Friday, December 22, 2006

My 2006 Security Predictions Review

So, no, you are not getting my predictions yet, but here is something fun: a review of my last year's predictions. They were:

1. Viruses, worms, bots and spyware will remain the main concern; malware commercialization will continue and thus propel more money-making technologies such as spyware (5,5)

STATUS as of 12/22/2006: Correct (but it was a reeeally easy one)! Recent polls still show that malware tops the charts (even though various forms of regulatory compliance, IP theft [as some has us believe] are challenging that)

2. Data/IP theft and especially ID theft will continue and increase in both severity and occurrence (5,5)

STATUS as of 12/22/2006: Correct (at the very least, the buzz levels about this are skyrocketing); phishing and identity theft - as a type of IP theft - were certainly growing and so was the IP loss in the form of laptop loss.

3. At least one major 0-day compromise story will surface, maybe with Oracle software (5,4)

STATUS as of 12/22/2006: Correct (see recent MS Word 0day stories); Oracle bugs were aplenty, but nobody admitted that they were owned thru one ...

4. Application-level vulnerabilities will grow, service-level ones – shrink (5,4)

STATUS as of 12/22/2006: Correct (see recent SANS Top20 for some illustration); the decrease in network-service level vulns was dramatic, but SQL injection, XSS and other stuff grew like mad.

5. Client (web, mail, chat, etc) attacks will rise and server attacks will fall somewhat (4,5)

STATUS as of 12/22/2006: Correct (see recent SANS Top20 for some illustration), but no credit really - this one was trivial to predict.

6. Major wireless and mobile threats will not come (4,3)

STATUS as of 12/22/2006: Correct (but, again, I see this as an easy one)

7. Endpoint security solutions and NAC-like technologies will experience sharper increase in adoption than other security tools (3,4)

STATUS as of 12/22/2006: Correct; again, if we measure by media buzz levels and [late] company launches, NAC and endpoint security is still heating up

8. Finally, I predict that just as one cannot predict the threats of tomorrow today, one still won’t be able to do in 2006 :-) (5,5)

STATUS as of 12/22/2006: but of course! Indeed, there are many things that I am pretty sure we would all love to predict but just as unanimously missed.

So, I officially upgrade myself to Chief Security Nostradamus :-)

Dr Anton Chuvakin