A Diamond in the Rough of Security Predictions
By Joe Knape
Prediction is very difficult, especially of the future.
- Niels Bohr
Apparently, drinking too much eggnog and watching a giant ball made of lights drop from the sky gets people in the mood to make predictions for the future. Speaking of which, where’s my flying car?!?
When it comes to security predictions, most of them are redundant, asinine, or just plain wrong in my opinion. But with so many vendors, media commentators, and wonks out there, you’re bound to come up with a diamond or two if you dig around long enough. One such diamond this year for me was Anton Chuvakin’s predictions, which you can find over at http://www.oreillynet.com/sysadmin/blog/2007/01/my_security_predictions_for_20_2.html.
Now, even if Anton Chuvakin’s predictions didn’t come out until January 14th, his article is still one of the few worth reading. We just won’t give him credit for anything that occurred in the first few weeks of January!
If you don’t see a prediction listed below, it is because I agree with it and didn’t feel the need to jump on the “me too” wagon. However, others in the list definitely deserve some additional commentary.
IV. Anton is frustrated at the numerous and sometimes contradictory ways that exist to rate and measure risk.
The lack of an emerging standard is both bad and good. The “bad” is that enterprises will continue to run programs with little or no help forthcoming from “industry best practices”. The “good” is that security professionals who are willing will be able to keep taking the best information available and develop programs that truly reflect the concerns and priorities of their specific organizations, without worrying about fitting square pegs into round holes.
V. According to Anton, 2007 will not be the “Year of NAC” mostly due to the fact that it means so many different things to different people.
There’s a difference between a well-run network and a well-implemented one (not well-architected or designed). Operations groups all over the world are running the networks they are given to the best of their ability. Most of the groups that I have personal experience with are doing a phenomenal job considering what they have to work with.
They deserve better, and it is up to us as security professionals to work with the designers, architects, and implementers to make sure that the networks being handed over are put together with security in mind in the first place. Easier said than done, I know, but if we don’t make the effort we don’t make progress.
VIII. There is a question in Anton’s mind about how voluntary compliance frameworks such as ISO17799 or ITIL will fare in 2007.
These standards will continue to be touted by consultancies and even some internal compliance/audit groups. Enterprise wide implementation will hold steady or decline due to all the effort and money that will have to be put into MANDATORY compliance. It’s still all about prioritization and use of limited resources. It’s our job to make sure that we are prioritizing on the things that are right for our companies, even if that means being nice to the auditors.
IX. Apparently security awareness is a topic of great amusement (dare I say derision?) for Anton.
This reaction is unfortunate but all too common. We here at The Security Catalyst and ultimately you the reader can change this for the better in 2007. Let’s prove Anton wrong on this one.
X. And finally, Mr. Chuvakin apparently made some predictions for 2006 (I’ll assume they were made around late 2005 but you never know with these PhD types!) which he thinks are still appropriate, such as client and application based attacks outpacing server and platform based ones.
I agree. At the same time, I couldn’t let you, dear reader, go without giving you something to help you justify the time you spent reading this far. I want you to ask yourself whether your organization’s 2007 security projects are focusing on the REAL risks to YOUR organization, or whether they are still trying to address the theoretical “threat of the month”. You know the one; it gets printed on every infosec magazine cover and written up in every online security article that month (almost as if they copy each other’s editorial calendars).
If you, your security organization, or your upper management are still not looking at risks, threats, and mitigations from a company-specific perspective, stay tuned to this space, because the next few posts will highlight some steps you can take to begin “changing the way people think” (and possibly even yourself) about applying security principles while keeping your particular company in mind.
Are there any security predictions you’ve read that are particularly interesting or disconcerting to you? Leave a comment or send me an email at jdknape@gmail.com. Please keep in mind that I reserve the right to publicly post and respond to anything I get unless I’m explicitly asked to refrain from doing so, but don’t worry, I will change any and all names to protect the innocent…and the guilty. Thanks for reading and I look forward to hearing from you.
Posted in Information Protection