Security Laboratory

Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

Other Related Articles in Sec Lab: Predictions and Trends for Information, Computer and Network Security

Stephen Northcutt's Emerging Trends in IT and Security 2013 - 2015

By Stephen Northcutt
Version 1.2

Is that a computer in your pocket or are you just happy to connect with me? I was reading this article in Slashdot, And I realized in just a couple of years, our smartphones really will be our computers. Prediction: within five years, business travelers will check into hotels and there will be a keyboard and screen to plug your smartphone/computer into. Most people I have run this prediction past say it will happen much faster than five years. I never try to time the market, but think about the implications of leaving that generation of smartphone in a taxi. Though I have to laugh about the transition. In 2013 the pundits kept saying the laptop is dead, everyone is going to use tablets or pads. An article in May 2014 says the market for pads and tablets is slowing. I don't think it is so much laptops are dead, tablets are dead, smartphones are dead, but more, I already have a laptop, a tablet, a smartphone and there is not enough improvement in the latest model to compel me to buy a new one. Android is now selling more tablets than Apple, but Apple still rules as "the" brand.

3D Printers. Will begin to do to sculpture what giclees did to painting. HP is already shipping printers that can produce 3D models. A lot of people use 3D systems as a proxy for this market segment. With a price to earnings ratio of 115 as of May 19, 2014, one might say they are over-hyped. However, the technology is going to prevail.

Anonymous takes it to the next level. It may be by a different name, lulzsec, Antisec, or whatever, but a worldwide, skilled, interconnected, hacktivist group will make their past exploits, which are already impressive, look like child's play. Don't believe me? Just ask Stratfor, the California Police Union,, Westboro Baptist, Sony, or NATO for starters. Update May 2014, there is some evidence the US government is able to penetrate and even use this hacking network.

Certificates will fail to provide suitable authentication. In fact this has already happened with Stuxnet and Quakbot causes the user to accept whatever certificate is presented. A number of certificate granting authorities have been compromised. In addition, MD5 certificates are no longer accepted. As we approach the mid-point in 2014, it is clear they are under stress, here are a couple stories.

Cloud security will prove to be elusive. I hate the word cloud, but the simple truth is most enterprises cannot possibly have their own infrastructure for everything they do. So, we are all increasingly depending on service providers. But those service providers may not "get it" when it comes to security.

DNS will take a more central role in attacks. DNS can be used for command and control, spoofing, as well as amplifier attacks and the use of it is increasing. There are many uses of DNS that are supported by the service and protocol and these will used increasingly.

Geolocation records used inappropriately. You load an app on your mobile device and it uses GPS, location of 802.11 etc., to determine your position and phones that data home. Sometime soon, probably in the elections, you are going to see geolocation records used to discredit some politician showing they went to some seedy location. This will be 2012's version of the video rental records used to discredit Robert Bork, a Supreme Court nominee, and will cause Congress to pass a law similar to the Video Privacy Protection Act. The US Supreme Court ruled against the use of GPS tracking devices on cars without a warrant. The FBI is already telling Congress they need to be able to do it. NYC is putting GPS devices into honeypot prescription drug containers. The program has already led to one suspected criminal's death.

Getting hacked will increasingly hurt profits. Target is the poster child. For years, we have mostly had an attitude of "there but for the grace of God go I", but that is starting to change.

Hacking Cars.
Proof of concept car hacks have made the news for a couple years now. Before 2014 ends, you will see one of these techniques used for carjacking.

India. This country's economy will continue to grow largely based on advances in IT and information processing despite overwhelming challenges. This is not to suggest that holding the ETF EPI will prove to be a wise idea, it will lag behind the country's rate of growth. That said, as of May 2014, it was up 16% for the past 12 months.

IPv6. Companies will have to start taking v6 seriously when devices they buy from China only have a RFC 6434 compliant v6 stack. By 2014, even the US will have companies implementing it; badly, or to do it right. Network attacks, largely a solved problem today, will come roaring back. UPDATE February 15, 2012 Arbor networks reported DDOS against IPv6 networks.

Robotics. Will continue to be a growing part of industry, especially in manufacturing and medicine. If you are an investor, do yourself a favor and take a look at Robotreport, Robotstocknews, Business Insider, Stockpickr, my favorite is ISRG even though as of May 2014 is is down 24%, that just means a buying opportunity to me.

Tech Stocks. According to Searchengine land, 22% of searches in 2012 will be from mobile devices. Experian hitwise says Google had 66% of searches (mobile or not) in July 2011. They also state that Bing is increasing to about 15%. Careful what you read, since you can read just about anything, but in 2013 one article claims 46% of searchers use mobile exclusively. Another says by end of 2015, 50% of search will be mobile. Asymco says Apple has sold 700 million IOS devices, so we are looking at a billion. If you don't have an iPad, (or Android pad), it makes sense to get one, just to be familiar with the technology. In terms of tech stocks probably makes sense to hold shares of Google (GOOG), Microsoft (MSFT) and Apple (AAPL), with a underweight position in Microsoft and an overweight position in Google. Some potentially high risk, high payoff thoughts are Fireeye and Palo Alto, they have been crushed lately.

Big Data. For years I have been saying that investing in companies that manufacture disk drives or focus on data warehousing makes sense. The disaster in Thailand will slow this down a bit, but as we process and collect more data and improve algorithms for search and storage, people will actually successfully monetize the vast amounts of data that have been collected. Scott McNealy will be proven right, "you already have zero privacy - get over it".