It is that time again when security professionals dust off their crystal balls and predict what the next year will hold for security.  Looking back, I have mostly agreed with what my peers foresaw, adding a few predictions of my own to the list for good measure.


Not this year.


To be somewhat impartial, I drafted a list before reading what colleagues were saying.  It seems our lists don’t match up too well.  So I am going against the collective grain and giving my own predictions.  Time will tell who is closer to being the true Carnac the Magnificent.


If you are interested in what I foretold for last year, check out my 2011 predictions.


Top 2012 Information Security Predictions

  1. Mobile attacks.  This is the one everyone agrees on.  Attacks on mobile devices will skyrocket.  They will be slightly different from those found on PCs, but they will be the methods by which attackers pursue their nefarious goals.  Mobile is fertile ground for attacks.  The technology is moving faster than security can catch up.  Attackers have the advantage and defenders will follow.  This will be the trend throughout the year.  Ironically, users will not really care.  As these attacks will largely be passive in nature, the mobile devices will continue to operate and therefore the users will be happy.  Even if some of their data is copied, bandwidth is consumed, and their personal habits are tracked, users will pay little attention to the warnings of security advocates.

    I expect this to hold true until 2013+, when banking and point-of-sale are widely integrated into mobile devices and organized attackers can conduct widespread automated financial attacks against users.  This will earn the attention and concern of users, financial institutions, and politicians, who will create a pull for more mature mobile security.
  2. Social media security.  2011 was an unprecedented year for social media, which played a prominent role in facilitating regime changes and social awareness across the globe.  Such power requires security.  Some organizations are looking to block access, attackers are seeking to leverage these vast networks for malicious purposes, and users are expecting to maintain availability and anonymity in the face of persecution.  In 2012, the struggles to provide and to undermine security for social media will be taken to the next level.
  3. Targeting of attackers will continue.  As predicted last year, 2011 was a banner year for worldwide law enforcement in tracking and apprehending cyber criminals.  Such agencies have found good footing in the tools and skills necessary to begin combating organized online villains.  Their capabilities, techniques, and cooperation will only get better in 2012.  Bad guys beware; the Sheriff is in cyber-town.
  4. Blending of ‘consumerization’.  I agree with my peers that consumerization, the use of personal devices for work purposes, will drive new security architectures to keep enterprise assets safe.  But I also believe we will see other blends take firm root.  Mobile and PC data/services, cloud and local capabilities, and productivity and entertainment systems will begin to integrate and thus create new vulnerabilities, which will drive security demands.  I expect these effects to become more evident towards the back half of the year.
  5. More security regulation.  It will continue to be slow, piecemeal, and inconsistent, but regulations will begin to solidify.  All the while, debates on the value and costs will continue, ad nauseam.
  6. Cyber-warfare embraced.  Nations will quietly accept, develop, and integrate cyber-warfare into their defense apparatus.  Worldwide, more government money will be spent by nations to develop offensive cyber capabilities.  Integration into military forces as part of their command, control, and communications infrastructures will begin by the end of the year.
  7. Offensive security becomes acceptable.  This is where I really climb out on a limb.  The industry will dramatically change in 2013.  Legitimate and lucrative jobs will open for experts who are talented at creating tools capable of attacking systems.  Governments and defense industries will lead the way, opening a new market for smaller shops and independent contractors.  Universities will offer courses and eventually degrees in these dark arts, which were previously taboo.  Standards and certifications will emerge to prove the credibility of the competing labor force.

    It will happen in slow motion.  Quietly.  Malware will actually slow down.  No, it won’t stop or even decrease, but we should be able to see a slowdown in the rate of new types of malware in the short term.  Authors who would typically share their work with an open community will now pause, as they may be able to legitimately sell it for profit.  Why release to the world when a tidy profit can be made without fear of prosecution?  In a weird turn of events, malware will become intellectual property.

    Eventually, by 2013 and beyond, malware and other types of attacks will come raging back to unprecedented levels with increasing sophistication.  It will forever change the security industry.  With demand driving supply, more talent will be creating the very tools security practitioners have been dreading, at an even faster pace and with greater potential effects.  These will leak to the open markets, and such tools will be used for illegal purposes.  The defense side of the industry will then react, doubling its efforts to manage the new risks.  There will be instability until a new balance is struck and equilibrium eventually returns.


Sources for more reading: McAfee, SANS, PC Magazine, Computerworld, Websense, TrendMicro, Net-Security, CRN, Business Computing World

Security can be an emotional topic, especially if you have been a victim or sit on the front lines of the battle as either the attacker or the defender.  Discussions can be fraught with moral implications of right and wrong, social opinions of justice and fairness, financial explanations of costs and value, and the personal experiences of those who have been impacted.  These perspectives can cloud the cold logic behind the purpose of information security.


Setting all emotions aside, in the end, determinations involving security spending come down to a set of value decisions.  Should investments in security be made?  If so, how much, and what level of risk should be sought and sustained?


Security prevents or minimizes losses.  It may seem counterintuitive, but if the risk of loss is acceptable, or if the cost and negative impacts of security are too high, then additional controls are likely not warranted.  In most cases some controls are desirable, to keep losses in check.  The amount, type, and manifestation may differ based upon the needs of the user and the situation.


But shouldn’t we deploy security everywhere, crush every vulnerability, close all the exploits, and make the computing environment impervious?  NO!  Even if it were possible, it would be far too costly, both in expense and in the residual impact of those tools and processes on the productivity of the environment.  It just does not make sense to overspend on security.  The goal of a healthy security system is to find the right balance.


In most situations some level of security makes a whole lot of sense.  The average consumer and enterprise computing environment needs security to manage the risk of loss to an acceptable level.  We will never eliminate all loss, but we can get to a level where we feel comfortable with the tradeoffs between security and the residual risks.  This balance, which changes over time, is the optimal point of security that we should continually strive to achieve and maintain.


Many see security spending as a necessary evil, others as a potential life preserver.  My perspective is that security is an investment in the prevention of loss.  Good decisions around any investment involve making worthwhile tradeoffs for what is right over time.  Security at the appropriate level is a necessity, but not an evil.  It is an investment to manage losses to acceptable levels.

Warija

Going social with SOA

Posted by Warija Dec 4, 2011

In my earlier blogs, I shared how we can use Social Computing within the enterprise (Enterprise 2.0). In this post, I would like to discuss some of the adoption questions around Enterprise 2.0:


Will Enterprise 2.0 become as viral as the external social computing platform?

Will employees adopt the Enterprise 2.0 platform to collaborate and connect with fellow employees and reduce the "degrees of separation"?

Will the investment in the Enterprise 2.0 platform bear fruit?


As corporations continue to encourage employees to use the Enterprise 2.0 platform, there are certain challenges in adoption. No single tool can meet all the employees' needs, and we get feedback on tools not being intuitive or people having trouble leveraging all the capabilities. Does this mean we need to change the platform?


There is a simple answer to this dilemma. Instead of changing the platform, we expose its capabilities through APIs/web services and integrate them with other line-of-business applications. Employees have day jobs and tools where they spend most of their time. Making enterprise social computing a component of those tools will let employees go social without even being aware of it.


When we integrated our Enterprise 2.0 platform with one of the portals that most employees used to get corporate information, we saw a sudden spike in adoption. We are now planning similar integrations with other tools, so that when employees think of collaboration, they don't have to worry about which tool to use.


In your opinion, what will make employees use Enterprise 2.0 for collaboration? Is it a tool that will guide them, or the process, or intent?

Malcolm Harkins, Intel Vice President and Chief Information Security Officer, was recently selected as one of Computerworld’s 2012 Premier 100 IT leaders. These 100 IT leaders, from both the technology and business sides of companies, were selected for their exceptional technology leadership, creation of innovative solutions to business challenges, and effective management of IT strategies.


Malcolm has been leading Intel IT’s new “Protect to Enable” security strategy. To learn more about this strategy, listen to Malcolm in our webinar “Can Information Security Survive?” at http://www.eseminarslive.com/c/a/Security/Intel111011/. In this session, Malcolm explains the challenges of balancing Intel’s business needs and growth while managing and mitigating risks in enterprise security.


For more on the Computerworld Premier 100 IT Leaders, check out the press release on Marketwatch: http://www.marketwatch.com/story/computerworld-announces-2012-premier-100-honorees-2011-12-01.


Elaine R, ITIntelsme