by Senior Editor

10 Predictions for 2010: Kaminsky and Weatherford

Dec 14, 2009
Application Security, Critical Infrastructure, Cybercrime

Curious about what's going to happen to our critical IT infrastructure in 2010? Here, IT security luminaries Mark Weatherford, CISO for the State of California, and Dan Kaminsky, finder of last year's DNS flaw, offer five predictions each. (The first of two parts.)

As 2009 draws to a close and a new decade dawns, CSOonline has reached out to some of the industry’s best known security pros in search of insight on what the next 12 months and beyond have in store for our IT and cyber infrastructure. Each participant was asked to make five predictions.

We begin with Mark Weatherford, chief information security officer for the State of California, and Dan Kaminsky, network security specialist, director of pen testing at IOActive and discoverer of last year’s massive DNS flaw.

Tomorrow we’ll continue with predictions from Oracle CSO Mary Ann Davidson and Howard Schmidt, former eBay CISO and vice chairman of the President’s Critical Infrastructure Protection Board.

Mark Weatherford, chief information security officer, State of California

1. So, You Think You’ve Got Talent?

2010 should be the year organizations begin to truly focus on recruiting, training, and retention of cyber security professionals. One of the critical and growing problems those of us running security organizations face is the shrinking pool of technical cyber-security talent. There is more and more evidence (anecdotal though it may be) that organizations with weak security skills simply cannot protect their systems and information from the current level of hacker and attacker skills. A recent report by Booz Allen Hamilton stated that “the pipeline of potential new talent is inadequate” and that “there are concerns that America is not developing enough IT experts, creating labor shortages in both the public and private sector.” In the public sector where I work, the ‘retirement bubble’ we’ve been hearing about for a couple of years now is becoming very real, and we need to begin growing the next generation of cyber-security experts now. Despite the economic and funding challenges facing most organizations, those who choose to ignore this issue do so at their own great peril.

2. Social Media — It’s not just a fad, but a fundamental shift in the way we communicate!

I think we all understand by now that the security issues around social media aren’t so much technical in nature but are, well, Social. Because social media is all about the weakest link and hardest to control aspect of the security chain (people), phishing and the growing array of tactics cyber-criminals use to exploit, dupe and deceive will continue to expand. So, while the traditional hackers are still out there (see prediction 4), cyber criminals have figured out that it’s easier to just let us hack ourselves. The result will be a vast increase in the number of incidents related to loss of Personally Identifiable Information (PII) and consequently, new and more regulations for both business and government to protect PII and other sensitive data.

3. Critical Infrastructure — is it really that important?

There will be increasing discussions in the government of new compliance mandates on private sector companies operating critical infrastructure such as power generation, power distribution, water distribution, and others. The growing talk might even include intervention or granting of emergency authority. There’s been too much media coverage to continue ignoring it and the same security deficiencies we see every day in our home and work computers are vulnerabilities that can impact control systems within the nation’s critical infrastructure arena. And even though some may consider it hyperbole or FUD, no one can deny that the attack surface is growing. The federal government will begin discussing the lack of comprehensive oversight and address it with new regulations requiring more frequent audits and more security controls including training of staff and perhaps even certification of critical infrastructure security professionals.

4. Security in the Cloud.

Managed security services (MSS) in the cloud is not yet the nirvana many of us want to see but it’s going to become more and more accepted as the very good security companies continue to expand their security service offerings. Budgets are going in the wrong direction and organizations simply can’t afford to ignore the significant savings afforded by consolidating and putting some of your security services out there. Email hygiene (anti-spam filtering and anti-virus scanning) is a good example of a relatively low risk solution that works well in the cloud. MSS for IDS/IPS monitoring, vulnerability scanning, and web application scanning start to look like very rational decisions when the budgets are decreasing and internal staffing is down or the skill of the staff isn’t adequate (see prediction 1).

5. Cyber Crime.

Hackers writing viruses, hackers breaking into systems by circumventing security controls, hackers compromising the integrity of data, and hackers causing cyber vandalism are still out there and still doing their dirty deeds. This type of computer hacking however tends to fall into a different category than the new era of cyber criminal whose sole motivation is money. The bad news about these cyber criminals is that you can’t simply call them opportunists because they are both creative and smart, and the one thing that hasn’t changed throughout human history is that criminals congregate where the money is – Willie Sutton said it first! Cyber criminals are no different and as long as the barriers to entry remain low (they are) and the risk of getting caught is almost zero (it is), cyber-crime is going to blossom. While the on-line economy grows, so do the cyber crime opportunities.

2010 will see continued growth in crime and the exploitation of people through social media technologies that allow cyber criminals to prey not only on the naïve, but on all of us, by means of credit card fraud, phishing, identity theft, and distribution of child pornography. Crimeware such as keystroke loggers, and those programs that steal passwords and compromise web browsers so that they point to fake websites, are the cyber crime du jour. Ransomware is a particularly nasty form of cyber crime where victims’ computers are infected, the data and/or files are encrypted, and the victims are forced to pay a ransom for the encryption key. A new variation of ransomware adds a twist that blocks internet access and requires the victim to send a text message (at a premium rate, of course) for the code to free the data.

Dan Kaminsky: Network security specialist, director of pen testing at IOActive, discoverer of last year’s massive DNS flaw

1.) Economics will cause a few members of the “Old and Hoary Prediction Club” to finally come true.

One of the defining laws of security in general can be thought of as: “What could possibly go wrong is much more than what actually does.” Most bad things do not happen because they’re prevented. They don’t happen because “the bad guys” simply do not choose to do them. But this is truly the first major economic recession of the Information age, and whatever the numbers say, a lot of people are struggling. That’s motive. People who struggle get creative, by which I mean “start doing creative and profitable things they heard about”. Not everything that’s been predicted in previous years will come true, but at the end of 2010, look back to predictions for 2007, 2008, and 2009. Some of the wrong ones will have happened.

2.) Prosecution for cybercrime will begin in earnest, starting with the sloppy rich.

Albert Gonzalez, one of the hackers behind the Heartland and 7-Eleven attacks, reportedly spent over $75,000 on a birthday party. The worst of the worst know to keep far lower profiles, but what that party should tell you is that there’s a lot of low-hanging fruit for law enforcement to scoop up, with some serious ill-gotten gains to recover. As a corollary to this, the international jurisdiction problem that has stymied prosecutions in the past will be dealt with — possibly by agreement, maybe by treaty, and maybe even (if you will forgive me speaking about things I truly know little about) by the application of anti-terrorist compacts to cybercriminal activity. Put simply, there aren’t enough terrorists, and the ones there are, are political hot potatoes of the first order. The cybercriminals will have far less baggage.

3.) Data sharing will struggle, but will actually begin — driven by compliance requirements and the push for “public/private partnership”

One of the great challenges of security is operationalization: Sure, there are small cadres of attackers and defenders who know how this field works, but spreading them thin across the industry as consultants doesn’t scale. To make a real difference, the knowledge of a few must be pushed into process for many. Existing efforts along these lines — involving compliance regimes — have actually achieved more penetration than they’re given credit for. People are actually doing what the rules say. But the rules, without naming names, can leave something to be desired. In the face of deep compromises of fully compliant systems, the standards bodies will lay the blame on insufficient data sharing between victims. Right or wrong (and, given the terrible state of data in security, more the former than the latter), this will lead to American legislation centered on funding a law enforcement clearing house for, and a yearly report on, attacks seen against American cyber assets. Compliance standards, by and large, will compel participation in this regime. (There’s a small chance this effort will be fast-tracked by the end of 2010, but only in the face of a front-page-news-scale attack — if I were to predict an example, electronic interference with military-related logistics within a civilian supplier. Otherwise, it will be a program that is well underway, but not operational by the end of the year.) Europe will follow.

4.) Ineffective security technologies will finally get called out as such, but not without cost

Many cyber defense technologies do not work. Specifically, given a large sample of environments with the defense, and a large sample without, differences in infection rates between the former and the latter will not in fact be statistically significant. Some that do work only work through the multicultural effect: The defense simply doesn’t have enough market share to spawn evolution in attackers. Figuring out what doesn’t work, what won’t work in the long term, and what’s a genuine defensible security boundary will become a major driver for the next generation of compliance standards. Given the money at stake, expect this process to be brutal and politicized.
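The test Kaminsky describes, comparing infection rates across a defended and an undefended population and asking whether the gap is statistically significant, can be run with nothing more than a two-proportion z-test. The following is an added example, not code from the article or from either contributor; the two-proportion z-test is my choice of method, and the environment counts are constructed to show one product whose gap is within noise and one whose gap is not.

```python
"""Two-proportion z-test for comparing infection rates (added example).

Given a count of infected environments among those running a defensive
product and among those not running it, this answers the question the text
poses: is the difference in infection rate statistically significant, or
is it indistinguishable from sampling noise? Standard library only.
"""
import math


def two_proportion_ztest(infected_a, n_a, infected_b, n_b):
    """Return (z, two_sided_p) for H0: rate_a == rate_b.

    Uses the pooled-proportion z statistic, which is a reasonable
    approximation when each group has at least ~10 infected and ~10
    uninfected environments.
    """
    if n_a <= 0 or n_b <= 0:
        raise ValueError("sample sizes must be positive")
    if not (0 <= infected_a <= n_a and 0 <= infected_b <= n_b):
        raise ValueError("infected counts must lie within sample sizes")
    rate_a = infected_a / n_a
    rate_b = infected_b / n_b
    pooled = (infected_a + infected_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:
        # Both groups entirely infected or entirely clean: no evidence
        # of a difference either way.
        return 0.0, 1.0
    z = (rate_a - rate_b) / se
    # Two-sided p-value: P(|Z| > |z|) = erfc(|z| / sqrt(2)).
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return z, p_value


def defense_is_effective(infected_with, n_with, infected_without, n_without,
                         alpha=0.05):
    """True only if the defended group is infected less often AND the gap
    is significant at level alpha; a lower rate alone is not enough."""
    z, p = two_proportion_ztest(infected_with, n_with,
                                infected_without, n_without)
    return z < 0 and p < alpha


# Constructed sample (hypothetical counts, not measured data):
# 2000 environments in each arm of each comparison.
PRODUCT_A = dict(infected_with=110, n_with=2000, infected_without=122, n_without=2000)
PRODUCT_B = dict(infected_with=60, n_with=2000, infected_without=122, n_without=2000)


def main():
    for name, counts in (("Product A", PRODUCT_A), ("Product B", PRODUCT_B)):
        z, p = two_proportion_ztest(counts["infected_with"], counts["n_with"],
                                    counts["infected_without"], counts["n_without"])
        verdict = "effective" if defense_is_effective(**counts) else "not distinguishable from no defense"
        print(f"{name}: z={z:.2f} p={p:.4f} -> {verdict}")


if __name__ == "__main__":
    main()
```

Product A's defended arm has a lower raw rate (5.5% against 6.1%) but a p-value around 0.4, which is exactly the situation the text describes: the difference is not statistically significant. Product B's gap (3.0% against 6.1%) yields a z of about -4.7 and survives any conventional threshold. The point of the helper is that the verdict rests on the test, not on the raw percentage.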

5.) The Cloud will get worse before it gets better. But it will get better.

The Cloud is going to win. I don’t know how else to say this: It’s faster. It’s better. It’s cheaper. But there are security issues, and they’re not simply the sort of problems that can be worked out by taking a CIO out to golf and promising everything’s going to be OK. Genuine, technical security faults in cloud technology will garner a huge amount of attention. It may appear to some that all is lost. But the faults will be addressed, because existing investments are so very high. And anyway, it’s not like the status quo is anything to be proud of.