Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Security Predictions: All Hat, No Cattle

Post by Marc Maiffret December 13, 2011

This is the time of the year where holiday parties are had, gifts are exchanged, and everyone and their brother in the security industry writes blog posts and press releases about their predictions for the coming year. This time of the year reminds me of how important eEye’s message of “Security in Context” is, given the sheer volume of “experts” making predictions which really are thinly veiled marketing agendas to tie in the scary threats of 2012 to some solution, product or service.

The reality is that making predictions of any type can be an extremely difficult thing to do. I am asked all the time by people what I think the future of security will hold. While I have plenty of opinions, I try to preface the answers with the fact that security is a reaction to how businesses evolve to leverage technology in their practices and how consumers consume information and interact with technology in their day to day lives.

Years ago no one would have made the prediction of how social networks would change security because people did not understand how social networks themselves would become popular and ubiquitous. No one made predictions about how smart phone malware would impact the world because the idea we would have a phone with equivalent processing power to that of our computers was too farfetched years ago.

I thought this year, rather than making the usual predictions blog post, I would look back at the predictions made last year about 2011 to see how those predictions fared. The hardest part in writing this was of course trying to find specific predictions. Most security companies made very generic predictions that are equivalent to guessing the sun will rise and set. (Me, I personally bet both rise AND set in Vegas, but that’s just me.) My point is that most predictions are not new ideas, but rather the predictions foretell more of the same security breaches, just bigger and scarier.

  • Critical Infrastructure Attacks to Increase – From anti-virus vendors to university research labs one of the big predictions made about 2011 was that there would be an increase in attacks on critical infrastructure, SCADA systems, etc… The reality is we saw no dramatic increase in documented attacks in 2011 and the only big news was when it was incorrectly assessed and later reported that hackers using computer systems in Russia had breached the SCADA systems of a facility in Springfield, Illinois. Kim Zetter of Wired of course set the record straight on this rather comedic “sky is falling” incident.
  • Apple botnets and Trojans become common – This was a prediction made of course by a lot of companies in the malware/AV space and for the most part it never rang true. The fact is that in 2011 there was no major explosion in OSX botnets and Trojans and Microsoft Windows still remained a favorite. Steve Jobs, rest in peace. Your baby is safe. For now.
  • Explosion in mobile attacks – Many companies predicted an explosion in mobile attacks but for the most part that explosion never happened. When you take the Android mobile platform out of the mobile equation there was not only a lack of an explosion but the only mobile attacks happening were a couple of security conference hacking demonstrations. Having a plan around mobile security is indeed important when having overall visibility of your computing environment but hackers are still more likely to steal data from your desktops and servers, being that they’re the low hanging fruit compared to mobile.
  • Hackers Feeling the Heat – Some companies predicted that in 2011 hackers would have a lot more pressure on them and more of the smaller hacking groups and individuals would be “stamped out” both by law enforcement and other cyber-crime organizations. This of course was not the case as 2011 saw the explosion of individual hacktivists and smaller groups under a larger cultural umbrella of things like Anonymous. Do not count out the little guy.

These are just a few examples of where predictions went sideways. We all love to try to predict the future as it is part of our human nature to feel good about thinking beyond the now and being right about it. Who will win the Oscar, the Grammy, or when is the Rapture this year? But the stakes are high in security given the ever increasing sophistication and number of attacks we see every single day. Making a bet on what you should do for security in 2012 based on the same gleeful off-the-cuff predictions of who might win at the Oscars is not how you want to approach information security for success.

Have fun with the prediction blogs and press releases this holiday season but remember no one will know how your business will be evolving next year to use new types of technologies and what risks that might create. In IT security you must not only know the security of your business but the business of your business. Without understanding how your business will evolve you will not understand how your IT security program should evolve with it.

How good are you at predicting the future? Tomorrow, during our Vulnerability Expert Forum, we’re going to be announcing that we’re picking two winners based on who has the best prediction on what new threats they think we might see in 2012 and also predictions on how businesses’ usage of technology will evolve in 2012. Enter your submissions in the comments below.

I look forward to hearing from you and hope you stay safe this holiday season.

