A rantbox by Michiel Scholten

Security in 2009

While scrolling through my Bugtraq mail, I came across this tongue-in-cheek mail about the threats of 2009. I hope he doesn't mind me posting it verbatim here, but I thought it was too nice to pass on. To be clear: I didn't write it, Pete Herzog from ISECOM did. Here goes:

Top 5-ish Threats to Watch for in 2009

  1. This continuing trend to invest in the constant reminders of assumed security best practices screamed at all levels and types of workers across the work site will continue to eat away budgets, prevent security professionals from actually enhancing security and distract employees from working. This includes policy tidbits and factoids for employees to see everywhere from posters in the bathroom to mouse pad messages on their desks to screensaver quizzes they need to answer prior to login. Even organizations that eschew formal security awareness for the more often seen "IT guy complaining about security and stupid users to anyone who will listen" are also part of this threat. The security awareness threat will cause a loss of productivity and cost of materials to businesses worldwide that will most likely exceed the loss due to un-security-aware employee security blunders. They'd be better off spending that time and money on user controls, making security policies simpler so that they can be read by normal people as a job contingent, enforcing accountability, and formally certifying (pass a practical) employees who need to do secure gate-keeping.
  2. This year will continue the wonderful understanding of all the how-to truths about security that other people post on their websites and those will become part of the white papers, policies, classes, documentation, and advice of all the other people who study security through the search engine. Sorry, you may know it under its common name, Best Practices. Yes, best practices are all those tidbits that may or may not have worked for somebody else and now they too can be yours without ever having to know why! Interestingly, while certain "facts" about security have long been known, there are nearly no sizable, formal studies which measure the best practices people are encouraged or even mandated to apply. And if there is beauty in truth than marvel at these gorgeous Best Practices:

    "Update your anti-virus every 8 hours"
    "Use a firewall in front of your network"
    "Lick the USB connector before inserting it"

    Oh, and compliance is a collection of these best practices. Do what everyone else says to do or be punished by your peers! Yay for the capitalistic, democratic legal system! Less for more!
  3. Can you tell how many flies are in your home by the number of dead ones on your front doorstep? If not then you're using the wrong metrics. Study from the masters- that's right, this new year more and more people will learn metrics from anti-malware or intrusion detection companies. As security metrics steps away from being the little helper in Risk Management to become a booming industry in itself it needs to wear its big-boy pants (the ones that can hold the fat wallet). So its status as a threat to business management, procurement, security decision-making, and the bottom line has never be higher. That means they want your money. Badly. That makes them a the same type of nasty threat you can expect from any aggressive yet savvy televangelist- listen too long and you might be writing them checks.

    To be fair, the security industry is trying really hard to get good metrics but proper metrics are also labor intensive, require counting, and other types of math beyond the average, disinterested, and disillusioned security employee. Yes, just as measuring time requires being able to read a clock, good metrics currently requires reading security and controls. Watch for more digital watch equivalents in 2009. Unfortunately, like digital watches, it still assure people get there on time.
  4. The vuln hunters are getting more and more afraid of the legal aspect of their jobs and are neutering their releases more and more that by 2010 "Full Disclosure" will be about as revealing as a hole filled with dirt. But the announcements will be juicier, more enticing, and more exaggerated getting bigger headlines and bigger sky-is-falling dance floor time. This of course will cause many people who are neither lazy nor good security analysts a great deal of stress and wasted resources reacting to the announcement. Maybe we'll see a genius console game like "Disclosure Disco Revolution" where huge bug headlines pop up and you have to tap dance around them while at the same time stamping out bugs (so contact me for licensing arrangements).
  5. Guess what you call a security professional who graduated at the bottom of their class and with the bare minimum of security trivia memorized for their professional certification? A CERTIFIED SECURITY PROFESSIONAL!! Ha ha? LOL? *ahem* Okay, well, this new year will usher in a new batch of people who graduate from college as security experts. Yes, with as little as 4 years of college experience, even the English major can be a security professional just by memorizing security stuff! This is STILL happening! And people are STILL buying into it. But it's better than nothing, you say? Really? Seriously? In the old days we had to know systems blindfolded and in the rain and had to get our fingers filthy on keyboard grease before we even began to get an idea of how to DO it right-- not KNOW it right*.

    Not to get all crotchety-old-guy on ya, let me just say that we can expect that in 2009 there will be more of the same-- people who don't know what they're doing certified as professionals for what they know. Sure, you might think this is good for people who work in fields that require only security knowledge, like law, writing policies or white papers, or blogging security gotchas for the masses but then maybe that's just buyer's remorse kickin´ in. No. Trivia, security or otherwise, is okay for Game Shows and Reality TV but not for any kind of security practice. It's not okay that your doctor only read the medical textbooks. It's not okay that your legislation-drafter only read about security. But this won't change. It'll get worse. Know why? Because the people who write the legislation are already legislating even more of their ilk get hired. Yay for the status quo!

    * "right" in this case refers to a collection of experienced-based best practices backed by anecdotal evidence and the statistics of small numbers which still may or may not make sense but worked in that specific implementation.

    5-ish part 1: We will continue to see the increased production of websites and new web platforms that increase the speed and flexibility to which organizations can communicate effectively with the world, supporting products, creating communities, and delivering support notices amid marketing propaganda. Then when we contact them for support they will quickly and effectively send us a generic email telling us to call them according to their inconvenient times in their distant timezone. This growing trend to move support to a quasi-unmonitored support channel will cost those organizations in returns, future sales, and distribution channels. And it will cost their customers in lost time, phone bills, and stress-related health care.

    5-ish part 2: We will see that people still race around patching their computers whenever the latest security flaw is found. Seriously? As this practice continues I feel like I'm visiting the security equivalent of Amish country. I think there will be more people in 2009 who don't install service packs, patch services, or use fancy patch-management software because they white-list proper connectivity and actually configure their systems and design their networks for their intended use according to their environments. The witness protection model** is out and the prisoner model is in. Then again, maybe we'll see the rise of the Patch Management Professional.

    ** WPM works as long as the user follows the rules and there are no anomalies where as the PM is designed to anticipate the user is as hostile as those whom the prisoner may interact with.

    5-ish part 3: We will also need to worry more this year about an increase of cyber "warfare" only because the Internet is really just a road where there are no guard rails, licensed drivers, or inspected vehicles and a whole lot of road rage. So any citizen of any country can launch an international attack against the government of their choice and incite an international incident. Sure, their country will say, "They no work for us" (yes even the natively English speaking ones will talk like that) and why should anyone believe them? This worry will spawn a studio-backed movie by October 2009 and there will be a close-up of Metasploit on a PDA and the voluptuous, accented heroine will say words like "cantenna", "OSSTMM", and "Backtrack" which will set the blogger world in a tizzy. (The tizzy coming from people thinking she misspoke "awstim" for "awesome" and wondering what she meant by following the AWESOME methodology. And I will cry.)

Bonus - the "Black Swan"

Here's the one that will pop out and take us all by surprise and amassing massive casualties: Obama will call to ask me my opinion about security improvements for the U.S. and I will tell him the "Terrible Truth" as it applies to America. Then, as the Germans say, is "schluss mit lustig". 2009 will become the year of the security industry bail-out-- a cool trillion will go to feed security awareness, antivirus and patch management hawksters as well as all the others latched into the industry to re-invent themselves. And Firewall people, remember when I promised to kill you last. I lied.


Now quit shaking your head and actually laugh will ya?! Some of this may actually be sarcastic and in no way represents my views, the views of my organization, or the future of our children. Satire is still protected in many countries. I'll avoid the others.

Or maybe I speak the truth?

Happy 2009 to you all!