
Blog Tag: Top Ten Security Predictions for 2007

Okay, I know it took days before I was able to post this. I had a lot of deadlines to meet before Christmas. Over at his blog, Mike Murray posted his security predictions for 2007, and since he tagged me, this is what I came up with.

Security nowadays is very hard to accomplish, since everything is increasingly digitalized and, more importantly, networked. As 2007 approaches, security professionals cannot just roll over and play dead. We have to keep trying, because the alternative is worse. So here are my predictions for the coming year:

1. Inefficiency will continuously breed profit. Security professionals will continue to enjoy a surge in business and growing salaries, yet the dismal situation we are facing will continue. In the land of the blind, the one-eyed man is king.

2. We might finally see a major ActiveX security breach. The security weaknesses of ActiveX controls have long been known, yet they are still highly popular, and it's about to get worse. I agree with the Yankee Group when they say, “Retire ActiveX — now.”

3. Product life cycles will be shortened to three months. More organizations will continue to rely on “beta test” code that is not even of “alpha test” quality. Internet time has killed the concept of software testing. With the current system, the policy is: make the promise, grab their money, then promise fixes in future releases, and since you have their money, they will wait. Running the beta will win over running code that works.

4. Usability will still win over security. Most of the major applications will still ship with defaults that do not promote security. Still, people will think they are secure because of false advertising. It took 25 years' worth of UNIX security bugs to create a market perception that it is insecure, but it took only a year of Microsoft marketing to create a market perception that NT is secure. And it will take 3 – 6 months' worth of Microsoft marketing clout to create the notion that Vista and IE7 are secure.

5. The patent office will be even more hopelessly naive in keeping up with technology, and patents will contradict or overlap huge areas of technology. Small companies won't be able to afford to play.

6. Still no security model. More spaghetti software. And because of this, everything layered above a system with no security model will remain insecure. Market share and mind share will remain driven by who gets out there first. Whatever gets out there first is not likely to be good, just first. More to the point, it is almost certainly going to have security left out.

7. The epidemic of cybercrime will grow even more. We might see the number of organizations falling victim to DDoS (Distributed Denial of Service) attack extortion rising from approximately six or seven thousand up to nine to ten thousand in the coming year. And many companies will continue to pay, because an attack could cost them millions in lost revenue and public relations damage.

8. More web app vulnerabilities. Mercedes Benz, Fuji Film, Panasonic, US Navy, US Army, Greenpeace, Coldwell Banker, Microsoft, Google, Standford Electric, the National Oceanic & Atmospheric Administration, The SCO Group, the National Weather Service, Stanford University, SANS Institute, Symantec, McDonald's, Sandia National Laboratories, the U.S. Geological Survey, Bottom Line Technology, Association of Chief Police Officers, Midwest Express Airlines, the Space and Naval Warfare Systems Command, the Office of the Secretary of Defense, the Defense Logistics Agency, NASA Jet Propulsion Laboratories, Department of Education (Philippines), Department of Science and Technology (Philippines)…. what do all these have in common? Their web sites were recently defaced. This year alone, there have been a staggering number of exploits of vulnerabilities in eBay, Yahoo! Mail, Google's Gmail and MySpace, among others. We might even see the number of identity theft cases going higher.

9. Patch management will get even worse.
From SecurityAbsurdity.com:

The security company Scanit recently conducted a survey which tracked three web browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were “known unsafe.” Their definition of “known unsafe”: a remotely exploitable security vulnerability had been publicly announced and no patch was yet available. Microsoft Internet Explorer, which is the most popular browser in use today and installed by default on most Windows-based computers, was 98% unsafe. Astonishingly, there were only 7 days in 2004 without an unpatched, publicly disclosed security hole.

It doesn't take a genius to know where patch management is heading. Do the math; read the last statement again if you have to. Why continue a battle we cannot win? If patching really works, why are there still bugs in IE?

10. An idiot with a compiler might be the one who writes the next killer virus or malware. Yet, as always, safety technology is developed much later. Seatbelts, for example, were developed 120 years after the car was introduced. I just hope that the millions of dollars the industry is losing today will be enough of a wake-up call to the security community. Let us not forget that the security community's mandate is to protect, once and for all. And let us not wait until it is too late before we realize that code can be both life-saving and life-risking.

So here is summary scene number 1 for 2007: unless we do something, we're doomed. And summary scene number 2: on the bright side, security professionals will continue to enjoy job security. I came up with these predictions by looking at the current trend. So, unless someone turns the steering wheel 180 degrees, we're pretty much doomed.

Now, for the blog tag!

I am listing five blogs, ones that aren't on Mike Murray's list, for them to give their own predictions for 2007.

The Armorer’s Codex

ISAW

Ryoga Chronicles

tech ramblings

Advocrazy

So, what about 2007, guys? What do you think?


About princess of antiquity

Abbi Cabanding is a member of the Security Bloggers Network and has been blogging on information security since 2006. She is also a member of the Association for Computing Machinery. She studied Computer Science and Fine Arts at the University of the Philippines - Diliman.

Discussion

9 thoughts on “Blog Tag: Top Ten Security Predictions for 2007”

  1. “8. More web app vulnerabilities. Mercedes Benz, Fuji Film, Panasonic, US Navy, US Army, Greenpeace, Coldwell Banker, Microsoft, Google, Standford Electric, the National Oceanic & Atmospheric Administration, The SCO Group, the National Weather Service, Stanford University, SANS Institute, Symantec, McDonald's, Sandia National Laboratories, the U.S. Geological Survey, Bottom Line Technology, Association of Chief Police Officers, Midwest Express Airlines, the Space and Naval Warfare Systems Command, the Office of the Secretary of Defense, the Defense Logistics Agency, NASA Jet Propulsion Laboratories, Department of Education (Philippines), Department of Science and Technology (Philippines)…. what do all these have in common? Their web sites were recently defaced. This year alone, there have been a staggering number of exploits of vulnerabilities in eBay, Yahoo! Mail, Google's Gmail and MySpace, among others. We might even see the number of identity theft cases going higher.”

    You know what's interesting about the above? I wasn't aware of most of these defacements. If I'm not alone in my ignorance, I wonder what that means for the executive perception of the risk surrounding web defacement…

    Posted by Alex | December 24, 9:19 pm
  2. The mere fact that their sites were defaced lost them a couple of thousand dollars, even if it was only for a few hours. And for this reason, they are paying the extortionists a hundred bucks or so. And besides, they don't really publicize these things.

    Posted by abbi | December 27, 4:13 pm
  3. Well, that was depressing, Abbi. I'm going to go hide under my desk now.

    In all seriousness, this is a really great list.

    I wasn't aware of the defacements either. And that quote from SecurityAbsurdity was brilliant.

    Posted by Mike Murray | December 27, 11:06 pm
  4. There's already a prediction on ISAW 🙂

    Posted by Jun | January 12, 1:38 pm
  5. How do I contact you?

    Posted by technews | January 12, 2:08 pm
  6. @Mike Murray: Thanks. 🙂

    I want to hope that none of these will come true, although something tells me that would be optimism to the point of foolishness.

    @Jun: I saw the list. 🙂

    So true. I agree, we really need to educate the users and put the right people in the right position.

    @technews: I hope you received my e-mail. 🙂

    Posted by abbi | January 13, 3:07 am
  7. Thank you for the sensible critique. My neighbour and I were just preparing to do some research about this. I am very grateful to see such great information being shared freely out there.

    Posted by Charleen Charpia | December 23, 4:09 am

Trackbacks/Pingbacks

  1. Pingback: Serious CISCO Vulnerability « Princess of Antiquity - January 25, 12:25 pm

  2. Pingback: On UIS (CRS) Security « Princess of Antiquity - March 24, 2:14 pm
