Top Five Security Predictions for 2012
To get 2012 off to a start, I have five security predictions for the year ahead:
I predict a major brownout to occur during 2012. By brownout I mean a critical failure in a key system due to over-capacity, with far-reaching consequences. Something somewhere is going to be overloaded and fail spectacularly due to under-engineering and a failure to take a practical approach to business continuity and systems availability. With the Olympics coming up in the UK, which has had known system problems already, I just feel something is going to stop working. What can you do? Well, security has focused far too much on Confidentiality, with a spot of effort around Availability and a miserable attempt at ensuring Integrity. We already saw last year with RIM (the Blackberry guys) that their business continuity plan failed with regard to a key server. The whole Blackberry network went down for days as a result. A regular service restoration test of critical components (and, of course, working out what should be termed critical) is essential for any business that relies on IT systems. There is too much reliance on “high availability”, which makes companies lazy when it comes to taking and testing backups. Why “Security”, do you ask? Well, availability is there in the CIA triangle, and whether malware or a systems outage causes the availability issue, it still needs to be prepared for accordingly. Also, an adversary can attack your systems with a denial of availability attack, which perhaps causes you to move to insecure, untested systems in your backup data centre, or to take steps to restore systems that leave you wide open to a number of very simple-to-execute attacks.
2) The Cloud is Not Enough
Cloud-based services were originally created in order to make use of spare capacity in data centres that had been over-engineered to cope with high demand over particular periods, for example the retail boom over Christmas, major news events and major sporting events. Bit by bit, this spare capacity is being sucked up. It would be very expensive for a cloud provider to invest in new hardware to improve the performance and availability baseline 365/24/7 for all customers. So what happens when the troughs of availability that cloud providers effectively “sell” get filled up? Will the market start selling based on contention ratios, as the ADSL market did ten years ago? Without a doubt, expect to see a rise in the prices of cloud-based services that carry the SLAs you need. Anything too cheap is likely too good to be true, and you will be moved to more expensive service models once you start feeling the effects of other customers’ services taking up your CPU and memory!
3) Teenage Hackers
LulzSec and Anonymous seem to have quietened down following a series of arrests over 2011, yet new organisations are cropping up. Only recently this year a Saudi-based hacking group exposed details of “zionists” on the web, i.e. those they thought were pro-Israeli / anti-Arab. Extremist organisations could do a lot of damage with this information. Well, that’s not quite a prediction as it has already happened, but as security knowledge spreads far and wide, and with an ever-changing world economy, there are no doubt an increasing number of disillusioned school kids seeking to impress the world with their anarchic hacking skills. The bigger threat is state-sponsored hacking, or economic information theft that China can use to her advantage. We’ve seen blueprints go missing, an unquantified hack on critical information systems at the International Monetary Fund, the odd economic collapse preceded by suspicious overseas trading activity, and trade secrets and bid information being stolen, all allegedly by Chinese companies.
Some company that really should have known better is going to suffer a big breach. At least one well known retailer will suffer a breach and lose credit card information and I suspect one or two third party payment service providers will be defeated by the ever advancing knowledge of our adversaries.
5) Security in the core
Silver bullet solutions, and the vendors that pitch them, are going to struggle in 2012 unless they take a holistic approach to security and play ball with the joined-up thinking we are starting to see from the Microsofts and Ciscos of the world. Security is being built into our systems as we speak, and the value-add of security vendors is dwindling. Vendors are starting to sing the 2-sec message – Simplifying Security – even though it was they who complicated the whole thing in the first place! Consultancies and testing houses will be doing well, but is there still a place in our hearts and wallets for magic bullets?
Whatever my predictions bring, we must all look at raising the bar for 2012 and ensuring we have a decent level of measurable baseline security controls in place. As with brakes on a Ferrari, good security makes sure your company can go faster!