IT security: What's in store for 2010?

2009 was significant, security-wise. Experts are predicting 2010 will be as well. Michael Kassner reviews some of their predictions and makes a few of his own. See if you agree.

Why was 2009 significant? Criminals figured out they can make a lot of money in cyberspace. So much so, that their underground economy is doing better than the above ground counterpart.

That's going to change in 2010. The pundits say it's going to get worse. Every prediction I read, suggests that cybercriminals are going to continue leveraging existing vulnerable technologies and find new and more effective (for them) vulnerabilities to exploit. Let's take a look at some of the predictions

eWeek's prediction

Mr. Brian Prince in his eWeek article foretells a continuation of current bad guy successes, plus a strong push into the cloud:

  • Pirated software will drive insecurity. Users of pirated software are afraid to download updates, thus exposed to security risks.

  • Social engineering meets social networks, upping the ante for compromises. Criminal organizations are increasingly sophisticated in how they attack social-networking sites.

  • Criminals take to the cloud. In 2010, we will see criminals leveraging cloud computing, increasing their efficiency and effectiveness.
Verizon Security's prediction

Mr. Russ Cooper's Verizon Security Blog post about 2010 should be given special attention. He is a highly-regarded security analyst and founder of NTBugtraq. Here are some of his thoughts:

  • Services will protect themselves. Facebook, Google, Twitter, TinyURL, and the like will gain more control over criminal content.

  • Malware will not evolve. No significant changes in malware will occur in 2010. Botnets won't get more sophisticated, although they may make changes in the way they work.

  • Consumers are getting smarter. The base level of "cluefulness" for consumers will rise in 2010.

  • Serious finger-pointing and frustration over essential protocols (SMTP, DNS) will occur amongst governments and non-technical organizations.
Help Net Security's prediction

Help Net Security enlisted Mr. Michael Sutton, VP of security research at Zscaler for their predictions. Mr. Sutton professes many of the same concerns, but added the following:

  • Apple's increasing market share will force them to finally invest in security, due to increasing attacks targeted at Apple devices.

  • App security testing is limited. Developers are able to slip in apps with undocumented APIs. Attackers will take things one step further and get malicious apps accepted.

  • The arrival of financial DDoS attacks. Cloud-based services charge by actual consumption. Attackers will hold enterprises hostage by artificially inflating costs.

  • Clickjacking has been used successfully for social-engineering attacks and it will become more prevalent.
ITPro's prediction

Mr. Stephen Pritchard of ITPro consolidated the opinions of several security firms for his 2010 prediction. That creates an interesting perspective:

  • Bigger botnets are expected by Symantec, meaning more spam e-mail. Can it get worse? Spam is already over 90% of all delivered e-mail messages.

  • According to IT security firm Imperva, cybercrime is getting organized. The criminals are operating clearly-defined supply chains, similar to drug cartels.
  • Getting users to install scareware that controls their computers is an effective money-making tool for the bad guys. That suggests it will be more common in 2010.
  • Windows 7 is a new operating system. That overrides any security improvements. Being new is a liability, just ask any security analyst.
In agreement

The experts did agree on several concerns, they are:

  • Cloud computing: The cloud offers unprecedented storage and processing power. If more businesses start migrating to it, so will the bad guys.
  • Data breaches: Data centers continue to grow in size and capacity. Yet, security is not keeping up. Data breaches in 2009 were minor compared to what's expected for 2010.
  • Social networks: Social networks are ripe for plundering. That's understandable, considering the popularity of social networks in 2009. Most, except Mr. Cooper, say we haven't seen anything yet.
My prediction

What I view as the biggest security headaches for 2010 are the problems requiring significant effort to fix, such as:

  • Vital, yet broken system protocols, DNS for example.
  • Convincing organizations to implement security/privacy measures on behalf of people accessing the organization's Web presence.
  • Balancing usability with security when new technology is being developed.
  • Becoming proactive, we know mobile devices are on the bad guys' radar, but are doing little about it.
Final thoughts

I'm onboard with Mr. Cooper. We did learn a great deal in 2009. Amazing innovation in IT security also occurred. It's now up to us, so I'm thinking 2010 will be a good year.