Friday, December 31, 2010

expectations for 2011 and beyond

first, this is not a prediction or forecast post. this is only a tribute.

no, seriously i hate those posts, they are annoying and i can't imagine being full enough of myself to actually try to prognosticate on what the future might bring.

that doesn't mean i don't have certain expectations for the future, however (though i can't really pin down time frames like those fortune-telling bloggers can).

as far as attackers go i expect that i'm going to disappoint you by not saying what i expect to be the next big thing. long time readers know i can be sensitive about giving the bad guys ideas and i certainly don't want to direct them towards new and annoying avenues of attack.

of course even if i did give them ideas, i'd still expect to mostly see more of what we've already seen - especially more of the things we started seeing this year. attackers seem to change in response to 5 basic influencers:
  1. changes in user behaviour: this can be either changes that are meant to thwart attackers (which happen at a truly glacial pace) or adoption of technologies (like twitter for example) that provide attackers with new opportunities.
  2. new efforts by the security industry or authorities to thwart attackers: literally anything that disrupts the status quo for attackers fits in here. reputation systems that treat new unknown things as suspicious would be one example. new cooperative efforts to take down malware gangs would be another.
  3. changes to the computing platform itself: this is pretty strongly related to user adoption of new technologies, but i felt that with the way the dominant computing platform seems to be shifting away from personal computers and towards mobile computing devices, the opportunities this would afford attackers deserved to be highlighted.
  4. changes to the connectivity of devices: there's little doubt about how big an impact the broad adoption of the internet had on self-replicating malware like viruses and worms and later on distributed malicious computing like botnets. as connectivity continues to change and frankly increase between all sorts of devices, it stands to reason new opportunities will present themselves to attackers.
  5. motivational evolution: first it was fame, then fortune, and now we are starting to see a shift towards power being the motivating force behind attacks. there may even be something that comes after the fame/fortune/power triad but that would be too much like making a prediction.
all of those things happen at a pretty slow, gradual pace, however, which is why i'm not expecting huge upheavals in the modus operandi of attackers. #2 is probably the only one with the potential to produce a really sudden, punctuated change.

now while i may not be keen on giving the bad guys ideas, giving the good guys ideas i'm not nearly so shy about.

i expect to see facebook do something about all the scams. the scam pages and apps are turning facebook into an untrustworthy environment, and in an untrustworthy environment people are less apt to share, which means they're less apt to get a real benefit out of facebook, which in turn means they're less apt to use it. i can't imagine how facebook could possibly afford to just sit back and let that happen so i expect them to take some kind of action - i have no clue if it will be effective, however.

now that sandboxing and whitelisting are catching on (and in fact one well known company seems to have implemented all 3 of my preventative paradigms; oh heck, let's not be coy, kudos to kaspersky internet security - i'm not a customer but at least somebody seems to have either been listening to me or thinking along the same lines) i expect that people will gradually start adopting these technologies in larger numbers (the sandboxes will probably have an advantage since they're getting embedded inside client apps) and maybe even start to realize that these technologies are also limited, just like blacklists are. and THEN, maybe i'll have reason to start talking more about strategies for when prevention fails. we can only hope.

speaking of hope, now that at least one vendor has covered the 3 preventative paradigms in some fashion, would it be too much to hope that vendors start looking at the other parts of a proper defensive strategy? prevention is only the first part of the PDR (prevent, detect, recover) triad (which itself seems to me to be incomplete).

back to expectations, i expect to continue to see more examples of authority being exercised - both in official and unofficial capacities - in order to thwart and even arrest attackers. i hope (oh, am i diverging again?) to see greater appreciation for the fact that legislation on its own has little value. rules mean little if they aren't enforced, and enforcement requires detection of violations, attribution, and often (where official authorities are concerned at least) cross-jurisdictional cooperation. i expect at least someone will be highlighting the role these things played in whatever successes we have, and hopefully (there i go again) more attention will be paid to them.

i expect to see some more individual or community-based assistance given to those who exercise authority, probably in the form of detection and/or attribution, much like brian krebs has famously done on more than one occasion.

i also expect, unfortunately, to see people continuing to whine about how AV software isn't effective at anything anymore. i expect i will continue to make jokes about driving screws with hammers in response.

i expect to see the heterogeneous nature of the threat landscape continue to be underestimated by such verbiage as "today's threats" and "yesterday's threats" (as if yesterday's threats weren't threats anymore).

i expect to hear more about stuxnet. maybe even something that doesn't stretch the limits of credulity (a worm, spreading stealthily for over a year, only managed to hit its target after its notoriety reached its peak???).

i expect i'm going to be holding more people's feet to the fire over marketing bullshit and snake oil peddling.

finally, because these aren't predictions, i expect at least some of these expectations will not be met - at least not in the short term of the upcoming year.