My predictions for 2007 revolve around information security testing -- that is, testing what's vulnerable within the network and within business operations in order to minimize organizational risks.

For starters, I believe compliance and IT governance will continue to drive the momentum to test for information security vulnerabilities. Year after year, I still think it's interesting how otherwise successful business people only test their information security when government and industry order it done. It's too bad business risk isn't the major driver. But, hey, at least they know that testing must be done!

I especially think we'll see an increase in testing wireless networks, mobile devices and Web applications. That said, I think most tests will continue to be too high-level to be of any value.

We'll continue to see the "auditor checklists" that look at information controls from a passive perspective instead of actively ferreting out and exploiting vulnerabilities like the bad guys are going to do. Case in point: I had an executive at a financial institution tell me recently that his company's auditors tested their Web application for security holes and everything came up clean. Come to find out, what their auditors actually did was run a generic vulnerability scanning tool against the server -- not the Web application itself. So, in effect, no Web application-specific scanners were used and no manual poking and prodding around within the Web app was done to find vulnerabilities. No wonder everything came up clean! I'm confident that more of this same type of elementary security testing will continue in 2007, but I'll stay positive. At least something is being looked at!

In 2007, in-depth information security testing will continue to focus on the technical aspects of software and systems rather than the people and operational issues of the business. The former is where the fancy exploits will be found (hence, the popular focus) and the latter is where the real weaknesses lie (what most managers and executives have yet to figure out). I do have hope, though, that business leaders will start to come around this New Year and support the testing of both sides of the security equation.

I also think a larger percentage of IT managers and executives will start to abandon the widespread practice of testing their information security once and assuming everything will be good for the next few years. They'll see that there is indeed value in periodic and ongoing security testing to root out new vulnerabilities and make sure their networks continue to be secure. Notice I said *start* to abandon. I'm guessing it'll take the next decade or longer before information security testing is actually treated as any other serious business program.

Finally, I believe source code analysis -- you know, finding the technical flaws where they start, at the source code level -- will pick up some steam as well. The tools are maturing, developers are starting to get on board with security, and (most importantly) managers are starting to see the value of integrating information security at this point in the game.

Regardless of my predictions, one thing's for sure: information security-related vulnerabilities aren't going away, and preventative technologies are only going to help so much. So now's the time -- more than ever before -- to develop a security testing schedule and methodology to help ensure your systems are safe and secure no matter what's to come in 2007.

About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver@principlelogic.com.