[Infowarrior] - Fwd: Looking ahead at security trends for 2009

Richard Forno rforno at infowarrior.org
Wed Dec 24 03:18:45 UTC 2008 

As always, I agree w/Jericho 100%.  If I was not otherwise busy today  
I'd have probably been saying the same thing.  Great evil minds think  
alike, I guess.   --rf

Begin forwarded message:

> From: security curmudgeon <jericho at attrition.org>
> Date: December 23, 2008 9:13:20 PM EST
> To: Richard Forno <rforno at infowarrior.org>
> Subject: Re: [Infowarrior] - Looking ahead at security trends for 2009
>
>
> I don't know about you, but we've had years of these IT or Security
> trends/prediction mails now, and they are getting old and more  
> irrelevant.
> It's hard to take any of these seriously if they don't reference a
> previous years predictions and how they turned out.
>
> : Looking ahead at security trends for 2009
> : Posted by Jon Oltsik
> :
> : http://news.cnet.com/8301-1009_3-10128133-83.html?part=rss&subj=news&tag=2547-1_3-0-20
> :
> : In spite of the global economic recession, information security will
> : continue to be a dominant IT priority in 2009. Why? There are  
> simply too
> : many threats and vulnerabilities creating a perpetual increase in IT
> : risk.
>
> "Continue" to be a dominant IT priority? So all of the articles i've  
> seen
> for years about security making up 5% of an IT budget counts as
> 'dominant'?
>
> : 1. The evolving definition of endpoint security: Some analysts have
> : declared that, antivirus software is dead. I disagree and submit  
> that
> : endpoint security is simply evolving as a function of the changing
> : threat landscape. This is the primary reason why Sophos (a legacy
> : antivirus company) bought Utimaco (a data security company) in 2008.
> : Look for traditional antivirus, anti-spyware, and firewall  
> software to
> : merge with endpoint operations, data loss prevention, and full-disk
> : encryption in 2009.
>
> 1. Anti-virus is a completely catch-up market that lives off  
> subscription
> fees more than new sales. As such, signatures (responsive) are  
> priority,
> not heuristics (proactive) development.
>
> 2. We've heard about this full-disk encryption crap since 1995 and  
> the PGP
> bandwagon was just getting moving. Solid encryption has been around  
> for a
> long time. Software has been around for a long time. Yet, we haven't  
> seen
> this become a reality. Why not, and why will that change this year.
>
> : 2. More emphasis on cybersecurity: This year began with the
> : establishment of the Comprehensive National Cybersecurity Initiative
> : (CNCI), an effort to strengthen government networks. While well-
> : intended, CNCI has received minimal funding and support. In  
> December, a
> : Center for Strategic and International Studies report, further  
> described
> : the sorry state of cybersecurity and called for drastic  
> improvements.
> : Look for President-elect Barack Obama to get behind this effort in  
> a big
> : way with funding, a real public/private partnership, and cooperative
> : intelligence and law enforcement with a growing list of foreign  
> nations.
>
> A lot of big pretty words that make up the same prediction we see  
> every
> year, while .gov security continues to be dismal at best. Some new  
> acronym
> initiative isn't enough to make it a reality. We've had our share of  
> these
> groups/bodies/standards, we haven't had our share of .gov security.
>
> : 4. Security in the cloud: While "cloud" has turned into a vague  
> industry
> : security blanket term, I do believe that 2009 will be a strong  
> year for
> : managed security services. Many organizations simply don't have the
> : capital budget dollars or security skills to take on the  
> increasingly
> : sophisticated bad guys themselves--good news for IBM and Symantec.
> : Additionally, companies like Blue Coat, Cisco, and Trend Micro will
> : supplement on-site security equipment with scalable reputation and
> : update services in the cloud.
>
> Wait, you said that security will be a dominant priorit, and now you  
> say
> organizations simply don't have the budget or skill. Pick one.
>
> I like your term "Scalable reputation", as it's something I have been
> using for a long time. As vulnerabilities in products from IBM,  
> Symantec
> and Cisco are released, my perception of their reputation drops.
>
> : 5. Virtualization security: As server and desktop virtualization
> : continues to proliferate, we will need better security tools for  
> things
> : like role-based access control, virtual server identity management,
> : virtual network security, and reporting/auditing. Citrix,  
> Microsoft, and
> : VMware will lead this effort with partnering support from others  
> like
> : IBM (Project Phantom), McAfee, and Q1 Labs.
>
> Plug all of those names in your favorite vulnerability database,  
> then ask
> why you think they will lead anything in the realm of security.

More information about the Infowarrior mailing list