Ten 2010 IT Security Predictions, Part 2: Schmidt and ICSA Labs

Howard Schmidt, former eBay CISO and vice chairman of the President's Critical Infrastructure Protection Board, and the folks from ICSA Labs, a vendor-neutral testing and certification lab, offer 10 predictions for security in 2009. (Second of 2 parts).

As 2009 draws to a close and a new decade dawns, CSOonline has reached out to some of the industry's best known security pros in search of insight on what the next 12 months and beyond have in store for our IT and cyber infrastructure. We started last week with Mark Weatherford, chief information security officer for the State of California, and Dan Kaminsky, network security specialist, director of pen testing at IOActive and discoverer of last year's massive DNS flaw.

Today we continue with predictions from Howard Schmidt, former eBay CISO and vice chairman of the President's Critical Infrastructure Protection Board, and ICSA Labs, a vendor-neutral testing and certification lab for hundreds of security companies.

Editor's note: Five predictions from Oracle CSO Mary Ann Davidson were originally scheduled to be in this installment, but schedule conflicts forced a change of plan.

Howard Schmidt, former eBay CISO and vice chairman of the President's Critical Infrastructure Protection Board

1. Malware Goes Mobile

Malware for mobile devices/smartphones will escalate as more apps are provided that facilitate users' ability to do more things related to e-commerce, travel and financial apps. Given that many end users feel less vulnerable on their mobile devices, it could be a steep learning curve to convince them they need to take similar protections as they would on their PCs.

2. The Cloud As Security Enabler

While we have been doing some form of Cloud computing for more than 10 years, 2010 will be the tipping point as to much wider adoption in all sectors. The overall net effect will give us a better chance to develop more security in the cloud using better vulnerability management/reduction, strong authentication, robust encryption and closer attention to legal jurisdictions.

3. Software Will Be Tested -- For Real

Procurement actions will require more robust testing of software and firmware to ensure significant reduction of many of the vulnerabilities that we are dealing with today. This might even rise to the level of some sort of software "certification" schema to show consistency of best practices.

4. Two-factor Authentication Becomes the Rule

2010 will be the year for wider adoption of two-factor authentication for the end users. With federation of the many various types of two-factor authentication that are around today we will finally see strong authentication become the rule NOT the exception.

ICSA Labs, testing and certification lab

1. PCI Compliance Continues to Drive Adoption of Web Application Firewalls (WAFs)

The WAF market is maturing. WAFs are pushing into the cloud more and more, and Gartner, Inc. is planning for the first magic quadrant on WAFs.

2. Network Attached Peripheral Security (NAPS) Threats Grow

With more network-attached devices than ever before, there are even more opportunities to cause harm. This year's uncertain economy spurred an unprecedented number of layoffs and the risk of disgruntled employees stealing confidential company information is greater than ever. Using unsecured printers and network-connected security cameras that can be manipulated, employees are able to cover their tracks when accessing restricted areas.

3. Social Networking Threats Skyrocket

As more and more businesses turn to social networking sites to extend their customer reach and build brand awareness, sensitive data becomes even more available and vulnerable. This past year, the KoobFace worm spread like wildfire through several social networks including Facebook, MySpace, Friendster and Twitter. In October, a massive bot-based attack, Bredolab, affected three-quarters of a million Facebook users by sending fake password reset messages. Vendors and purveyors of social media sites need to take a more active role in educating their users about threats like Bredolab in 2010.

4. Windows 7 Flaws Revealed

The widespread adoption of the Windows operating system naturally makes it a key target for malicious threats like viruses, bots and worms. In fact, just last week on December 8th, Microsoft issued patches for three critical bugs found in Internet Explorer 8.

5. Spam, Phishing Go Mobile

While spam comes from all over the globe, more and more of it will originate in Asia during 2010, based on our weekly anti-spam product test reports.

6. Free AV and the Rise of Scareware

While free anti-virus products are great to decrease the growing amount of malware threats out there, users need to be cautious about rogue anti-malware products -- otherwise known as "scareware" -- that organized crime rings will use to take advantage of end-users and disable their computers. Scareware reared its ugly head this year through fake advertisements (malvertising) for antivirus on The New York Times website.

Copyright © 2009 IDG Communications, Inc.
