Sunday, November 22, 2009

Not Kind, Not Gentle. The turn of the decade in security.

The decade in review: The most painful thing we learned is that computer security hasn’t worked. We are, at this very moment, MORE insecure than we were in the year 2000. Billions of dollars were wasted on security technology that isn't working. In the last ten years, true cybercrime was born. Maybe we were just naïve about the coming storm. At the turn of the century, it was hard to get past the romantic idea of a university student hacker who prowled systems harmlessly for fun. Blocking ports and preventing network-based buffer overflow attacks seemed so important. None of this technology prevented true criminals from pulling off the biggest heist in computer history – the massive theft of identity and subsequent banking fraud of the last few years. The traditional hacker is dead. Hackers are now called terrorists. The Russian mafia pays developers six-figure salaries to write rootkits and malware. Independent researchers can and will sell a reliable working exploit of Internet Explorer for more than $50,000 USD. It began to hurt so badly that even Microsoft had to jump on the secure coding bandwagon, declaring a massive effort to make their code more secure. But this isn’t working either. You see, we are adopting technology at a rate far faster than we can secure it. By the time we have secured something, the landscape has changed and the attackers have moved on. In fact, that is why desktop exploitation has become the dominant attack vector. Over the last few years, malicious documents and media, especially “rich content” that contains embedded logic, parseable metacode or script, and other logical constructs that can be malformed, emerged as the dominant method of exploitation. The APIs, COM objects, and other hoo-hah piled sky high on your Windows workstation are a garden of carnal delights to a skilled attacker. Exploits of this nature have been mostly delivered via Internet Explorer and email.
In fact, Internet Explorer is quite possibly the largest software disaster ever. As a software program, it has probably caused over a hundred billion dollars in damages since its release. This isn't about blame - if IE wasn't there, someone else's browser would have been the target. The browser is the portal into the Enterprise, so it's going to be where the bad guys focus. Finally, even before all this was going on, every nation state on the planet was standing in the shadows scared out of their britches. Smart people in high (low?) places could see the writing on the wall. It is TRULY AMAZING that a terrorist hasn’t hacked into the SCADA systems of a municipal power utility, started a cascade failure, and shut down half a state in the dead of winter. It’s because of this that I think [most of] those so-called terrorists aren’t very bright. As we close out the first decade, we must realize we have just entered one of the biggest arms races in the history of warfare. In fact, one can easily say that true cyber warfare was birthed in the last ten years.

So, now my predictions for the next ten years: Very early in the next decade, online identity theft and banking fraud will replace drug trafficking as the dominant criminal problem worldwide. Cyber cartels will make more money annually than drug cartels. Exploitation will continue to be focused on content-based delivery – that is, malicious documents and media. This will be coupled with a massive growth in online social networking. Trust, as a human concept, will be exploited as a means to spread malware throughout social networks via your online digital identity. Again, we will adopt new technology at a rate faster than we can secure it. The largest domain of attack will be software running on cellular phones. The phone will truly evolve into a network terminal – a slightly thicker thin client, loaded with more software in the palm of your hand than you could cram into a Windows 95 box in the year 2000. Yep, you guessed it, another garden of carnal delights – these new platforms will arrive unsecured, the development tools to make software will be insecure, and the people writing the code aren’t going to give a bug’s butt about secure coding practices. So, cyber crime is going to get a lot worse. Meanwhile, we are going to see at least one major SCADA-based terrorist attack. We may have no idea that a terrorist did it, because the authorities will never admit it if they can plausibly lie, but it will happen. In fact, it may have already happened. Security spending will shift as well. Starting now, and reaching a heyday in about 6 years, security spending will shift towards host-based security solutions. First the government, and then commercial enterprises, will realize that netflows and gateway solutions are not going to stop malware – it’s just too hard to predict what software will do without actually running it.
And, online social relationships will be an extension of our professional identity – in other words, when an employee sits down at his workstation, his entire social network sits down with him. Network-based security cannot hope to analyze complex documents and media, much less decide whom to trust and when. Because everything will be hosted online, blocking content will effectively break the Internet, and looking inside the content will never happen at the network gateway (don’t invest in companies that think they can solve that problem). Concepts like malware-tolerance will become a hard reality; people will realize you can't keep the bad guys out. While the majority of online crime will continue to be in banking fraud, we are going to see industrial espionage and state-sponsored attacks in the press more than once. And, while banking fraud hurts the individual, the scope and damage of espionage is far, far greater. Whether it's classified state secrets or the recipe for Coke makes no difference: when the criminals out there figure out the value of information, they WILL steal it. The next ten years are not going to be kind or gentle to the security space. The hardest hit are going to be the biggest in the space – AV vendors are going to take the hardest fall. Their signature-based solutions don’t work today, but not everyone knows that yet. Over time, that truth will seep farther into the IT space. So, perhaps my biggest prediction is this – AV will lose its place as the #1 security expenditure in the Enterprise. I’m not sure what will replace it exactly, but I do know that people are going to stop throwing good money after bad.