[ISN] [infowarrior] - The Curmudgeon's Crystal Ball: Security Predictions for 2003

From: InfoSec News (isnat_private)
Date: Thu Jan 16 2003 - 22:40:09 PST

  • Next message: InfoSec News: "[ISN] Hackers Humble Security Experts"

    Forwarded from: Richard Forno <rfornoat_private>
    Copyright © 2003 Securityfocus
    After a much-needed holiday hiatus, I'm back for 2003. And what better
    way to kick off the new year than with a series of predictions for the
    Internet security community?
    For better or for worse, 2003 will be an exciting year for information
    assurance professionals and for the Internet in general, particularly
    on the policy and technical fronts. As always, the phrase "never a
    dull moment" will apply to us involved in the security field, which
    will hopefully mean that wečll stay gainfully employed.
    White House Cybersecurity Strategy
    Perhaps the single greatest item to make security headlines (barring a
    major Internet attack) will be the upcoming public release of the
    White House Cybersecurity Strategy in its second, and final ­ for now
    ­ form.  Having seen a draft of the latest version, I'm pleased to
    report that it's more focussed and less sensational than its
    predecessor (released last summer). It also appears to contain much
    more realistic aspirations and security guidelines than the first
    The White House Cybersecurity team sought feedback on its first draft
    from industry and the public and, to its credit, paid attention to the
    comments received, as evidenced in this latest version.  Knowing that
    for any national information security strategy to succeed requires
    further and regular cooperation between industry and government, and
    knowing that this draft facilitates such cooperation, I believe it
    will be the major policy item for 2003. Of course, this assumes all
    involved parties back up their security rhetoric with visible and
    effective action.
    Increased Encryption
    Given the increasing breadth and invasiveness of electronic
    surveillance powers granted to law enforcement under the controversial
    USA-PATRIOT Act, there will be a growing underground community
    developing easier-to-use encryption and privacy-enhancing software
    that the average user can avail themselves of while. PGP and other
    high-end privacy applications will continue to be used by power users.
    In light of the shadowy "war on terrorism", it's likely that
    government officials will try and brand such tools as "supportive of
    terrorism" and attempt to stigmatize them in the public eye. Such
    efforts will mirror previous federal efforts to stifle digital
    privacy, such as the failed attempt to outlaw PGP in the mid-1990s.
    The Digital Millenium Copyright Act will become less of an anti-piracy
    legal tool and, as wečre seeing now with the Lexmark Case, will
    instead be used by large companies to ensure their marketplace
    dominance and force competitors out of business.  Further, in light of
    the legal victories of Jon Johannsen and Dmitry Sklyarov, the courts
    and the public are more frequently realizing, and formally
    challenging, the lunacy of Hollywood's quest for domination of the
    digital environment. This will be a slow, arduous struggle. But it
    will be necessary to ensure the protection of freedom and innovation
    expected by consumers living in the Information Age. It's quite likely
    that 2003 will be replete with DMCA-related stories making headlines
    around the world.
    Corporate Security
    Enterprises will continue paying lip service to information assurance.
    Unfortunately, they will continue to do nothing about it, as the
    prevailing sentiment amongst corporations is that securing systems
    detracts from profits instead of assuring them. As such, corporations
    will continue paying high-priced consultants to conduct vulnerability
    reviews, draft policies, and secure their systems while continuing to
    ignore their recommendations on how to improve security.
    Security of DNS Servers
    Security of the Internet will continue to be a heated and highly
    politicized topic for 2003, as various special interests ­
    governments, corporations, law firms, and ICANN, to name but a few ­
    jockey to make themselves the controlling force in charge of securing
    critical DNS servers around the world. Wečll see frequent references
    to the October 2001 attacks against several root servers as
    justification to make dramatic changes to how DNS works.
    While the ostensible motivation will be to improve the security of the
    Internet, the real objective will be to increase corporate
    profitability. Industry will lobby against the Internet community's
    easy and cost-effective proposals to improve DNS security, and will
    instead prolong the DNS security debate into 2004 and beyond, or until
    a pro- business solution is reached.
    With regard to technical vulnerabilities, I'm wagering that while the
    aggregate number of Windows and *NIX vulnerabilities will remain a
    tight race, the term "Microsoft product" will continue to be
    synonymous with "buffer overflow" and other such programming goofs.  
    As well, the contentious debate over the full disclosure of
    vulnerabilities will continue to rage amongst security stakeholders.
    And Apple will continue ignoring the significant out-of-the-box
    security features Mac OSX provides and overlook a major benefit of
    their product as it continues enticing Windows switchers.
    Allocating Responsibility for Security
    Unfortunately, the practice of avoiding responsibility for information
    assurance will remain the single largest obstacle to effective
    security. The latest version of the Cybersecurity Strategy has no
    provisions for making the producers of security products accountable
    for the failures of their programs. This is most likely due to
    industry lobbying in Washington. As a result, vendors will still have
    neither mandated accountability nor real incentive to provide products
    that are not easily exploited or abused.
    Until an enterprise CIO is fired or the US government issues a public
    'threat warning' suggesting folks avoid a specific product for
    security reasons ­ both of which steps would encourage and force
    accountability on security managers and product vendors ­ the state of
    information assurance really wončt change much for the better.
    Instead, it will be business as usual and security professionals will
    continue to be engaged in their traditional game of digital futility
    as they scramble from one problem to another.
    That's Just My Opinion
    These are a few forecasts for 2003 gleaned from my curmudgeonly
    crystal ball over the holiday season. Some may indeed come true, while
    others may prove me wrong.  All things considered, I'll wager that
    these predictions are more accurate than anything you'll get from Miss
    Cleo or any other per-minute psychic.
    Still, I'm holding out optimism that we'll see real change for the
    better this year. But, as comedian Dennis Miller is fond of saying,
    "that's just my opinion, I could be wrong."
    You are a subscribed member of the infowarrior list. Visit
    www.infowarrior.org/lists for list information or to unsubscribe. 
    This message may be redistributed freely in its entirety.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Jan 17 2003 - 00:52:32 PST