Top 10 Security Predictions for 2010

By Dimitri McKay, Log Evangelist
Verizon Security recently posted a set of 10 predictions for 2010 on their security blog. I have my own opinions about their predictions, as you'll read below. To see Verizon's original predictions, click here: 2010 Security Predictions
Our friends at Verizon Security feel that services like Facebook, Google, Twitter, and TinyURL will work to get better controls in place regarding criminal content. They believe that their business model is at stake if they don't attempt to flag or eradicate nefarious activity... advertisers will start pulling their dinero. And my response to that is "of course they will!" It's an obvious statement. The online services will absolutely do more to try to curb illegal behavior. If they don't do it, who will?
The recent Facebook "apps" scandal has made everyone scratch their heads and realize that they're allowing a number of different programs to have access to their accounts and, with that, some level of personal information. Twitter has been hacked over and over again. MySpace has vulnerabilities left, right and center. So to say that services will protect themselves is obvious. Whether these hacks or illicit behavior take place against them or on their networks is a variable. It all depends on the vulnerabilities discovered. The web, after all, is Swiss cheese. Admitting that is the first step.
Our friends at Verizon also feel that malware will not evolve this year, that botnets will stay the same as a whole, and that there won't be any mass outbreaks or targeted attacks. Personally, I don't see evolution as necessary when the same ole vulnerabilities still exist. Security best practices weren't followed until specific verticals created requirements to do so. The result was PCI, HIPAA, SOX, ISO 17799, and more pop up every day. If businesses would stop thinking of security as an outflow of cash, and instead think of it as a necessary cost of doing business, we'd all be a whole lot safer. The outbreaks will happen when yet another bored 14-year-old finds a vulnerability and decides he's going to be the next big thing. And chances are, he'll be rewarded with a big security job somewhere. Funny how that works.
The security team at Verizon also feels that consumers are getting smarter. The impression that there are fewer newbies on the internet, that services are more secure, and that people are generally more aware might be true. In one respect, however, I wholeheartedly disagree. As P.T. Barnum once articulately stated, "A sucker is born every minute." This hasn't changed. Sure, people aren't responding to instant messages on AOL asking for usernames and passwords, but the phishing sites are getting better, the vulnerabilities are becoming more public, and people are still falling victim. Think back to the days of "Don't open executables!" which became "Don't open .SCR files!" followed by "Don't open macros!" and then the ActiveX nonsense for malware. At the end of the day, although the public is getting a wee bit wiser, the trojan writers are getting better-er. Claiming that people are more intelligent because your friends haven't been scammed in a while says little about the state of public affairs.
Number four on Verizon's list states that Windows 7 (not necessarily IE8) will prove to be more robust than anticipated (vs. Vista), and that applications are the new targets. These are two completely different statements, and I'm not sure why they ended up in the same paragraph together.
First off, I should warn you: take what I'm about to say with a grain of salt, as I am a world-class Windows hater. I will do my best not to let my absolute loathing of all things Microsoft seep out. Oh well. So much for that.
Windows 7 is more robust than Vista, but that's not saying much. It's like saying a 2009 Honda Civic is more robust than a 2008 Honda Civic just because there's new standard leather trim. It's still a Honda Civic. It's still the same car. It's just dressed up prettier. Windows fans will go on and on about this-and-that device support and stability. We'll all stay tuned for that one.
Attacking applications as the next step is fairly obvious. Of course crooks are going to go for applications. Applications aren't written to be secure. Writing for security is much more time consuming and therefore more expensive. Coding for security has to be the next evolution in application development. Write for security as the first step. Make security the high priority. Don't write the app, then go back to see if it's secure. This is what causes world class /fail.
Number five on Verizon's list of 2010 predictions is that government and non-tech organizations worldwide will become increasingly frustrated over SMTP, DNS and SPAM, and they'll find phishing more and more difficult to thwart. They believe that Microsoft's legal efforts to can-that-spam, along with a high-profile arrest, will somehow cause all the other SPAMMERS in the world to shake in their boots and think twice about their line of work.
*yawn*
Spammers are nothing more than ticks on the backside of the internet. They exist. They suck off their hosts. And then they fall off. If we want to end SPAM tomorrow, we have to make the punishment for spamming so severe that the mere thought of it will make these hoodlums shake in fear. Follow the money. Who is profiting? Is it the manufacturer of said product? Is it a reseller? Follow the money. Then once you get them, go after the people who actually BOUGHT something due to a SPAM email. The only reason spammers still SPAM is because someone is buying. Those people should be prosecuted for even responding to SPAM.
Verizon Security also believes that breaches will increase, but on a smaller scale with fewer records compromised. They feel that more money theft will take place with account staff credentials being compromised. And they also believe mid-size businesses will be hit with some sort of compliance mandate to force them to do the right thing. Where Verizon and I disagree is that I see this going in the opposite direction. I see more breaches, more records compromised, more insider threats, more phishers, and more crooks using Western Union to transfer money.
What I'd love to see is a better-than-best-practices compliance mandate to supersede all mandates. From small business to large enterprise, make everyone play by the same rules regardless of vertical, regardless of industry, regardless of income. One compliance mandate to rule them all. That compliance mandate should not only represent best practices, but step it up a few levels.
Also, if there were a blanket worldwide legal policy that applied to ALL cyber-crooks globally, these scoundrels would no longer go unpunished. A couple of thousand dollars stolen from an account in the U.S. goes a LONG way in some other countries, and not only is it relatively easy to commit these crimes, but there are really no legal deterrents in place to discourage these high-tech pickpockets in other countries. Hoodlums can make millions (yes, millions) without any fear of prosecution, and the temptation to pick such low-hanging (albeit forbidden) fruit is very difficult to resist. Let's get downright hardcore on the legal front. Let's take down these wrongdoers.
Verizon Security went out on a limb when they stated that nothing of note is going to happen to phones, PDAs, and Macs. Really? Uh... no. Just two weeks ago we all learned about a sneaky little trick to invade unlocked iPhones that have SSH enabled with default passwords. This is just step one. If you look at how many iPhones are on the market, you can see the huge motivation for delinquents to act-a-fool. I see the mobile phone market getting its fair share of security issues.
Although I think Verizon Security has a high-level view of what takes place on the side of security, it seems some of the predictions are off in left field somewhere. One prediction I believe nobody will dispute, though, is that 2010 will be a very exciting year in security. And if we're lucky, a few people will realize they need log management to keep an eye on the security of their infrastructure. Stay tuned.