Security in 2011: The best and worst case scenario

What will 2011 bring? SearchSecurity ANZ thought we’d make sure the security industry doesn’t settle for its usual predictions of gloom by asking some commentators for their best and worst case scenarios in the new year.

It’s nearly Christmas, which means it’s time to think about what might happen in 2011.

Here at SearchSecurity ANZ we decided we didn’t want the same-old same-old from the security industry, which as we all know loves to predict doom, gloom and hacker-led mayhem.

So instead, we asked some pundits for their best and worst case scenarios.

Let’s start with the …

Best Case Scenarios

Industry funds big bug bounties

Simon Sharwood, Editor, SearchSecurity ANZ

It is time, I believe, for industry to create a fund to properly reward those who discover new security flaws in software.

At present there’s little incentive for those who find flaws to play nicely: vendors often don’t listen attentively to researchers and the commercial upside that comes from exploiting a flaw is far greater for criminals than it is for researchers.

I therefore believe that software vendors should band together and create an entity that makes sure that the incentive for timely and honest reporting of a flaw is larger than the incentive to exploit it. This entity should also be supremely responsive: researchers we speak to wonder why vendors give them the brush-off when they find flaws, which hardly inspires confidence.

The software industry has shown it can band together - think of the BSA - so why can’t it do the same and create an organisation that doles out cash to those who find bugs?

The incentive on offer to honest researchers could result in higher levels of research and the discovery and repair of more flaws, perhaps thwarting this avenue of criminal attack.

Privacy law reform

Ian Farquhar, Senior Technical Consultant, RSA

The Federal Government introduces a national privacy policy, based on the extensive recommendations from the Australian Law Reform Commission Report 108. This would give both individuals and businesses certainty around privacy in Australia. Individuals would have confidence that their data is being protected by the companies they entrust it with. Companies could invest against a consistent, national framework, which would replace the existing, confusing patchwork of privacy law and regulation.

Consumers demand better mobile security

John Kendall, National Security Program Director, Unisys Asia Pacific

Consumers demand (and manufacturers provide) biometrics and geographic-based protection for mobile devices, resulting in significantly greater and safer use of mobile devices for a new range of applications. As a result, corporations and other organisations embrace these new secure mobile devices and integrate the security features into their enterprise security infrastructure. Productivity soars and the resulting efficiencies enable greater investment in technologies and services – catapulting the economy and boosting both consumer and investor confidence.

ISP reform, international cyber-crime collaboration

Ted Egan, CEO of TrustDefender

Ted offered three elements of a best-case scenario:

  1. Remove the financial benefits for ISPs to earn money from online fraudulent activity, including the situation where malware adopts unsecured devices to perpetuate online attacks (such as the opportunity or incidence where ISPs take advantage of generating revenue via internet bandwidth and domain registration).
  2. Worldwide accepted legislation for ALL countries to work together in a cohesive relationship, whereby they develop effective structures of international e-crime police to tackle perpetrators of online crime and the development of online criminal tools. The world needs to get serious about online crime as the ease with which criminals can attack or bring down critical infrastructure or business is increasing every day. This is a specific area where governments and banks, for example, cannot keep up with the innovation of criminals and miscreants but should be reaching out to the innovative companies in their countries, state or region to ensure they have their fingers on the best innovative technologies.
  3. Online businesses actually incorporate technologies that:
    • identify malicious activity which operates on endpoint/customer computers/mobile devices and runs in the memory of computing devices or mobile devices (especially as more and more people adopt mobile computing devices – iPhone, Android, etc.)
    • inform the customer/user that their computing device or mobile device has been compromised (before the user begins transacting or compromises their own private and confidential details)
    • actively do something about the potential threat in real-time to protect the customers' details and the companies themselves
    • enable the device to be secured immediately but give the user time to fix the problem later

  These requirements will be more obvious and needed as business and governments move to adopt cloud computing solutions.

The resurgence of auditing

Matthew Johnston, APAC Director of Product Management, Quest Software

There will be a shift in focus towards making organisations comply through audit, which means greater accountability to the business and its stakeholders. What this means is better processes, greater efficiency and ultimately a better bottom line.

Worst case scenarios

The resurgence of auditing

Matthew Johnston, APAC Director of Product Management, Quest Software

The need to 'get things right' because they know it will be checked will place increased pressure on organisations. This may lead to the downfall of some businesses as they struggle to quickly put in procedures or simply don't have the resources to keep up.

Stuxnet becomes old hat

Simon Sharwood, Editor, SearchSecurity ANZ

I’m generally pretty sceptical about the security industry’s claims: in what year have cyber criminals not become more sophisticated and determined?

But then I read a detailed analysis of Stuxnet.

It was one scary piece of malware. Not only did it attack three zero-day bugs, it seems to have been devised to attack a specific target after someone physically uploaded the software to the target computer. That means it was written by someone with a lot of resources.

I expect that Stuxnet will remain a standout but a worst-case scenario for 2011 would see this malware recede into ordinariness, with new attacks displaying even more sophistication and hinting at even deeper-pocketed and well-staffed backers.

Five threats are realised

Ted Egan, CEO of TrustDefender

  1. An efficient algorithm is found for factorisation and everybody can break key technologies, e.g. SSL, encryption, protections we have previously thought secure - this is mathematically possible.
  2. Key social websites' databases, such as Facebook's, get sent to WikiLeaks, as this will expose the email, password and mobile phone numbers of 500+ million people.
  3. Browsers, Windows, Mac and widely used programs such as PDF readers continue to be full of bugs.
  4. Scenarios where high profile events such as WikiLeaks, ill-informed media scare tactics or targeted criminal activities convince business and government that data in the ‘Cloud’ cannot be truly secured – and business / governments fail to actively identify solutions/technology or actively adopt new innovations which can secure mobile devices, computers and data at the edge of the cloud or within the cloud.
  5. ‘Man-in-the-Mobile’ malware achieves the level of growth and distribution that hinders the current speed of mobile service adoption worldwide (i.e. adoption of mobile banking, online purchases via the mobile, etc.)

Business ignores cloud security

Ian Farquhar, Senior Technical Consultant, RSA

Businesses fail to see that virtualized infrastructure can be as (if not more) secure than physical infrastructure, due to the presence of security controls at the hypervisor layers. Preventing the deployment of far more cost-effective private and public cloud solutions will lead to higher operational costs, which will have a negative effect on business.
