LogBlog


Top 10 Security Predictions for 2010

By Dimitri McKay, Log Evangelist

Verizon Security recently posted a set of 10 predictions for 2010 on their security blog. I have my own opinions about their predictions as you'll read below.

To see Verizon’s original predictions, click here: 2010 Security Predictions

Our friends at Verizon Security feel that services like Facebook, Google, Twitter, and TinyURL will work to get better controls in place regarding criminal content. They believe that their business model is at stake if they don’t attempt to flag or eradicate nefarious activity... advertisers will start pulling their dinero. And my response to that is "of course they will!" It's an obvious statement. The online services will absolutely do more to try to curb illegal behavior. If they don’t do it, who will?

The recent Facebook "apps" scandal has made everyone scratch their heads and realize that they're allowing a number of different programs to have access to their accounts and, with that, some level of personal information. Twitter has been hacked over and over again. MySpace has vulnerabilities left, right and center. So to say that services will protect themselves is obvious. Whether these hacks or this illicit behavior happen to the services themselves or on their networks is a variable. It all depends on the vulnerabilities discovered. The web, after all, is Swiss cheese. Admitting that is the first step.

Our friends at Verizon also feel that malware will not evolve this year, that botnets will stay the same as a whole, and that there won't be any mass outbreaks or targeted attacks. Personally, I don’t see evolution as necessary when the same old vulnerabilities still exist. Security best practices weren't followed until specific verticals created requirements to do so. The result was PCI, HIPAA, SOX, ISO 17799, and more pop up every day. If businesses would stop thinking of security as an outflow of cash, and instead think of it as a necessary cost of doing business, we'd all be a whole lot safer. The outbreaks will happen when yet another bored 14-year-old finds a vulnerability and decides he’s going to be the next big thing. And chances are, he’ll be rewarded with a big security job somewhere. Funny how that works.

The security team at Verizon also feels that consumers are getting smarter. The impression that there are fewer newbies on the internet, that services are more secure, and that people are generally more aware might be true. In one respect, however, I wholeheartedly disagree. As P.T. Barnum once articulately stated, "A sucker is born every minute." This hasn't changed. Sure, people aren't responding to instant messages on AOL asking for usernames and passwords, but the phishing sites are getting better, the vulnerabilities are becoming more public, and people are still falling victim. Think back to the days of "Don't open executables!" which became "Don't open .SCR files!" followed by "Don't open macros!" and then the ActiveX nonsense for malware. At the end of the day, although the public is getting a wee bit wiser, the trojan writers are getting better-er. Claiming that people are more intelligent because your friends haven't been scammed in a while says little about the state of public affairs.

Number four on Verizon’s list states that Windows 7 (not necessarily IE8) will prove to be more robust than anticipated (vs. Vista), and that applications are the new targets. These are two completely different statements, and I’m not sure why they ended up in the same paragraph together.

First off, I should warn you – take what I’m about to say with a grain of salt as I am a world-class Windows hater. I will do my best not to let my absolute loathing of all things Microsoft seep out. Oh well. So much for that.

Windows 7 is more robust than Vista, but that's not saying much. It’s like saying a 2009 Honda Civic is more robust than a 2008 Honda Civic just because there's new standard leather trim. It's still a Honda Civic. It's still the same car. It’s just dressed up prettier. Windows fans will go on and on about this-and-that device support and stability. We’ll all stay tuned for that one.

Attacking applications as the next step is fairly obvious. Of course crooks are going to go for applications. Applications aren't written to be secure. Writing for security is much more time consuming and therefore more expensive. Coding for security has to be the next evolution in application development. Write for security as the first step. Make security the high priority. Don't write the app, then go back to see if it's secure. This is what causes world-class /fail.

Number five on Verizon’s list of 2010 predictions is that government and non-tech organizations worldwide will become increasingly frustrated over SMTP, DNS and SPAM, and they’ll find phishing more and more difficult to thwart. They believe that Microsoft’s legal efforts to can-that-spam, along with a high-profile arrest will somehow cause all the other SPAMMERS in the world to shake in their boots and think twice about their line of work.

*yawn*

Spammers are nothing more than ticks on the backside of the internet. They exist. They suck off their hosts. And then they fall off. If we want to end SPAM tomorrow we have to make the punishment for spamming so severe that the mere thought of it will make these hoodlums shake in fear. Follow the money. Who is profiting? Is it the manufacturer of said product? Is it a reseller? Follow the money. Then once you get them, go after the people who actually BOUGHT something due to a SPAM email. The only reason spammers still SPAM is because someone is buying. Those people should be prosecuted for even responding to SPAM.

Verizon Security also believes that breaches will increase, but on a smaller scale with fewer records compromised. They feel that more money theft will take place with account staff credentials being compromised. And they also believe mid-size businesses will be hit with some sort of compliance mandate to force them to do the right thing. Where Verizon and I disagree is that I see this going in the opposite direction. I see more breaches, more records compromised, more insider threats, more phishers, and more crooks using Western Union to transfer money.

What I'd love to see is a better-than-best-practices compliance mandate to supersede all mandates. From small business to large enterprise, make everyone play by the same rules regardless of vertical, regardless of industry, regardless of income. One compliance mandate to rule them all. That compliance mandate should not only represent best practices, but step it up a few levels.

Also, if there were a blanket worldwide legal policy that applied to ALL cyber-crooks globally, these scoundrels would no longer go unpunished. A couple of thousand dollars stolen from an account in the U.S. goes a LONG way in some other countries, and not only is it relatively easy to commit these crimes, but there are really no legal deterrents in place to discourage these high-tech pickpockets in other countries. Hoodlums can make millions (yes, millions) without any fear of prosecution, and the temptation to pick such low-hanging (albeit forbidden) fruit is very difficult to resist. Let's get downright hardcore on the legal front. Let’s take down these wrongdoers.

Verizon Security went out on a limb when they stated that nothing of note is going to happen to phones, PDAs, and Macs. Really? Uh…no. Just two weeks ago we all learned about a sneaky little trick to invade unlocked iPhones that have SSH enabled with default passwords. This is just step one. If you look at how many iPhones are on the market, you can see the huge motivation for delinquents to act-a-fool. I see the mobile phone market getting its fair share of security issues.

Although I think Verizon Security has a high-level view of what takes place on the security side, it seems some of the predictions are off in left field somewhere.

One prediction I believe nobody will dispute though, is that 2010 will be a very exciting year in security. And if we're lucky, a few people will realize they need log management to keep an eye on the security of their infrastructure. Stay tuned.

Posted December 28, 2009 in Security , Top10 | Permalink
