Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

Security Predictions 2012 & 2013 - The Emerging Security Threat

Stephen Northcutt & Friends
Version 5.4

This web page is sponsored by SANS Security West 2011: Emerging Trends, May 3 - 12, 2011, San Diego.

What do we mean by sponsored by SANS Security West? Of all the conferences in the year, this is the one we use to focus on emerging security threats. Many of us have been working on our panel material and evening talks since Security West ended last year.

Security Grows Up - A Niche Industry No Longer

I see the most dramatic change yet coming to the IT security industry. That is the entry of the big boys. Up until now IT security has frankly been a niche industry. No one segment has gone much over $5 billion in total spending. (The market for yogurt in the US is larger than the entire firewall industry.) By the Big Boys I mean the defense industry. Boeing, Raytheon, Lockheed, SAIC, Northrop Grumman, BAE, EADS, HP (EDS) and others will be expanding their security capabilities and making acquisitions. With big guns like these even Symantec could be in play. Times change, and our cozy little industry is going to change with the times. There will be good and bad repercussions from these changes. Just as the nascent rocket industry was fueled by governments piling on to deliver weapons around the earth, which led to manned exploration of the Moon, IT security (or dare I say *cyber* security?) will fall into the hands of governments and the industry giants that provide them with products and services. The end result will be better security products and services, but the downside will be insane disruptions to the Internet passed by overzealous legislatures and the militarization of cyber space.

- Richard Stiennon of ThreatChaos

More Targeted Custom Malware Attacks

Stuxnet, way back in 2010, signaled the new era. The Google and Heartland attacks have highlighted the need for something more than traditional black-list approaches to malware. We will start to see more security vendors committing to application white-listing approaches and more customers realizing anything other than the traditional black-list approaches is "hard." If your security posture can be bypassed with custom malware you are probably already compromised. This will force many organizations to take a long, hard look at the 20 Critical Security Controls.

- John Strand @strandjs

David Hoelzer @David_Hoelzer from Enclave Forensics has a similar take:

Ed Skoudis has been saying it for years (the zero-day, polymorphic, metamorphic, multi-platform flash worm). I believe this is the year of the zero-day malware. The growing trend over the past year has been for more and more well planned and executed breaches leveraging zero-day or customized malware. Four out of the last five incidents that I've dealt with have involved targeted malware widely deployed in an enterprise, none of which could be detected by any main-stream antivirus product. With behavioral-based malware detection like Memoryze from Mandiant just beginning to come on the scene, the window on traditional forms of malware is beginning to close. As the saying goes, the night is always darkest before the dawn! It's incredibly important to get your information assurance and audit programs up to snuff right away. Check out the SANS Audit Site and the SANS IT Audit blog for tips and techniques on how to detect zero-day malware throughout your enterprise!

Mason Pokladnik comments further: Intruders will continue to increase the persistence of their network foothold by attacking all of the other devices on the network, from printers and routers on one end to more non-traditional targets on regular desktop/server computers. The newest Alureon rootkit attempts to persist even after a reinstall of Windows 7 64-bit, and a researcher has just announced a proof of concept rootkit embedded in a Broadcom network card's firmware.[2] These attacks will become more common in 2011 since they do not require the same level of investment as attacking the supply chain with modified hardware. The only surprise is it took so long. Ed Skoudis and Lenny Zeltser have been pointing at this trend since at least their 2004 book Malware: Fighting Malicious Code. Expect security appliances built on top of custom Linux distributions to be an appealing target. And of course, Stuxnet was the final nail in this coffin: it may have set Iran's nuclear program back, but it also served as a massive tech transfer for targeted malware.


Cory Ramsden suggests we will see grid worms: malware targeted at poorly secured smart meters and meant to cause widespread disruption. He also points out geolocation could result in location-aware malware. Imagine a program that was smart enough to not take any action unless it was within a certain geographic area, say within a government building. Once it knew it was inside the building it could propagate over a wireless connection to poorly secured access points, take pictures, infect other handheld devices, send contact information, etc.

Steve Elliot adds,

1) Reputational Hostage Malware: Future ransomware may say, "Note the attached embarrassing media of you, found on your drive/in your cloud storage. (The media files are actually attached.) Pay us $X, or copies will be sent to these friends: <list follows, including people you know well, your co-workers, church friends, etc.>." (In an ironic twist, the malmarket will price your ransom proportionately to the "ick" factor of your blackmail.)

2) Physical Hostage Malware: Your car doors will not unlock until you pay $X. You'll either be locked in or out of your vehicle. Your smartphone's e-pay function can pay a small ransom and release the doors instantly. Out of desperation, many would immediately pay a token amount (less than 3 dollars, perhaps).

3) Bioimplant Malware: "You know that pacemaker your loved one has? Our organized crime family has some good news for you, and some bad news..." After the first real bioimplant attack gets sensationalized in the mainstream media, no matter how esoteric the attack vector, it will resonate loudest with the least technically savvy among us: those most vulnerable to fear. Who wouldn't pay any sum to save a loved one's life? Naturally, 98% of these messages will be faux-bio scareware, but the e-mob will collect millions anyway.

Editor's Note: The window may be closing for traditional malware in large organizations that can afford skilled security staffers, but all of the research I have been doing indicates the small business owner and home user is a sitting duck. In fact, we could reach a situation in 2011 - 2012 when there are essentially no uninfected Windows home systems. In fact Chet Langin famously remarked, "I wonder if there's a Stockholm Syndrome for people "held hostage" by malware?" According to Wikipedia, Stockholm syndrome is a term used to describe a paradoxical psychological phenomenon wherein hostages express adulation and have positive feelings towards their captors that appear irrational in light of the danger or risk endured by the victims. This is rare enough; it only happens to about a quarter of victims and only if enough time passes. However, what if the malware was to interact with the user? Robert Axelrod is an American political science professor whose field of study is complexity theory, especially agent-based modeling. His primary research has been in the evolution of cooperation. His work has been instrumental in making BitTorrent the success that it is, and the principle he uses is reciprocal altruism. If the malware was to make itself apparent to the user, make it very clear an attempt to clean the system would result in destruction of the OS AND even be helpful in some ways some times, people would probably be willing to put up with its presence.

The Changing Face of Incident Response

The virtual incident response team concept will begin to fade in favor of full time Incident Responders, Forensic Analysts, and Reverse Engineering Malware Specialists. Many companies responded to incidents by using the volunteer fire department model where individuals were drafted into serving on an IR team temporarily during an incident. However, with the scale of incidents growing and the time to respond shifting from weeks to months and even years, organizations find that they cannot pull core IT staff off their normal duties to continually respond to incidents. Security Operations Centers will begin to form dedicated full-time incident response teams to respond to ongoing security threats. Usually in enterprise sized IT organizations, the ratio should be 1 responder to 7,500 systems. So if you have a 100,000 node network your team size should be around 13-14 dedicated personnel. As a result, the demand for experienced incident responders will rise sharply.

- Prediction by Rob Lee


radds, I would add to the list a shortening in the Incident Response (IR) cycle due to advances in large scale IR, hybrid approaches that include more aspects of the evidence chain (hd forensics, timelining, memory analysis, log analysis, etc). As a result of this I believe attackers (especially in the Advanced Persistent Threat (APT) arena) will begin to look at cycle times as well; access to networks will lead to more rapid use of those networks for whatever motivation the attacker has. I believe we will also see increased sharing among private organizations and LE/USG as both are able to add value to each other's investigations. I think that we also must mention more Google and Stuxnet-like attacks that are launched with very, very specific goals in mind, and have the custom malware to go with it.

IPv6 will Become Important When IPv4 Address Space is Exhausted

Some time within 2011 or 2012, ARIN and the regional registrars will exhaust the existing IPv4 address space. At this point, ISPs will no longer be able to grow unless they start to implement IPv6. In order to support the roll out of IPv6, operating system vendors aggressively add IPv6 support and enable support for various auto configuration mechanisms, including auto configured tunnels, by default. However, at this point only a small number of networks have implemented IPv6. One of the hold ups is a lack of security tools supporting IPv6. Implementing IPv6 properly, including the necessary security controls, is a time intensive and difficult process. The lack of properly implemented IPv6 networks and the increasing availability of auto configured IPv6 connections from desktops and servers will lead to a "shadow network" of IPv6 tunnels which will evade many controls like intrusion detection or prevention, firewalls, content filtering, data leakage monitoring, spam filters and many other technologies we have been relying on in network security. Securing the end point will become more important. Asset detection and patch management have to include more passive components instead of relying on active scanning for rogue and unpatched systems. Prediction by Johannes Ullrich of the Internet Storm Center and author of the SANS IPv6 course. Raphael Gomes Pereia wrote in to say that he agrees and that he thinks it will take six or seven years to get the whole IPv4 - IPv6 transition complete.
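The shadow network described above leaves fingerprints that an IPv4-only monitoring stack can still see: IP protocol 41 packets (6to4, 6in4, ISATAP), UDP traffic to port 3544 (Teredo), and, on the hosts themselves, auto-configured IPv6 addresses with telltale prefixes. The script below is an added example written for this page; it is not code from the article, from the Internet Storm Center or from the SANS IPv6 course. The Flow record layout and the sample flow records are constructed for illustration; the constants it matches on (protocol 41, port 3544, the 192.88.99.0/24 6to4 relay anycast range, the 2002::/16 and 2001::/32 prefixes, and the 5efe ISATAP interface identifier) are the values the protocols define.

```python
"""Spot IPv6-in-IPv4 tunnel traffic in flow records, and recognise the
auto-configured IPv6 addresses (6to4, Teredo, ISATAP) such tunnels hand out.

Added example for this page; not code from the article, the Internet Storm
Center or the SANS IPv6 course. The Flow layout and the sample records are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass

PROTO_IPV6_ENCAP = 41   # IP protocol 41 carries IPv6 inside IPv4 (6to4, 6in4, ISATAP)
TEREDO_PORT = 3544      # Teredo carries IPv6 inside UDP; servers and relays listen here
SIX_TO_FOUR_RELAYS = ipaddress.ip_network("192.88.99.0/24")  # 6to4 relay anycast range


@dataclass(frozen=True)
class Flow:
    """One IPv4 flow record; the field layout is an assumption for this example."""
    src: str
    dst: str
    proto: int   # IP protocol number: 6 TCP, 17 UDP, 41 IPv6 encapsulation
    sport: int
    dport: int


def classify_flow(flow):
    """Return a tunnel label, or None when the flow is ordinary IPv4."""
    if flow.proto == PROTO_IPV6_ENCAP:
        if ipaddress.ip_address(flow.dst) in SIX_TO_FOUR_RELAYS:
            return "6to4"          # auto-configured 6to4 host talking to a public relay
        return "ipv6-in-ipv4"      # configured 6in4 or ISATAP-style tunnel to one host
    if flow.proto == 17 and TEREDO_PORT in (flow.sport, flow.dport):
        return "teredo"            # crosses NAT and IPv4-only firewalls untouched
    return None


def find_tunnels(flows):
    """Return [(flow, label)] for every flow that encapsulates IPv6."""
    hits = []
    for flow in flows:
        label = classify_flow(flow)
        if label:
            hits.append((flow, label))
    return hits


def ipv6_address_kind(addr):
    """Classify an IPv6 address seen on a host (ipconfig/ifconfig output).

    Returns '6to4', 'teredo', 'isatap' or None for native or other addresses."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("2002::/16"):
        return "6to4"
    if a in ipaddress.IPv6Network("2001::/32"):
        return "teredo"
    groups = a.exploded.split(":")
    # ISATAP interface IDs embed the IPv4 address behind 0:5efe (or 200:5efe)
    if groups[4] in ("0000", "0200") and groups[5] == "5efe":
        return "isatap"
    return None


# Constructed sample flows using RFC 5737 documentation ranges, not real traffic
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.88.99.1", 41, 0, 0),            # 6to4 to the relay anycast range
    Flow("10.0.0.7", "198.51.100.20", 17, 51234, 3544),   # Teredo client
    Flow("10.0.0.9", "203.0.113.8", 41, 0, 0),            # manual 6in4 / ISATAP router
    Flow("10.0.0.5", "198.51.100.9", 6, 50000, 443),      # plain HTTPS, ignored
]

if __name__ == "__main__":
    for flow, label in find_tunnels(SAMPLE_FLOWS):
        print(f"{label:13s} {flow.src} -> {flow.dst} proto {flow.proto}")
    for addr in ("2002:c000:0204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                 "fe80::5efe:10.0.0.5", "2001:db8::1"):
        print(addr, ipv6_address_kind(addr))
```

Run it over NetFlow or sFlow exports, or over an inventory of the IPv6 addresses your desktops report, to find the tunnels the perimeter controls never inspect; protocol 41 and port 3544 flows that leave the network are the ones to chase first. A hit only says encapsulation is present, not what rides inside, so the follow-up is either to decapsulate and inspect or to block the transport at the edge and force IPv6 through a path you monitor.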

ARM Hacking

Advanced RISC Machines (ARM) are prevalent in cell phones and microcontrollers. As cell phones become more advanced and more and more data is stored on them, since they are gaining in popularity as laptop replacements, they become a bigger target. More services run on mobile phones, and some of them are vulnerable in the same way they are vulnerable on PCs; although exploiting those weaknesses was harder until 2010, in 2011, with more common tricks and more shellcode, it will be easier for hackers to exploit vulnerabilities on mobile phones. Most of the focus is on Android/iPhone, of course, which suffered from different attacks in 2010. Remote attacks such as sending malicious links, or doing MiTM on mobile phones, became a bigger threat for devices surfing through WiFi. I expect this process will become more automated in 2011, including Metasploit modules for phone vulnerabilities, etc. You can expect to see the hacker community focusing on ARM device attacks such as this blog post. [Updated 12/30/2010]

- Prediction by Itzhak Avraham @ihackbanme on Twitter

What about Secure Hardware?

We're seeing significant improvements in secure software development teams. Not all vendors have made the huge strides that eliminate a great deal of software bugs, but major vendors have stepped up to the task, leading the way for smaller software vendors to follow. Missing from this trend is the design of secure hardware systems. Exploiting weaknesses in hardware systems is becoming a more and more attractive target area for attackers, especially considering the lack of secure hardware development knowledge and practice, as well as the general lack of hardware "patching," giving an attacker an extended period of time to exploit a hardware vulnerability while a vendor or customer attempts to recover from the flaw. We'll continue to see interesting research on exploiting various hardware systems from parking meters to smart appliances and more, with growing concern over the kind of power an attacker can wield when they control critical hardware systems such as electrical generation and traffic management systems.

Editor's Note: One of the most fascinating implementations in 2010 is the IronKey designed for secure online banking.

- This prediction is by Josh Wright, author of Wireless Ethical Hacking, Penetration Testing, and Defenses, who will hack for sushi.

Improved Social Engineering Attacks

As it has been famously said, nothing is idiot proof becausewe keep making better idiots. Lenny Zeltser makes the followingobservation.

Attackers will increasingly make use of social-engineering tactics to bypass technological security controls, fine-tuning their techniques to exploit natural human predispositions. We've already seen such approaches succeed at influencing victims into clicking on questionable links, opening exploit-laden attachments, and installing malicious software. Economics of on-line crime will focus the attention of talented scam and con "artists" on Internet-based activities. Their techniques will take advantage of psychological factors, such as our desire to have more stuff, the need to comply with social norms, and the reliance we place on authority figures. This will bring us closer to merging the line between external and internal threat agents, because social engineering will allow external attackers to quickly gain an internal vantage point despite traditional perimeter security measures.

Lenny Zeltser teaches malware analysis at SANS and shares his perspectives on Twitter @lennyzeltser.

Social Media

More organizations will adopt social media as a core aspect of their marketing strategy. They will struggle to balance the need to be active as part of on-line social communities while balancing compliance and litigation risks associated with such activities. Similarly, organizations will have a hard time controlling online social networking activities of their users. Attackers will continue to take advantage of the still-evolving understanding of online social networking safety practices to defraud people and organizations. Security vendors will position their products as solving all these problems; some of them will stand out by allowing organizations to granularly control and monitor on-line social networking activities, while being mindful of users' privacy expectations.

Lenny Zeltser discusses security related to social networking and other issues on his blog. Lenny leads a security consulting team and teaches how to analyze malware and combat malware.

Ben Trufanow suggests that Wikileaks points to a future where social media, such as Twitter, will be used to organize mobs that are using DDOS bots; they're making noise and, at least at times, they are exercising a fair amount of power for better or for worse. The Infosec world had better get ready for a time when all those masses get really pissed at losing tuition, or tax breaks, or food is too expensive to feed the baby; there are going to be plenty of talented hacktivists around who will discover clever ways to not only organize those masses, but will take the lessons from the DDOSing of minor services and apply them to critical services--things like law enforcement networks, power stations and communication networks. We've set ourselves up to be dependent on a lot of technologies that just can't take much of a load. I keep thinking about a telco friend of mine, a much older guy from the Bell days. He confirmed to me that if everybody picks up their phones at the same time, the system can't handle it because it is designed to be used by a small proportion of users compared to devices. Our lives are filled with these services.

Editor's Comment: We are also starting to see these tools become more refined. On my Twitter account, Twitter suggests who to follow and these are almost 100% security focused.

Securing The Human

Humans are the weakest link; regardless of how technology changes, attackers know they can always hack employees. If you look at many of the predictions for 2011 they focus on how these human attacks will only grow in sophistication and numbers, and I could not agree more. Cyber attackers will always take the path of least resistance. What I think will change in 2011 is organizations and management will finally start doing something about it; they will begin to secure the human. At some point people will realize technology can do only so much, that the human issues must start getting addressed. 2011 and 2012 will be the year of the human.

For more information on human issues of information security, follow Lance Spitzner at his Securing the Human security awareness blog. Randy Marchany adds, "Security awareness programs such as the Securing the Human initiative will be the most effective long term solution to our security issues. Why? End users and small businesses are the target of security attacks, as mentioned in another prediction. Awareness helps reduce the effectiveness of security attacks and at the very least, allows end-users to detect an attack. End-user awareness increases the chances of customers not accepting vendor software with security flaws embedded in them."

You Have to Mention Smartphones!

You can't do a 2011-2012 security prediction without issuing a dire warning that some worm will eat all the iPhones and convert the Androids to bricks. However, the biggest issue seems to be apps with spyware. Even the apps that come loaded on your phone are likely to phone home; it is a sure thing with 3rd party apps. AT&T has proved they cannot be trusted by signing their customers up for Asurion roadside assistance without even asking them. And it matters big time. Charlene Li, author of Groundswell, points out that two pieces of information will positively identify knowledge workers in the future: their email address and their mobile number. Claude Burns points out that younger people are using smartphones for almost everything and they strongly choose functionality over security or privacy. As they move up in organizations they will expect business functionality to be delivered to their smartphones. Nick Bilton, author of I Live in the Future & Here's How It Works, points out that to be successful in the future we need to program content to be displayed at 1, 2 and 10 feet, for smartphones, desktop devices and big flat screens. Your smartphone knows where you are, has access to your email, appointments, phone contacts, it is part of the way you surf the web, soon you will be able to make purchases with it, and it has very little security or privacy built into it. You don't need to be a futurist to call this one!

Barbara Filkins had an observation that is important. Asurion is best known as a cell phone insurance company. However, the tide will continue to shift so that the hardware becomes less of the value and the information stored on the device is the greater value. This is not a new trend; well over 20 years ago, Grace Hopper famously said, "Some day, on the corporate balance sheet, there will be an entry which reads, "Information"; for in most cases, the information is more valuable than the hardware which processes it." For the present, the wireless carriers and insurance companies are selling a lot of smartphone insurance policies, but they only cover hardware, which is declining in value while the information becomes of greater value by the year to the owner, the wireless carrier, marketing firms and organized crime. Some of that information gets backed up, some may not. By 2012 we will start to see companies selling cloud phone back up solutions that back up data in the background just like they do for home computers. The interesting question is whether the insurance companies will spot this trend early enough to take advantage of it, or will they eventually lose market share by being the best buggy whip manufacturer in the business.

Memory Scraping Will Become More Common

What I believe Rich is referring to is RAM Scraping. This has been around for a long time, but is more aggressively targeting data such as credit card records, passwords, PINs, and keys as of late. The reason they are successful is that they get around PCI/GLBA/HIPAA/etc. security requirements that data must be encrypted while in transit and at rest. Data in transit is decrypted on the system and often stored in memory during the lifetime of a process, or at least during a decryption routine. Depending on how a process cleans up after itself, it may stay resident even after the fact. The data is encrypted on the hard disk, but again, the RAM likely maintains the clear-text version of the data.

Browsers are notorious for leaving things sitting around in memory during web sessions. The RAM Scraping malware also targets encryption keys in memory to decrypt anything from session data to encrypted files. As far as the emerging security threat part, we are seeing RAM scraping more commonly now as attackers focus on client-side attacks, shifting away from server-side attacks. Browsers are often misconfigured, allowing malware to get onto a user's system, stealing credit card data and passwords. They are mostly an annoyance where if a customer or fraud department detects fraudulent transactions, the account must be credited and changed. This requires the banks to write-off these transactions, which can add up quickly. AV products can't keep up with the aggressive rate and polymorphic characteristics of this type of malware. We discover a ton of new malware every week, reverse it to some extent, and send the details to AV vendors to be added as a new signature. The other emerging component is the threat of RAM scraping malware targeting Point Of Sale (POS) systems. Note this trend was identified by Rich Mogull @rmogull and content provided by Stephen Sims, who teaches Developing Exploits for Penetration Testers and Security Researchers for SANS when he is not playing in his Solid State Logic band.
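Why RAM scraping works, and how a responder checks for it, come down to the same scan: walk through memory looking for digit runs that pass the Luhn check. That is what the scraper does, and it is what you should do against a memory image of a POS terminal or a browser process to learn whether card data is exposed in clear text despite encryption on disk and on the wire. The script below is an added example written for this page; it is not a tool from the article or from Rich Mogull or Stephen Sims. SAMPLE_DUMP is a constructed stand-in for a slice of process memory, and the card numbers in it are the public Visa and Mastercard test numbers, not real accounts.

```python
"""Scan a captured memory buffer for clear-text payment card data.

Added example for this page; not a tool from the article, from Rich Mogull
or from Stephen Sims. SAMPLE_DUMP is a constructed stand-in for a process
memory dump; the PANs in it are public test numbers."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, bounded by non-digits
_PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 layout: PAN, '=' separator, YYMM expiry, 3-digit service code
_TRACK2 = re.compile(rb"(\d{13,19})=(\d{4})(\d{3})")


def luhn_ok(digits):
    """Luhn check-digit test shared by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(buf):
    """Return [(offset, pan)] for every Luhn-valid digit run in buf.

    The Luhn filter is what separates card numbers from order IDs, phone
    numbers and timestamps that also show up as long digit runs in memory."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def find_track2(buf):
    """Return [(offset, pan, expiry)] for track-2 records whose PAN passes Luhn."""
    return [(m.start(), m.group(1).decode("ascii"), m.group(2).decode("ascii"))
            for m in _TRACK2.finditer(buf)
            if luhn_ok(m.group(1).decode("ascii"))]


def mask(pan):
    """Keep the first six and last four digits, the way a report should show a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed buffer standing in for a slice of process memory
SAMPLE_DUMP = (
    b"\x00\x00POST /checkout HTTP/1.1\r\n"
    b"card=4111 1111 1111 1111&exp=1225&cvv=123\x00"   # decrypted form field, Visa test PAN
    b"\xde\xad\xbe\xef"
    b";5555555555554444=25121011234?\x00"              # track-2 data, Mastercard test PAN
    b"order_id=1234567890123\x00"                      # 13 digits that fail Luhn
    b"phone=555-0199-4433\x00"                         # too short to be a PAN
)

if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_DUMP):
        print(f"PAN at 0x{offset:04x}: {mask(pan)}")
    for offset, pan, exp in find_track2(SAMPLE_DUMP):
        print(f"track 2 at 0x{offset:04x}: {mask(pan)} expires {exp[2:]}/{exp[:2]}")
```

Against a real image, pass the file contents (or each process's memory regions) as buf. The Luhn filter drops most order IDs and phone numbers, but 13 to 19 digit runs that happen to pass it still occur, so treat hits as leads to confirm from the surrounding bytes (a track-2 separator, a form field name, a PAN-shaped key in a config). Finding a PAN in a process that is only supposed to handle encrypted records is the point of the prediction above: the encryption requirement was met on disk and on the wire, and the clear text was still there to steal.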

Update 2/23/2011: Saw this article in Computerworld on the topic.

Compliance by Anton Chuvakin @Anton_Chuvakin

As many other observers noted, many of the security activities in 2010-2012 will still be defined by regulatory mandates such as PCI DSS, HIPAA/HITECH and others. This will be the case from the smallest (larger extent) to the largest (smaller extent of compliance influence) organizations. I'd love to predict that people will finally get the spirit of PCI DSS (data security) and not just the letter (assessment readiness), but it is a tall one to forecast.

So, PCI DSS will continue its march. In fact, I bet (like I predicted in 2008) PCI DSS frenzy will further spread down-market - there are so many more Level 3s and Level 4s compared to Level 1 merchants. Now they all take payment cards, they are all insecure - thus, they might all be 0wned! BTW, nowadays nobody is predicting that PCI momentum will fizzle, as some did in 2007-2008. While some people criticize it for specific requirements or missing things here and there, I still swear that those organizations who paid NO attention to security now do it ONLY because of PCI.

On the other hand, just as it was in 2008, ISO 17799 (and its 2700x children), ITIL, COBIT frameworks likely won't be 'hot,' at least not in the US. An ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule. In fact, more will try to base their entire security program on PCI DSS. All this "comply-mancing" will bring both good and bad, as far as those organizations' ability to defend themselves from "bad stuff" is concerned. If you'd like more, go to Anton Chuvakin's 2010 security predictions or even Anton Chuvakin's 2020 security predictions.

Monitoring and Analysis Capability will Increase, but not Enough

Monitoring capabilities will increase but lag behind the requirements to monitor and store. We have seen a ramp up in features and capabilities in the monitoring and analysis space, with Palantir, Netwitness, Xtractrr, and OSSEC making waves recently.

Regulators are going to ask for more log retention, and more log analysis. Next step: requiring you to take action based on the analysis. I also predict that along with instrumentation and analysis, we will see the growth of logs being used for business analytics.

- Mike Poor, @Mike_Poor, who provided this prediction, is the track lead for SANS Security 503 Intrusion Detection in Depth and is a founding partner at InGuardians, Inc.

Wireless Security Issues

Wireless adoption will continue, branching out into a larger number of purpose-focused protocols that fit the needs of individual technology. Wi-Fi technology will continue to grow, but other protocols will also emerge with widespread adoption suiting the needs of embedded technology with a variety of focus areas including ZigBee, WirelessHART and Z-Wave, as well as proprietary protocols. With this growing alternate wireless adoption, we're already seeing some of the past mistakes from earlier failed protocols repeated. Based on this exposure, and the trend of Wi-Fi failure and improvement, we'll see history repeating itself where vendors are quick to the market to capitalize on new opportunities, failing to critically examine the lessons from earlier wireless technologies.

- This prediction is by Josh Wright, author of Wireless Ethical Hacking, Penetration Testing, and Defenses, who will hack for sushi.

More Cloud Computing Issues

While there are many possible benefits to Cloud Computing, the honeymoon will end. Many organizations will soon discover that they do not have the flexibility they need for their businesses, and many others will discover that any security issues (from audit to compromise) are far more complex in the cloud.

- Prediction by John Strand @strandjs.

And I (Stephen Northcutt) would like to add, people are going to realize cloud computing is pricey. We looked into it for a compute intensive application and blades were a lower cost alternative. Jerry Shenk, a SANS Industry Analyst, adds, "I just met with a client last week who is initiating a large business push right now. We had a meeting to discuss options and somebody threw out the idea of "doing it in the cloud". It was clear that nobody understood that this concept involves putting the related data on somebody else's network. The owner had previously stated rather emphatically that he wanted to be totally in control of his own data and his own servers...basically, he wanted to build it, own it, manage it all in-house. He has looked into some "cloud options" and if his growth predictions are right, he's better off to build it himself." At SANS, we came to the same conclusion when we decided to build a new data center.

Many security professionals will come to terms with security risks of cloud computing. They will do so under pressure from the businesses they support, as companies will continue to migrate to cloud platforms. The infosec community will better understand cloud environments, while the technologies implementing cloud platforms will reach an acceptable level of maturity. Security professionals will continue to apply extra scrutiny to scenarios that involve processing sensitive or regulated data in shared cloud environments. Prediction by Lenny Zeltser, who discusses security related to cloud security and other issues on his blog. Lenny leads a security consulting team and teaches how to analyze and combat malware.

The coming of the age of extreme disclosure

Wikileaks, backscatter scanners, FOIA revisited and the fallout. The next few years will bring a rapid increase in forces seeking to expose businesses and governments alike. This will cause a ratcheting down of information management policy, increased instrumentation, and massive litigation. This prediction is by Mike Poor.

Security Continues to become part of Virtual Infrastructure

As more and more organizations add virtualization technologies into their environment, particularly server and desktop virtualization, security will be more embedded in the native technologies, and less of an "add-on" after the implementation is complete. For server virtualization, new firewalls and monitoring capabilities are being integrated into some of the leading platforms now. For desktop virtualization, native integration with remote access technologies and client-side sandbox capabilities are common. Vendors will continue to push the envelope and offer new tools to enhance virtual environments, but virtualization platforms will evolve to easily allow existing security technologies to interoperate more natively, as well. In addition, security architecture design will be a "must have" element of virtual infrastructure planning and deployment, not a "nice to have". Prediction is by David Shackleford, author of the SANS Virtualization Security Course.

Want Work? Be an Investigator!

As the quantity of e-records about business and personal activity skyrockets, the number of official audits and investigations will grow. And, the granularity of those probes will become ever more fine. We live in the AGE of INVESTIGATIONS. "Professional Investigator" is a smart career choice. Source: Ben Wright.


Update: 6/18/2010

Forensics courses are the hottest selling courses at SANSright now with multiple sell outs. Do not know if the trend will holdall the way through 2011, but for right now Ben is spot on.

Desktop Virtualization to the Rescue

Desktop virtualization takes off for its ability to remove sensitive data from the new onslaught of personally owned devices, from the iPhone/iPad to home computers that are now extensions of many organizations' networks. It also makes inroads as "sensitive" networks--that were supposed to be separate from the Internet all along--use VDI to allow people to get out to the Internet and check email from machines on isolated networks. This trend may accelerate after a company gets sued for remotely wiping a personal device without the owner's consent[1] and/or the Department of Homeland Security gets the regulatory authority to fine companies that do not properly isolate "critical" networks. Prediction by Mason Pokladnik


Social Engineering to Deliver Malware Works as Well as it Did in 2010, 2009, 2008 . . .

In 2011, I see a continuation of highly believable and well crafted email containing customized malware that exploits zero-day and well known vulnerabilities. The attacks will continue to be carefully planned and highly successful. Even cautious users will continue to get caught and most types of host protection will continue to fail at protecting the users. Policies are becoming more restrictive and I see a shift to go back to a centrally managed thin client to further put the client in a "box". It is no longer cost effective to just keep re-imaging workstations to clean up a client.

- Guy Bruneau

More Blaming China

The good news is that an increasing number of organizations will be more open about being compromised. The bad news is they will be blaming China every chance they get. It will be interesting to see how this helps or hurts the industry. Truly bitter-sweet.

- Prediction by John Strand @strandjs.

The Final Word on Security Predictions in 2011/2012 by Raffael Marty

I believe that going forward, we will be dealing a ton with wireless devices. Just look at the hype around the iPad. There will be much more like that. In addition, the targeted attacks will keep us busy for a long, long time to come, and I am not sure they will ever go away. It's just too hard to prevent all the spear phishing and such. I also believe that we will be facing a larger and larger problem with sites and users that do not follow the basic security setups: weak passwords, etc. In aggregate, those could turn out to be pretty huge problems. Just think about the cloud and how it enables many more people to do things, set up services, etc. If all those services are vulnerable to the most basic vulnerabilities, that's going to blow up. In fact, the cloud is going to bear a few interesting things: vulnerable base images, trojaned base images, weak setups, etc. The barrier of entry is almost too low for people.