My predictions for 2007 revolve around information security testing -- that is, finding what's vulnerable within the network and within business operations so that organizational risk can be minimized.
For starters, I believe compliance and IT governance will continue to drive the momentum to test for information security vulnerabilities. Year after year, I still think it's interesting how otherwise successful business people only test their information security when government and industry order it done. It's too bad business risk isn't the major driver. But, hey, at least they know that testing must be done!
I especially think we'll see an increase in testing wireless networks, mobile devices and Web applications. That said, I think most tests will continue to be too high-level to be of any value.
We'll continue to see the "auditor checklists" that look at information controls from a passive perspective instead of actively ferreting out and exploiting vulnerabilities like the bad guys are going to do. Case in point: I had an executive at a financial institution tell me recently that his company's auditors tested their Web application for security holes and everything came up clean. Come to find out, what their auditors actually did was run a generic vulnerability scanning tool against the server -- not the Web application itself. So, in effect, no Web application-specific scanners were used and no manual poking and prodding around within the Web app was done to find vulnerabilities. No wonder everything came up clean! I'm confident that more of this same type of elementary security testing will continue in 2007, but I'll stay positive. At least something is being looked at!
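The gap in that anecdote, as an added example that is not part of the original column: the script below stands up a tiny in-process "web application" (constructed for this illustration, with one deliberately reflected parameter and one that leaks a fake database error) and runs two checks against it. The first does what a generic server scanner does, fingerprinting the service banner against a known-bad list (the list, the banner string and the URL paths are all assumed, not real advisories). The second sends probe payloads through the application's own parameters and looks at how they come back. The server-level check reports clean; the application-level check does not.

```python
"""Constructed illustration: a server-level scan versus an application-level probe.

Nothing here is real: a tiny in-process function stands in for the target web
application so the script runs offline, and the banner list is made up.
"""
import html
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# A response is (status, headers, body); the app is called with a path plus query string.
Response = Tuple[int, Dict[str, str], str]
App = Callable[[str], Response]

SERVER_BANNER = "Apache/2.2.3"  # assumed banner string; not a claim about that version

def toy_app(url: str) -> Response:
    """In-process stand-in for a web application (constructed for the example).

    /search?q=   reflects q into the page unencoded (deliberate reflected XSS)
    /item?id=    leaks a database parser error when the quotes in id are unbalanced
    /safe?q=     the same search page with output encoding applied
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    headers = {"Server": SERVER_BANNER, "Content-Type": "text/html"}
    if parts.path == "/search":
        return 200, headers, f"<h1>Results for {params.get('q', '')}</h1>"
    if parts.path == "/safe":
        return 200, headers, f"<h1>Results for {html.escape(params.get('q', ''), quote=True)}</h1>"
    if parts.path == "/item":
        if params.get("id", "").count("'") % 2:  # unbalanced quote: simulated DB error
            return 500, headers, "SQL syntax error near line 1"
        return 200, headers, "<p>item</p>"
    return 200, headers, "<p>welcome</p>"


# Constructed banner patterns; they stand in for a scanner's signature database.
KNOWN_BAD_BANNERS = [r"ExampleHTTPd/1\.", r"Apache/0\."]

def network_scan(app: App) -> List[str]:
    """What a generic server scanner does: fetch the front page and match the
    Server header against known-bad banners. It never touches the app's inputs."""
    _, headers, _ = app("/")
    banner = headers.get("Server", "")
    return [f"server banner matches {pat}: {banner}"
            for pat in KNOWN_BAD_BANNERS if re.match(pat, banner)]


# Canary that should never come back verbatim from a page that encodes output.
XSS_CANARY = "zq7'\"><zq7>"
SQL_PROBE = "1'"
SQL_ERROR_RE = re.compile(r"(sql syntax|syntax error|unclosed quotation)", re.I)

def app_scan(app: App, targets: List[Tuple[str, str]]) -> List[str]:
    """Application-level probe: push payloads through each (path, parameter)
    and judge the response, which is what the anecdote's auditors skipped."""
    findings = []
    for path, param in targets:
        _, _, body = app(f"{path}?{param}={quote(XSS_CANARY)}")
        if XSS_CANARY in body:  # reflected without encoding
            findings.append(f"{path}?{param}: input reflected unencoded (XSS)")
        status, _, body = app(f"{path}?{param}={quote(SQL_PROBE)}")
        if status >= 500 or SQL_ERROR_RE.search(body):
            findings.append(f"{path}?{param}: quote triggers database error ({status})")
    return findings


# Assumed entry points of the toy application.
TARGETS = [("/search", "q"), ("/item", "id"), ("/safe", "q")]

if __name__ == "__main__":
    print("server-level scan:", network_scan(toy_app) or "clean")
    for finding in app_scan(toy_app, TARGETS):
        print("application-level scan:", finding)
```

The two checks are deliberately tiny so the contrast is visible: `network_scan` only ever sees a banner, so it can report "clean" on an application full of holes, while `app_scan` finds the reflected input and the error leak because it exercises the parameters the application actually processes. A real assessment would also need manual work on logic, session handling and authorization that no canary string can cover.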
In 2007, in-depth information security testing will continue to focus on the technical aspects of software and systems rather than the people and operational issues of the business. The former is where the fancy exploits will be found (hence, the popular focus) and the latter is where the real weaknesses lie (what most managers and executives have yet to figure out). I do have hope, though, that business leaders will start to come around this New Year and support the testing of both sides of the security equation.
I also think a larger percentage of IT managers and executives will start to abandon the widespread practice of testing their information security once and assuming everything will be good for the next few years. They'll see that there is indeed value in periodic and ongoing security testing to root out new vulnerabilities and make sure their networks continue to be secure. Notice I said start to abandon. I'm guessing it'll take the next decade or longer before information security testing is actually treated as any other serious business program.
Finally, I believe source code analysis -- you know, finding the technical flaws where they start at the source code level -- will pick up some steam as well. The tools are maturing, developers are starting to get on board with security, and (most importantly) managers are starting to see the value of integrating information security at this point in the game.
Regardless of my predictions, one thing's for sure: Information security-related vulnerabilities aren't going away, and preventative technologies are only going to help so much. So now's the time -- more than ever before -- to develop a security testing schedule and methodology to help ensure your systems are safe and secure no matter what's to come in 2007.
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at firstname.lastname@example.org.