Between region-wide power outages and minor personal emergencies (e.g. basement flooding), I didn’t get my 2007 Security Predictions finished in the first week of January as planned. In the spirit of better late than never, though, here are my top Security Predictions for the year, in no particular order:
- The Security Industry will continue to grow, with several small new companies becoming more relevant to existing and emerging security problems. This trend will be reinforced by folks wanting to benefit and cash in on another continuing trend, namely:
- Security Company Consolidation will continue, with the major companies continuing to acquire interesting smaller technology companies to get both the technology and expertise needed to be competitive.
- More Enterprise Linux vulnerabilities will be patched than for all supported Windows platforms combined. This is a lay-up, since it has been true for a couple of years now.
- NAP/NAC will prove itself to NOT be like PKI. Basically, I think NAC/NAP will have some substantial success stories during 2007 and adoption will be quicker than some people have predicted, driven by the interoperation of the NAP agent in Windows Vista with the Cisco NAC capability.
- Mac OS X Vulnerability Disclosures will continue to grow, resulting in more pressure on Apple to take security seriously and institute some rigor around both their development and security response processes.
- Windows Vista security improvements will become demonstrable as the ASLR, DEP, Service Hardening and other layers of protection combine with SDL-improved security quality to reduce the number and severity of vulnerabilities disclosed and fixed.
- Impact from Targeted Attacks Eclipses Malware Impact. The established industry around identity theft, combined with new laws requiring disclosure of successful attacks, will bring more attention to targeted attacks and heighten security awareness concerning them.
- Ubuntu Maintains Subscription-Free Patching Model. In an effort to make inroads into Red Hat and Novell dominance for Enterprise Linux, Ubuntu will continue to offer subscription-free access to patches for their “Long Term Support” versions during 2007. While I expect that they will eventually follow Red Hat’s example and use entitlement enforcement for subscriptions, I think that change is a year or two away.
- Continued Focus on Popular Applications. The trend will show that security researchers continue a push “upstack” on applications. Additionally, more malware will be focused on popular applications such as instant messaging, Internet telephony and consumer music applications.
- Linux Vendors Announce Major Lifecycle Changes. As Enterprise Support commitments intersect with short release cycles, 2007 will see Red Hat developing and releasing security patches for RHEL2.1, RHEL3, RHEL4 and RHEL5 (Workstation, Enterprise Server, Advanced Server, etc.) for the hundreds of packages under support. RHEL5 will likely drive a surge of Security Advisories similar to the release of RHEL4, placing a serious burden on the security response team. I consider the most likely possibility to be that release cycles will be quietly lengthened, but other options, such as an early end-of-life for RHEL2.1, could help alleviate the burden as well. Other vendors face similar challenges, so the change could come from any of the ones offering Enterprise Support commitments.
- World of Warcraft Implements Security Upgrade. With an unprecedented 8 Million subscribers, the World of Warcraft money machine has even more reason than ever to protect the internal economy and players’ experience. After considering many options, WoW will likely go with a software-based authentication upgrade due to the higher costs of buying and distributing hardware tokens.
Well, there you are. I think some of these are slam dunks and some are stretching a bit, but which is which? We’ll review midyear and see how things are going…
For your enjoyment, here are some other 2007 security predictions by Matasano, Websense, eSecurityPlanet, Informit, eWeek, Techtarget, Net-security.org, Riskmanagementinsight.com, SOXJockey, and Amrit Williams.