Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

2010 Security Predictions

By Stephen Northcutt

Security Predictions for 2010

As basic research into the major trends affecting us, I took some time to review some of the experts' predictions for 2010 to see how we are doing as we move deeper into the first quarter of the year.

First up, IBM X-Force: let's consider two of theirs from eWeek.

  • Pirated software will increase the number of infected systems: users of pirated software are afraid to download updates, and newer versions of pirated software now come with malware pre-installed.
    • This prediction is on track. Let's see what we can learn:
      • Yahoo Answers has a question, "can you avoid getting caught?", and the winning answer is no.
      • Softpedia reports, "Market researcher TNS reveals that 38 percent of the Britons connected to the Internet think that downloading pirated content from the web is not as serious as stealing from a store."
      • reports users are against Windows Genuine Update.
      • Slashdot reports Microsoft believes pirated machines are more likely to have malware.
      • ZDNet reports malware found in pirated copies of Apple's iWork 09 software for OS X.
  • "Social engineering meets social networks and ups the ante for creative compromises."
    • Yup, they certainly nailed United Airlines on Twitter last week, so this is on track, but it was an established trend in 2009 as well.
      • Twitter itself reports that Brittany Murphy's death is being used in Blackhat SEO. OK, I admit I did not know Murphy was an actress who apparently took drugs while she had pneumonia and died.

Dino Dai Zovi had only one for the year, "2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time." Well, we have to give Mr. Zovi the second part, it is way past time. Not sure how true the sandboxed part is going to be:
    • H-online reports Fedora using sandbox for desktop applications, but how many people use Fedora?
    • There is always our good friend Sandboxie if you want to make your Windows world a safer place

McAfee Labs Blog has as No. 1, "What should you be wary of in the coming year? Social networks." A lot of us are in agreement and we covered this with the similar X-force prediction, so let's give McAfee another shot from their report: "HTML 5 will blur the line between desktop and online applications. This, along with the release of Google Chrome OS, will create another opportunity for malware writers to prey on users."
    • The analytical engine blog points out you may be exposing customer data with cross domain XHR
    • This should be on the market soon, and very soon; Wikipedia reports, "as of February 2010 HTML5 is still at Working Draft stage in the W3C. HTML5 has been at Last Call in the WHATWG since October 2009."

Verizon's blog, done by Russ Cooper, has cheery Nos. 1 through 3:
  • Social Media operators will gain more control over attackers (note the contradiction to X-Force and McAfee)
  • Malware will not evolve (Russ, did you write this April 1?); and,
  • Consumers are getting smarter. I can't think of any way to research this, so we will move on.

Andreas M. Antonopoulos, Network World, reports there will be a 10% increase in funding, Congress will give us more compliance regulations (there was legislation at work at the end of 2009), mobile phone worms and trojans (this was happening to the iPhone at the end of 2009) and Real ID dies a permanent death (not sure I agree, but I surely want to, what a bad piece of regulation).

Symantec's first three are reasonable enough: anti-virus alone is not enough (true); rogue security vendors will try harder (the more I compromise, the more money I get, makes sense); social networking apps will cause fraud (and your friends want to eat your brains or some such). Can't dispute these, let's dig a bit deeper. OK, number 7, URL-shortening services become the phisher's best friend. OK, I agree and I get it, but then why the peer pressure to go from tinyurl with preview to, and from my peers in security?

Websense wants me to register to read their report; I guess that means they don't have any predictions (and they won't get a link either).

Fortinet is reported by HSNW as saying, "Preventing infections from cross pollinating between virtual machines will be key in securing virtual movements of servers" as the top trend. I can agree it is important, but I would say it falls in position 30 or so.

This analysis brought to you by SANS Boston 2010 and SANS Security West 2010