Top Security Stories of the Year?
On Wednesday, I’ll be joining a podcast to discuss “top security stories of the year.”
I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?
(I posted this on Emergent Chaos, but forgot to post it here.)
I’ll offer two “quiet” stories. I call them “quiet” because they didn’t generate any headlines or publicity. They are based on judgment and opinion, and less on hard facts, but they aren’t pure conjecture, either.
1) “Antivirus is Not Enough – With the rise of polymorphic threats and the explosion of unique malware variants in 2009, the industry is quickly realizing that traditional approaches to antivirus, both file signatures and heuristic/behavioral capabilities, are not enough to protect against today’s threats. We have reached an inflection point where new malicious programs are actually being created at a higher rate than good programs. As such, we have also reached a point where it no longer makes sense to focus solely on analyzing malware.” From MessageLabs/Symantec http://www.messagelabs.co.uk/resources/blog.aspx?link=http://www.symantec.com/connect/node/1093531 [link no longer works]
2) “…we are adopting technology at a rate far faster than we can secure it.” http://fasthorizon.blogspot.com/2009/11/not-kind-not-gentle-turn-of-decade-in.html
“‘The thing is that I think we’re advancing too quickly for our own good,’ he said. He argues that new information technologies, online services and so on are being brought to market without enough thought about the security risks and how to address them.” Michael Calce – better known as Mafiaboy, quoted here: http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=52888
“we adopt technology at a rate faster than we can secure it. […] New technologies arrive into the enterprise at a rate that far exceeds the rate at which companies fix existing unsecure components.” https://www.rootkit.com/newsread_print.php?newsid=886 [link no longer works]
These developments represent a fundamental shift in the attacker/defender power balance, not for the good, either.
No cybersecurity tsar for the Obama administration?
One more suggested story: institutionalization and professionalization of cyber crime = permanent parasitic infection in cyber space.
See:
“Global Illicit Economy” video: http://video.google.com/videoplay?docid=3173247273890946684#
Schneier blog on that video: http://www.schneier.com/blog/archives/2009/09/the_global_illi.html
Marc Maiffret podcast interview: http://threatpost.com/en_us/blogs/marc-maiffret-modern-malware-code-red-and-state-security-research-121009
Gene Spafford’s comments: http://threatpost.com/en_us/blogs/qa-eugene-spafford-121409
“Think about it in the context of the Mexican drug problem. A couple of years ago, Mexico didn’t have much of a problem because all of the drugs were going north and Mexico was just a conduit. Now, their whole police structure is compromised. They’re bringing in the army. They’re staging gun battles in the streets with drug gangs. They just allowed it to go on too long. And that’s a worry that many of us have [about cybercrime]. The problem is that you’re institutionalizing it and allowing a criminal element to get established. How far away might we be from a criminal group extorting a government for money? Who would be responsible for responding?…”