In 2004, information security professionals will experience more of the darker side of human behavior, but organizations will also take more control over their network and computing infrastructures, particularly end-user systems.
Here are my predictions on what to expect in information security in the new year.
Spam operators are getting more creative in their efforts to get around spam filters. R.a..n,d,o.,m p,u,,n,c.t,,u_a.t.1..0.n makes it nearly impossible to block spam messages by filtering keywords. Operators are changing to graphics interchange format images with no searchable text. Some spammers send in encoded formats, like Base64, to circumvent keyword filters altogether, and relay through IP addresses that have no Domain Name System domains associated with them. These recent developments are challenging spam-filter vendors and frustrating users.
More organizations will quantify the productivity losses and processing costs incurred by spam. Increasingly, IT security departments will be saddled with solving the problem, since it's a content management issue.
Consumer and office-worker definitions of spam will shift, thanks to the capabilities found on desktop spam-control products. Spam, once the domain of unsolicited junk e-mail, will become plain unwanted e-mail. Mail I requested last week is spam this week. A worker who subscribes to a mailing list in January will no longer want it in April. It will be easier to mark the message as spam than it will be to unsubscribe to the list. The messages will keep on flowing -- at the user's request -- but will be blocked before the user sees it.
Internet access filtering
Speaking of productivity, larger organizations will get more serious about managing and filtering employee access to Internet Web sites. Three justifications will dominate: productivity, security and legal liability. I'll explain these in more detail.
There have been a handful of sexual harassment lawsuits filed by employees who happen to see their colleagues surfing porn sites at work. Employees sue the employer for the distress of seeing these images and for the employers' failure to do anything about it.
Enterprises will begin to clamp down on users' ability to install software and make other configuration changes to their desktop systems. Windows 2000 had this capability, but thanks to the relatively uncontrollable Windows 95 and 98 platforms, users are accustomed to "owning" their desktop/laptop systems, with the ability to make systems configuration changes and install, update or remove software at will.
Unpopular as it will be, this has to change if IT is to regain control of its environment. A sizable portion of IT help desk call volume is associated with "power" users misconfiguring their systems and the problems brought about by non-IT-approved software. As a result, fewer users will have administrator privileges on their systems.
You may ask, what does desktop management have to do with security? An environment that lacks integrity (such as one where PC users are able to make configuration changes at will) will suffer a corresponding reduction in security because users' changes will sometimes make their workstations more vulnerable, and in other cases, user changes may be downright malicious.
Thanks to Blaster, Nachi and perhaps another worm in the final weeks of 2003, personal firewall software on end-user systems will finally get traction. Many companies found that these worms got into their networks via infected laptops that didn't have firewall software. The laptops became infected when connected to the Internet at home, where there was no firewall to protect them.
Senior managers who want to keep their jobs by avoiding a repeat of 2003 are funding enterprisewide personal firewall deployments. Now let's hope that they will be able to effectively manage them and still retain the ability to manage the PCs.
Tools that scrub metadata (change history, hidden text, undo information, internal routing memos and so on) will enjoy wider use. In 2004 or 2005, Microsoft will add a scrub feature to Word, Excel, PowerPoint and other software, perhaps by acquiring a leading third-party tool in 2004.
USB flash drives
One or more major companies will attempt to ban the use of Universal Serial Bus flash drives on the grounds that unscrupulous employees are using them to leak proprietary information. The result will be embarrassing, negative publicity for a policy that's ineffective in the first place.
Seriously, though, this is a problem for organizations. Many will begin to understand that the problem isn't with the technology, it's with the people!
There will be at least one well-publicized break-in to a corporate Wi-Fi network. The cause of this attack will either be because the network was supported by IT but poorly protected, or a rogue access point was installed by an unauthorized employee. Regardless, the incident will shed light on this still-neglected vulnerability and spur companies into action.
The same people who hack computers, send spam, make Pringle-can antennas, and drive funny cars will discover Bluetooth and begin to experiment with its uses and abuses. Negative publicity may cause Bluetooth to go back to the drawing board. Does any of this sound familiar? Will hackers build high-gain Bluetooth antennas from discarded ChapStick dispensers? And what will Bluetooth hacking be called? War nibbling? "Bluejacking?" Why someone would want to carry out such acts within six feet of a potential victim is beyond me, but people with too much time on their hands will figure this out, you can be sure of it.
Mobile phone hacking
Mobile phones are acting a lot more like wireless data terminals with very lightweight operating systems. We're building another monoculture, this time on almost-free devices that may outnumber PCs in a couple of years. Perhaps in 2004, we'll see more malicious code attacks than in years past.
Internet-based instant messaging services by America Online Inc., MSN and Yahoo Inc. are in wide use inside large corporations whose IT departments may be unaware of the extent of IM use and are unable or unwilling to stop it. In most cases, corporate IT has no centralized control over IM. But the greatest concern should be that corporate messages sent via IM are traversing the Internet with no encryption. Any eavesdropper can see all of the messages flying by. I think that there will be at least one well-publicized incident wherein a hacker publicizes big-company proprietary information sent via IM.
Public utility break-in
Many public utilities have connected their SCADA infrastructure to the Internet. It must have seemed like a good idea at the time. SCADA stands for Supervisory Control and Data Acquisition. It's the mechanism that utilities use to monitor and control substations, water systems and power plants. I think that in 2004, a break-in to a public utility's SCADA system will be publicized.
The U.S. Federal Bureau of Investigation and the U.S. Secret Service have made tremendous progress in their ability to track down and apprehend cybercriminals. Cooperation through public/private partnerships such as InfraGard will likewise improve. Those of us on the good side of security have a vested interest in the success of these efforts.
We're already seeing this in Eastern Europe, South America and Southeast Asia: Gangs of hackers extort money from Web site operators and Internet service providers that are unable to defend themselves from denial-of-service attacks. Sadly, we're sure to see an increase in this sort of activity. Hacking for "protection money" and other sources of revenue will become a big business synonymous with drug and credit card trafficking.
Someday, in 2004 or beyond, I think we'll see standard language incorporated into many of the standard treaties between countries that will make it easier to identify and apprehend cybercriminals. Today, it's far too easy for these perpetrators to hide themselves in countries unwilling or unable to ferret them out.
Shorter time to exploitation
This is a fancy term that refers to the length of time (previously measured in calendar quarters, now measured in days or hours) it takes for hackers to build proof-of-concept worms or viruses that exploit recently announced Microsoft (and other vendors') security vulnerabilities.
No kidding, you are probably thinking, everyone knows this. But I have placed this section immediately following organized crime for a reason. I dare say Microsoft recognized this when it developed its Anti-Virus Reward Program. The company is simply balancing the profit motive in order to even the score.
There are three themes that I hope you've picked up on before getting to this paragraph. First, it's not necessarily a good idea to connect something to the Internet just because you can. Second, whenever a new technology comes out, its developers generally do a poor job of designing security into it, but we embrace it anyway. And third, whenever a new technology is available to do good things, there's always someone who figures out how to do something bad with it that the rest of us never thought of.
Peter H. Gregory, CISSP, CISA, is an information technology and security consultant, a freelance writer and an author of several books, including Solaris Security, Enterprise Information Security, and CISSP for Dummies. As a consultant he provides strategic technology and security services to small and large businesses.