In no particular order:
We Are Doomed
- Bot networks seem to be growing in size.
- Many web developers don't understand XSS, CSRF and SQL injection-type vulnerabilities.
- Anti-virus vendors are starting to send signature updates several times per hour.
- It takes a reboot to update Adobe Acrobat, and updating VMware Workstation requires a 330MB download.
- Criminals are becoming more aggressive about protecting their enterprises via DDoS.
- Targeted attacks easily bypass organizations' defenses.
- DNS remains a weak link.
- Passwords suck.
- Wi-Fi is becoming more common, even though securing it remains a challenge.
- People are becoming anesthetized to security breaches, because they happen too often.
- It's too easy to ignore the findings of security assessments.
- First-time users throughout the world are flocking to the Internet, increasing the "low hanging fruit" attack surface.
There is Hope
- Prescriptive compliance requirements (e.g., PCI DSS) are making it harder for executives to ignore IT security.
- Security technologies are becoming smarter (e.g., web application firewalls) and more powerful (thanks to cheaper ASICs and disk space).
- Anti-virus vendors are paying more attention to behavioral protection and performance.
- The community's expertise in analyzing malware is becoming more sophisticated.
- Search engines are starting to warn users about potentially malicious sites.
- Law enforcement seems to be getting better at catching alleged cyber-criminals.
- It may be getting harder to host malicious sites on a large scale.
- The media is improving security awareness by publicizing security breaches.
- The developers of operating systems and web browsers are paying more attention to the security of their software, and are providing safer default settings.
- Microsoft is making a version of its anti-virus free for home users.
- Companies are starting to include security throughout the SDLC and to offer developers training on security issues.
Any suggestions for the lists above? We'd love to hear them. It's probably easier to come up with the items for the "Doomed" column, but consider what we can build upon to tip the scales in the defenders' favor.
Update: Thanks to everyone who wrote in with their perspectives, including: Mark Buchanan, Chris, Swa Frantzen, Tom McFadden, Frank Mellon, Jeff Martin, and David Rundle.
Security Consulting - SAVVIS, Inc.
Lenny teaches a SANS course on analyzing malware.