Friday, December 22, 2006

My 2006 Security Predictions Review

So, no, you are not getting my predictions yet, but here is something fun: a review of my last year's predictions. They were:

1. Viruses, worms, bots and spyware will remain the main concern; malware commercialization will continue and thus propel more money-making technologies such as spyware (5,5)

STATUS as of 12/22/2006: Correct (but it was a reeeally easy one)! Recent polls still show that malware tops the charts (even though various forms of regulatory compliance and IP theft [as some would have us believe] are challenging that)

2. Data/IP theft and especially ID theft will continue and increase in both severity and occurrence (5,5)

STATUS as of 12/22/2006: Correct (at the very least, the buzz levels about this are skyrocketing); phishing and identity theft - as a type of IP theft - were certainly growing, and so was IP loss in the form of lost laptops.

3. At least one major 0-day compromise story will surface, maybe with Oracle software (5,4)

STATUS as of 12/22/2006: Correct (see recent MS Word 0day stories); Oracle bugs were aplenty, but nobody admitted that they were owned thru one ...

4. Application-level vulnerabilities will grow, service-level ones – shrink (5,4)

STATUS as of 12/22/2006: Correct (see recent SANS Top20 for some illustration); the decrease in network-service level vulns was dramatic, but SQL injection, XSS and other stuff grew like mad.

5. Client (web, mail, chat, etc) attacks will rise and server attacks will fall somewhat (4,5)

STATUS as of 12/22/2006: Correct (see recent SANS Top20 for some illustration), but no credit really - this one was trivial to predict.

6. Major wireless and mobile threats will not come (4,3)

STATUS as of 12/22/2006: Correct (but, again, I see this as an easy one)

7. Endpoint security solutions and NAC-like technologies will experience a sharper increase in adoption than other security tools (3,4)

STATUS as of 12/22/2006: Correct; again, if we measure by media buzz levels and [late] company launches, NAC and endpoint security are still heating up

8. Finally, I predict that just as one cannot predict the threats of tomorrow today, one still won't be able to do so in 2006 :-) (5,5)

STATUS as of 12/22/2006: but of course! Indeed, there are many things that I am pretty sure we would all have loved to predict but all just as unanimously missed.

So, I officially upgrade myself to Chief Security Nostradamus :-)


Anonymous said...

The prediction I was most impressed with was the one you were least impressed with. Client-side security could have been predicted but not at the devastating levels of vulnerability we've seen this past year.

Good work for last year! I can't wait to see your predictions for 2007!

I will look at your list (I just added you), but here are a few of my predictions for 2007:

Bleeding-edge malware writers will get smart and start putting malware into browsers only, targeting web applications - especially popular websites - especially social networking sites. XSS's + session ID's (or conversely, CSRF's) will be the new gold standard for trading in the underground, similar to the way botnet C&C's and proxies are traded now.

Cutting-edge malware writers will concentrate on agents, in particular the popular AV, HIPS, and Patch Management applications. I would love to coin a phrase here: "call home through call home". IOW, I think we're going to see covert channels in OS/app default routines such as Windows Update and Mac OS X System Update similar to the way we see covert channels in NBT and MSN today. We're also going to see plenty of covert channels in things protocol capture can't get into easily, such as HTTP cookies.

My last prediction is even more bold - I predict a backlash and the ultimate demise of NAC that will lead to a new (and actually solid) strategy of defense at Layer-2. Exploits for strike-back against automated scanners may agitate this. Cisco will still end up as the market leader in Layer-2 defense, but it won't be called NAC and it's not going to do everything NAC claims to.

Anonymous said...

I take issue with predictions 5 and 6.

"5. Client (web, mail, chat, etc) attacks will rise and server attacks will fall"

I would argue that server attacks have not fallen. Web applications have seen a sharp rise in attacks. Poorly coded web-apps result in many servers being owned and pulled into bot-nets.

"6. Major wireless and mobile threats will not come"

I think the threat of wireless and mobile attacks is high. Almost no mobile devices implement Bluetooth in an intelligent way, and this results in the ability to snarf down address books and other private information. Regarding wireless, the industry is starting to become aware of the dangers of poorly coded device drivers. Apple and Intel have both released critical security patches for their wireless drivers and software. The threat is there, but it hasn't been exploited much.

Dr Anton Chuvakin