We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.
The answers were candid, diverse and often cynical and comical — just as expected.
Sometimes our panel is in agreement, other times diametrically opposed. But take note: Their forecasts may help prepare you for what's
coming next.
— Dan Kaplan
EXPERTS:
Phil Cox, SystemExperts
Nancy Edwards, State Auto Insurance Companies
Markus Jakobsson, Indiana University
Rob Lee, Mandiant
John Pescatore, Gartner
Mike Rothman, Security Incite
Nick Selby, The 451 Group
Johannes Ullrich, SANS Internet Storm Center
Chenxi Wang, Forrester Research
Ira Winkler, Internet Security Advisors Group
What will be the big security concern for businesses?
Selby: The insider threat — particularly, the chore of separating the data leakage committed by the stupid, careless and uninformed from that of the skilled, malicious and motivated insider.
Rothman: It will remain application security issues.
Wang: Data security for the time being.
Jakobsson: Crimeware, especially using social context a la spear phishing to enhance the likelihood of exposure and infection.
Winkler: What they should be worried about is the small losses they ignore that add up to the major losses. What they will worry about is compliance.
Edwards: Really knowing who touched the data.
Who gets acquired in 2008: McAfee or Symantec?
Winkler: McAfee is in a more vulnerable position.
Rothman: Neither. Symantec is too big and (newly named CEO David) Dewalt is in the middle of rejuvenating McAfee. McAfee is acquired in mid-2009. Though for the right price, everything is for sale.
Edwards: Probably both. We're bummed with all the acquisitions. We find the larger companies harder to do business with. We become just another customer.
Pescatore: Neither, but of the two, McAfee is certainly more likely just because it is smaller and easier to swallow.
Lee: Better question: Who cares? Both vendors should be more concerned with improving their products.
What emerging threat will become a true risk?
Pescatore: Attacks against Web 2.0 applications.
Ullrich: IPv6, if it ever gets established.
Jakobsson: JavaScript-based attacks.
Winkler: Data leakage from peer-to-peer file-sharing.
Lee: SCADA attacks.
Rothman: I don't think we'll see a truly “new” attack vector in 2008.
Wang: Information leaks over non-traditional channels, e.g. mobile, P2P.
Selby: Virtual machine security. As businesses try to virtualize everything from applications to the lunch-room staff, somebody smart has just gotta kick out some kind of exploit. It needs to be messed with at a level that is deployable in the mainstream.
Do security budgets rise or fall in the forseeable future?
Rothman: Fall. We've spent a lot of money over the past five years and most organizations don't feel more secure. The golden goose will be cooked sooner, not later.
Wang: Rise.
Cox: Rise, due to regulatory compliance demands.
Pescatore: Rise as a percentage of the IT budget, but the rate of increase will be slower than in 2007, and security groups will face pressure to justify new expenditures.
Lee: Rising, resulting from compliance and litigation.
Jakobsson: They better rise. Or let me change my answer to the first question, and say that falling security budgets is the greatest threat against businesses.
Ullrich: There will be a slight rise.
What emerging threat will be all bark and no bite?
Rothman: Virtualization security.
Wang: Image spam.
Jakobsson: Attacks on hand-held devices or radio-frequency identification (RFID) chips.
Ullrich: RFID. Also, lawmakers will start to talk about meaningful legislation with international cooperation in mind, but I may be dreaming.
Pescatore: The hype over the “convergence” of physical and information security will still be hype, and the real action will be simple integration of some of the technologies.
Lee: The Defense Advanced Research Projects Agency (DARPA) discloses that the internet is indeed connected via a series of tubes.
Do you think software coding will get any more secure?
Pescatore: More secure, but not secure enough. In 2008, more enterprises will make proof-of-vulnerability testing a requirement in all software development contracts, but new trends like Web 2.0 and SOA will mean that more code will be quickly pushed out without going through a formal-enough software development lifecycle.
Cox: No. More programs equals inexperienced
coders equals same mistakes equals holes.
Edwards: It has to. It's too expensive to fix later.
Winkler: It is getting more secure, but some people will never accept that there will always be security vulnerabilities no matter how good the development processes are.
What problem needs to be solved in the IT security field?
Jakobsson: Wouldn't it be terrific if we all had embedded devices that could perform authentication in a zero-knowledge manner? Snap your fingers and touch the screen, and you're logged in.
Rothman: Data security.
Edwards: Easier two-factor authentication. Tokens are a pain, expensive and don't add that much security. They just make a compliance expert happy. Biometrics aren't yet cheap and reliable, but are getting closer.
Lee: Everytime a user performs an action that opens their organization up to potential threats, a sound will come out of their computer saying, “That was stupid.”
The answers were candid, diverse and often cynical and comical — just as expected.
Sometimes our panel is in agreement, other times diametrically opposed. But take note: Their forecasts may help prepare you for what's
coming next.
— Dan Kaplan
EXPERTS:
Phil Cox, SystemExperts
Nancy Edwards, State Auto Insurance Companies
Markus Jakobsson, Indiana University
Rob Lee, Mandiant
John Pescatore, Gartner
Mike Rothman, Security Incite
Nick Selby, The 451 Group
Johannes Ullrich, SANS Internet Storm Center
Chenxi Wang, Forrester Research
Ira Winkler, Internet Security Advisors Group
What will be the big security concern for businesses?
Selby: The insider threat — particularly, the chore of separating the data leakage committed by the stupid, careless and uninformed from that of the skilled, malicious and motivated insider.
Rothman: It will remain application security issues.
Wang: Data security for the time being.
Jakobsson: Crimeware, especially using social context a la spear phishing to enhance the likelihood of exposure and infection.
Winkler: What they should be worried about is the small losses they ignore that add up to the major losses. What they will worry about is compliance.
Edwards: Really knowing who touched the data.
Who gets acquired in 2008: McAfee or Symantec?
Winkler: McAfee is in a more vulnerable position.
Rothman: Neither. Symantec is too big and (newly named CEO David) Dewalt is in the middle of rejuvenating McAfee. McAfee is acquired in mid-2009. Though for the right price, everything is for sale.
Edwards: Probably both. We're bummed with all the acquisitions. We find the larger companies harder to do business with. We become just another customer.
Pescatore: Neither, but of the two, McAfee is certainly more likely just because it is smaller and easier to swallow.
Lee: Better question: Who cares? Both vendors should be more concerned with improving their products.
What emerging threat will become a true risk?
Pescatore: Attacks against Web 2.0 applications.
Ullrich: IPv6, if it ever gets established.
Jakobsson: JavaScript-based attacks.
Winkler: Data leakage from peer-to-peer file-sharing.
Lee: SCADA attacks.
Rothman: I don't think we'll see a truly “new” attack vector in 2008.
Wang: Information leaks over non-traditional channels, e.g. mobile, P2P.
Selby: Virtual machine security. As businesses try to virtualize everything from applications to the lunch-room staff, somebody smart has just gotta kick out some kind of exploit. It needs to be messed with at a level that is deployable in the mainstream.
Do security budgets rise or fall in the forseeable future?
Rothman: Fall. We've spent a lot of money over the past five years and most organizations don't feel more secure. The golden goose will be cooked sooner, not later.
Wang: Rise.
Cox: Rise, due to regulatory compliance demands.
Pescatore: Rise as a percentage of the IT budget, but the rate of increase will be slower than in 2007, and security groups will face pressure to justify new expenditures.
Lee: Rising, resulting from compliance and litigation.
Jakobsson: They better rise. Or let me change my answer to the first question, and say that falling security budgets is the greatest threat against businesses.
Ullrich: There will be a slight rise.
What emerging threat will be all bark and no bite?
Rothman: Virtualization security.
Wang: Image spam.
Jakobsson: Attacks on hand-held devices or radio-frequency identification (RFID) chips.
Ullrich: RFID. Also, lawmakers will start to talk about meaningful legislation with international cooperation in mind, but I may be dreaming.
Pescatore: The hype over the “convergence” of physical and information security will still be hype, and the real action will be simple integration of some of the technologies.
Lee: The Defense Advanced Research Projects Agency (DARPA) discloses that the internet is indeed connected via a series of tubes.
Do you think software coding will get any more secure?
Pescatore: More secure, but not secure enough. In 2008, more enterprises will make proof-of-vulnerability testing a requirement in all software development contracts, but new trends like Web 2.0 and SOA will mean that more code will be quickly pushed out without going through a formal-enough software development lifecycle.
Cox: No. More programs equals inexperienced
coders equals same mistakes equals holes.
Edwards: It has to. It's too expensive to fix later.
Winkler: It is getting more secure, but some people will never accept that there will always be security vulnerabilities no matter how good the development processes are.
What problem needs to be solved in the IT security field?
Jakobsson: Wouldn't it be terrific if we all had embedded devices that could perform authentication in a zero-knowledge manner? Snap your fingers and touch the screen, and you're logged in.
Rothman: Data security.
Edwards: Easier two-factor authentication. Tokens are a pain, expensive and don't add that much security. They just make a compliance expert happy. Biometrics aren't yet cheap and reliable, but are getting closer.
Lee: Everytime a user performs an action that opens their organization up to potential threats, a sound will come out of their computer saying, “That was stupid.”
