily. OpenOffice 3.0 is much better than before, Google Docs is part of the "cloud computing" wave, and both are free. The recession in 2009 will drive wider adoption of both Google Docs and OpenOffice, which will drive hacker interest in subverting these formats.
  • Microsoft will make another bid to buy Yahoo after Yahoo's stock hits a new market low in the first half of 2009. Unlike before, Yahoo's shareholders will jump at this "second chance" to recoup their losses from the 2008/2009 bear market.
  • Microsoft will fumble the "cloud computing" ball in 2009/2010, allowing competitors like Google to make further headway in this niche. The cause will be corporate culture exhaustion: the change from selling shrink-wrapped Windows and Office licences to providing software as a service will be too much of a shock to the Microsoft apparatchiks. The Yahoo purchase will be somewhat squandered, allowing Google to simply further lock its dominance in the search space (Microsoft will have hobbled Google's number one competitor). Microsoft's cloud computing services won't extend much beyond the home/SOHO markets until after 2010 or later.
  • Just like Citrix in an earlier battle, Microsoft will continue to successfully hammer away at VMware's dominance in the virtualization field. Virtualization technologies will be well on their way towards commoditization in 2010, which will benefit Microsoft at VMware's expense, though VMware will still be viewed as the official leader, just as Citrix is still the official leader in thin-client computing.
  • The continuing Vista debacle will allow Apple to win 12% of market share of new computer purchases in 2009, but the recession and Windows 7 will together make this percentage the peak for a few years afterwards. Linux on the desktop will continue its downward slide as Apple, not Microsoft, pulls even more Linux advocates away.
  • Windows Server 2008-R2 will only support 64-bit hardware. Windows 7 will come in both 32-bit and 64-bit versions, but will probably be the last edition of Windows to support 32-bit. Hence, late 2009 or early 2010 will finally see the shift to 64-bit on the desktop/laptop as the default in all environments. RAM prices will continue to fall, of course, and it won't be uncommon to purchase 64-bit desktop computers that come with 16GB of memory (which will be good for Windows 7, it'll be just as RAM-hungry as Vista).
  • Cold boot attack tools will proliferate, becoming more powerful and easier to use. The threat of cold boot attacks will spur more purchasing departments to only buy new laptops if they come with a Trusted Platform Module (TPM) chip. Security software vendors will follow suit, all of which want to claim "TPM integration" on their marketing brochures.

David Hoelzer, Director of Research at Enclave Forensics, has just returned from teaching at a SANS conference, and he sent us his information security predictions for 2009:
  • I predict that in 2009 a major corporation who is fully PCI/DSS compliant will experience a major data breach, proving the point that "Compliant" is not the same as "Secure". PREDICTION FULFILLED
    • Stephen Northcutt [January 21, 2009] It looks like David's first prediction has already come to pass! Read his blog about Heartland Payment System's data breach announcement.
  • My second prediction is that we'll see the industry begin to look for the next "big thing" in log management since many feel that SIEMs, SEMs, and the log management tools that they are paying for are not delivering the promised results.

David Linthicum, InfoWorld, has posted his 2009 Service Oriented Architecture (SOA) predictions; my favorite: "There will be a larger focus on inter-domain SOA technology, or highly scalable and secure middleware technology that will provide scalable service and information access between the instances of SOAs within the enterprise, and perhaps intercompany as well. The fact is that much of the SOA solutions out there can't scale much past a single problem domain, thus this technology will become key to the strategic success of SOA."
[Stephen Northcutt] This is a huge problem and it may be more of a 2010 prediction as the cash meltdown in the economy is likely to slow development down. Part of the problem is UDDI Security, you just do not want to expose business logic to a large number of people, even internal people. So as people are working on this middleware, don’t forget to bake security into your software.

There will be any number of people warning about MySpace, Facebook, Google Hacking etc in 2009-2010. As they come up, I will try to toss links to them. And they are all valid to some extent: young vulnerable girls do post too much information on MySpace, people do use other social media to track other people. Here is a really creative crime, written up in, "Another area of online crime that people need to be wary of is the bogus job offer, which can lead to being duped, or dead. The man who robbed an armored truck guard in Monroe last month used a Craigslist ad to hire a dozen unsuspecting decoys to be in the area as he made his getaway. The ad was for a prevailing-wage job -- $28.50 an hour -- for a road maintenance project. Those who inquired were told to show up to work wearing a "yellow vest, safety goggles, a respirator mask ... and, if possible, a blue shirt." Turns out that's also what the robber wore."
[Stephen Northcutt] It is a dangerous world and one problem with Craigslist is that it can be hard to validate who you are dealing with.

Benjamin Wright, Attorney, author and SANS Instructor, shares his 2009 security predictions:
  • However, firms have legitimate desires to pare down the quantity of the records they keep and to better understand the records they do keep. To tackle this problem, a few advanced firms are developing custom artificial intelligence programs. The programs examine each e-mail, text and so on and decide how to categorize it and how long to keep it, based on an analysis of content. This is a fertile field for the application of AI.

Stephen Northcutt muses on the recent G20 meeting; their final communique has five major points:
  • We agreed that a broader policy response is needed
  • Based on closer macroeconomic cooperation
  • To restore growth
  • Avoid negative spillovers, and
  • Support emerging market economies and developing countries
OK, first a financial observation: all that I have read says to diversify investments. However, almost everything we have invested in is down. Growth stocks, down. Value stocks, down. I managed to eke out a profit first quarter, but it was just taking too much time. Bonds, down. Mutual funds, down. Foreign investments, down. Even start-up companies are drifting down because the market is so tough. In fact, if Kathy had not insisted on the classic 4% CD for a measurable percentage of our investments, we would have been badly damaged financially. The only way to avoid negative spillovers is to implement some decoupling. Everything is still related, so there was no bright sector to turn to. There is an interesting advertising article by the Motley Fool on China and why their stimulus might actually create decoupling, but I am not in the mood to play in stocks of any sort before the end of the year. My 2009/2010 security prediction about the G20 communique is that to do all of this wonderful stuff they promise, they will have to do a lot of communication and planning. And some of the computer systems they do this communication and planning on are going to be infected with malware; the sort of malware that is designed to collect intelligence data. This article by Business Week paints a bit of the picture. And if you can get to SANS Security West, Rob Lee, a forensics expert, is going to explain the specifics of this in his night talk. The result of that is that some of this money will not be as effective as the people hoped because unscrupulous actors are going to intercept some of the plans and use them to their own advantage. Darkvisitor reports, "In October, Chinese hackers were able to gain access to the World Bank and this month it seems they have penetrated the International Monetary Fund. The analysis, provided by a former British intelligence officer, concludes that China is using this information for geopolitical leverage during the global financial crisis."
If I were the G20, I would hire a few real security experts and run Kaspersky on as many systems as possible (my understanding is that while it is slow, it is the best of the lot), so even if you use a different AV product, at least scan them with Kaspersky and also the Microsoft One Care Safety Scanner, an awesome, free tool. Also, get as many of the G20 on Firefox 3 running the NoScript plugin as possible. Next, get whitelist software like SavantProtection, CoreTrace, Bit9 or Lumension on those systems to make it much, much harder to infect.

And this same advice goes for President-elect Obama, I hope that cybersecurity will be a priority in his administration. That was one of his campaign promises according to nextgov "As president, I'll make cybersecurity the top priority that it should be in the 21st century". "I'll declare our cyber-infrastructure a strategic asset, and appoint a national cyber adviser, who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cybersecurity policy and tighten standards to secure information -- from the networks that power the federal government to the networks that you use in your personal lives." No matter who you voted for, the evidence is compelling that the United States government needs to do a better job of securing their systems.

A blogger, Douglas Karr, who focuses on marketing, has an interesting prediction for 2009: that search and mobile are the future. The reason this prediction is interesting is that Nokia just announced they expect mobile device sales to be soft in 2009. The Marketwatch article states many high tech companies have lowered their forecast for 2009 including Intel, Cisco and Sun (Sun is cutting 6,000 positions). According to ThomasNet, "Unsurprisingly, the world economic outlook remains grim, with global GDP expected to decelerate in 2009, according to recent economic reports. Recovery is not anticipated until the latter half of next year." So at first blush, I think Mr. Karr may miss the prediction since he pegs 2009, but that search and mobile are going to do well in the future is for certain. But before we listen to the gloom-and-doomers, let's drill down into the data. Mr. Karr's blog does point to an incredible file by Mary Meeker from Morgan Stanley (use the plus sign and view in full screen mode or the text is too small). It is the best analysis I have seen of the current economy and really has me thinking. If you want to understand the current economy, please take the time to read this; if you don't get it the first time, come back a day later and look at it again. Here is just one fact that I found amazing: the Kindle, Amazon's e-book reader, accounts for 12% of Amazon's book sales for titles that are available on the Kindle. Another thing that may help Mr. Karr's prediction is that the popular gadgets are really popular. According to a prediction published by Reuters in June, "Morgan Stanley expects 27 million iPhones to be sold in calendar year 2009 with an average revenue of $550 per unit." So maybe not every mobile device is going to do well, but Nokia could have an off year and Apple could have a banner one. And as far as search, Google remains a steady Eddie, continuing to wrest market share from Yahoo and Microsoft.
I still hold that the Michael Perry blog that yellow pages will not be useful in 2009 misses by a few years.

Next a bit more on iPhones. Stephen Northcutt observes that almost all SANS instructors have iPhones. Will we see a major focus to compromise iPhones with malware in 2009-2010? Very likely. First some background: CSO magazine reported last year in an interview by Bill Brenner, possibly the best IT Security Journalist, with Mikko Hypponen, "It's quite quiet on the mobile side. We now have over 400 known mobile phone viruses and Trojans, but most of those target the older smartphone systems," he says. "Most of the current systems have improved built-in security." Hypponen believes the most likely mobile risk today isn't mobile viruses or Trojans, but mobile spying tools like FlexiSpy, Neocall or Mobile Spy. These commercial tools run fine even on the latest versions of Symbian, Windows Mobile or Blackberries, he says. Meanwhile, iPhone has been the target of some attacks, but it still has a minuscule market share globally compared to the big boys like Nokia. That means a smaller bull's-eye. But as that market share increases, he expects more attacks to materialize." Then, in January 2008, reports, "The US Computer Emergency Response Team (US-CERT) has issued a warning that a fraudulent iPhone upgrade is making its way around the Internet and users should not be fooled into installing it. A package called "iPhone firmware 1.1.3 prep," which described itself as "an important system update. Install this before updating to the new 1.1.3 firmware" is floating around on the Internet. The fact it does not come from Apple is clue #1 that something is wrong. "This Trojan claims to be a tool used to prepare the device for an upgrade to firmware version 1.1.3," the US-CERT advisory said. "When a user installs the Trojan, other application components are altered. If the Trojan is uninstalled, the affected applications may also be removed."
[Stephen Northcutt] So you can see the pattern here. If the iPhone is successful in the marketplace, it becomes a target. Is it a success? According to PC Retail, Apple "attains self-imposed target of ten million units sold in 2008. Apple has shifted ten million iPhones so far this year, beating its self-imposed deadline by two months, reports Mac World. Last quarter, with the release of the 3G version, iPhone sales outperformed all the other quarters combined with 6.8 million units shipped and outselling its closest rival, RIM’s BlackBerry by 700,000 units." And the iPhone has very little built-in security; originally it was security by obscurity. According to CNET, "Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder." But that was in 2007; today there is an Apple developer page and SDK available. In addition to the authorized SDK, people have been finding ways to do unauthorized things like jailbreak the phone in about a minute. The bottom line: I would be completely amazed if we do not see a significant amount of malware targeting the iPhone to collect personal information.

Fred Kerby, SANS author and instructor, offers two predictions for 2009:
  • Organizations that have 'streamlined' the risk assessment process to include blind adherence to results from credentialed scans (and ignore other considerations) will experience a continued downturn in security effectiveness. Approved scanning templates that produce out of context reports will continue to mislead accreditors, resulting in more re-work for already burdened system administrators and other security personnel.
  • Encryption for portable storage devices will continue to be a significant challenge for organizations of all sizes. Some organizations that implemented public key cryptography earlier for encrypting email (with the intent to leverage that infrastructure to portable devices) are now living in the theory - reality gap where they experience the frustration of not being able to obtain private decryption keys that were believed to be escrowed earlier.

Michael Perry blogs that the Yellow Pages will not be useful in 2009, that it will all be done in Google.
[Stephen Northcutt] I certainly understand the thought, and it might be correct at some point, and this might be a display of my Luddite self, but I think that is not correct. I have a neighbor who creates businesses by trolling in the Yellow Pages. As an example, he took out a Yellow Pages ad for a cleaning business, and then, after he got a call from a local mall, he made a bid, won the bid, hired people, bought stuff and now, when I look out of my office, more often than not I see him sitting out on his porch talking on his cell phone. That is not the only business Jeremy has started with the Yellow Pages. Over time, the deck is stacked against the Yellow Pages; their online presence is not what comes to mind when you want to find a good or a service. So it will happen, but I think they will still be something we count on in 2009 – 2010. Mr Perry links to the very famous science fiction movie EPIC 2014, where the news companies go out of business as GoogleZon (Google/Amazon) emerges. I like the updated movie better, EPIC 2015.

Laura Taylor, founder of Relevant Technologies and author of the FISMA Certification & Accreditation Handbook, has come up with five predictions for 2009:
  • More and more private sector companies and universities will have to comply with FISMA. Why? Many companies that are government contractors are being required to comply with FISMA already as a stipulation in their contracts with the government. Organizations that accept grants from the government are increasingly being required to comply with FISMA.
  • FISMA 2008 will pass and government CISOs will become more empowered.
  • Information security compliance laws will drive security product development.
  • The use of digital vaults will increase as companies, universities, and organizations put more emphasis on secure exchange of information, privacy, and compliance with laws and regulations. Digital vaults are currently used for numerous applications such as e-mortgage processing, digital image exchange, secure records and documents exchange, secure applications, and secure remote collaboration (just to name a few).
  • VOIP security exploits will become more prevalent because more and more telecom switches use VOIP from the switch to the desktop. Since VOIP switches are usually more cost effective for companies to implement than traditional switches, more companies are purchasing them without understanding how vulnerabilities on these switches can be exploited. See this video on YouTube for more info:

Rob Lee, a principal consultant for Mandiant and a SANS author/instructor, with particular expertise in Computer Forensics and e-Discovery, gives us two predictions for 2009 and beyond:
  • Volatile Data and Analysis - Gone are the days of "Rip the power cord from the back of the computer." There has been amazing progress in the area of memory forensics over the last few years. Volatile memory collection and analysis has dramatically augmented digital investigations and helped address many new challenges such as encryption and recovering key evidence that might only exist for seconds on a computer. Proper analysis of volatile data can help identify malware injected into processes and hiding on machines where A/V cannot.
In the next year, Volatile Data collection and analysis will be the focus of the top forensic and anti-virus software makers, leading to many advances and new offerings, both open source and commercial. Law enforcement will change standard operating procedures to include requirements to obtain volatile data prior to "ripping the power cord" out of the back of the PC. The first cases in which evidence obtained and analyzed from volatile data is presented will occur. Finally, computer incident response teams will shift incident response methodology so that they first examine volatile data, where it is more difficult to hide malware, before running subsequent tools.
  • Professional Forensic Standards - Professional Forensic Standards will be formally discussed and debated. With many schools and certifications graduating individuals with a computer forensic education, a formal need is required to establish what the minimal and intermediate forensic qualifications would entail. Discussing these standards will help establish the formality of the profession. Watch for many organizations, including SANS, to take part in helping establish and discuss these forensic standards over the next year.

Douglas Huber (GCIH CISSP CCNP CCDP CCAI), Cisco Regional Academy at Akron University / Summit College:
  • My prediction is that the new application-oriented firewalls that allow the construction of rules based upon packet content/signatures in conjunction with protocols and ports will be chased by a number of vendors and will change the role of firewalls in a number of data center topologies. These will tend to displace the role of traditional IDS, proxy servers and other individual products as these become all-in-one solutions that may be easier to manage.
  • A second prediction is that corporate management will become increasingly aware of intellectual property theft as an IT security risk. This will occur as the financial visibility of these losses increase.

John Bambenek from the Coordinated Science Lab at the University of Illinois: My thought is that we will see an increase in using technology for the purposes of economic manipulation from foreign powers. While I don't really believe that Estonia and Georgia were subjects of "cyberwar" in the proper sense of the term, I do believe it has broadened the horizons of nations as to ways to engage in "soft" conflict with other nations.

During 2009 - 2010 you will start to hear about encryption key management problems with an end result of not being able to get your data back. Granted, this is not a new observation; Computerworld ran an article I believe was ahead of its time with the following pithy statement: "If you share the key, you share the data; if you lost the key, you've lost the data," says Dennis Hoffman, general manager of the data security unit of RSA Security Inc., now owned by EMC Corp.
[Stephen Northcutt] After the VA lost-laptop fiasco, it seemed like organizations were rushing to implement full disk encryption, at least on mobile systems. As we close out 2008, that trend continues, but it is more of a plod than a rush. Even so, there are enough of these systems out there that we are bound to see some problems. The data at highest risk is that which is encrypted without key escrow, but I am betting even with key escrow, we will read about some lost data.
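The failure Fred Kerby and Stephen both describe is an escrow that was assumed to work and never exercised. One escrow design that avoids a single custodian losing the key is to split the data-encryption key with Shamir's secret sharing and verify recovery at escrow time. The code below is an added example written for this page, not code from any product named on it; it uses only the Python standard library, and the 32-byte key it splits is a constructed demonstration value, not a real key.

```python
import secrets

# 2^521 - 1 is a Mersenne prime, so arithmetic mod PRIME is a field;
# it comfortably holds keys of up to 64 bytes as integers.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Shamir split: any `threshold` of the `shares` points recover `secret`;
    fewer than `threshold` reveal nothing about it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 <= threshold <= shares < PRIME:
        raise ValueError("bad threshold/share count")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den^(PRIME-2) is the modular inverse of den (Fermat's little theorem).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_key(shares, key_len):
    """Reassemble the key bytes from at least `threshold` shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


def escrow_key(key, threshold, custodians):
    """Split a data-encryption key across custodians and prove the escrow works
    before anyone relies on it: the check Fred's 'theory - reality gap' firms skipped."""
    shares = split_secret(int.from_bytes(key, "big"), threshold, custodians)
    if recover_key(shares[:threshold], len(key)) != key:
        raise RuntimeError("escrow verification failed; do not deploy this key")
    return shares


# Constructed demonstration key; a real deployment would use secrets.token_bytes(32).
DEMO_KEY = bytes(range(32))

if __name__ == "__main__":
    shares = escrow_key(DEMO_KEY, threshold=3, custodians=5)
    print("3 of 5 shares recover the key:", recover_key(shares[2:], 32) == DEMO_KEY)
```

The shares would go to separate custodians (for example security, legal and an offline safe), and the same verification should be repeated on a schedule, since a share that was never tested after the custodian left or the media aged is the escrow that fails on the day the laptop owner forgets the passphrase.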

Somewhere between 2009 - 2012, you will start hearing rumblings of regulating Google (a scary thought). Let's go back to the United Airlines stock price dip and see what we can learn about the future: Sept 9, 2008, LA Times, "Shares of UAL briefly plummeted as low as $3 early in the day -- from $12.30 on Friday -- after a 6-year-old story on the company's 2002 bankruptcy filing resurfaced on the Web and was reported as news by an investment letter. The shares bounced back after the market realized the report wasn't current. But investors who sold at the day's lows are stuck: The Nasdaq Stock Market, where UAL stock is listed, said trades triggered by the erroneous report wouldn't be rescinded. What's more, shares of other carriers, including Continental Airlines Inc. and AMR Corp., the parent of American Airlines, also briefly dived with UAL before rebounding. UAL blamed the mess on a posting of a 2002 Chicago Tribune article on the South Florida Sun-Sentinel's website. The story then was picked up by Income Securities Advisors, a Florida investment newsletter, and disseminated as a one-line brief over Bloomberg News -- triggering a wave of panic selling. Tribune Co., the owner of the Sun-Sentinel (and also the parent of The Times), initially pointed a finger at Google Inc., saying it appeared that the search engine highlighted the story out of the Sun-Sentinel's archives over the weekend, which generated traffic and caused the newspaper's computer to move the story to a page of most-viewed articles. But Google said the only reason its search engine "crawler" bothered with the story was that it was listed on the Sun-Sentinel page of most-viewed stories -- and with the weekend date on it, instead of the 2002 date."
[Stephen Northcutt] The point is this will almost certainly happen again. Today, Google is the primary way people look for information, so if it buries important information or brings to light unimportant information or recycles old news as new news there could be serious consequences as United airlines knows all too well.

Personal devices, from the iPhone to personal GPS, are going to throw up so much interference there will be unprecedented (though minor) problems, an O'Reilly blog talks about iPhones, but the concept of electronic interference can affect any of them, "We're really in an interesting time, radio speaking, in that there hasn't been a time before, certainly in the last five years, maybe the last ten, when there was such an inordinate number of relatively high-powered personal transmitters just wandering loose in the world."
[Stephen Northcutt] I have to agree, everyone in a house has a cell phone these days, and there are any number of devices under the FCC Part 15 rules that are cheap electronics and only so tested, as an amateur radio blog puts it, "The FCC rules require the equipment manufacturer or importer to design and test his products to ensure that they do not exceed the absolute maximum limits. In addition, the FCC requires that Part 15 devices be operated in such a way that they not cause harmful interference. The operator of the Part 15 device is responsible for correcting the interference or to stop using the device if so ordered by the FCC. This can create a very difficult situation. Imagine that the neighbor of a ham goes to a local retail store and buys a Part 15 device. If the device causes harmful interference, the rules place the responsibility of proper operation and correction of the interference on the user. This can put a ham into the unenviable position of having to explain to a neighbor that the device he or she just bought at a local store is being used in violation of federal law! The resultant disagreement is not unexpected." I did a webcast today with IBM and the webcast people are VERY aware of this; they insisted we shut our cell phones off, turn off any electronic devices, but the phone we were using for the show still had static and some breaking up.

Joshua Wright from Will Hack for Sushi says, "one of the trends I'm seeing is the continued movement toward pervasive wireless connectivity. Not limited to WiFi, there are lots of opportunities for people to connect to wireless for their social network site access, email, etc. Services like the Xohm WiMax offering in Baltimore will continue to spread, competing with existing 3G services and future 4G Long Term Evolution (LTE) technology as well. From a security perspective, users have a lot more ways to get connected now. Not only should organizations be concerned about rogue AP's, but they are also exposed from someone getting WiMax service at work to bypass content filters, or bridging their 3G card to their Ethernet segment. We still talk about auditing listening TCP/UDP ports, but now we also have to be concerned about a client's WiFi/Bluetooth/WiMAX/3G/802.15.4 connectivity as well."

Paul Asadoorian of PaulDotCom's 2009-2010 predictions. Paul is weighing in with 3:

  • Other threats will become as easily exploitable as remote exploits. We've all seen how people scramble and make noise when Microsoft releases a patch for a new remote exploit (ala MS08-067). We will start to see attackers using other more subtle measures, such as web applications and mobile device attacks, in the same manner. Except, at least in the beginning, there will be no scramble and noise.
  • Wireless networks will continue to source attacks. So many organizations have done a good job implementing "secure" wireless networks. However, there are always other threats that will continue, such as guest networks, handheld devices, client-side wireless software, that will open doors for attackers. These attacks are targeted and subtle now, look for a "knock your socks off" wireless attack in 2009 to really help put the risks in perspective.
  • Someone will unplug the Internet - We've danced around it for quite some time and have seen some examples ( went away briefly in 2008), but time has come for major meltdown. This will most likely be a targeted attack as we move closer to cyberwarfare tactics really hurting. With the economy in the US already weak, enemies will be looking to take their shots and cyberwarfare will be one of them. Economic targets or even natural resources will be at risk. That's the fun about predictions, you don't have to be right and you can think big. [Stephen Northcutt] Well that is certainly thinking big. For myself, I think there is enough redundancy that you cannot take down the Internet. I guess the closest thing we have to study is the Akamai attack.

Tim Stanley leads by example at Continental Airlines in labeling data according to CSOonline, “Stanley wants to categorize every file in the enterprise by three variables: owner, business value and risk level. The government has "top secret," "secret" and "confidential" ratings, but Continental's designations will be more granular and dynamic, using tiers and subsets of tiers. Thinking this way vaults Continental ahead of most companies.”

Eric Cole, Secure Anchor, offers two security predictions for 2009,

  • Less reliance on patching: This is a tricky one because I am not saying organizations should not patch. Patching is critical and still must be done. However, with the window shrinking between when a vulnerability is public and when the exploit is released, organizations will have to deploy other measures to help minimize their impact to exposure. This is further emphasized by seeing more out of cycle critical patches released by vendors, showing that organizations are going to have to do more with desktop lockdown. Hardening a client system by not allowing administrator access and removing all unnecessary components are important. Two results of organizations being less reliant on patching for their primary protection are more deployments of HIPS (host based intrusion prevention) and thin clients increasing in popularity. Thin clients could also take the form of virtual machines where you load a new image every time you start the computer.
  • More focus on data, less on the perimeter: The perimeter is critical and must be maintained to have a proper level of security; however, the focus needs to be on understanding, mitigating and reducing the risk to critical data. Therefore, organizations will put more energy and time against data focused protection. The DLP (data loss prevention) space will have to be redefined since much of the current technology goes after low hanging fruit and companies will demand solutions that truly protect critical information.

Kevin McLaughlin (CISO, GSLC, CISM, CISSP, PMP), University of Cincinnati Information Security Department frames his 2009 predictions in light of his recent article describing our nation in cyber crisis:
"For many reasons, we as a society have decided that safeguarding personal information should be a "soft" skill practiced by committee instead of managed by the certified, trained professionals we hire into information security roles. Many times, the members sitting on the committees that make information security decisions have no information security background, let alone being information security professionals. Instead of deferring to qualified pilots, we are allowing passengers to fly the plane. We cannot keep making information security decisions, like whether or not Personally Identifiable Information (PII) should be encrypted, by consensus."
  • In 2009-2010 we will continue to see a trend where IT resources are asked to step up and become Information Security leaders and to re-tool themselves into that role. This means that we will continue to be climbing the curve towards having enough Information Security expertise inside of organizations to meet the basic Infosec needs of the business but we won't reach the saturation point of that effort during the 2009-2010 time frame.
  • We will also continue to see Information Security departments with inadequate funding (a generalization) when compared to other business units; and, while companies tout that they spend 3-5% of their IT budget on security, they forget to mention that this is spread across Systems operations, network operations, development, business services, and, oh yeah, the security unit gets some of it also. This means that the trend of Information Security professionals having to coax peer groups to lead the way in many new security implementation areas will continue.
  • We will continue to see a migration of Information Security professionals out of core IT and into a more overall Risk Management unit, which is a good thing, and this move will position our profession much better in regards to being able to better influence business/compliance strategies - one of which will be to educate our communities that we need to be data centric not equipment, location or infrastructure centric.

Stuart King raises the question of Security Fatigue in his Risk Management Blog and asks the question, "Are we going through problem fatigue from working through a continual cycle of issues that have the same root causes?"
[Stephen Northcutt] Wow, sometimes this is one of my great fears. I know that Ed Skoudis is working on a keynote for SANS 2009, Now that the bad guys have won, what now? I suppose problem fatigue could lead to apathy, but hope I am one of the last to succumb. *smile*

Ken Steinberg, CTO of Whitelist/Endpoint Security vendor Savant Protection, weighs in with no less than three predictions:

  • "Integrated Touchscreen Biometrics: One of the biggest problems in data protection is the initial classification and protection of the data as it is "laid down" (read saved). With the popularity and productizing of touch screen technology, I think it is feasible that when files are created/edited/copied, the producer/consumer will identify themselves by simply touching the screen as the file is accessed, allowing the computing system to use their fingerprint as a watermark and security protection mechanism. File system drivers will be written to work against a series of rules that apply to the stored biometric signature and will control read and write natively.
    • Create a file, in order to save it you must imprint it and assign a classification.
    • Read a file, you must provide biometric access which is checked against a rules engine.
The difference is this will all take place by simply using a touch screen method. Once this becomes part of the data management culture, information will contain security controls at its creation, not as a result of some secondary discover/meta tagging process."
[Stephen Northcutt] Shoots Ken, we ought to get some venture funding and go make this happen! Oh, yeah, the credit crisis, no funding, rats.
  • Risk Aware Wireless: My network access is too passive in its orientation towards security. I can easily see my network cards providing me an assessment of potential risk or risky activity as I access different LANs (terrestrial or wireless). Wireless providers or an independent agency would greatly aid the overall mobile community by tracking Access Points by risk and/or enhancing network cards to detect improper network activity which would signal changes in one's own risk profile. The industry needs to enhance HIPS to include WIPS (wireless intrusion prevention) and I can clearly see this being introduced by a vendor in the next 18 months.
  • Data Masking Browsers: For companies that want to make sure their employees are not shipping data outbound via their browsers, enhancements will be provided which will allow the CSO to set up trust relationships with certain websites and to assign customer encryption with these endpoints so that employees can only go to certain websites and any data payloads are encrypted by a process outside their span of control. If the target http server does not have the key for decryption, the data is still secure. This will help combat against users shipping data to themselves on a home or third party webserver and the possible DNS poisoning.

Mason Brown, a SANS Executive points out
"Historically, I think it is right to say that crime tends to go up when the economy goes down. Good people WILL steal to feed their kids. So, I think we will see an increase in organized and other crime activity due to slowing economy. And I think it will be exacerbated by reductions in budget for IA training and technology. IOW, the bad guys will work harder and the good guys will be fewer and on average, have less current skills and technology. Which means the bad guys will win even more often."
[Stephen Northcutt] Good point Mason, I know CNN had a great article on this, quite touching and sobering. Perhaps you remember reading this famous passage from that story, "Pam van Hylckama Vlieg of Williamsburg, Virginia, says her great grandfather, Glen Surber, resorted to stealing food at times because he had hit rock-bottom. Surber left the family behind in Saltville, Virginia, so he could head out to West Virginia's coal mines. After he got laid off, he found himself trying to steal chickens from a nearby farmer to feed his hungry family. He hid behind a tree to wait for nightfall, but his plan was stymied when he found another person lurking in the shadows. "Both men took off running and then they realized they each thought the other was the farmer, but they were both there to steal a chicken," van Hylckama Vlieg said. "Needless to say, that was another night of water bread."

GTSI explains why we should not cross the streams. Dark Reading has picked up Georgia Tech Information Security Center report that highlights the top threats "Cellphones will become members of botnets. VOIP systems will get hit by blackmailing denial-of-service attacks. The cybercrime economy will thrive, even as the global economy struggles. And today, around 15 percent of all computers online are infected as bots, up from 10 percent last year, according to the Georgia Tech Information Security Center's (GTISC) new report on emerging cyber threats for 2009 and beyond."
[Stephen Northcutt] Well, I certainly agree with one thing, cellphones are not cellphones anymore. My wife has the AT&T Tilt and she is rapidly losing interest in her laptop. I have the iPhone and it has zero security, I am just hoping I survive till Android is reliable; I know Savant has already written whitelist software for Android.

Government Computer News also picks up the Georgia Tech Information Security Center report, their takeaway is "What's the top threat to data security going to be in 2009? According to the GTISC Emerging Cyber Threats Report for 2009 out of Georgia Tech's Information Security Center, the answer is malware specifically disguised as "benign social networking links."
[Stephen Northcutt] I've heard about this with MySpace and Facebook; my primary social media is LinkedIn and, as far as I've heard, the attacks there have been primarily spear phishing.

In 2009 - 2010 we will need to do a better job of measuring Information Security. From Kevin Thompson: "I just got done reading "The New School of Information Security" and "Security Metrics: Replacing Fear Uncertainty, and Doubt" and I was very pleased to see more attention being paid to measuring security and attaching business processes to the practice of information security. Having said all of that, I think the biggest challenge that we're going to be facing in the future is measuring information security. The time is coming when we will no longer be able to convince our management to spend money on something by scaring the bejezus out of them. This is already the case in some larger institutions with mature project selection processes, but I think if the economic recession continues more companies are going to be scrutinizing spending across the board. It is high time that everyone working in information security learn about using Net Present Value to select projects. However, if you're going to estimate cash flows, you need to have good data to go on, which means that you need to be able to measure events and the impact of those events. I don't know if this is a powerful trend for 2010 as much as 2012 or 2013, but it will be something that we all need to know.

Our inability to measure information security directly affects our ability to manage risk. How can we calculate Annual Loss Expectancy when we can't really determine how much our assets are worth? We have no way of reliably determining the probability of some event affecting our assets, and we have no way of knowing how much damage each of these events will do.

My advice would be to prepare yourself for these questions because they are coming. Selling me a self defending network is no longer sufficient. I want to know how many unpatched machines were connected to the network, what vulnerabilities are exposed because of the missing patches, how often those vulnerabilities are being exploited on other networks, and how much it has cost others when it was exposed. Then I can show my managers real benefit for their purchase."
[Stephen Northcutt] I really enjoyed reading "Security Metrics", but "The New School of Information Security" lost me.
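The Annual Loss Expectancy and Net Present Value arithmetic Kevin Thompson refers to, worked through as an added example (this is not code from the original page or from any of the contributors); every asset value, exposure factor, rate and cost below is a constructed illustration, which is exactly the kind of input his point says we must learn to measure rather than guess:

```python
"""Worked example, added to this page: ranking candidate security projects
by the Net Present Value of the Annual Loss Expectancy they avoid.
All numeric inputs are constructed for illustration, not measured data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario, quantified the classic way:
    SLE = asset_value * exposure_factor        (loss per incident)
    ALE = SLE * annual_rate_of_occurrence      (expected loss per year)."""
    name: str
    asset_value: float                # business value of the asset at risk
    exposure_factor: float            # fraction of the asset lost per incident, 0..1
    annual_rate_of_occurrence: float  # incidents expected per year (ARO)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Control:
    """A candidate project that lowers a scenario's ARO by some fraction."""
    name: str
    upfront_cost: float   # paid once at year 0
    annual_cost: float    # licences, staff, maintenance paid every year
    aro_reduction: float  # fraction by which the ARO falls, 0..1


def annual_benefit(scenario: RiskScenario, control: Control) -> float:
    """Expected loss avoided per year = ALE before - ALE after the control."""
    reduced_aro = scenario.annual_rate_of_occurrence * (1 - control.aro_reduction)
    after = RiskScenario(scenario.name, scenario.asset_value,
                         scenario.exposure_factor, reduced_aro)
    return scenario.ale() - after.ale()


def npv(scenario: RiskScenario, control: Control,
        years: int, discount_rate: float) -> float:
    """NPV = -upfront + sum over t=1..years of (benefit - annual_cost)/(1+r)^t."""
    net_per_year = annual_benefit(scenario, control) - control.annual_cost
    value = -control.upfront_cost
    for t in range(1, years + 1):
        value += net_per_year / (1 + discount_rate) ** t
    return value


def rank_controls(scenario: RiskScenario, controls: list,
                  years: int, discount_rate: float) -> list:
    """(name, npv) pairs, best first. A negative NPV means the control is
    expected to cost more than the loss it avoids over the planning horizon."""
    scored = [(c.name, npv(scenario, c, years, discount_rate)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inputs: a worm outbreak on unpatched workstations.
UNPATCHED_HOSTS = RiskScenario("worm outbreak on unpatched hosts",
                               asset_value=2_000_000.0, exposure_factor=0.15,
                               annual_rate_of_occurrence=0.5)
CANDIDATES = [
    Control("patch management platform", 120_000.0, 30_000.0, 0.80),
    Control("host IPS on all desktops", 200_000.0, 60_000.0, 0.60),
    Control("quarterly awareness training", 5_000.0, 15_000.0, 0.05),
]

if __name__ == "__main__":
    print(f"SLE = {UNPATCHED_HOSTS.sle():,.0f}  ALE = {UNPATCHED_HOSTS.ale():,.0f}")
    for name, value in rank_controls(UNPATCHED_HOSTS, CANDIDATES, 3, 0.08):
        print(f"{name:32s} NPV over 3 years at 8%: {value:>12,.0f}")
```

With these constructed inputs the patch management platform is the only candidate with a positive NPV; change the ARO or the exposure factor and the ranking moves, which is the whole reason the measurement problem matters.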

J. Michael Butler, GCFA GSEC CISA, weighs in with a double hitter:
  • "The job of the forensic investigator will be made increasingly difficult by the technically savvy user. With the ubiquitous availability of (free!) tools like TrueCrypt, and the ability to easily hide an encrypted volume, even in an encrypted volume, law enforcement investigators will have to rely on more indirect evidence in some cases, such as judicially warranted keystroke loggers or other surveillance options." [Stephen Northcutt] Great point Michael, I know we are starting to cover antiforensics in our hands-on Computer Forensics, Investigation, and Response class, but it may become more of an issue as time moves on.
  • "In regard to eDiscovery, my prediction is that, with the increasing number of eDiscovery tools available, there will be an increased expectation by the court for more documentation in less time. While it may not become law, the simple knowledge that the tools are available will make the court less lenient when a corporation complains of excessive resource cost in time and money required to produce documentation. It will become a due diligence expectation for a corporation to acquire and use automated tools designed to streamline the eDiscovery process." [Stephen Northcutt] Interesting thought Michael, let's keep an eye on case law and especially see if this impacts the application of Zubulake.
If you want to contact Michael, here are his details:
J. Michael Butler GCFA GSEC CISA
Information Security Consultant
Lender Processing Services
601 Riverside Avenue
Jacksonville, FL 32204
904.854.5851 (w)

Repeat from 2008: Tony Bradley's blog mentions Network Traffic Consolidation, I think it has legs for 2009
"One of the big technologies of 2007 was the introduction of unified communications by both Microsoft and Cisco. The merging of all communications technologies into a single, unified system will continue into 2008. Aside from the whiz-bang, 'keep-up-with-the-Jones' aspect, there is a lot to be gained in terms of efficiency and productivity for organizations that leverage unified communications."
[Stephen Northcutt] Now the question here is, exactly what does this mean? If Tony means Everything over IP, I totally agree. According to Building Broadband Networks by Littman, it could mean pervasive use of ATM. I tried to do a search on Google, but most entries were pretty old and were mostly related to core switching technology. But I am still betting on convergence. For sure, I talk with students that have separate voice networks, but when that PBX reaches end of life, will they actually buy a new one? I do not think so. SANS has a VoIP course if you want to get your SIP on.

Repeat from 2008, Rational Security is focused on Information Centric Security Phase One
"It should come as no surprise that focusing our efforts on the host and the network has led to the spectacular septic tank of security we have today. We need to focus on content in context and set policies across platform and transport to dictate who, how, when, where, and why the creation, modification, consumption and destruction of data should occur. In this first generation of DLP/CMF solutions (which are being integrated into the larger base of "Information" centric "assurance" solutions,) we've taken the first step along this journey. What we'll begin to see in 2008 is the information equivalent of the Mission Impossible self-destructing recording...only with a little more intelligence and less smoke. Here come the DRM haters".
--April 11 2008 Update: "It's time for the industry to move away from protection of infrastructure and toward an "information-centric" security model, said Thompson, chairman and CEO of Symantec" two days ago in a keynote at RSA. I think this is a sure fire winner for 2008. For one thing the move to comply with the rules of discovery has caused organizations to survey what information they have, which is a first step in information centric security.
[Stephen Northcutt] My wife asked me about cloud computing yesterday, what was it. And so, as I was explaining it, Kathy then asked how do you know where your information is or that it is processed correctly. So, I lamely tried to say, "well it all just works". Funny thing, at the time I was writing a keynote for a Cisco internal conference and the one suggestion I have for Cisco is to start focusing on delivering information to, from, and within clouds in an orderly and secure manner.