Security issues will always exist 
At a recent tech show I was asked a question as to what I think the future trends will be in security. I think that security will always be an issue for a number of different reasons. First one of the key features of computers is also one of their downfalls when it comes to preventing malware from running on a computer. Computers are flexible and are meant to run programs, and on top of that programs one person runs are likely very different from the programs another person runs, so the idea of determining what good software is pretty well impossible. While digital certificates and signing code add to the level of user confidence in a program there is no way to programmatically determine that software is not malware. For example typically how anti-malware detection software works is to look for some known code signature within the program, which while effective means the malware author has period of time before the malware is discovered, analyzed and signatures generated and distributed, and often this period of time is sufficient for the malware to generate favorable results from the malware authors perspective. So what Iím driving at is malware will never totally disappear, sorry to say.

Now if we look at trends within attack vectors we see that some vendors have made great strides in securing their software. For example Microsoft has done a very good job at securing their operating systems, in that we have not see a purely technical attack in a very long time (Sasser I believe was the last major worm of this type) By technical attack I mean exploiting a vulnerability which exists in the OS and only requires the vulnerable system be connected directly to the internet, it requires zero user interaction (other then the user doesnít patch their system). All global attacks we have seen lately requires some form of user interaction, to click on the attachment, go to some web site, fall for some phishing scheme, etc. Our inability to fix or otherwise totally education users and human nature is another reason why security issues will never disappear in that users are just to easy to exploit. A good social engineering attack is always easier and better then a good technical attack.

Since the OS has become much harder to exploit one trend that is on the increase is the number of attacks which focus on third party software or on internally developed software. Very few companies have invested in training their developers in secure coding practices or have made security a fundamental consideration in every phase of software development. The unfortunate result of this is most companies develop software which is full of potential exploits like SQL or script injection, cross scripting, privilege/authentication issues, canonicalization, etc. The list is almost endless and far to many corporations are vulnerable to far to many of these types of attacks, so until corporations and third party developers start investing in secure code by design and development, their security issues will never go away.

New technologies and practices are always a source of new exploits. For example wireless networks continue to be a security issue and despite the progress of secure protocols such as WPA, far too many wireless networks remain unsecured. Things like home or otherwise remote workers can have huge impact on security. We live in a world of constant change both in technology and human issues, and where there is change there is opportunities for security exploits.

Hacking itself has changed radically over the years, and given it has evolved far beyond a mere curiosity or hobby to become a very profitable business, security issues will not go quietly into the good night but will be exploited in every fashion possible which will benefit the black hats. If nothing else as security gets better, hackers have gotten better, and more creative. Certainly the advantage belongs to the black hats as typically security is a Ďreactioní based process (it typically hasnít matured beyond being reactive yet), so black hats still sit back and pick apart software, processes, etc looking for vulnerabilities to exploit and white hats try to keep up with patching code etc. Certainly the secure by design and development helps reduce the number of vulnerabilities and layered security minimizes their impact but we still large depend on reactive process to secure systems.

Microsoftís Vista presents some very interesting changes in the concept of security, and while I very much like Vista and think it represents a huge step forward in security, it also presents some interesting challenges to both users and corporations. Vista is not only a very secure OS, but it can treat data in a very secure fashion and for the first time corporations can have the security they have always dreamed of, but I sometimes wonder if they find instead that their dreams are in fact too restrictive. So certainly for the first time corporations will have to confront security not just at a systems level, but on other levels as well. For example they will really have to think their processes through and find that balance between security, productivity, creativity and user involvement. This is totally new terrain to most corporations and will no doubt take companies a very long time to figure out what to do and while they are evolving there will be security issues. I very much look forward to the release of Vista and seeing the impact it has on security as I think it will be substantial, but yet very interesting in that it will create a number of new issues we havenít even considered yet.

So are we winning the so called war of security, I think so, but I donít think itís truly possible to fully win this war and security issues will remain with us forever.


Blake

[ view entry ] ( 265 views )   |  permalink  |  $star_image$star_image$star_image$star_image$star_image ( 3 / 439 )

<<First <Back | 1 | 2 | 3 | 4 | 5 | Next> Last>>