OK, here they are, in alphabetical order, the six most important words in IT security in 2008: botnets, cyberwar, downturn, DNS, enablement, and Obama.
That's it. You can go about your business now.
Still here? OK, maybe you want a little explanation as to why these words were so important in 2008. Geez, you're a hard person to satisfy.
Well, if you must know, 2008 was a year of tectonic shifts in IT security. The technologies changed, the economy changed, and the role of security changed. Heck, even the people who make the laws about security changed. You could hardly swing a dead server without hitting some major security-shifting event, and most of those events will continue to have repercussions throughout the new year.
Howzzat? Still not enough? Fine. If you need somebody to spell it out for you, we will. Let's look more closely at the six words and what they meant for security in the past year.
No, botnets weren't new in 2008. (Dang, we've hardly started, and you're already arguing with us. Do we have to turn this car around and go home?) But in 2008, botnets emerged as a chief method for delivering unwelcome attacks, from malware infections to simple spam. In 2008, we saw how big botnets could become.
We started out the year with Storm, a holdover from 2007 that was just hitting its stride as we began 2008. In the first half, Storm was blamed for a wide range of crimes, including widespread phishing attacks and illegal pharmaceutical sales. In the end, Storm became more of an ill wind than a hurricane, but it gave us an idea of what a "botnet for hire" can do.
The year also brought the resurgence of other botnets, including Kraken and Srizbi, which both found ways to outdo Storm. The industry also saw how pervasive botnets had become when, on two occasions, the rugs were pulled out from under them. The shutdown of two botnet "carrier networks" -- Atrivo and McColo -- made a significant impact on botnet operations, and actually caused temporary slowdowns in the distribution of spam and malware.
We know, we know, cyberwar didn't start in 2008. (Doggone it, will you just sit down and be quiet? You're going to put someone's eye out.) But the attacks by Russian entities on Estonian government Websites and computers in the spring of 2007 opened a new can of worms that governments and researchers across the world were wrestling with through much of 2008.
For one thing, the attacks from Russia extended to other former Soviet republics, including Lithuania and the Republic of Georgia. Such events, along with ongoing cyberattacks in Iraq and other warring regions, helped demonstrate that cyberwarfare is becoming as standard-issue for modern armies and terrorist organizations as guns and grenades. In fact, as the Russia-Georgia conflict proved, cyberattacks can be a precursor to more tangible military action.
These heated cyberconflicts have led to a wide range of "test" attacks between governments. China, especially, has been accused of wielding its cyberweapons against governments across the world, from neighboring Taiwan to sites in Pennsylvania. The governments of Australia, France, Germany, and the United Kingdom have also reported successful attacks from China during the past year or so, though the Chinese government generally denies any involvement.
Here in the United States, a number of hearings and reports in 2008 warned that the American infrastructure is not ready to defend itself against sophisticated cyberattacks from other countries. The "big one" didn't come this year, but some experts say it's only a matter of time.
Like every other aspect of business across the globe, IT security has been affected by the historic economic shifts that have occurred during the past year. Aside from the obvious re-evaluations of security spending and the predictions of security market consolidation, perhaps the most game-changing aspect of the economic downturn is the rapid rise of financially motivated cybercrime.
In a nutshell, experts say, a poor economy brings higher rates of crime; as the market for legitimate technologies decreases, the market for criminal exploits increases. These criminal exploits might come from outside the company, or they might be seen in the form of internal attacks from employees and trading partners. Both types of attacks increased in 2008.
Most pundits agree that 2008 represents only the beginning of the increase in cybercrime rates. As long as the economy is in a tailspin, they say, the incidence of computer crime will continue to skyrocket.
A look back at IT security developments in 2008 would hardly be complete without mentioning the Kaminsky vulnerability, a design flaw in the Internet's Domain Name System (DNS) functionality that could potentially allow attackers to hijack sessions and send users to sites that are unintended or malicious. Security researcher Dan Kaminsky, who discovered the flaw, outlined some very real threats posed by the DNS flaw when he finally revealed its details in August.
Kaminsky's process for revealing the flaw might have been as important as the details of the vulnerability itself. For the first time ever, he gathered the major DNS vendors, revealed the flaw to them simultaneously, and then agreed to try to keep the details under wraps until they all had a chance to develop and deploy patches.
The slow rollout of the DNS vulnerability was only partially successful, but it set a new precedent for disclosure that was later used by other researchers during the year, as well. And it raised a firestorm of discussion in the security community as to when vulnerabilities are important enough to merit special disclosure treatment.
It's hard to pinpoint a single event that sparked it, but 2008 was clearly marked by a new message about IT security: It's no longer about limiting access -- it's about enabling it. Security vendors and IT managers alike have embraced this message, setting up the security manager as the guy who sometimes says "yes" instead of always saying "no."
One company that has been consistently preaching this sermon during the past year is Palo Alto Networks, a next-generation firewall vendor that promises to help companies build enforceable security policies by tracking and controlling application access across the enterprise. However, Palo Alto is far from the only vendor now using this message: Industry giants such as Symantec, McAfee, and many others are now using the term "security enablement" broadly in their road maps and product literature.
What's important about the buzzword is that it reflects a shift in strategy around IT security. Rather than building perimeters and shoring up defenses, security departments are now consciously looking for ways that they can give employees access to more data from more places, without creating additional risk. This shift in attitude affects everything from security architecture to mobile and remote access, and may help security managers break down the wall between IT security goals and overall business goals.
At least, that's the idea we saw in 2008. We'll have to wait until 2009 -- or beyond -- to see whether it has legs.
The final word that was on everybody's lips -- and everybody's keyboard -- in 2008 was Barack Obama. (OK, that's two words. Sue us.) The upstart presidential candidate swept offices and Websites into a storm of discussion throughout the year, ultimately climaxing in his November victory.
Much of the security discussion focused on the integrity of candidates' Websites, the rapid rise of spam, phishing, and malware attacks linked to election news and events, and the vulnerabilities surrounding electronic voting machines. Obama's rivals, John McCain and Sarah Palin, both suffered hacking incidents.
Now that the elections are over, however, many security experts are asking more weighty questions about Obama's presidency. A blue-ribbon panel has already made recommendations on what the new president should do about key cybersecurity issues. Further questions about new cabinet posts, including a CTO and cybersecurity czar, also show a growing interest in the new president's initiatives on cyberwarfare, e-commerce security, personal data protection, and user privacy.
And whether you're Barack Obama or the average IT security manager, it's clear that 2009 will be at least as eventful as 2008.
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.