eEye Digital Security

Security Predictions: All Hat, No Cattle

This is the time of year when holiday parties are had, gifts are exchanged, and everyone and their brother in the security industry writes blog posts and press releases about their predictions for the coming year. It reminds me how important eEye’s message of “Security in Context” is, given the sheer volume of “experts” making predictions that are really thinly veiled marketing agendas tying the scary threats of 2012 to some solution, product or service.

The reality is that making predictions of any type can be an extremely difficult thing to do. I am asked all the time by people what I think the future of security will hold. While I have plenty of opinions, I try to preface the answers with the fact that security is a reaction to how businesses evolve to leverage technology in their practices and how consumers consume information and interact with technology in their day to day lives.

Years ago no one would have made the prediction of how social networks would change security because people did not understand how social networks themselves would become popular and ubiquitous. No one made predictions about how smart phone malware would impact the world because the idea we would have a phone with equivalent processing power to that of our computers was too farfetched years ago.

I thought that this year, rather than writing the usual predictions blog post, I would look back at the predictions made last year about 2011 to see how they fared. The hardest part in writing this was of course trying to find specific predictions. Most security companies made very generic predictions that are equivalent to guessing the sun will rise and set. (Me, I personally bet both rise AND set in Vegas, but that’s just me.) My point is that most predictions are not new ideas; rather, they foretell more of the same security breaches, just bigger and scarier.

  • Critical Infrastructure Attacks to Increase – From anti-virus vendors to university research labs one of the big predictions made about 2011 was that there would be an increase in attacks on critical infrastructure, SCADA systems, etc… The reality is we saw no dramatic increase in documented attacks in 2011 and the only big news was when it was incorrectly assessed and later reported that hackers using computer systems in Russia had breached the SCADA systems of a facility in Springfield, Illinois. Kim Zetter of Wired of course set the record straight on this rather comedic “sky is falling” incident.
  • Apple botnets and Trojans become common – This was a prediction made of course by a lot of companies in the malware/AV space and for the most part it never rang true. The fact is that in 2011 there was no major explosion in OSX botnets and Trojans and Microsoft Windows still remained a favorite. Steve Jobs, rest in peace. Your baby is safe. For now.
  • Explosion in mobile attacks – Many companies predicted an explosion in mobile attacks but for the most part that explosion never happened. When you take the Android mobile platform out of the mobile equation there was not only a lack of an explosion but the only mobile attacks happening were a couple of security conference hacking demonstrations. Having a plan around mobile security is indeed important when having overall visibility of your computing environment but hackers are still more likely to steal data from your desktops and servers, being that they’re the low hanging fruit compared to mobile.
  • Hackers Feeling the Heat – Some companies predicted that in 2011 hackers would have a lot more pressure on them and more of the smaller hacking groups and individuals would be “stamped out” both by law enforcement and other cyber-crime organizations. This of course was not the case as 2011 saw the explosion of individual hacktivists and smaller groups under a larger cultural umbrella of things like Anonymous. Do not count out the little guy.

These are just a few examples of where predictions went sideways. We all love to try to predict the future as it is part of our human nature to feel good about thinking beyond the now and being right about it. Who will win the Oscar, the Grammy, or when is the Rapture this year? But the stakes are high in security given the ever increasing sophistication and number of attacks we see every single day. Making a bet on what you should do for security in 2012 based on the same gleeful off-the-cuff predictions of who might win at the Oscars is not how you want to approach information security for success.

Have fun with the prediction blogs and press releases this holiday season but remember no one will know how your business will be evolving next year to use new types of technologies and what risks that might create. In IT security you must not only know the security of your business but the business of your business. Without understanding how your business will evolve you will not understand how your IT security program should evolve with it.

How good are you at predicting the future? Tomorrow, during our Vulnerability Expert Forum, we’re going to be announcing that we’re picking two winners based on who has the best prediction on what new threats they think we might see in 2012 and also predictions on how businesses’ usage of technology will evolve in 2012. Enter your submissions in the comments below.

I look forward to hearing from you and hope you stay safe this holiday season.

3 Comments:

  • Chip Greene

    2012 Prediction:
    Q2 – Chromebook sales BOOM as OS security proves effective.
    Q3 – More applications available in enterprise options for chromebook
    Q4 – Major vulnerabilities found in chromebook releasing millions of account data.

    Not just Chromebook, but many of the newer operating systems that claim OS security will be a focus of attackers as these devices begin to deploy in corporate environments. As companies become comfortable with the cloud, and devices that connect corporate users to the cloud, security of these devices becomes trusted as hackers search for opportunities.

  • Terrie Moon

    Predictions for 2012:

    Unprecedented attacks on Apple products to include iphone, ipad and ipods.

  • Troy Tate

    Remember that past history is not necessarily a predictor for future events. However, some things can become much larger and be the epic fails to be remembered – like the PSN and RSA hacks.

© 1998 - 2011 eEye Digital Security. All rights reserved