Wednesday, December 22, 2010

Checking My 2010 Security Predictions

People should be banned from making new industry predictions before checking how their past predictions fared – and possibly embarrassing themselves again and again (see “The Year of Mobile Malware” Smile)
My 2010 predictions were here:
Proceeding to check them below!
Compliance: as many other observers (Joshua at 451 Group comes to mind) noted, many of the security activities in 2010 will be defined by regulatory mandates such as PCI DSS, HIPAA/HITECH and others.  […]
Sadly, this is as true as ever. As security moves downstream/downmarket, compliance plays bigger role. WIN – but an easy one. BTW, some people did predict “the death of compliance”, but this sure isn't happening any time soon…
Bad shit: what we have here is an intersection of two opposite trends: rampant, professional cybercrime and low occurrence of card fraud (as a percentage of card transaction volume). I explain this conundrum by predicting a scary picture of huge criminal opportunity, which still exists unchanged.  […]
Shit is indeed pretty bad. WIN – but an easy one; no fame points getting this right. This will get worse before they get better and we are in the “climb to REALLY bad shit phase”, IMHO.

Intrusion tolerance is another trend (and its continues existence is in fact my prediction for 2010) which helps the “bad guys”: it is highly likely that most organizations have bots on their networks. What are they doing about it? Nothing much that actually helps. It is too hard; and many businesses just aren’t equipped – both skill-wise and technology wise – to combat a well-managed criminal operation which also happens to not be very disruptive to the operation of their own business.  […]
Same thing – predicting this was like taking candy from a baby. WIN, but with no extra credit. Organization will likely stay owned, despite regulations, media attentions, big security budgets, etc.
Cloud security: I predict much more noise and a bit more clarity (due to CSA work) in regards to information security requirements as more and more IT migrates to the cloud. The Holy Grail of “cloud security” – a credible cloud provider assessment guide/checklist – will emerge during 2010.
A WIN here too - more clarity on cloud security is here. CSA work (CSA 2.0 guide,  recent cloud compliance matrix and CloudAudit releases) are helping.  Still, there is a lot of delusional cloud noises from many vendors….

Platform security: just like Vista didn’t in 2007, Windows 7 won’t “make us secure.” The volume of W7 hacking  will increase as the year progresses.  Also, in 2008, I predicted an increase in Mac hacking. I’d like to repeat it as there is still room there :-) […]
And, only the truly lazy won’t predict more web application attacks. Of course! It is a true no-brainer, if there ever were one. Web application hacking is “a remote network service overflow” of the 2000s….
So, a partial WIN here, but then again – predicting “more attacks” is stupidly easy. BTW, Windows 7 is holding pretty well and there is no dramatic rise in public W7 vuln releases. Are people hoarding them (possible) or the vulnerabilities just aren’t there? Or maybe everybody is owning Adobe now (NEWFLASH: Adobe 2 days without a 0-day vulnerability!)


Incidents: just like in 2008, I predict no major utility/SCADA intrusion and thus no true “cyber-terrorism” (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait at least few years for this one (see my upcoming predictions for 2020!) Sure, it makes for interesting thinking about why it did not happen; surely there is a massive fun factor in sending some sewage towards your enemies.  I'm happy to be correct here and have no such incidents happen, but I was predicting that something major and world changing would NOT happen so Feynman paradox is on my side. […]
WIN – but a reluctant one. I still won’t predict it for 2011 (predictions out soon), but even thinking about this one freaks me out…

UPDATED: in comments, Alex has [likely] correctly called me on this one - what about Stuxnet and Iran's nuclear control gear? Won't this qualify as "major industrial control incident"? OK, maybe - but we don't know what damage they suffered, beyond annoyance. In any case, I am changing this for partial FAIL from WIN.

UPDATED2: this prediction is an official FAIL. It was reported that Stuxnet DID in fact significantly impact Iranian nuclear facilities by accelerating an unknown number of centrifuges to beyond safe limits, and likely causing their breakage. We have proof - sort of - that you can blow up sensitive equipment nicely using malware. So...the future begins...NOW?

A massive data theft to dwarf Heartland will probably be on the books. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.
FAIL. No such breach materialized – at least not publicly.

UPDATED3: as pointed out in comments, Wikileaks is just such a breach - big, wide-ranging; it matters even though I thought it would be a PII breach and not a confidential document breach. Changing FAIL to partial WIN.


Malware: sorry guys, but this year won’t be the Year of Mobile Malware either. As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal – but it is just not the case yet in the US. There will be more PoC malware for iPhone, BlackBerry, maybe the Droid, but there will be no rampage. On the fun side, maybe we will finally see that Facebook malware/malicious application (that I predicted and consequently missed in 2008). This one will be fun to watch (others agree), and current malware defenses will definitely not stop this "bad boy," at least not before it does damage.
WIN. Read my lips: no..year..of…mobile…malware! Yes, I know AV vendors want it badly (in their ongoing fight for relevance) and keep predicting it  but it ain’t coming. Sorry!

Risk management: more confusion. Enough said. In 2008, I said “Will we know what risk management actually isin the context of IT security? No!It sounds like we know no more now.
WIN, but maybe not for long. Growing amount of security data might change it in the next few years. Maybe. For now, as Mike said it, "Risk scoring is still a load of crap"

Conclusion: I can predict, but mostly easily predictable stuff. I am an extrapolator, not a Nostradamus.
Possibly related posts:

Dr Anton Chuvakin