The “next year” predictions have begun. McAfee issued their list of top threats for 2007. While they are driving their own market, they also take the easy road and state the obvious. It reminds me of the Top 20 Attack Targets from FBI/SANS, which covered just about every broad base in the digital world that it could. Great, talk about useless.
For my part, rather than just rehash the same old, I thought I would offer some thoughts I had for the coming year and beyond, by going out on just a little bit more of a limb than saying, “spam will rise.”
Convergence of culture on security policy – In the coming year and years we will see more of our digital culture permeating every aspect of our lives, and workplace policies will need to adjust or become obsolete or even barriers to getting good talent. Web filtering, Email filtering, IM controls, device restrictions, and the like will all be challenged as the Internet generation continues to fill more and more roles in the workplace and the digital lifestyle fills up and moves beyond just personal time. Companies need to embrace these changes and technologies now, instead of waiting until the pot boils over. It might be tough to properly handle IM, but it should be started now anyway. And dare I mention continued DRM and copyright troubles? Naa, that’s obvious.
Pockets of wireless driver exploits – The wireless world did not see huge gains this year in tech, but it did collectively hold its breath for news on wireless driver vulnerabilities. Granted, we had to wait longer than expected, but they are obviously present. And who updates drivers anyway? (Only three groups in Windows: gamers, people reinstalling their system [albeit usually from a disc], and us geeks…a vast minority of users…) Because of this, and the continued trend for municipalities to roll out widespread wireless access, I expect some pockets of wireless exploits to be had, whether it be a muni, airport, or university or corporate campus. Considering how deep the vulnerabilities get and how often people do not update their drivers, I expect something like this to be wormable, especially from an airport or location where the infected laptops migrate offsite. Issues like this might not be found out for days, when it is too late.
Managed security and IT takes a strong hold – More and more companies will realize that IT and security are expensive. They are difficult to manage, and even more frustrating for the professionals who know what to do but don’t have the time to perform the needed tasks, or for the professionals who don’t know what to do but have to take time to become experts. Ask any pro who has had to juggle their daily tasks while also researching the viability of blades and/or virtual systems. Suddenly you have to be an expert. Why do all this when it can be outsourced or at least managed by a third party? And as this continues, the industry will grow as well, by experiencing economies of scale and being able to make the best use of expert knowledge and quality talent. Why should one awesome security pro manage only one client, when they might be able to effectively manage 5 with some extra hands to help? This is classic, fully mutual economic growth: companies will fuel it and providers will get better.
More disclosure debate – The disclosure debate will get hotter, especially with today’s announcement that the Week of Oracle Bugs was cancelled due to some external pressures, and with Vista coming out. This debate will get ugly before it gets better, especially if something else comes out that really exposes government, critical infrastructures, or large swaths of people. And if people start exposing exploits, will someone finally sue for having spoken out about it? Should we pretend they don’t exist until someone uses them and gets caught or detected? Hopefully this stays out of the mainstream media, otherwise we’re all in trouble.
Laptop theft and data disclosure not going away – Ever since we’ve had laptops, we’ve had lost laptops and data on those laptops. The media keeps acting like this is some new amazing trend we’ve never seen before, but it is as old as the concept of possessions. This will not be going away because we continue to make laws to disclose losses, we get better at detecting and tracking these things, and the number of mobile devices and expectations of mobile work is still growing at a huge rate. I just hope the media stops reporting every single one, thus numbing everyone about it.
The rise of the browser – The web browser is already an over-powered computer application. It has become almost bigger than the OS itself, and will keep going until all you need is an OS and a web browser to access all you need. This is dangerous and illustrates how technology is pushed and pulled without regard to security. Web 2.0 has assured this.
The decline of the OS – The OS is slowly going to fall out of vogue. People hate upgrading and the insecurities, and they don’t want to pay money to have their known and accepted OS replaced with yet another interface that must be learned. And with the rise of the browser, there is a very real chance that security just gives up on the end system and moves security into the network. Next year will be a dangerous time for the OS and browser, and Vista right now holds the reins.
Mac will have malware – The Mac will finally get hit with some definitive malware, which can finally shut up all the Mac fan boys (my next laptop will be a Mac) who keep dodging around and protecting their precious “no malware on Mac” claims. This will occur next year, and we can all finally move on with life and get some great things done without this marketing zealotry always muddying the waters of the blogs and media.