2008 Security predictions
I think 2008 will be a real year of change for the Security Practitioner and Security field.
I sense a series of changes sweeping through the security world. I read around 75 IT newsletters a week, with a lot of emphasis put on the articles and blogs on this site. What do I see happening? I see a cascade of sorts coming to us.
1. Application, not network security, begins getting actual emphasis and funding. All those firewall and Operating system benchmarks are paying off. Maybe hackers can't access a shell on a UNIX server to go at information? Big deal, many internet apps have junk database security and stored procedures (running as root/DBA) that provide comparable access. Applications are the wiggle room. What do you know about safe coding practices and architectures?
2. The mobile world is here! Several years of Pocket PCs offering a full computing environment, but none of that matters now that the iPhone is here. Wow, I can watch videos and hear music while writing blogs! Ok, I'm done snarling, but I am happy that people are finally realizing the value of the mobile devices. I attended last year's MVP summit, armed with nothing more than my iPAQ. I blogged and did lots and lots without hauling a 50 lbs bag of batteries, manuals, CDs, etc. I want a smart phone. My tablet PC is loads more productive than the 17" boat anchor my daughter uses as a bedroom TV and PC. Expect lots of sales of mobile devices.
3. But what are the security risks of mobile devices? Most people never see them as fully functioning PCs, despite these devices carrying company email and often being lost in taxicabs and bars. Seth Fogie did a great review of several apps and their coding practices in the Windows Mobile world. Of course, I wonder if the products are significantly more secure in the Palm or Blackberry world (Sorry Seth!). But I think we all agree that significant work must be done in both user security and coding security practices for most mobile architectures?
4. Mobile apps become the opening into corporate systems as other openings are secured better. We're all filtering email and email gateways. We're controlling the admin privilege needed to install apps, often downloaded from the Internet. Some of us have app-layer gateways that recognize and block Java and ActiveX malicious mobile code (or we filter out links to gambling, porn, and p0wn sites that seem to have the worst malicious payloads).
Who's watching for the PalmPilot? You know, the old one that syncs to the company PC that downloads email, while being granted access to send mail to the internet?
Who's got a Bluetooth security plan in place that controls Bluetooth and its many 'wide-open by design' abilities, often enabled and working as their users walk public places like restaurants? Can a hacker plant attack code and wait for it to be engaged, via synchronization, once back in the office? Are we able to see the possible puppet master that lurks behind the trusted PC?
Seth Fogie, ya I do respect the guy, showed us all, plainly, the big issues with ancient sync software that is often installed with cheapo, older Pocket PCs bought on eBay. Does your organization have official support and patching for mobile devices? How many are thrown, ad hoc, on your network? If you have no plan, managing your PCs is only part of the battle.
5. Embedded devices and appliance servers get focus--from the wrong crowd. You've heard the story. Brand X infrastructure server is a 'special' version of Linux with a 'custom' kernel that is simply unhackable. In truth, it's Red Hat 7.2, without kernel patches, glibc patches, and has all of the old versions of the Samba and wu-ftpd daemons installed. Rock and Roll Hoochie-Koo!
Also, the kiosk display touch screens you bought and placed in malls, the ones that acquaint millions with your products in public settings, these units use a 'special' operating system that needs no patching, right? There's no need to provide secure FTP services to send new content to them?
Indeed, who would ever create a worm that renders your automobile's ECU inoperable? We'll love our IPv6 refrigerators that track our consumption and order replacement groceries for us. Sure, embed your credit card number in the refrigerator's memory. We know in our heart of hearts that nothing will happen as our devices assume more traditional computing abilities, all the while being increasingly connected to public networks.
I feel that we didn't learn from the past. UNIX, C, and TCP/IP were the enabling early Internet technologies. As other operating systems (Mac OS 7, Windows, etc.) hit the Internet, they found themselves victim to lots of attacks tried previously on earlier technologies. Being new though, their patching and other response systems were grossly inadequate to the attacks--logging was tough to come by on the Mac.
I believe we're facing a similar 'Perfect Storm', but with the mobile and embedded devices that increasingly define our modern lives. They have lots of customized designs and applications written in low-level C, using the poorest (security-wise) functions like strcpy.
They're getting on the internet;
the vendors claim their proprietary technologies = actual security; and
everyone's deriving heavily from Open Source libs without insisting on patched, recent versions.
You don't know just what you've bought, and your security scanning tools can't tell you either; so are your new security appliances a handful of 'magic bean' systems securing your organization's 'cash cows'?
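The strcpy point above is worth seeing concretely. The following is an added example, not code from the original post: a fixed-size name field in an embedded configuration record, written first with strcpy (the pattern the post warns about) and then with a bounded copy that rejects oversized input and always terminates the string. The struct, field size and sample names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a small fixed-size record such as an embedded
 * device might keep in its configuration store. */
#define DEVICE_NAME_MAX 16

struct device_record {
    char name[DEVICE_NAME_MAX];   /* room for 15 characters plus the NUL */
    unsigned int port;            /* sits directly after name in memory */
};

/* The pattern the post warns about: strcpy copies until it finds a NUL in
 * the source and never looks at the size of the destination. A name of 16
 * or more characters runs past rec->name and overwrites whatever follows
 * it (here, port). Shown for contrast; it is never called with long input. */
void set_name_unbounded(struct device_record *rec, const char *name)
{
    strcpy(rec->name, name);
}

/* Hardened form: measure the source against the destination size before
 * copying, refuse anything that does not fit (rather than silently
 * truncating, which can hide a fault or change meaning), and always
 * write the terminator. Returns 0 on success, -1 if the name is too long. */
int set_name_bounded(struct device_record *rec, const char *name)
{
    size_t len = 0;
    /* Scan at most DEVICE_NAME_MAX bytes so an unterminated source
     * cannot make us read indefinitely. */
    while (len < DEVICE_NAME_MAX && name[len] != '\0') {
        len++;
    }
    if (len >= DEVICE_NAME_MAX) {
        return -1;  /* no room for the NUL: reject the input */
    }
    memcpy(rec->name, name, len);
    rec->name[len] = '\0';
    return 0;
}

/* Returns 1 if an oversized name is rejected and the neighbouring field
 * and the previous name are left untouched, 0 otherwise. */
int demo_reject_preserves_neighbour(void)
{
    struct device_record rec = { "sensor-1", 8080 };   /* constructed */
    const char *too_long = "this-name-is-far-too-long"; /* 25 chars, constructed */
    int rc = set_name_bounded(&rec, too_long);
    return rc == -1 && rec.port == 8080 && strcmp(rec.name, "sensor-1") == 0;
}

int main(void)
{
    struct device_record rec = { "", 0 };
    printf("short name accepted: %d\n", set_name_bounded(&rec, "kiosk-07") == 0);
    printf("long name rejected and port intact: %d\n", demo_reject_preserves_neighbour());
    return 0;
}
```

The bounded version deliberately returns an error instead of truncating: on a device where the name is later used as a hostname or a file path, a silently shortened value is its own kind of bug, and the caller is the right place to decide what to do about input that does not fit.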
6. Security just isn't important anymore. We in America might feel that we've gone too far with our security responses to 9/11. Americans are cyclical and swing from one extreme to another. Some of us might be a bit uncomfortable with possible abuses to civil liberties, justified by the past threats and attacks. We're ready to go back to 'business as usual' and won't want to hear the same security message. It's no longer necessary to screen travelers and the like. Time to sleep.
And it's that laxity that I believe will set the stage for a security cascade, sadly. Taking out Windows or Mac OS X systems via a worm is more nuisance than political statement. But stopping automobiles or defacing embedded display units, found worldwide, exceeds what might be done by defacing a company's flagship website maybe?
So at a time when we must secure more and more ubiquitous devices, will we want to do the job? We'll see!
7. On the human front, the SuperBugs have found a way to escape the hospitals and laugh off most antibiotics, often only stopped via a thorough swabbing of building walls with bleach to kill the contagion.
In response, many organizations neglect Business Resumption Planning and the need to prepare for remote access/work systems being implemented on a massive scale in a few hours. Whether a bout of Avian Flu or a mass quarantining of their building, the neglectful organizations lose days to trying to resume basic business operations. Some poor example organization may have this happen to it in 2008, and then we'll take the topic seriously. Or not--I'm not sure?
http://www.informit.com/articles/article.aspx?p=680830 This one is good at showing the pervasive risks with pervasive computing systems.
Comment below. Maybe I'm just viewing things wrongly, more negatively, than what's reasonable?