Jan 17 2007
By Jim Reavis
What do you call billions of spam messages, millions of lost customer records, thousands of new viruses and hundreds of governments asleep at the wheel? In our business, we call it 2006, just a normal year in the information security industry. As we put last year in the books and gird ourselves for another year defending our digital frontiers from an array of threats, we wanted to provide some guidance in the form of predictions by some friends of Risk Bloggers. These are not just any random hacks with Magic 8 Balls; we scoured the industry and hand selected experts with a solid 50% track record on heads or tails. Our sages of the security scene include CISOs, former CISOs, Industry Analysts, CTOs, CTOs who wish they were CISOs, Risk Management Experts who think they understand technology, and others we struggle to categorize. If you have been around the block a couple of times, you know that our industry’s thought leaders can sometimes be a little pessimistic. But while you might not want to take this crew into the hospital to pep up Grandma before that hip replacement operation, being prepared to protect our organizations’ viability and even our way of life does require facing unpleasant probabilities from time to time.
If our experts are right, 2007 does look to have a few rough patches in the road. Increasingly sophisticated criminal organizations are able to exploit technology to stay ahead of corporate and consumer defenses, steal billions of dollars and disrupt whole economies. Botnets, web application holes and uncontrolled mobility loom large as villains in this tale. Skepticism about the government’s ability to be relevant in the face of these challenges abounds. Perhaps most disturbing is not the technology or regulatory challenges, but the lack of a hospitable environment for CISOs in the modern corporation. The revolving door CISO appears bound to continue, as for whatever reason executives too often are not able to appreciate and leverage security to improve and accelerate their business.
At the same time, there are some hopeful signs. The possibility of regulatory compliance coalescing around industry standard frameworks could be a boon to information assurance programs. The IPO may be returning to the security industry, providing much needed market validation to our space. The rise of collaboration and other technical enablers will provide additional tools for the good guys to take arms against a sea of troubles. We hope you enjoy these prognostications, and your introduction to Risk Bloggers as well. I predict that some of these predictions will come true, some won’t, but that we will entertain and inform you throughout the year.
Crime, Law and Punishment
The “bad guy” will be worse in 2007. As terrorists, criminals, violence and true evil increase, our society finds itself numb and less than responsive. Without a radical change, which I do not see on the horizon, the bad guy will gain ground on many fronts in 2007. Radical change will not happen until our society is very fearful, and then the question is whether it will be too late. If a large terrorist event occurs and society is fearful, there will be an overreaction to a military state and heavier government regulation and controls. Jeff Spivey, Outgoing President, ASIS International, Director of Security Risk Management and co-founder, Alliance for Enterprise Security Risk Management
For the last couple of years, I have predicted that this year would be the year that Congress would pass a national breach protection law. I’ve been proved wrong every time. So this year, I’m going to predict that Congress will not be able to pass such a law this year and hope that Fate isn’t smart enough to see through this cheap trick. Jon Callas, CTO, PGP Corporation
Organized crime (yes, it is now “the Sopranos”) is funding computer criminals to create new ways to perpetrate fraud. These capabilities will be used to attack not just banks, but any organization that can be victimized by fraud.
Attack methodologies will become dramatically more sophisticated and dangerous. The risk of cyber-terrorism will continue to increase as world tensions increase. Lack of preparation and plans to deal with the consequences place countries and businesses at significant risk. Dave Cullinane, Award winning CISO and co-founder, Alliance for Enterprise Security Risk Management
Attacks will continue to be more concentrated and focus on larger transactions. One of the top 10 banks will experience a loss of $100,000,000 on a single transaction. As a reaction to this, financial institutions will create a working group to focus on addressing these issues. The silver lining on this is security will continue to be elevated to a higher level on the organization chart. Bob West, Former CISO, Founder and CEO, Echelon One, LLC
One or more Congresspeople will get phished and make an unholy public stink.
Richard Stallman will, in earnest, begin his legal steamrolling of Linux. It’ll raise more questions than answers. Larry Hughes Jr., Former CISO, Founder, Infosec Introspect
Congress will remain impudent with regard to Internet Security. The fact is that security is generally regarded as a should, and not a must. To become a “Must” it has to be regulated or required by insurance companies. Congress needs to write legislation to get Internet security measures implemented. Voluntary security is not working. PCI standards are definitely a strong step forward, but they do not address the most likely attacks, such as those related to botnets. For Internet security to improve, endpoint security must be regulated. Likewise, ISPs, which are currently considered immune from responsibility as per the COPPA act, are the gatekeepers to vulnerable systems and the facilitators of the resulting criminal activities. They can control spam, distributed denial of service attacks, etc. at the source. Congress however will continue to bow to lobbyists and “Let the Internet regulate itself.” We have seen how well that works. Ira Winkler, Author and Security Expert
The Corporate Response
The plight (flight?) of the CISO continues . . . expect more churn as exec management continues to struggle with how to integrate security as a business imperative rather than a bolt-on. Consultants will continue to play an important role as this churn continues and quality security professionals (with both business and technical experience) remain in short supply.
Compliance frameworks converge on ISO 27001 - why invent different processes for SoX, HIPAA, GLB, Basel, PCI/DSS, etc.?
The Universal CISO Security Dashboard remains a glimmer in the eye, postponing desperately needed enterprise contextuality at least another year. Joel Scambray, Chief Strategy Officer, Leviathan, Co-founder of Foundstone, Co-author of “Hacking Exposed”
The discipline of Risk Management will unveil its “one” model from which to manage enterprise risks. The challenge of the security profession in 2007 will be recognizing Security’s Role in the Enterprise Risk Management Model. The development of this role inside a proven enterprise model will further security’s position at the table. Being at this table managing all risks will fundamentally change security’s long heritage and the true value of making our world more secure and safe. The commoditization of security will divide from security risk management’s new higher role. Jeff Spivey
27001 certifications will increase in the United States by 1,000 percent in 2007. Jim Reavis, President, Reavis Consulting Group, LLC
Security will continue to be a top IT priority in 2007. New project areas of priority for IT security customer spending in 2007 will include: compliance, database security, end-point encryption, identity and access management, information leakage prevention, intrusion prevention, messaging security, network admission control and web security. Asheem Chandna, Partner, Greylock Partners
Data leakage for public companies becomes a huge issue. Most organizations don’t realize that their IP, customer lists, etc. are traveling outside the enterprise, usually via unsecured methods. Taher Elgamal, CTO, Tumbleweed, Inventor of SSL
Technology
Apple will announce a major OS X security initiative, amidst Microsoft taking even more serious heat for Vista than they’re already getting. Rather than hiring a slew of BSD gurus, Apple will generously fund open source initiatives in order to leverage their fruits. OS X will push 7.5% market share by year end.
Google will launch an anti-browser (for PCs) plus a bevy of mobile apps. By anti-browser I mean a real web application platform intended to supplant legacy browser technology altogether. It won’t sport much security but it’ll be shiny enough that most people won’t notice. Larry Hughes Jr.
This will be the year “Collaborative Technology” will make leaps toward being a viable contributor to the security arena. As we have seen Intel and IBM concentrate on collaborative technology for business and intelligence groups embracing some of these same technologies, so will our specific sector of the universe - security. The proverbial “village” will increase its speed toward creating specialized communities of knowledge and the challenge will come in keeping it “real”, valid. The efforts attempted by the governments to share information or alert those that “need to know” will be passed on the superhighway by the market. Jeff Spivey
The interface to the world is now in the web browser, and with the creation of massive JavaScript exploits the vulnerabilities will lie in finding every way possible to get a web technology to execute code. Since social networking (user driven content) is the big rage and will continue to be, these browser vulnerabilities become an amazing attack vector. The exploits in Flash, QuickTime, JScript, plugins, etc. will be the major focus.
The web application of course plays an important role in security and will continue to do so as more and more local applications move to become web based. The security of the web application becomes the #1 concentration of security teams. No longer do firewalls/DDOS/IDS/HIDS take up time. Code review and web app security assessment and protection are the new hole, and guess what... you can’t patch this and you can’t write rules to fix it. This will be a long battle. Caleb Sima, CTO, SPI Dynamics
Application security continues to be the big challenge in 2007, although commoditization will creep slowly up from the infrastructure layers to automate some assessment and protective functionality at “Layer 7.”
Outsourcing of app dev and “auto-fill” dev tools will dramatically increase the importance of security in the development lifecycle (SDL); vendor SDL compliance frameworks gain more prominence in 2007.
Developer security training will concomitantly move up the priority list a few notches (if not already at the top for some orgs).
The perimeter will become irredeemably brittle (“hard crunchy outside”) as apps and data continue to perforate everything (inbound and out) and mobility proliferates beyond anything we’ve yet imagined, thanks to omnipresent WiFi, EVDO, Edge, Bluetooth, etc.
“Microperimeterization” down to the data level becomes a true buzzword, possibly with good reason.
Layer 3/4 security solutions (NAP, NAC, IPSec, etc.) will risk early obsolescence unless they get more agile in this environment.
The Universal ACL Language will take root (XACML), focusing initially on enabling the consumer to define simple ad hoc containers — e.g. “friends,” “family,” “work” — to ACL individual messages or resources like My Calendar, probably within a web service. Joel Scambray
Zero Day Vulnerability Identification/Exploits. We can expect to see more of these... not only with Microsoft products but with other applications often used by enterprises. Of concern in my prediction is a Zero Day “attack” using the “ubiquitous” PDF application carried across to the attachments we receive via email and download on the Web. It will be interesting to see how people react to this issue, especially when it will affect almost 50% of their emails and 80% of their downloads on the Web. Why will we see more of these? Because the organized cybercriminals are focusing on dissection of applications, identification of vulnerabilities, and selling the vulnerabilities on the black market. In other words, there is money to be made in this arena.
Web Applications – Or How We Shoot Ourselves in the Foot. Web applications continue to be the focus of enterprises in order to help reduce business costs, improve customer satisfaction, and generally expand corporate presence. However, these are being built without adequate controls and security oversight by developers rushing to get the product out the door. Web 2.0 and Web 3.0 concepts are bandied about in conferences and conference rooms; however, the appropriate controls and oversight – even the simple implementation of the OWASP Top 10 list – are missing. As a result, more faulty applications will be put on the Web thus increasing the targets of opportunity for the organized cybercriminal. Ernie Hayden, CISSP and member of AGORA, ISSA and Pacific NW CISO Forum
Botnets will create the largest losses and potentially large scale Internet outages. Botnets enable spam, spim, phishing attacks, distributed denial of service attacks, extortion, etc. The attacks result in billions of dollars of thefts, millions of dollars of extortion, and billions of dollars in productivity loss. From a more devastating perspective, botnets are also the source of the distributed denial of service attacks. Previous DDOS attacks have created scattered outages and significant delays throughout the Internet. These botnet problems will continue and escalate throughout the coming year. Ira Winkler
The spam problem will continue to grow and be increasingly profit-driven. Most spam will be focused on relatively few categories with the most profit potential. For example, 60% of spam at end of 2006 was for stock tips or drugs – both areas where there is a clear profit motive.
Spammers will continue to adapt and exploit new ways to circumvent spam filters. For example, spammers will seek every possible means to randomize images and avoid detection. The most recent example is “logo gibberish” – legitimate graphics thrown into an email to throw off image filters.
Spammers will likely look for other types of files to embed virus, mask messages and avoid detection. These may include video and audio files.
The use of botnets to deliver spam and avoid reputation filters will continue to grow. There are far too many vulnerable Internet-facing machines with far too little security. Taher Elgamal
A major private sector initiative will be announced to use grid computing types of technologies to apply massive amounts of computing power to attempt to solve several types of security problems requiring data correlation. Jim Reavis
Wall $treet
It has been several years since we have seen any security companies go public. We will see 3+ security company IPOs on Nasdaq in 2007.
The security sector will remain over funded though we will see a decline of new venture dollars into the security sector in 2007. 2007 will continue to be an active year for security M&A. Asheem Chandna
Security tech deals continue, possibly 1-3 big ones in 2007 (SYMC and MFE, anyone?), but professional services remains intriguing after IBM gobbled ISS. Joel Scambray
Cisco will make significant acquisitions in the security space. IronPort is the first of these transactions and expect at least three more. Microsoft will make acquisitions of small but key security companies as well. Bob West
Dichotomous M&A Heats Up. Spending priorities are shifting from securing infrastructure to securing information (users and data). Companies that capitalize on this change will likely fare well, including those in identity management and strong authentication (securing users) and in messaging, data and application security (securing data). However, many of the over 800 existing security vendors, particularly those focused on commoditizing, mature markets, will likely become victims of an industry shakeout in 2007. We will likely see the three C’s play out:
- Convergence – of functionality (onto fewer boxes) and of vendors
- Commoditization – of more mature markets, creating pressure on large, established vendors to find newer, higher growth markets (often through acquisition).
- Consolidation – of resources, data centers and vendors. This will accelerate as non-security vendors increasingly enter the market, again, mostly through acquisition.
As a result, look for both high-multiple acquisitions (of top vendors in emerging information security markets), as well as fire-sales (of second-tier vendors in commoditized markets) to make for a busy, interesting year in security M&A. Zenobia Austin Godschalk, Principal, ZAG Communications, Former sell-side analyst, Morgan Keegan
HP Acquires Dell, cements lead in PC manufacturing. Since HP already subsidizes its own PC manufacture with profits from its printer ink business, their strategy would be to acquire a larger market share and hope to be able to increase margins and ultimately raise prices. Traditional competitors are also rethinking their strategy - except for Lenovo. Non-traditional competition, Linux and Apple, is making inroads in the overall share, too. The biggest competitor, Lenovo, is subsidized by China - and IBM’s exit to them was absolutely brilliant - they got billions and a 19.9 percent interest in the organization that was poised to take over their business! William J. Malik, CISA, Founder, Malik Consulting, LLC
IBM, HP and VeriSign will be the top acquirers of security companies in 2007 as they build out their strategy to put customers’ entire security function “in the cloud” - except the CISO (hopefully). Jim Reavis
Posted by Jim.Reavis on Wednesday, January 17th, 2007, at 12:56 am, and filed under Articles.