Thursday, December 31, 2009

The Last List of 2009 - Predicting Security in 2010

As the guy in charge, I've been too busy with the day-to-day operations of the Sourcefire VRT to create the cliched, annual "Top 10 List" of things that have come and gone, or things that will happen in the future. However, I've procrastinated long enough on this topic, so without further ado, here are my predictions for 2010. I only managed to come up with five, but I hope you will enjoy them. If it turns out that I'm wrong, I expect you to hold them against me in 2011.

1. The Cloud Bubble Will Burst - We've seen the initial technical problems in this space: Twitter going offline, the loss of all the T-Mobile SideKick data, EC2 having terrible uptime, and Gmail outages. These failures reflect the standard trend of all new or emerging services. Next comes the predictable trend of using these services for nefarious things, which we are already starting to see with EC2 and Twitter being used as C&C. Soon I predict we'll see a compromise of a prominent Cloud provider that spews forth data at a volume never before seen. Finally, watch out for snake oil in the Cloud security market; in 2010 everything is going to have the word Cloud in front of it. The great thing about the Cloud is you don't have to deal with how it works; the worst thing about the Cloud is you don't get to know how it works.

2. The Apple Honeymoon is Over - I love Apple. I have my Mac, my iPhone, my iPod, my Airports, and all manner of other Apple devices either on my person or in my house. These devices do what I tell them, don't break very often, and have the features I use all the time. The only real problem I have with them is every single application has 1000 vulnerabilities waiting to be discovered. For years Apple has pounded us with the message that they are more secure than Microsoft, and that if Mom and Dad buy one of these shiny devices they won't have to worry about malware and viruses any more. Well, Mom and Dad listened, and now Apple owns a large segment of the high-end laptop market and just about the entire smart phone market. This means that Apple now has market share, and with market share they become an attractive target. As Windows 7 makes exploitation difficult, and bad guys increasingly rely on social engineering in their mass attacks, this segment of the market won't be forgotten. Expect more vulnerabilities and malware for Apple in 2010.

3. Mobile Device Targets - In a similar light to Apple, watch out for the emergence of mobile phone vulnerabilities and active threats. We've started to see people dip their toes into this segment (remember the hacked iPhone worm?) with some targeted pieces of malware for various platforms. Also, Charlie Miller probably has all our iPhone data at this point. But that's no matter, as at least you know where your data is. I'm willing to bet we'll see a number of other vulnerabilities and more sophisticated targeted attacks against your favorite mobile phone in 2010.

4. Prolific Desktop Software Takes a Beating - Adobe represents the first major crack in the dam of vendors who are going to take a security beating in 2010. If you make software and lots of people use it, you are going to be a target for vulnerability hunters. There is just too much money in it to pass up, either through programs like VCP (iDefense) or through some grayhat/blackhat vulnerability purchasing program. Once the first vulnerability shows up in any prolific software package, expect a hundred more to come shortly thereafter. If you are a vendor and you are not prepared for this onslaught, be prepared to lose market share and take a PR beating. Make sure you have your bug triage process in place, and have a plan for communicating with your customers about problems and getting them timely updates.

5. Critical Infrastructure Goes Sideways - The debate over critical infrastructure security, controls, and hype spins out of control in the political sector. If most of Congress believes the Internet is a bunch of tubes, it'll be beyond funny how this plays out in the media and in the compliance space. If you're classified as a critical infrastructure provider, I suggest you start getting your ducks in a row when it comes to security. If you don't, Washington is going to have O-Scope IDSes sitting on your analog controls before they're done making the world safe. Also, expect at least one garage door opener to turn off some neighborhood, now that everyone is rolling out Smart Meters.

While these are just predictions, I can give you some things that will happen in 2010. It's a complete guarantee that the VRT will blow something up, film it, and post it on the Internet for your enjoyment. I can also guarantee that in 2010 one of us will do something completely genius (stupid may be a better word) that will once again get a substance or kids' toy banned from the office. Until then, I'm off; it's late, and it is time for a drink.
