Wednesday, December 31, 2008

Review of My 2008 Security Predictions

OK, so other bloggers are not doing it, maybe they are too shocked by The Death of the Internets, 2008 Edition, Rel. 2.0. I will, however!  Namely, I am going to revisit my 2008 predictions, posted here. BTW, I disagree that year-end predictions and reflection are a waste of time. I think  whenever you do it, it is useful to think and reflect about the long term.

So, here are the predictions (in italic) and how they did (in regular) after about 12 months of “facing reality.”

Platform security:

  • Vista makes us secure = no. People start to actually use it (in large numbers) = maybe. And then get 0wned = yes! The volume of Vista hacking (and then Win 2008 hacking) will increase as the year progresses.

This prediction was too safe; and also not too specific! Vista definitely did not make us secure. I can suggest that the part that “people start to actually use it” was a failure and Vista is NOT yet in wide use (definitely not on the corporate side). There was not much public ”Vista hacking” and few critical Vista vulns. On the other hand, Vista is not a security failure; it is just a regular one :-) So, is Vista the new OS/2?

  • Increase in Mac hacking = yes. The story is that Vista drives Mac adoption -> Mac increase in popularity will drive a new wave of Mac "0wnership"

Just as the previous one of his prediction was not too specific. I think we can claim that Mac hacking has increased and few critical Mac vulns crept up.  However, I don't have the metrics to prove it.  Definitely, the idea that “Mac = secure” has shrunk in popularity down to its minimum value: the size of a Mac fandom :-)

  • Web application hacking still on the growth path = yes. As they say, 'it will get worse before it gets better.' I am predicting that 2008 is still the year when it continues to be getting worse.

Yes, yes and yes! As Jeremiah said, web application hacking has finally arrived (after a few false starts).  However, I will call this “a pussy prediction” since it was so easy to get right.  In any case, go check your website for SQL injection, it is probably 0wned already :-)


  • 0days use becomes mundane = yes. This will be especially true for those browser-hacking folks who "need" to earn some cash off phishing and other data theft. Thus, "0day use" will no longer constitute news!

I’d say, “a miss,” despite all those fine folks 0wned thru IE 0days: a good zero day attack story still makes news. BTW, check Pete’s “0day tracker” here.

Hacking, data theft, etc:

  • Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!

I wanted to link to Rich’s  Amex example here, but why bother?  The whole root CA fakery is a much, much, much better example (brief, details, for laymen) Fake sites –> fake SSL sites is definitely an ominous possibility (even though this particular issue is not that scary [more cool than scary!], but it illustrates the point)

  • Major utility/SCADA hack = no (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait another year or so for this ...

This one makes for interesting thinking about why it did not happen; surely there is a massive fun factor in sending some sewage towards your enemies.  I'm happy to be correct here, but I was predicting that something major and world changing would NOT happen so Feynman paradox is on my side.

  • Cyber-terrorism = no (again, not yet!) Will it be a reality in the future? You bet! Just not now ...

Do I really have to comment on this one? Is there anybody with a semblance of a brain who expected 2008 to be the year of “cyber terrorism?” This was a safe one; an ultimate “pussy prediction." Easy to get right for the same reasons as the previous one, about SCADA.

  • A massive data theft to dwarf TJX = yes. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.

Ok, I missed this one – no “TJX 2.0”  this year.  I seemingly forgot about the famous Feynman paradox (see book), which says that if you predict the status quo, you’d be right more often than not. Still, I think that the current onslaught of security breaches is not the worst we have seen,  not by far.


  • The year of mobile malware = no (not yet, if you insist!). As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal (not the case yet in the US)

This one was a no-brainer; another “Fuzzer prediction.” In fact, I think that everybody who predicts it either is retarded or has something to sell.

  • More fun bots = yes. Bots are here to stay: they follow an overall trend for IT automation (seriously!). Think of bot infrastructures as "shadow IT" with their own SLAs, business model innovation, performance optimization tactics, etc
  • Fewer worms and viruses = yes (why write one if you can make money off bots?) As the share of "conventional" viruses and worms in the whole malware universe decreases, so will the popularity of "legacy" AV vendors ...

These two go hand and hand! Worms did NOT come back while bots proliferated. Unless folks invent new and cool ways of making money with worms, we are looking at further bot development. I’d say that it slowed down a bit since our defenses are so far behind. BTW, what was the latest infection numbers for bots? 30% of all desktops? 60%? 87%?

  • Facebook malware/malicious app = yes . This one will be fun to see (others agree), and current malware defenses will definitely not stop this "bad boy."On the flip side, there is not that much to steal off Facebook accounts ...

A miss. My guess is that there is still not much to steal from Facebook accounts (well, maybe that picture :-)) I think social networks will become more than an insignificant source of malware, just not today.


  • PCI DSS continues its march = yes. In fact, I bet PCI DSS frenzy will spread downmarket - there is sooooo much more Level 3s and Level 4s compared to Level 1 merchants. They all take CCs, they are all insecure - thus, they will all be 0wned! And then hopefully fined :-)

I am proud of this one, actually, and not only because of my job title. So many sore losers has predicted that PCI momentum will fizzle. No such “luck.”  While some people criticize it for specific requirements or missing things here and there, I swear that those who paid ABSOLUTELY NO attention to security now do it ONLY because of PCI. As a result, PCI DSS –> the world is a safer place for everybody!

  • ISO17799, ITIL, COBIT frameworks = maybe (again); they likely won't be 'hot,' at least not in the US; ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule.

Ok, I took the cowardly route here too, I should have said “no” (not “maybe”) and I’d still be correct.  In fact, I think that even all this work on ISO2700X will NOT make ISO popular in the US.

Risk management:

  • Will we know what risk management actually is in the context of IT security = no. Some people (e.g here) might, but not the majority. And don't even get me started on security ROI :-) This part of security realm will continue to be occupied mostly by loudmouths who will spout, but never define; rant, but never explain; blab, but never clearly state. Sorry to those who are not like this, but you will continue to be in the minority in 2008.

Darn it, I stand by it. We still don’t know jack about how to apply “risk management” (aka “sometimes you think you manage risk, and sometimes the risk manages you” :-)), but there are some really good attempts at it.

Security technologies:

  • eVoting security will flare up = yes. Expect big and bad stories about evoting in preparation to the US elections. Maybe another "chad story", but with an "e-" added to it? Fun, fun, fun! :-)

Yeah, there was some noise, but not as much as I thought. So, maybe we’ll call it a miss.

  • Full disk encryption becomes popular = no. In fact, I predict that in 2008 encryption would be "the new firewall" - more and more people will hide from reality behind "we have encryption - we are safe now!" (check out my piece on encryption mistakes, while you are at it)

Not happened yet, so we will call it a hit. I do think that in 2009 it will get there though (I am typing this on a laptop with an encrypted hard drive! :-))

  • NAC= huh. Huh? The451Group said it best: "NAC has been the 'next big thing' for about four years now – that's a long time in the IT world." Others just say "NAC fallout has started." NAC vs insider attacks? Gimme a break... :-)

A hit, for sure. Was I the first to predict the demise of NAC? Probably not. In fact, Gartner folks make fun of some NAC predictions here. “You know what we said about NAC becoming a $2B market that will achieve 100% enterprise penetration in 2008?” Bua-ha-ha-ha.

  • More whitelisting for host and network security = yes (but combined with blacklisting, which is certainly not going away!) As malware landscape becomes even more diverse, application whitelisting for security will start to shine even more.

Hard to say; I am tempted to say that it is a hit, but the inertia of “Big AV” is still too huge.

  • Academic security research stays ridiculous = yes. Wrong problems, wrong solutions, wrong speed (as in: solving solved problems of day before yesterday...). There will be some exceptions: for example, some of the Project Honeynet academic participants deliver a punch!

Seriously? As ridiculous as ever. I will NOT be shocked if some academic will invent a new anti-worm solution :-) Ya know, to stop Blaster, Slammer and their ilk.

  • Secure coding becomes mainstream = no (definitely, 'not yet' on this one) It pains me to say that that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won't be hurtling down the highway at full speed. 2009? Sure, may be!

Again, this was an easy one. The tricky part is to predict when it will become mainstream or will the economics keep it in the niche. Here is a thought:  maybe it will become mainstream WHEN somebody will make it easy!

No, no and no. A hit, for sure. Please remind me the latest DoD deadline for IPv6? 2004? :-)

Security market:

  • Mid-market and SMB security = yes! I think 2008 is the year when smaller organizations will start buying the types of security solutions that were only looked at by the large enterprises before. After all, they have the same problems to solve! They have compliance too. They lose data

Well, PCI is making it so, but sooooooo slowly. I guess I phrased it safely (“start buying”)  and so it is a hit, but I’d say that it will take more development before smaller organization will even get a chance to become secure.

  • More security SaaS (software as a service) = yes. It is not just Qualys anymore ... More companies will figure out ways to sell security software as a service. This is especially true due to the SMB security spending increase predicted above!

He-he, funny you’d mention that :-) Of course! Yes, definitely a hit. The question is who will make it work next.

  • 'Consolidation' = no. Whaaaaat? You just said 'no' to consolidation in security market? :-) Well, Vendor X might buy Vendor Z and Vendor N might go down in flames, but I predict that we will celebrate 2009 with just as many security vendors as we have today ...

A hit, a counter-intuitive one for some.

Logging and log management:

  • Database logging = yes. 2008 is the year when database logs will be collected and analyzed just as Unix syslog, Windows event logs and firewall logs are collected and analyzed today by just about everybody.

This is true to a large extent, but I will not say that “everybody is doing it” so it is a partial.

  • Application logging will start = yes. People will start collecting (at least collecting at first) application logs, not just firewall and server OS logs (and database logs, as mentioned above). Maybe ERP, CRM logs, maybe other large enterprise applications will lead the way. Major 'application logging waterfall' will occur later, however ...

Starting – yes, but definitely not en masse. I think log standards work (CEE) has to be more advanced before application logging and log analysis will spread.

  • Now that collection and management are 'taken care of' in many organizations, log analysis will (again...) come to the forefront = yes. In the end of 2008, we will be doing log analysis in a large number of fun, new ways - it won't just be about rule-based correlation and keyword searching anymore (Andrew agrees)

A nice fat piece of wishful thinking on my behalf. Log storage is still largely the state of the art, even though I trust splunk folks will help advance this one.

Dark horses, that will influence security in a major but unknown way in 2008:

  • Virtualization = people talk about hypervisor security and virtual security appliances as well as other fun stuff (e.g. this), but, in all honesty, we can't yet fathom the impact that the coming virtualization wave will have on information security.

This one give a lot of people  a lot of reasons to talk about fun stuff (Hoff comes to mind) Will I call 2008 a year of virtualization security? No, probably not.

  • Privacy = I predict that privacy issues, also privacy laws and public outcry due to privacy violations will impact the world of information security in 2008. However, my crystal ball is refusing to share the details on how exactly, citing "privacy concerns" :-)

This one will also have to wait. If you think about a) security b) privacy and c) compliance, then c) holds MUCH more mindshare today, sadly.

Conclusion: my personality type is hereby labeled “successful but cowardly predictor” :-)

2009 predictions are coming soon!!! Yes, they are!!

Dr Anton Chuvakin