Infosec Crystal Ball 2011

It seems a popular topic as we come towards the end of 2010. What will be the top 5 security trends / events for 2011?

  • Growth of tablet and mobile security - as more and more iPads are sold, we eagerly await the iPad mark 2, a million Android tablets will launch in Q1 2011, along with the Playbook from RIM (terrible name) and no doubt some Windows, MeeGo and HP tablets too. These are being used more and more in the enterprise, and a few big companies have piloted iPhones and Android phones. Securing these devices will become more of a priority, probably after a major data loss incident and the fine that follows it. Designs like this to secure these devices and the connecting infrastructure will gain importance and start to be implemented.

  • Near Field Communications - NFC is a growing field, with the new Android phone supporting NFC (Apple can't be far behind), Visa and Mastercard launching mobile programs and banks like Citibank piloting mobile payment. It would be cool to see some NFC security attacks at Blackhat next year. I'll be the first to admit I know very little about NFC security, but I will be doing some reading on it over the cold winter. If you work in infosec I would suggest you do the same.

  • Cloud security standardization - the process has to start somewhere. There is some really good work being done by the Cloud Security Alliance. Their standard due diligence questionnaire makes a lot of sense: what is the point of the agility of cloud computing if it takes you 3 months and 5 FTE to do your security due diligence before you can start using the services? Hopefully cloud providers will take the initiative and complete this questionnaire, then get it signed off by some independent auditor, and everyone can quickly compare apples to apples. It should be as easy as choosing and switching an electricity provider is today.

  • Data loss and DDOS - as we all know in security: incidents = funding. Wikileaks has been the major news story of the past few weeks, so no doubt there will be some reaction to that. Governments around the world in particular will be focusing on how they reduce data loss. The US government recently banned USB devices to reduce the risk of leaks via removable media. No doubt major vendors like RSA and Symantec will continue a roaring trade in DLP software. It will be interesting to see how this software evolves, for example how Symantec integrates their purchase of PGP into their Vontu product, and whether RSA continues with DRM integration. Corporations, especially those that rely on their web presence for direct revenue, should take notice of how easy and effective 4chan and supporters of Wikileaks have been at DDOS attacks. A site being down for even 2-3 hours could mean a lot of financial and brand damage. A knee-jerk signup for some DDOS protection services, and hopefully some thought about an architecture that can absorb DDOS attacks, should result.

  • Stuxnet 2.0 - it would be interesting if we discovered another Stuxnet, perhaps targeting North Korea or Iran again. If it was the West (a combination of the US, Germany and Israel, the studies say) and you had assembled a crack team and found success with Stuxnet, why wouldn't you continue? A counter attack against the West could also be possible... could Iran or North Korea put something together? Hard to believe that China could not, or has not already. On the Advanced Persistent Threat (APT) front, Zeus 2.0 is also possible, increasingly showing how useless standard antivirus is and how we need to start moving to fully thin clients and/or application white-listing on endpoints and servers as a standard. Whether Intel integrates any security from their purchase of McAfee will also be an interesting development in the battle against malware.

That's it! I do promise to come back next year and see if any of these came true, or whether my ability to predict the future has proven as hopelessly inadequate as my betting account is showing this year. The above no doubt places too much emphasis on continuations of what has come this year and not enough on what will completely surprise us next year: Rumsfeld's famous unknown unknowns, or Taleb's Black Swans.

If you have been reading my posts, thanks! You will see it started really well in July, when I had two weeks between contracts to do some writing and quite a lot of lessons learned to write about, and has slowly been tapering off as I have got busier. I have really enjoyed writing this year though and starting this blog; I hope you have enjoyed reading it and got something out of it. Season's greetings, and I hope you have a very enjoyable, relaxing and safe holiday! See you in the new year! Subscribe to the RSS feed or follow me on Twitter if you simply want an alert on new posts.

Some other good crystal ball gazing for 2011:
If you like your infosec news, two great sources I found this year:
