Wednesday, 18 December 2013

The magical list of security predictions for 2014

Read at: http://blogs.csoonline.com/pandemic-preparedness/2869/magical-list-security-predictions-2014

About this time every year, journalists covering the InfoSec beat start seeing prediction lists being pitched. Sadly, we will see the same pitch, from the same vendor, several times, often because we're on multiple blast lists. Thus, our inbox is clogged with pitches and follow-up emails asking if we've seen the pitches, plus the follow-ups to the follow-ups.
Not everyone is a fan of prediction lists. (Other than the vendors who make them.) For example, Martin McKeay, who works at Akamai as a Security Evangelist, holds an opinion shared by many security professionals when it comes to the vendor-driven prediction lists:
"Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least. With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and try to draw some sort of causal line to what will happen next year. The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading..."
Dave Lewis, fellow CSO blogger and Security Advocate for Akamai, pointed out that many of the prediction lists from years gone by could just as easily apply to the here and now. In fact, in his blog post on the topic, he proved it. His list comes from the year 2000.
As for me, I gave up on prediction lists years ago. They don't predict anything, and are typically just used to promote new buzzwords and bandwagon topics. This year, I'm going to take some of the predictions I have so far, and break them down into three categories. I'll share my thoughts, but I encourage you to share yours in the comment section, because feedback makes the world go round.
So without any further delay, here's my massively magical list of security predictions for 2014.
Expected:

Cloud applications will be recognized as being business critical...
News flash, this happened already.

Cloud app security and policy creation will become a high priority...
Well, given that the last cloud-based prediction is true, this had better happen or we're in trouble.

Advanced malware volume will decrease...
Mistakes will be made in "offensive" security due to flawed attribution...
Attackers will find new opportunity with professional social networks...
These almost went under comical. However, they are expected, because LinkedIn is a soft target, and assigning proper attribution to an attack is nearly impossible now, so that won't change next year either. However, "advanced" malware is more FUD than anything. Malware is malicious software, a tool for a criminal to use, nothing more - nothing less.

A large global brand will get hacked from an employee's mobile device...
This will happen. Eventually. However, I'll take the other bet too. It's already happened, but the knowledge isn't public.

Rise in consumer fraud will occur as consumers suffer ‘data breach fatigue,’ and show less interest in protecting themselves against fraud and identity theft...
Umm. Isn't this already happening?

Scams like ransomware will become more common...
Social networks will be targets...
Spear Phishers will widen their nets...
Data is EVERYWHERE, and it’s going to need protection...
So, I guess being overly generic and basic is an easy way to claim a win in 2014. If so, this little list of predictions will do just fine.

Bandwagon:
A major data-destruction attack will happen...
This prediction came about due to the attacks earlier this year in South Korea. That's the only logical reason I can see for it being mentioned.

The NSA will drive encryption efforts and further distrust of the government...
Collaboration amongst security professionals and with the government could suffer a setback...
Public trust, compromised by revelations of state-sponsored monitoring, will result in a variety of efforts to restore privacy...
There is no way a prediction list for 2014 could be created without referencing Edward Snowden or the NSA in some fashion. It had to be done; otherwise a potential mention in the news cycle could be lost.

Increased frequency of state-sponsored attacks and cyber-espionage...
You have Mandiant's report on APT 1 to blame for this.

Comical:
Incumbent (legacy, non-cloud, non-mobile) technologies will face increased scrutiny due to lack of security features...
Really? Something with no security, that was developed or produced when security wasn't even a consideration, will catch flak because it isn't secure? Seriously?

Attackers will continue to bypass organizational perimeters and will do so in increasingly ingenious ways involving social engineering...
Some jargon, a bit of flair, and boom, a prediction that looks smart but really says: "Hey you. Yeah, you in the cube. Criminals are going to lie to you, and you'll believe them. Then bad things will happen."

IT leaders who fail to embrace key trends will face more tangible consequences...
That's right. If you don't jump on the bandwagon, and purchase products based on today's headlines, you'll face consequences. Tangible consequences I tell you. Tangible.

HTML5 will have no significant increase or impact on the mobile app ecosystem...
That's good. I didn't know HTML5 was having an impact on anything at all this year.

Adoption of cyber insurance is expected to see double digit growth in the coming year...
So why is this one comical? Because the company that made it sells cyber insurance, so their bottom line depends on this coming true.
And finally.....
Security risk will be elevated to the board level in "risk councils" and, as a result, to better understand risk boards will seek to quantify risk levels...
What does this even mean?!
Looking forward:
So that's my massively magical list of predictions for 2014.
On a serious note, next year will be exactly like this one. Security and IT professionals will be forced to do more with less, and will spend their days between putting out smaller fires from the helpdesk and walk-up requests, and worrying about incidents that have likely already happened, but just haven't been discovered yet.
So my prediction for 2014? IT and InfoSec will be fueled by caffeine, nicotine, and Tums.
