Just as the (ISC)² ABA surmised in our projections for 2010, this past year was a ‘perfect storm’ in many ways for information security. The increasing ‘industrialization’ of cybercrime, global recession and financial market turmoil, the ubiquity of access through social networking and smart phones, and record software vulnerabilities combined to present levels of risk previously unseen by governments and corporations. The landscape of information security and the ‘threatscape’ it protects against continued to morph in a fairly predictable pattern.
A Look Back at 2010
Prediction: Insecure Software Development Lifecycle
Last year, the ABA predicted that inadequate security practices in the software development lifecycle (SDLC) would continue to plague the software industry and be at the root of many exploited vulnerabilities. Several large software vendors announced record numbers of patches for vulnerabilities discovered in their products in 2010.
Software vendors in general made little progress in reducing the number of announced vulnerabilities. The vulnerability intelligence firm Secunia reported that, by mid-2010, the count of newly announced vulnerabilities had already reached 89% of the full-year 2009 total.
Although large software vendors get a lion’s share of the attention from cybercriminals and the media due to the size of their embedded user bases, they are by no means the only vendors experiencing product vulnerabilities. In 2009 (the most recent year with available statistics), Microsoft reported that their own bugs constituted only 2–3% of all major vulnerabilities reported during the year. Although operating system vulnerabilities continued to decline, application vulnerabilities increased.
Although issues such as software complexity, internally developed code versus COTS (commercial-off-the-shelf) products, and time-to-market pressures contribute to inadequate code security, we still believe the fundamental problem can be traced to inconsistent use of secure coding practices in the SDLC, with the record-breaking list of announced patches, vulnerabilities, and security breaches in 2010 validating this belief.
To gauge how seriously commercial vendors take software security, search your favorite vendor’s website for the terms ‘security’ and ‘software development lifecycle’. Try this on a random sample of five vendor sites and you are unlikely to find much. The vendors that do discuss it publicly are likely the ones practicing it internally, although a public statement is at best weak evidence of practice; a published SDL policy, a vulnerability disclosure process, and a visible patch cadence are better indicators.
Accuracy Grade: A
Prediction: Cell Phone Threats
According to a Nov. 10, 2010, press release from Gartner, the global sales of smart phones grew 96% from the same time in 2009, to 81 million units. Apple claims to activate 275,000 iOS-based devices (iPhone, iPod Touch, and iPad) worldwide every day. Current estimates place the growth of applications available for the Apple market from 100,000 at the start of 2010 to 300,000 in October. The convenience and functionality of these types of devices brings tremendous pressure from business users to allow them on corporate networks.
In September 2010, a cell phone virus infected more than one million phones in China, one of the largest mobile malware outbreaks reported to date. We believe this strongly validates our prediction for 2010 and represents the tip of the iceberg for smartphone-based threats.
Other compromises and reports of breaches have become commonplace in 2010. Fortunately, we do see many companies seeking to implement security and manageability for smartphones before proceeding with wholesale deployments. Further, product vendors are delivering better security applications for handsets.
Accuracy Grade: A+
Prediction: Cloud Computing Security and Privacy
The (ISC)² ABA members felt that security and privacy would continue to be of prime concern as the cloud computing industry evolved in 2010. Our opinion was that some organizations would view the risk/reward analysis as acceptable and take the plunge into cloud services, even with inadequate privacy protection from the cloud provider. We felt providers would look to multiple service levels to provide the flexibility and security their customers demand. While this approach is one way to frame the larger issue, it was a somewhat myopic view that did not take in the standardization efforts of organizations such as the Cloud Security Alliance.
Accuracy Grade: B–
Prediction: Federation and Trust Zones
We predicted that the use of federation and trust zones by companies, as well as the development of tools from vendors in this space, would gradually expand in 2010. The concepts of security zoning are alive and well in the datacenter arena, most recently driven by the growth of virtualization in the hosting environment. The concept is also associated with the latest in network design but is still slow in adoption due to implementation complexities and lack of standards.
Identity federation continues to grow, driven by increasing interoperability requirements (as noted by the ABA), as well as the growth of cloud-based services and the need to manage access across multiple environments. Federation growth continues to be hampered by multiple vendors offering complex solutions that are difficult to implement.
Accuracy Grade: A–
Prediction: Cybercrime Toolbox
The ABA felt that 2010 would bring improved toolkits for developing more sophisticated exploitation code and making attacks against even smaller targets cost-effective. The use of botnets for cybercrime and espionage would continue to be a primary weapon for organized crime, terrorist groups, and governments. Lastly, a dramatic increase in the exploitation of social networking technology would occur in 2010, even while many corporations would allow unfettered and unmonitored access to social media by employees using company networks.
These predictions have proven extremely accurate in 2010. The commercialization of inexpensive attack tools and services, such as leased botnet services with service-level guarantees, and the proliferation of social engineering attacks on users of Facebook and Twitter are strong indicators of these types of exploits.
Accuracy Grade: A+
Prediction: Security Outsourcing
For 2010, the ABA projected ongoing financial pressures to outsource security capabilities but also expected companies to reevaluate this approach in light of the increasing scrutiny by regulatory agencies, particularly in the area of privacy.
Although by no means indicative of a full year’s analysis, a report issued in May 2010 by the research firm Ovum, which canvassed 500 CIOs globally, showed that only 7% were planning to outsource their security and IT systems management over the next six to 18 months, down from 18% in its previous survey. Lack of confidence and compliance considerations were cited by Ovum as reasons for the drop.
The third-quarter Global TPI Index issued by the research firm TPI points to a global slowdown in outsourced IT services (including security services) in 2010 versus 2009, which would seem to support the Ovum report.
Accuracy Grade: C+
Prediction: Mergers and Acquisitions
The ABA predicted more deal traffic in 2010 as larger security firms gobbled up smaller firms struggling from the financial crisis of 2009. There are numerous examples of large firms acquiring smaller ones in 2010, including Symantec’s takeover of PGP, GuardianEdge, and VeriSign’s security business; HP’s acquisition of ArcSight and Fortify Software; and Intel’s deal for McAfee. While not all of the acquired firms were struggling financially, it is safe to say that one of the prime motivators in all of the deals was the smaller companies’ access to funding and growth capital.
Accuracy Grade: B+
That concludes our review of ABA’s predictions for 2010. Let’s now look ahead to 2011.
New Year, New Predictions (or, some revisions)
The upcoming year promises to be a continuation of the perfect storm in terms of the escalation of threats and responses. Technological advances and user adoption of those advances will continue to outstrip the security industry’s ability to match the rate of change. Regulators will continue to tighten the screws of requirements and standards around data protection in an effort to slow the losses. Let’s see what the salient security prognostications are from the members of the (ISC)² ABA for 2011.
Cybercrime and Espionage
The year 2011 will be a record-setting one for organized cybercrime. We believe the proliferation of exploit tools will drive new levels of breaches, loss of intellectual property, and identity theft.
The industrialization of cybercrime will continue, with cybercrime maturing along the paths of more traditional organized crime activities. Cybercrime organizations will continue to fund improvements in their tools and ‘supply chains’ while leveraging relationships with more traditional crime syndicates, terrorist organizations, and the government-sponsored cyberwar activities of rogue countries.
The inventive use of improved exploit tools and processes will force radical changes in the methods countries and governments use to protect themselves. We expect the boundaries between tools and techniques developed by nation-states for espionage and warfare and those of organized cybercrime to blur even further, a la Stuxnet and Aurora.
Defending against cybercrime will continue to lag behind increasing calls for ‘more cooperation’. As long as cybercriminals can launch attacks from any legal jurisdiction in the world, law enforcement will be hobbled in their efforts to investigate and prosecute cybercrime. It is difficult to see how any nation can perform the traditional law enforcement functions on a borderless and uncontrolled internet in 2011.
We see techniques and solutions for secure coding receiving more attention and making incremental improvements in 2011. Insecure coding practices in the SDLC will still present the second greatest threat (after the human element) to information security, particularly for large, more mature commercial software applications.
Vulnerability discovery and exploitation by attackers will grow more automated (e.g., per-victim malware variants generated on the fly) and will still outrun both the vendors’ ability to develop patches and the users’ ability to deploy them using conventional techniques. The good news is that we believe the message of secure coding is beginning to reach its intended audiences, and IT executives are now moving to drive development teams in this direction. Unfortunately, the development side of security has been ignored for so long that it needs far more of a critical mass of support than we see materializing in 2011.
The growth of threats from smartphones and tablet devices will steadily increase in 2011, driven by increased market penetration and evolving functionality. This will impact consumers and businesses alike. We see exploits for smartphones rising dramatically, fueled by rampant demand, unmanaged connectivity, unprotected devices, and insecurely developed operating system software and applications.
The ABA is very concerned about this trend because the situation is reminiscent of the early days of insecure application coding – a legacy still haunting the IT industry. The open application development and delivery model for smartphones will grow unchecked in 2011 as the greatest opportunity for attack and compromise of these devices.
Not surprisingly, in its third-quarter 2010 threat report, McAfee described Zeus botnets targeting mobile handsets. The pace of change in this technology is quite dramatic. Only a few years ago, malware for smartphones and cellular devices was unheard of. The malware itself doesn’t exhibit many new tricks – its makers simply seek new avenues for following the money.
The Business Face of Security
We expect to see spending on security services in the US to rebound in 2011, but only by low to mid single digits on average. This will occur in two significant areas: spending on new technology to replace overdue legacy systems and deliver new capabilities, and increased hiring of security professionals.
Even with an improving economy, we don’t expect the pace of mergers and acquisitions in the security industry to continue, with one exception. We believe the follow-on effect of Intel’s acquisition of McAfee will be the impetus for another large acquisition in 2011 by an IT services provider or a software vendor. Since the list of targets in this space is relatively short, we will leave the rest up to your imagination.
Security as a Profession
The ABA sees the security profession making employment gains in 2011, driven by improving economic conditions, increased regulatory pressures, and greater fear by business executives of attacks. We believe opportunities will improve for security pros at companies themselves and at IT service providers offering security services.
The best places for growth in the field will be in the areas of risk management and compliance, incident response, security architecture, and secure software coding. We believe risk management expertise to be particularly valuable as more companies move away from threat-based security models toward more robust, and cost-effective, risk-based models.
Evolution of Security Technology
Security technology has been on a rapid climb ‘up the stack’ toward application and content awareness and protection capabilities for the past few years. We believe 2011 will represent a major shift in the number of organizations deploying application and content protection technologies, such as application firewalls and database/content monitoring capabilities. Many of these technologies are the domain of larger corporations; the SMB markets will either continue to rely on more traditional infrastructure-based technologies, such as IPS and log monitoring, or they will move their computing to the cloud.
The upcoming year will mark the beginning of the end for traditional signature-based detection technologies. Although still a mainstay in anti-virus and intrusion detection, this approach has been circumvented by modern attack tools and techniques and will be further undermined by improvements to polymorphic and targeted malware: a packer that re-encodes the same payload with a fresh key per victim produces a byte-different file each time, so a fixed pattern never matches twice. The vendor community is rapidly moving toward behavior-based detection (what the code does once it runs) and reputation scoring (how widely a given file has been seen) as a way to combat this evolution. It is still too early to tell how viable this approach will remain.
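The following is an added illustration, not code from the original article or from any vendor mentioned in it, of why a static byte signature fails against a trivially re-packed sample while a behavioral rule and a reputation lookup do not. The payload, the XOR “packer”, the sandbox event trace, and the prevalence telemetry are all constructed stand-ins (the IP address is from the documentation range); a real engine would observe the events through hooks or kernel callbacks rather than synthesize them.

```python
"""Signature vs. behavior vs. reputation on a constructed sample set (illustrative only)."""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a malicious executable body (not a real sample).
ORIGINAL_PAYLOAD = b"MZ\x90\x00" + b"GET /gate.php HTTP/1.1" + b"\x00" * 8

# A static byte signature of the kind traditional AV/IDS engines carried for a family.
BYTE_SIGNATURE = b"GET /gate.php"


def signature_match(sample: bytes, signature: bytes = BYTE_SIGNATURE) -> bool:
    """Classic detection: does the fixed byte pattern appear anywhere in the file?"""
    return signature in sample


def repack(payload: bytes, key: int) -> bytes:
    """Toy polymorphic packer: XOR the body with a per-variant key behind a tiny stub.
    Every key yields a byte-different file whose run-time behaviour is identical."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return b"STUB" + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes) -> bytes:
    """What the stub does at run time (done here by the sandbox): restore the body."""
    if sample.startswith(b"STUB"):
        key = sample[4]
        return bytes(b ^ key for b in sample[5:])
    return sample


@dataclass(frozen=True)
class Event:
    action: str  # file_write | reg_set | net_connect
    target: str


def sandbox_trace(sample: bytes) -> list:
    """Constructed sandbox: synthesize the events the decoded payload would produce.
    The trace depends on what the code does, not on how its bytes are encoded."""
    body = unpack(sample)
    if b"/gate.php" not in body:  # benign stand-in: writes a document and exits
        return [Event("file_write", r"C:\Users\u\Documents\notes.txt")]
    return [
        Event("file_write", r"C:\Users\u\AppData\Roaming\svchost.exe"),
        Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"),
        Event("net_connect", "http://198.51.100.7/gate.php"),
    ]


def behavior_match(trace: list) -> bool:
    """Behavioral rule: drop a binary into a user-writable path, persist via a Run key,
    then beacon out, in that order. Ordered matching keeps unrelated events from firing it."""
    wanted = [("file_write", "AppData"), ("reg_set", "\\Run\\"), ("net_connect", "http")]
    i = 0
    for e in trace:
        if i < len(wanted) and e.action == wanted[i][0] and wanted[i][1] in e.target:
            i += 1
    return i == len(wanted)


def reputation(sample: bytes, prevalence: dict) -> str:
    """Reputation scoring: prevalence is a constructed hash -> endpoint-count telemetry map.
    A per-victim variant is, by construction, a hash nobody else has ever reported."""
    seen = prevalence.get(hashlib.sha256(sample).hexdigest(), 0)
    if seen >= 1000:
        return "widespread"
    if seen >= 10:
        return "rare"
    return "unseen"


def evaluate(sample: bytes, prevalence: dict) -> dict:
    """Run all three detectors over one sample and return their verdicts."""
    return {
        "signature": signature_match(sample),
        "behavior": behavior_match(sandbox_trace(sample)),
        "reputation": reputation(sample, prevalence),
    }


if __name__ == "__main__":
    telemetry = {hashlib.sha256(ORIGINAL_PAYLOAD).hexdigest(): 5000}  # constructed
    print("original :", evaluate(ORIGINAL_PAYLOAD, telemetry))
    for key in (0x41, 0x7F):  # two "personalized" variants of the same payload
        print(f"key={key:#04x}:", evaluate(repack(ORIGINAL_PAYLOAD, key), telemetry))
```

The original sample trips the signature; each re-packed variant does not, yet its sandbox trace still matches the behavioral rule and its hash has never been seen, which is exactly the combination the text expects vendors to lean on. The behavioral rule is the part that takes real engineering: the constructed trace here is deterministic, whereas real malware stalls, checks for sandboxes, or delays its beacon to fall outside the observation window.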
Cloud computing, an alternative to traditional outsourcing, picked up steam this year. As companies move to the cloud, security professionals will be required to change their approach to controls and compliance.
While outsourced security services attempted to perform individual vertical functions, cloud computing may represent more of a layer inside the organization. This could turn the typical security service on its head. Expect some confusion as third-party providers learn how to layer security into the cloud. Also, expect business leaders to put pressure on the CISO to sanction cloud services as a routine part of the business.
Data Loss Prevention & Rights Management
The recent disclosures of confidential and secret information by WikiLeaks will cause many organizations to rethink their DLP strategies. Anticipate more support for information classification and leak prevention inside most organizations, with new programs moving from financial services into government and many other industries.
Because DLP is such a difficult program to establish, many organizations will only begin the long process required to fully protect confidential information from insiders who want to harm businesses. At the same time, insider leaks are likely to become more prevalent, as dissatisfied workers find the opportunities many and punishments few.
Social Media
Social media’s claimed audience numbers are staggering – 500 million users of Facebook, 100 million users of YouTube, Twitter with 175 million users, 85 million LinkedIn users, etc. The growth of social media represents the type of sea change to personal communication and collaboration that the internet once represented to connectivity.
Although the ABA sees new competitors continuing to enter the field, we don’t believe the larger players will continue to experience the growth rates of the past. We do expect growth rates to mirror penetration increases of the internet, particularly in developing nations. Due to these stabilizing growth rates, the large operators will seek new revenue sources. New revenues will be driven, in part, by the deployment of new technologies for market differentiation from competitors. One such technology is location-based services, where user locations can actually be determined from the mobile device they use.
The popularity and ubiquity of social media makes it an irresistible target for cybercriminals. The threats to social media users are multifaceted – social engineering, malware distribution, botnet compromise, and identity theft, to name a few. We expect the use of social media as a threat vector and exploitation tool to grow in size and complexity in 2011. We believe large-scale attacks will continue, but only ‘under the radar’. We also see the social media operators dramatically increasing their efforts to combat criminals and protect users in 2011.
Regulatory and Political
As losses from organized crime mount and constituents are more impacted by breaches, the ABA sees political pressure mounting on legislators to take action. This action will come in 2011 via more stringent information privacy regulations imposed on internet marketers and companies handling personal information.
As the losses to cybercriminals increase on social media sites, current calls for additional user privacy will likely increase as well. Users may begin to equate privacy with protection on these sites. If that happens, national efforts to implement stricter privacy rules may become reality. Without that level of user concern, we do not see any omnibus federal privacy legislation but do expect states to continue passing more stringent statutes.
The Storm Rages On
Predictions for the coming year abound each and every January. Many of the predictions described in this report are not new or earth shattering. They do, however, present a uniquely correlated view of the coming year.
The art of prediction involves more observation and trend analysis than anything else. Behind that observation and analysis are years of experience working in the trenches of the security industry. We hope we have imparted the benefit of those years so you can begin to conduct your own observation and analysis, and start to develop your own conclusions as to where the industry is headed and how we will weather another stormy year.
Members of the (ISC)² Advisory Board of the Americas Executive Writers Bureau include information security experts from across industry sectors. For more information, visit the ABA Executive Writers Bureau website.