It is that time again when security professionals dust off their crystal ball and predict what the next year will hold for security. Looking back at past years, I have mostly agreed with what my peers foresaw, adding a few predictions of my own to the list for good measure.
To be somewhat impartial, I drafted a list before reading what colleagues were saying. It seems our lists don’t match up too well. So I am going against the collective grain and giving my predictions. Time will tell who is closer to being the true Carnac the Magnificent.
If you are interested in what I foretold for last year, check out my 2011 predictions.
Top 2012 Information Security Predictions
- Mobile attacks. This is the one everyone agrees on. Attacks on mobile devices will skyrocket. They will be slightly different from those found on PCs, but they will be the methods by which attackers pursue their nefarious goals. Mobile is fertile ground for attacks. The technology is moving faster than security can catch up. Attackers have the advantage and defenders will follow. This will be the trend throughout the year. Ironically, users will not really care. As these attacks will largely be passive in nature, the mobile devices will continue to operate and therefore the users will be happy. Even if some of their data is copied, bandwidth is consumed, and their personal habits tracked, users will pay little heed to the warnings of security advocates.
I expect this to hold true until 2013+, when banking and point-of-sale are widely integrated into mobile devices and organized attackers can conduct widespread automated financial attacks against users. This will earn the attention and concern of users, financial institutions, and politicians, who will create a pull for more mature mobile security.
- Social Media security. 2011 was an unprecedented year for social media to play a prominent role in facilitating regime changes and social awareness across the globe. Such power requires security. Some organizations are looking to block access, attackers are seeking to leverage these vast networks for malicious purposes, and users are expecting to maintain availability and anonymity in the face of persecution. In 2012, the struggles to provide and undermine security for social mediums will be taken to the next level.
- Targeting of attackers will continue. As predicted last year, 2011 was a banner year for worldwide law enforcement in tracking and apprehending cyber criminals. Such agencies have found good footing in the tools and skills necessary to begin combating organized online villains. Their capabilities, techniques, and cooperation will only get better in 2012. Bad guys beware; the Sheriff is in cyber-town.
- Blending of ‘consumerization’. I agree with my peers that consumerization, the use of personal devices for work purposes, will drive new security architectures to keep enterprise assets safe. But I also believe we will see other blends take firm root. Mobile and PC data/services, cloud and local capabilities, and productivity and entertainment systems will begin to integrate and thus create new vulnerabilities, which will drive security demands. I foresee these effects being more evident towards the back half of the year.
- More security regulation. It will continue to be slow, piecemeal, and inconsistent, but regulations will begin to solidify. All the while, debates on the value and costs will continue, ad nauseam.
- Cyber-warfare embraced. Nations will quietly accept, develop, and integrate cyber-warfare into their defense apparatus. Worldwide, more government money will be spent by nations to develop offensive cyber capabilities. Integration into military forces as part of their command, control, and communications infrastructures will begin by the end of the year.
- Offensive security becomes acceptable. This is where I really climb out on a limb. The industry will dramatically change in 2013. Legitimate and lucrative jobs will open for experts who are talented at creating tools capable of attacking systems. Governments and defense industries will lead the way, opening a new market for smaller shops and independent contractors. Universities will offer courses and eventually degrees in these dark arts, which were previously taboo. Standards and certifications will emerge to prove the credibility of the competing labor force.
It will happen in slow motion. Quietly. Malware will actually slow down. No, it won’t stop or even decrease, but we should be able to see a slowdown in the rate of new types of malware in the short term, as authors who would typically share their work with an open community take pause, since they may now be able to sell it legitimately for profit. Why release it to the world when a tidy profit can be made without fear of prosecution? In a weird turn of events, malware will become intellectual property.
Eventually, by 2013 and beyond, malware and other types of attacks will come raging back to unprecedented levels with increasing sophistication. It will forever change the security industry. With demand driving supply, more talent will be creating the very tools security practitioners have been dreading, at an even faster pace and with greater potential effects. These will leak to the open markets, and such tools will be used for illegal purposes. The defense side of the industry will then react, doubling its efforts to manage the new risks. There will be instability until a new balance is struck and equilibrium eventually returns.