Not Another 2011 Security Predictions Post

Well, it’s that time of year again. I’m not talking about “vacation’s over and now we have to actually work” or the “let’s all resolve to exercise until Feb 1”. I’m talking about the annual tradition of making security predictions for the coming year. It seems that every year more companies use this time to look for problems in the upcoming year. Everyone says pretty much the same things: malware is going to get worse, mobile devices will be targeted, social media will be targeted, a big company that’s generally low on the radar will get hit big time, millions of dollars will be lost, cyberwar will knock us back to the stone age, and there’s a monster at the end of this post. (I may have made up the last two.)

It happens every year, and frankly, I’m tired of it. There’s little significantly different between 2011 and 2010, just like there was little different between 2010 and 2009, or any previous year. In fact, there are only two big trends that matter.

Big Trends

• Defenders will try to defend the best they can with limited resources.
• Attackers will try to attack the best they can with limited resources.

Of course, there are subtle effects as these trends play against one another. For example, if the defenders all invest in antimalware, the attackers will get better at writing malware. If the defenders all focus on monitoring their logs, the attackers will get better at hiding what they from the logs. It’s your classic arms race… with one exception. Every time the defenders put a defense in place, they lose resources and ever time an attacker wins, they gain resources. Sadly, this brings us to the two differences between 2010 and 2011.

Differences: 2010 and 2011

• The defenders will have fewer resources.
• The attackers have more resources.

See, every time an attacker successfully hits a business and steals half a million dollars, that’s half a million dollars that goes straight into attacking other businesses. As the successful attacks build upon one another, the attackers can build their infrastructure and fine tune their operation. Sadly, as time goes by, the defenders lose out. If they were successfully attacked, resources were either stolen directly or will be slowly leached away in terms of higher insurance premiums, lost customers and the like. If they were not successfully attacked, they often face the difficulty of explaining why they need still more resources when they have nothing to show for what they spent in the previous year.

So it appears as though the game is rigged. The attackers are going to win and the defenders are going to lose… right? Well, kinda. Fortunately, there is one single magic mitigating factor.

Magic Factor

• No two organizations are identical.

This, right here, is what is going to help the defenders. See, if you have two people defending their business and one person invests in security and the other one doesn’t, the attacker is going to go after the one that didn’t. Burglars only rob a house with the security system if there’s either some pretty fancy stuff in that house or if all the other houses have security systems. Lions and wolves go after the sick and the old in the herd. There’s less risk and therefore a greater potential reward for doing so. As the old story goes, if you’re hiking in the woods with a friend and are attacked by a bear, you don’t have to outrun the bear… just your friend.

The same thing applies to business. You don’t need to invest in every single security technology. Your office doesn’t have to look like the lair of a Bond villain. You don’t need your computer to read your fingerprint, scan your retina and get a drop of blood to log in. You just have to invest a little bit more and a little bit smarter than the average.

… which brings me to my security predictions of 2011.

• The majority of businesses will continue to under-invest in many aspects of their business, including security.
• Of the businesses that do invest, many will do so reactively and without proper analysis, in effect throwing good money after bad.
• A great many businesses will be breached… far more than we’d like, but by no means all of them.
• Some attackers are going to get rich and retire. Others will get caught. Those still at it will learn from others and get smarter about attacks.
• The handful of businesses that learn from one another and get smarter about defense will be in a much better position than those that do not.
• Many businesses will continue to believe themselves secure because they purchased a firewall/antimalware/magic box. Security is not bought, it is created day to day, month to month and year to year through intelligent investment and operations.

In short, the strong and smart will survive, the weak and lazy will not. It’s the way of the world.

Of course, those don’t help you to decide what to do, as we’ve still not discussed what “average” is. What do you need to do to be one better than your competitors? While I clearly can’t speak for your business specifically, in general…

• If you don’t have antimalware, get it and check it daily. – Malware is one of the prime tools in the attackers’ arsenals.
• If you don’t have web filtering, get it, tune it and check it weekly. – A shocking number of attacks come in via the web.
• If you don’t have antispam and email encryption, get it and check it monthly. – Email is right up there with web for attack vectors.
• If you’re not patching your systems, start and do it (at least) weekly. – If you’re not fixing your problems, it’s just too easy.
• If you’re not reviewing your logs, start or outsource it. – Most attacks show up in logs, but if you’re not looking you won’t see them.

There’s a lot more I could go into, like vulnerability assessments, security training, etc. However, if you’re not doing all five of these you’re behind the curve and are a prime target. Fix these first to buy the time to make the bigger changes.