Saturday, December 11, 2010

Back on my 2010 security predictions

For an ITsec worker, every year comes with some pieces of satisfaction and a lot of frustration. For instance, you'll hear about rocket-science ITsec techniques and observe that your neighbour's techniques are more snail-like, ostrich-like or dodo-like :-(

I did a few predictions at the beginning of the year of what would happen in the ITsec field, let's see if they actually happened.
What I wrote back then comes first (shown in yellow on the original page) and today's comment follows.
  1. Linux systems will become an interesting target for hackers because of Google's OS.
    The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
    Did not happen. There are traces of some attacks on Google's OS but nothing of the depth of what happens on Windows (so far).
  2. Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft-way, of course.
    It's either this or Microsoft platforms will be progressively abandoned for integrated products such as iPhone or platforms with that functionality such as Linux (servers) or Mac OSX (clients).
    Did not happen. But I hear Symantec is on the subject and it's quite promising.
  3. Viruses will spread to Mac and iPhones up to the same level as that under Windows.
    Clearly did not happen, though there are a few examples of such viruses.
  4. Generalization of new authentication modes including smart cards with microchips, user/machine certificates, fingerprints on laptops, will happen.
    There will be a fashion for it and a lot of blunders will be made in the beginning.
    Happened. I saw many examples of fingerprints being treated as a good means of authentication, which they often are not, and worst of all: some companies are starting to rely on "private questions" to let users reset their own passwords.
  5. There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
    Certainly happened, though those companies will not make a failure report before they've withdrawn, which is no easy thing ^^ The funniest story I heard (nothing written, sorry) is that of a web development company whose managers decided to cloud their infrastructure, thus turning Apache settings, PHP settings and so on into read-only, contractual data.
  6. There will be an overflow of non-browser software using SSL.
    Each of them has its own libraries, and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This cannot be done in a reasonable time. For this reason, there will be new products or services that gather all this SSL traffic and forward it in an actually secure way.
    Happened, even Microsoft got into the market.
  7. Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
    Happened, see Day's comment on the original article: pleaserobme.com, a site that harvests Twitter to guess whose homes are empty and easy to rob. One could also quote personalized ads or so many articles on the web.
  8. Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
    • The web is too huge for any current government to master it, or even understand it.
    • The free software community will sidestep any technical measure towards censorship.
    I don't know yet whether governments will fail, but the current wikileaks wars certainly are an example.
  9. There will be stories, news, rumours, about Google having connections with the US intelligence agencies. Google's business is a source of information far too important nowadays for intelligence agencies to neglect it. I won't attempt any prediction about Google's reactions.
    Did not happen, so far as I'm aware.
  10. PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.
    Did not happen, I just read too many people interested in that.

And now a few wishes:
  • That people stop thinking I work on viruses when I say I work on ITsec.
    There's certainly some change, but I can't identify it so far. People seem to start being aware of the "information-side", as opposed to the "technology-side"...
  • That IT managers (non-security) stop thinking there is a fixed list of requirements for security and each of them requires purchasing a "security product" and each of these products works standalone.
    No change.
  • That service managers start budgeting time for service reviews and corrections, not only service implementations.
    No particular change.
  • That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
    They didn't, though they reacted by adding sandboxes to the software. Makes me think of old families that had many children to "avoid" child mortality...
  • That my government stops being such a liberty killer about IT.
    Not happening before the next election...
  • [...]
  • That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can have screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?
    I don't know whether my readers did consider this situation. Did you?

Wednesday, December 8, 2010

Monthly ITsec Leadership Quotes and Articles: November 2010

The New CISO: How the role has changed in 5 years, on the Security Leadership section of csoonline.com, about the more business-oriented nature of security positions these days.

[FR] Certification: mandatory way for CISOs (La certification, passage obligé du RSSI ?), forum chat on the certification of CISOs.

A security evangelist shares his best practices, on NetworkWorld, with good insight about what really matters when you're responsible for the security of a big, heterogeneous, sometimes hostile network... very much of what I would say on the same matter.

Jason Fried: Why work doesn't happen at work, on TEDtalks, about a better time management suggestion: just cancel your next meeting!
(via Windancer - Stairway to ...Heaven?)

The Value of Cyber-Awareness Campaigns, on Healthcare Information Security Blogs, about a subject on which I have very little experience and I'm happy to read insights.

Schneier's approach to changing passwords, rational, as usual.

Why Your Next CISO May be an Attorney, on Healthcare Information Security Blogs. Though I may not agree with the content, I think it's a good read.

Relationships in Corporate Security, Do They Matter?, on SecurityRecruiter.com's Security Recruiter Blog, about the importance of human skills in security positions.

[FR] The era of the non-technical CISO (L'ère du RSSI non technicien), on the French community site Security Vibes, about the evolution towards management people in security.

"There are three ways to deal with climate change: Adapt, manage, or suffer.", Admiral Thad Allen, HBR Nov 2010.

"Make the objectives clear, but avoid micromanaging those who will execute on them.", Michael Useem, HBR Nov 2010.

"Management attention is your scarcest resource.", Robert Simons, HBR Nov 2010.

"People think that focus means saying yes to the thing you've got your focus on. But that's not what it means at all. It means saying no to the hundred other good ideas.", Steve Jobs according to Robert Simons, HBR Nov 2010.