Stories by Andreas M. Antonopoulos

The fantasy and reality of government security

In the movies, the government always has the best toys, the cutting-edge technology and the tightest security standards. Those who have worked on security projects within the government know that in real life, government security standards and implementations vary across the whole range, from quite serious to laughable.

Security predictions for 2009

My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should. As always, take these with a grain of salt.

How recessions make good people do bad things

Whom can you trust? In security, many of us nurture a healthy sense of paranoia and tend to be distrustful. But as human beings, as social beings, we form bonds of trust with those around us.

The challenge of securing virtualization operations

I have been very interested in virtualization security since early 2004 and it now seems like it has become a mainstream topic. Most of the focus however is on securing the technology of virtualization (the hypervisor) and providing virtualized security (usually as virtual appliances). My focus nowadays is more on the operational impact of virtualized infrastructure and by extension the impact on security operations. After all, security controls (technology) are essential but without operational controls (people) they are not sufficient. So what is the operational impact of virtualization?

No excuses -- encrypt all laptops

Every year, more than 5,000 laptops are lost in taxis in London, New York, Chicago and other large cities. According to our research, in 2008 companies' topmost security investment was laptop encryption. Laptop hard drives are getting bigger and can now hold hundreds of thousands to hundreds of millions of sensitive records.

Which IT security skills are most important?

I often hear from IT executives that it is hard to recruit and retain "good security people." Many lament the shortage of skills in this area and cannot reconcile the skills offered with the positions that need to be filled. Is there really a shortage of good security people? Or just a mismatch in the skills and the jobs?

Attackers are thinking outside the box

In the adversarial environment of information security, new types of attacks emerge constantly. Just recently, a very highly targeted phishing attack against CEOs used the pretext of a federal grand jury subpoena to lure executives to a site hosting malware. Let's face it: Most of the innovation in this industry is on the other side, the "dark" side. We are unfortunately forced to keep reacting to new ingenious attacks every few years.

Security in a bubble

People don't notice change when it's gradual. Sometimes, however, small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.

Virtualized security: the next frontier

Companies are adopting virtualization technologies at a faster and faster rate. They are virtualizing servers, desktops, storage, networks. But one aspect of infrastructure has been lagging -- very few companies address the growing demand for virtualized security.

Network threats develop 'antibiotic' resistance

The scientific field of biology has provided many useful metaphors, such as "virus" and "infection," for the study of malware. Many researchers have used biology and evolution science to create innovative defenses against malware, in many ways simulating the functions of biological immunity systems. I find that biological sciences and especially evolution provide some great insights into the behavior of malware, malware creators and malware defenses over longer periods of time. I also see a lot of parallels between the evolution of malware and the evolution of darknets (stealthy peer-to-peer, or P2P, networks).

When it comes to security, chaos may be your friend

Viruses and other malware are getting better at evading antimalware systems despite the sophisticated behavioral-analysis systems that are used to detect them. This week a rogue trader in France was able to hide a growing loss until it reached US$7 billion and was impossible to hide. What do these two events have in common? Both exploit the predictability of defenses to evade detection.

Security: What will be hot in 2008?

There are two ways to predict the future with 100% accuracy. You either have the power to shape the future to your predictions (the God method) or you make your predictions vague enough so that they fit most conceivable outcomes (the Nostradamus method). For those of us without omnipotence and with a desire to write something meaningful, that leaves the alternative: extrapolate from in-depth research, solid statistics and current trends and hope for minimum volatility (disruptive innovation or externalities) in the outcome.

Re-assessing risk and loss

A popular expression in security circles is to equate critical company intellectual property with the crown jewels. That comparison is apt in more ways than one. I've visited the Tower of London and the crown jewels. The crown jewels are protected by many layers of security, but the truth is that they make very poor targets for theft because they are far too distinctive to fence. To sell such items, a thief would have to take great risks and heavy discounts. If someone were holding the queen hostage, they'd more likely ask for "nonsequential unmarked bills" than for the crown jewels. Any item, whether tangible like the crown jewels or intangible like your company's latest flying car design, is only worth what a buyer will offer. If the market for such an item is too small or the risk of laundering too high, the item will have to be heavily discounted. Yet, in most information security risk-assessment methodologies we measure the loss impact for the company and ignore the gain potential for the thief.
