What Will Matter in 2011

Published: 2011-01-03
Last Updated: 2011-01-03 03:49:37 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Information Security has easily been too fast of a field to provide reliable predictions. Sometimes it is hard to predict what you find if you come back from a long lunch. But lets try and play along with new years predictions. What will matter to your job this coming year?

We got a running list of various ideas from SANS Instructors [1]. Let me point out two that are sort of my personal favorites:

IPv6: Who would have guessed :) ... I think IANA may run out of IPv4 space sometime this or next week and regional registrars sometime this year. We will keep pushing IPv4 space to the limit and ignore IPv6 for as long as possible. But as usual with procrastination: What we will end up with is a lot of rushed out and broken implementations.

Social Malware: I think we will see less bots that spread via exploits but instead we will see smarter bots that find the right context to trick the user into executing them. Some of it we have seen with bots like Koobface. But there will be more, smarter, versions. Something that assembles an e-mail based on your browser history or facebook groups / pages you "like" to make it match your interest. You just went to see "Tron" in the theater? You will get an e-mail or facebook message with a secret second ending as a video file to play. Kind of like spear phishing, but more automated.

Now if you follow what I am doing, you may expect application security as one of the topics. I will skip application security prediction for 2011. I think progress will be incremental and that will be ok. People make plenty of money with "secure enough" software. There isn't currently a big change that I see coming in 2011. New software will be incrementally better as more developers figure out how to use new tools right. But legacy code will still be a huge problem and it will not be fixed in any big new ways, just one line at a time.

Wikileaks, Cyberwar, Cyber Terror: No big shifts here. It will continue to happen just like in 2010. No big new defenses either. Maybe a bit more international collaboration in fighting malicious actors.

Please feel free to add your predictions as comments below.

[1] http://www.sans.edu/resources/securitylab/security_predict2011.php

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: 2011 predictions
3 comment(s)


"Wikileaks, Cyberwar, Cyber Terror: No big shifts here. It will continue to happen just like in 2010. No big new defenses either. Maybe a bit more international collaboration in fighting malicious actors."

How can we "Collaboration in fighting malicious actors." when "we" can't even work out who was behind "Stuxnet"?

What "we" need to do in 2011 is work on better forensics and live forensics in real-time.

If we can't get the forensics correct, we can't even start to think about "Collaboration in fighting" against malicious actors.

I am currently starting to do a honours thesis (and hoping to continue on past it) based on digital forensics in the cloud, what challenges are there, and how can it make forensics more collabrative because these days it is unlikely one system in one central location will be affected,there could be systems all over the globe. Would also love to look at the impact of things like the new Chrome OS laptop.
WikiLeaks was a big phenomenon in 2010, but the difference is that in 2011 major corporations – not just mostly governments – are key to their hit list. That means if you work for a Global 2000 corporation, you could be next.

From an IT security perspective, WikiLeaks isn’t just a website. WikiLeaks set the precedent and if it were shut down, another would take its place. For us – what we need to prepare for – is the web-enabled model of making security leaks of privileged information by insiders more convenient than it’s ever been before.

Strong internal controls applying the principal of least privilege are the defense against the WikiLeaks-inspired form of insider threats. You can never prevent the chance of this kind of leak completely, but by reducing the number of people with access to the kind of information that could be leaked, the volume of information that is leaked goes down in direct proportion to the reduction in access.

-Jim Zierick, BeyondTrust

Diary Archives