Perfect Ten: Truth and Prognostication

‘Tis the season to compile lists. Not just for the security industry of course: anyone whose job includes a PR dimension has learned by now that the reading public loves a top ten (or top five), a prediction post, or preferably a combination of the two. At any rate, the media do frequently publish such lists, and presumably that enthusiasm is inspired by sound research into what the public wants. A great deal of organizational PR depends on giving the media what they want, and good PR is vitally important to many industries.

So experts (or, as the media sometimes prefer to refer to us when they don’t like our opinions, so-called experts) find themselves reminded at this time of year that an element of soothsaying is implicit in their job descriptions, and that the number ten seems to have a particular significance to human beings – the Ten Commandments, the base 10 (decimal system), the metric system, the ten plagues of Egypt recounted in Exodus, the ten Sefirot of the Kabbalah, and so on.

The Unbearable Triteness of Listing

Sadly, I haven’t attempted a top ten of anything to mark the end of 2010. Instead, I’m going to focus on security and prognostication (OK, soothsaying...)

A Cure for Sooth Ache

Soothsaying is an interesting word in this context: it conjures up images of crystal balls and palm-reading rather than the dry facts and proven (or at least testable) conjectures. Of course, it’s in the world of facts that those of us whose backgrounds are in scientific research are most comfortable. Etymologically, however, it’s a different story: sooth is actually an archaic term for truth, and while most security researchers now avoid the use of animal sacrifice and prefer to use various kinds of analysis (textual, statistical, forensic) rather than reading runes or tarot cards, we’ve become accustomed to looking back in order to look forward, extrapolating from past events in order to predict the future.

Magic Numbers

Leaving aside the faintly disquieting echo of Orwell’s Ministry of Truth, it was at this point in drafting this article that I stumbled upon a post by Kurt Wismer called “expectations for 2011 and beyond” – disregarding the shift key is one of Kurt’s endearing idiosyncrasies, and you shouldn’t let it distract you from seeing the sense of what he says. Kurt knows a great deal more about security and malware than most, and his sometimes astringent observations on the industry are usually instructive. In this blog post he didn’t resist listing five influencers on attack strategies (and I’m pretty much in agreement with the model he uses: I recommend that you take a look), but he also observed that he can’t imagine “being full enough of myself to actually try to prognosticate on what the future might bring.”

As you might gather from my first paragraph, I have a lot of sympathy with that viewpoint – why set yourself up to be jeered at when you get something wrong, as even a Schneier or Spafford will from time to time? – but I don’t altogether agree with it. Security prognostication isn’t science: it’s more like science fiction, and classic science fiction isn’t about the future, but the present. A view of the future refracted through today’s trends may be through a glass darkly, but it’s not valueless.

Leaves from a Binary Tree

Research teams are often focused on the binary content of malicious files, but less so than the AV research labs that maintain scanner products. While product maintenance is one of the core functions of an AV company, the threat trends that underpin binary content are just as important and, for most people, more interesting. Security researchers from around the world have pooled their resources into end-of-year reports that look back at 2010 and predict what’s coming next year. But I’d like to kick off my article-writing schedule for 2011 with a thought on the state of the industry that arose from an informal chat I had with one of my colleagues in the Netherlands.

Ports in a Storm

The consumer and business markets were never as far apart as we assume. In fact, twenty years ago many had to do their personal internet business at work – personal ethics and acceptable use policies permitting – because of the costs and unreliability of home connections. Clearly, the explosion in broadband connectivity has made a huge difference. Home connections are orders of magnitude cheaper, faster and more reliable, yet people still mix business and home activity, and any incautious or inappropriate behaviour is a risk to the business that employs them. At the same time, users are exposed to the risk of disciplinary action, and indeed to many other dangers if the employer doesn’t protect its business as well as they might assume.

Anti-Social Media

One such challenge now is that the same messaging and social media that expose home users to risk are used in corporate contexts too, so that obvious “problem” ports and services may no longer be blocked. Sites that lock down user privileges and still maintain tight control over incoming/outgoing services are at a security advantage, but it’s often hard to maintain business processes in a rigid environment.

The security industry is often dismissive of education and policy, though putting together clear Acceptable Use Policies and (just as importantly) educating the end user on how to observe them and why they’re there in the first place is actually reasonably successful. But they’re no panacea. Unfortunately, I don’t think there is one.

Very few of the constraints that apply in a scrupulously-secured environment apply to the home user. Far too many of them run as administrator, and while there is the occasional “walled garden” initiative that requires them to work from a clean system in order to access ISP or other services, that’s an exception rather than a rule. Home users may not be aware of the service provider policies to which they’re subject, and even if they’re interested in improving their individual security posture, there’s a whole range of good, bad and indifferent security resources available to them: whether they hit on a competent resource is largely a matter of luck.

David Harley CITP FBCS CISSP is Research Fellow and Director of Malware Intelligence at ESET LLC , Chief Operations Officer at AVIEN, and on the Board of directors of AMTSO. He is a prolific blogger and author of security-focused conference papers and articles. His books include “Viruses Revealed” (Osborne/McGraw-Hill) and the “AVIEN Malware Defense Guide” (Syngress.) He joined ESET's Research team in January 2008 as Research Author, and was appointed Director of Malware Intelligence in August 2008.