Security Predictions for 2006
By Seth Ross, CISSP
Computer security is inherently unpredictable because attackers are unpredictable. They seek to bypass controls and defenses by novel methods. Nonetheless, it’s possible, though risky, to extrapolate from current trends into the near future. Here are six predictions for the year 2006.
Breach by Email
Reports of the breaches at data broker ChoicePoint made news during the RSA Conference 2005 in San Francisco. Since that initial report, there have been hundreds of unwelcome breach reports, some small, some large, some important, some not. Many of these announcements were triggered by California’s data breach reporting law — in the past, information about data security breaches was routinely buried out of public view. The pattern of data breach reporting kicked off at the 2005 RSA Conference will continue in 2006. In particular, a significant breach of email confidentiality will be publicly reported. In 2005, millions of data records were lost from a variety of sources: desktop computers, laptops, backup tapes, and network servers. But there wasn't a single high-profile breach that involved the interception or abuse of email. Email breaches are difficult to detect — unlike a laptop theft, there is no physical object that is missing — but that doesn't mean they don't happen. Sometime in 2006, someone will send confidential information via email, without encryption, and someone else will intercept and abuse that information, forcing a breach report and re-evaluations of email security.
PC industry leaders like Intel, IBM, HP, and Microsoft — along with specialized encryption firms like GuardianEdge Technologies — have been working with an open security chip design since the late 1990s: the Trusted Platform Module (TPM). The TPM provides basic encryption services and a secure method for storing cryptographic keys. TPM chips have shipped embedded in the motherboards of tens of millions of personal computers — in most cases, without the owner’s knowledge since most TPMs are not activated. By the end of 2006, the market move to make the TPM ubiquitous and useful will start. Expect to see the first web sites and other services that require "remote attestation" by the chip, a method to authenticate machines over the Internet.
Vista Improves Internet Security
After a long and winding development cycle, Microsoft will make a stable release of Windows Vista by the end of 2006. The shipping version of Vista will benefit from Microsoft's Trustworthy Computing Security Development Lifecycle, which calls for regular training of programmers in secure programming techniques, the insertion of security experts into the design and implementation cycle ("security buddies"), and the across-the-board use of secure default values. Microsoft claims these security processes are responsible for a significant reduction in the volume and severity of security flaws in the company’s products. Vista will be the most secure Microsoft operating system to date, and the overall security of the Internet will improve as "end point" clients are upgraded to Vista machines.
Apple Makes Security Pay
While the world waits for Vista, Apple will gain market share, maybe over 5% in the US. Apple has seeded an entire new generation of customers with the iPod. Apple also delivers a security win in Macintosh OS X, a Unix-based system with redundant built-in defenses: encryption, firewalling, and account security. The company will continue to attract Windows defectors weary of virus and other malware attacks. It will continue to demonstrate that good security is good business.
More Pain for Sony BMG
It’s all too easy to overlook the fact that security is oppositional — a gain in security for one party often represents a loss in security for another. Sony BMG is threatened by loss of revenue due to unauthorized copying by consumers, so in 2005 it deployed and installed rogue copy protection software on millions of consumer machines. That software has proved to be an exploitable “rootkit” that leaves a Windows PC in a weakened security state — Sony’s security gain is a security loss for the company’s customers. Sony BMG will feel a whole lot more pain over the rootkit, which is still being installed from CDs that were supposed to be pulled from the market. Audio discs are not a traditional source of threat, but Sony BMG has managed to place them on the map. This is a classic lose-lose situation. Neither Sony nor its customers will come out ahead. Expect additional conflicts over copyright protection, which could be exacerbated by the nascent Digital Rights Management capabilities of the TPM chip.
No Terrorist Attacks in US
One of the most vexing aspects of the security business is performance measurement: how do you know that you’re doing a good job? You’re doing a good job when nothing happens. Defining positive performance in terms of absence is always a trick. In any case, we can be thankful that there were no major attacks in the US during 2005. While there is no way to know who deserves credit or whether the crazy quilt of security initiatives since 9/11 is working, no news is good news. It's altogether possible that things are under far better control than they appear.
Good tidings for the New Year. See you next issue ...
About the Author
Seth Ross is the Chief Security Officer at GuardianEdge Technologies and author of the book, _UNIX System Security Tools_.