[WEB SECURITY] Top 5-ish Threats to Watch for in 2009

Pete Herzog lists at isecom.org
Sat Jan 3 14:16:08 EST 2009


For those of you not subscribed to the ISECOM News list, I sent this
out yesterday. Maybe it will give you a laugh. :)

Top 5-ish Threats to Watch for in 2009

1. This continuing trend to invest in the constant reminders of
assumed security best practices screamed at all levels and types of
workers across the work site will continue to eat away budgets,
prevent security professionals from actually enhancing security and
distract employees from working. This includes policy tidbits and
factoids for employees to see everywhere from posters in the bathroom
to mouse pad messages on their desks to screensaver quizzes they need
to answer prior to login.  Even organizations that eschew formal
security awareness for the more often seen "IT guy complaining about
security and stupid users to anyone who will listen" are also part of
this threat.  The security awareness threat will cause a loss of
productivity and cost of materials to businesses worldwide that will
most likely exceed the loss due to un-security-aware employee security
blunders. They'd be better off spending that time and money on user
controls, making security policies simpler so that they can be read by
normal people as a job contingent, enforcing accountability, and
formally certifying (pass a practical) employees who need to do secure

2. This year will continue the wonderful understanding of all the
how-to truths about security that other people post on their websites
and those will become part of the white papers, policies, classes,
documentation, and advice of all the other people who study security
through the search engine. Sorry, you may know it under its common
name, Best Practices. Yes, best practices are all those tidbits that
may or may not have worked for somebody else and now they too can be
yours without ever having to know why! Interestingly, while certain
"facts" about security have long been known, there are nearly no
sizable, formal studies which measure the best practices people are
encouraged or even mandated to apply. And if there is beauty in truth
then marvel at these gorgeous Best Practices:

    "Update your anti-virus every 8 hours"
    "Use a firewall in front of your network"
    "Lick the USB connector before inserting it"

Oh, and compliance is a collection of these best practices. Do what
everyone else says to do or be punished by your peers! Yay for the
capitalistic, democratic legal system! Less for more!

3. Can you tell how many flies are in your home by the number of dead
ones on your front doorstep?  If not then you're using the wrong
metrics.  Study from the masters- that's right, this new year more and
more people will learn metrics from anti-malware or intrusion
detection companies.  As security metrics steps away from being the
little helper in Risk Management to become a booming industry in
itself it needs to wear its big-boy pants (the ones that can hold the
fat wallet). So its status as a threat to business management,
procurement, security decision-making, and the bottom line has never
been higher. That means they want your money. Badly. That makes them
the same type of nasty threat you can expect from any aggressive yet
savvy televangelist- listen too long and you might be writing them checks.

To be fair, the security industry is trying really hard to get good
metrics but proper metrics are also labor intensive, require counting,
and other types of math beyond the average, disinterested, and
disillusioned security employee. Yes, just as measuring time requires
being able to read a clock, good metrics currently requires reading
security and controls. Watch for more digital watch equivalents in
2009. Unfortunately, like digital watches, it still won't assure that
people get there on time.

4. The vuln hunters are getting more and more afraid of the legal
aspect of their jobs and are neutering their releases so much that by
2010 "Full Disclosure" will be about as revealing as a hole filled
with dirt.  But the announcements will be juicier, more
enticing, and more exaggerated getting bigger headlines and bigger
sky-is-falling dance floor time. This of course will cause many people
who are neither lazy nor good security analysts a great deal of stress
and wasted resources reacting to the announcement. Maybe we'll see a
genius console game like "Disclosure Disco Revolution" where huge bug
headlines pop up and you have to tap dance around them while at the
same time stamping out bugs (so contact me for licensing arrangements).

5. Guess what you call a security professional who graduated at the
bottom of their class and with the bare minimum of security trivia
memorized for their professional certification?  A CERTIFIED SECURITY
PROFESSIONAL!! Ha ha? LOL? *ahem* Okay, well, this new year will usher
in a new batch of people who graduate from college as security
experts. Yes, with as little as 4 years of college experience, even
the English major can be a security professional just by memorizing
security stuff! This is STILL happening! And people are STILL buying
into it. But it's better than nothing, you say? Really? Seriously? In
the old days we had to know systems blindfolded and in the rain and
had to get our fingers filthy on keyboard grease before we even began
to get an idea of how to DO it right-- not KNOW it right*.

Not to get all crotchety-old-guy on ya, let me just say that we can
expect that in 2009 there will be more of the same-- people who don't
know what they're doing certified as professionals for what they know.
Sure, you might think this is good for people who work in fields that
require only security knowledge, like law, writing policies or white
papers, or blogging security gotchas for the masses but then maybe
that's just buyer's remorse kickin' in. No. Trivia, security or
otherwise, is okay for Game Shows and Reality TV but not for any kind
of security practice. It's not okay that your doctor only read the
medical textbooks. It's not okay that your legislation-drafter only
read about security. But this won't change. It'll get worse. Know why?
Because the people who write the legislation are already legislating
even more of their ilk get hired. Yay for the status quo!

* "right" in this case refers to a collection of experience-based
best practices backed by anecdotal evidence and the statistics of
small numbers which still may or may not make sense but worked in that
specific implementation.

5-ish part 1: We will continue to see the increased production of
websites and new web platforms that increase the speed and flexibility
with which organizations can communicate effectively with the world,
supporting products, creating communities, and delivering support
notices amid marketing propaganda. Then when we contact them for
support they will quickly and effectively send us a generic email
telling us to call them according to their inconvenient times in their
distant timezone. This growing trend to move support to a
quasi-unmonitored support channel will cost those organizations in
returns, future sales, and distribution channels. And it will cost
their customers in lost time, phone bills, and stress-related health care.

5-ish part 2: We will see that people still race around patching their
computers whenever the latest security flaw is found. Seriously? As
this practice continues I feel like I'm visiting the security
equivalent of Amish country. I think there will be more people in 2009
who don't install service packs, patch services, or use fancy
patch-management software because they white-list proper connectivity
and actually configure their systems and design their networks for
their intended use according to their environments. The witness
protection model** is out and the prisoner model is in. Then again,
maybe we'll see the rise of the Patch Management Professional.

** WPM works as long as the user follows the rules and there are no
anomalies, whereas the PM is designed to anticipate that the user is as
hostile as those whom the prisoner may interact with.

5-ish part 3: We will also need to worry more this year about an
increase of cyber "warfare" only because the Internet is really just a
road where there are no guard rails, licensed drivers, or inspected
vehicles and a whole lot of road rage. So any citizen of any country
can launch an international attack against the government of their
choice and incite an international incident. Sure, their country will
say, "They no work for us" (yes even the natively English speaking
ones will talk like that) and why should anyone believe them? This
worry will spawn a studio-backed movie by October 2009 and there will
be a close-up of Metasploit on a PDA and the voluptuous, accented
heroine will say words like "cantenna", "OSSTMM", and "Backtrack"
which will set the blogger world in a tizzy. (The tizzy coming from
people thinking she misspoke "awstim" for "awesome" and wondering what
she meant by following the AWESOME methodology. And I will cry.)

Bonus - the "Black Swan"

Here's the one that will pop out and take us all by surprise and
amass massive casualties: Obama will call to ask me my opinion
about security improvements for the U.S. and I will tell him the
"Terrible Truth" as it applies to America. Then, as the Germans say,
it's "Schluss mit lustig" (the fun is over). 2009 will become the year of the security
industry bail-out-- a cool trillion will go to feed security
awareness, antivirus and patch management hawksters as well as all the
others latched into the industry to re-invent themselves. And Firewall
people, remember when I promised to kill you last. I lied.


Now quit shaking your head and actually laugh will ya?! Some of this
may actually be sarcastic and in no way represents my views, the views
of my organization, or the future of our children. Satire is still
protected in many countries. I'll avoid the others.

Or maybe I speak the truth?

Happy 2009 to you all!


Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
