Security Laboratory


Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.



SANS Security West 2010 Speaker Room Predictions


Stephen Northcutt and Tommy Luke

Thoughts from the SANS Speaker Room at SANS Security West San Diego 2010

Since we had a number of smart people together, I asked Tommy Luke to go interview instructors and see what they were thinking about the future in May 2010. I sent a few suggestions in as "seeds" and Tommy worked this up. His text is shown at the bottom as "The final word".


1. Awareness/Training Outsourced away from InfoSec Dept.
Upper management and CIOs/CISOs will notice that their InfoSec department sucks at awareness and training; this will be outsourced to internal or external training departments.
===
Lenny Zeltser:
I'm not aware that this is a trend. However, it is a good idea to outsource security awareness and training. We need people who are good at presenting and that can make the content entertaining.


2. Conflict due to real/perceived 'time-wasters'
Social media, W2.0, streaming, other 'waste of time' activities (perception and/or reality) - will cause conflict between (some) IT/InfoSec and The Biz.
===
Ben Wright:
The conflict will come when the business (specifically marketing, PR, etc.) needs legitimate access to these types of sites and the older IT/InfoSec folks will not facilitate this. Records departments won't like the fact that they cannot capture tweets (et al.) that are used to conduct business.


3. Invasion of Beautiful, Wonderful Gadgets
There will be a continual loss of control regarding what hardware (personal and/or business purchased) authorized folks use to connect to corporate data; iPads, Androids, et al come to mind. (20 CC also comes to mind.)
===
Steve (Stephen) Sims:
Upper management are actually the ones setting the bad example. Additionally, people want to (and are) connecting/syncing their unmanaged, personally purchased devices. DLP will be a way to address this.


4. Generation Next (millennials, Gen Y, [insert stereotype here], or the young at heart) will demand the latest and greatest stuff (gear, h/w, s/w, and access) and expect/demand quick turnaround. If InfoSec pros don't provide overall (and efficient) policies, strategies, ways to deal with exceptions, etc., upper management will *give in to the younger generation. (*I don't mean to imply that upper MGT will willingly/knowingly give in; rather, they are not quick enough to respond, and before they know what's happened, the GenNext or [insert label here] will have already implemented their want(s) and these things/methods will have become the de facto standard.)
===
Stephen Northcutt:
The push to make the iPhone a corporate tool supports this theory. The need for speedy turnaround on solutions will push entities towards SaaS. InfoSec's role is to ensure protection around critical data.


5. Companies will realize that they have lost control over their online presence as their employees (esp. the younger generation) post things as if they speak for the company. Reactions will be vastly different, from sharp, negative reactions to ignoring the issue (head in the sand).
===
Mike Poor:
It will be realized that people will be held responsible for their actions. It is up to companies to create enforceable policies and take disciplinary action. InfoSec's role is to provide guidance in the creation of the policies, and these policies must be generic, not overreaching, and consider the commingling factor.


6. Perimeters will shrink/harden.
The perimeter will shrink (and hopefully harden) to be 'around' the data center(s) that a company utilizes. This will be driven by several things, namely cost, management and uncertainty. Cost: networks will be outsourced (e.g. MPLS) and the providers of such services will be able to provide equal or better security (at least that's what their marketing cloud will state) than internal IT departments. If the providers can do it "better", for "less" money and "more securely", companies will lean toward this and keep IT focused primarily on the data center.
Management: managing devices and software will become too burdensome, and doing RA on every new thing will not be efficient; better to focus on protecting the data center and worry less (read: spend less time, resources, dollars) about what the LAN/WAN/MAN looks like from a security and support perspective.
Uncertainty: newer generations coming into the workforce think about technology differently... in fact, they might not think about it at all (in comparison with most folks who have been in the workforce for over 10 years); they just use it as an extension of normal life. They won't accept the boundaries and limitations placed on them by 'standard' software, hardware, etc. Especially as more and more average, common business apps can be completed via a browser, the OS and platform matter less. The uncertainty will come from more traditional IT and InfoSec folks who will feel like they're losing control of "their network" and retreat to their data centers, as anyone would agree that this area/data/hardware/software must be protected.
===
Bryce Galbraith:
Things have come (or are coming) full circle; we seem headed back towards centralized computing. However, there will be an increased focus on endpoint security and more draconian controls put in place to protect the endpoints. We do need more controls focused on the data center.


7. Not to be an Apple fanboy, but the iPod really changed the whole music paradigm - not just the hardware, but the way people acquire and interact with music. I think the iPad will change things in a parallel way - leaving Flash behind is a sign of this. The current paradigm of computers is still descended from the calculator - it's a fancy number cruncher. The iPad is more of a handheld browser, sort of like a dumb terminal only with fancier graphics. I think this is going to accelerate the trend of moving data to a more virtualized and remote state, so that the iPad becomes a "window to the cloud" (sorry). So what are the follow-on effects? We have seen the increasing porosity of the perimeter, and the need to find and secure the data, rather than securing the entire perimeter of the organization. Will this shift make that process easier? If the data is concentrated in one place, will it be easier to protect? (Maybe, but will it be better protected as a result?) We have a hard time identifying which data is more important; will that get any easier? (No, because aggregation and correlation can create meaningful information out of seemingly meaningless or random data.) Will this new "browser" become a target of attack since it is a conduit to the data? (Undoubtedly.) Will there still be sensitive data that is stored locally on the "cloud browser"? (Probably. It may be easier to control this, but reliability of the cloud, and lack thereof, will mean that people will want data locally "just in case".) Will people change their behaviors and become more security focused? (Not without some catastrophic event, and even then probably not sufficiently.)
--- Contributed by Ray Davidson (twitter = @raydavidson)---
===
David Hoelzer:
The iPad could fundamentally change things. It is the first device that is not truly a desktop or laptop.


The Final Word by Tommy Luke:
Here are the 5 that come right off the tip of my brain, so to speak. These are near/dear to my heart and current experiences and I have reason to believe that they are or will be nearly universally experienced, if not now - in the near future. For the remaining 5-ish, I intend to harness the power of my fellow facilitators and students. Let me know if that will be acceptable. This is good and worthy work (fun) but I also want to ensure that I stay true to my first two priorities: SANS facilitator and CISSP exam-taker. Having the other facilitators/students assist with the remaining five will help me towards all three goals.

Here are the five:
1. Folks will notice that 'classic' InfoSec departments suck at awareness and training; then they'll outsource this to an internal or external training department. BTW, if the InfoSec pros do not participate in this transitional period and ongoing maintenance, the information delivered will experience attrition (read: suck).
2. Social media, W2.0, streaming, other "waste of time" activities (perception and/or reality) - will cause conflict between IT/InfoSec and younger biz workers. Pro-active is key! Administrative controls should not be forgotten or put on the back burner, and technical controls should be *rightly* and *timely* implemented by InfoSec. InfoSec needs to understand and then shape what the biz wants in this arena.
3. Losing control of what connects to corporate data (the 20 Critical Controls will greatly help with this!); iPads, Androids, et al. come to mind.
4. Generation Next (millennials, Gen Y) will demand the latest and greatest stuff (gear, h/w, s/w, access) and quick. If InfoSec pros don't provide overall policy, strategy, ways to deal with exceptions, etc., and do it quickly, upper management will *bow to the younger generation. (*BTW, I don't mean to imply that upper mgt will willingly/knowingly/cognitively 'bow' to the younger generation; rather, they will not be quick enough to respond, and before they know what's happened the Gen Y's will have already implemented their want(s) and these things/methods will have become the de facto standard.)
5. Companies will realize that they have no control over their online presence as their employees (esp. the younger generation) post things as if they speak for the company. Reactions will be vastly different, from sharp, negative reactions to not acknowledging the issue (head in the sand). InfoSec can (and should) shape these policies and other controls.