In security, we live a tactical life. Problems lead to responses and we hope that at any given time our resources aren't overwhelmed. We seldom have the luxury to anticipate, much less take advantage of the months or years it often takes to analyze and deploy protective measures.
Still, with all that in mind, let's catch our collective breath. From here, we can look out across the horizon at some of the major issues we'll need to deal with in the next few years.
Google: The Next Big Attack Vector
IBM was where we started with IT security; it was the most common platform in the '80s. But even then, we discovered that penetrating a secure IBM site could be done in minutes if you could find a trusted third-party system that wasn't secure. Assuring trust became a critical part of assuring security.
In the '90s came Microsoft and the target became the Windows platform. I'd hazard a guess that this is where most of us spend much of our time today with security solutions, patches, and monitoring tools. The result is an environment that's more secure and difficult to penetrate. In addition, attacks are shifting more toward end users and seem to increasingly be based on social engineering rather than the electronic methods we've grown to know and hate.
It appears that now the attacks are shifting up the application stack and going after things that users use widely but which aren't protected by a multitude of IT security layers and offerings (think iTunes and Google). This is simply because they are widely used and relatively consistent user to user. For iTunes the attack appears to consist of a hostile payload. With Google, the process involves tricking Google into taking the user to a hostile Website that looks similar, or identical, to the one for which they searched. Either case could result in the unintentional installation of a rootkit, key logger, or other malware.
In both cases, perimeter security would probably not adequately protect the company because the user may access these sites with a laptop while working on the road or at home, then bring the infected or otherwise compromised machine back to work to do more damage. With the laptop market growing sharply, and an increased focus by the criminals on users, we clearly need to start looking at the desktop differently.
Desktop Defense in Depth
I'm struck by the parallels between what we seem to be going through and the transformations in the real world between the ages. We moved from small groups to walled towns because we felt, for a time, more secure with walls around us. I traveled to South America a few months ago and visited homes that were surrounded by 10-foot walls topped by razor wire, an attempt to create multiple layers of defense against break-in. The homeowner was one of those defensive layers, a response to inadequate police coverage.
Symantec has coined the phrase Security 2.0, which I think goes as far as any security vendor can to describe the kind of solution we're moving toward, one very similar to the walled homes I saw.
In this emerging model, there will have to be multiple layers of security around every user because we've moved beyond the time when a perimeter system around the company can be expected to provide the necessary defense.
This means we will likely have to go much further than we already have to ensure trust. If you aren't familiar with the Trusted Computing Group, you soon will be. Its latest initiative is to ensure cross-vendor interoperability for creating and maintaining a secure pipe from where the data is created or read to where it's stored or sent.
Created by a collective of the strongest companies in technology (with the exception of Cisco, which is driving a competing technology), this should form the basis for the high quality foundation we will need in the future. I personally feel strongly enough about this that I volunteer as an adviser for the TCG.
Assuring the End Points
Passwords as a means to authenticate users are unacceptably insecure. We know users get fooled all the time, so simply asking for a password, no matter how basic, goes beyond foolish into negligence. The bad news: It will only get worse.
If you don't have at least a good dual-factor security method and you have a breach, you probably will be held accountable for the loss (and should be). Business laptops are increasingly coming with built-in biometrics and smart-card options. One or the other connected to a password is vastly more secure than a password alone. I'm often surprised at how many companies seem to have deployed laptops (like IBM's Thinkpads, which have excellent biometrics) and not actually turned on these solutions.
That will likely change in a few years, and getting ahead of this change will probably help keep you out of the news if a laptop is stolen or lost. But even with all this, we will likely remain overmatched by the bad guys.
Enforcement
Identity theft has grown massively over the last few years and can't be effectively addressed with software tools or services like Intelius alone. I think vendors like Microsoft and Google will quickly realize they cannot stay ahead of attackers and will shift significant portions of their security budgets toward law enforcement and bringing criminals to justice. In fact, Microsoft already appears to be doing this today.
This enforcement will increasingly hold accountable service providers and middlemen who either host this illegal activity or benefit from it (by doing things like forwarding merchandise purchased with stolen credit cards).
There's a growing realization that mitigation simply isn't working by itself and that more aggressive enforcement will be needed to get ahead of the problem. This dynamic, coupled with an increase in identity theft, should eventually start to spark the attention of Congress. Look for some dramatic changes in enforcement, particularly as political priorities shift from foreign wars to domestic exposures.
I also expect that it won't be long until identity protection, like life and health insurance, becomes a core employee benefit. And given the impact, maybe this is the way it should be today.
Security Loses Independence
Whether it is Microsoft baking it into the operating system or Symantec building it into a robust systems management architecture, security will increasingly be seen as a feature of something else. That is probably as it always should have been, because separating security from an offering has resulted in too many products that were insecure from the start, leading both to painful exposures and to security solutions that created reliability and availability problems while trying to correct problems that shouldn't have existed in the first place. Recall how much we grew to hate the old Symantec Personal Firewall product; you'll be pleased to know the new Norton 360 offering is vastly better.
Security will increasingly become more about peace of mind and less about having to constantly consider buying new tools to address exposures which were mistakenly designed into products.
In effect, security will simply become a required feature in most every product both to address attacks which are moving up the application stack and to address the security in-depth requirement noted above.
Of all the changes, this may come the closest to helping us respond to threats more effectively and to preventing them in the first place. Building security in from the start, in short, is how it always should have been, but clearly wasn't. That's getting fixed, but we'll likely see conflicts between products increase as components of offerings from different vendors run into each other while trying to do the same things. Fortunately, products are now designed to update on the fly, and I would expect these conflicts to drive a number of rapid product updates.
Clearly, these next few years will be full of change: vendor changes, shifts in security focus, and technology advancements in both tools and products. It is our job to help you stay up to date, but we could use your help. Let us know the trends you are seeing, the changes we may not be aware of yet, and how you are effectively maintaining the security of your own site. We are a community, and one best protected if we all work together to protect each other.