Republished with permission from WatchGuard Technologies, Inc.

Future Internet Security: Predictions, Wishes

by David M. Piscitello, President, Core Competence, Inc.

We are now four years into the new millennium, and network security doesn't feel very "twenty-first century." In fact, nearly all the problems we struggled to solve last millennium haunt us still: viruses and worms, spam, denials of service, Trojans, rootkits, cross-site scripting, flawed software and protocols, and so on.

We get an extra day in 2004. Let's begin the year optimistically and imagine that all those vested in advancing the state of Internet security will use the extra day wisely. WatchGuard asked me to speculate on exactly what "wisely" might be, so here are my predictions for what we might expect (or hope) to see in the near future of security.

#1. Rapid miniaturization and integration of hardware firewalls into network interfaces. The strategy of defense in depth will mature beyond personal firewall software on clients and "prophylactic" software on servers, to hardware firewalls on clients as well as servers. Form factors for these firewalls will evolve from "dongles" to network interfaces, and ultimately, to chip-level integration on systems. The driver for this evolution will be performance rather than security. As we begin to deploy more interactive and latency-sensitive applications like Voice over IP and HDTV-quality streaming video, software firewalls will impede performance. Since administrators can almost always justify investments in performance, they'll be able to piggyback security improvements in the process. Since we'll have an easier task assigning and protecting digital certificates at the hardware level, we may finally begin to shed at least one level of password use.

#2. Evolution of security from a reactive methodology to a proactive one. Organizations will tire of the "cat and mouse" style of protecting networks and systems, and realize that directing the preponderance of funds to intrusion detection and blocking technologies is a self-fulfilling prophecy: if you choose to play this game, you'll always find willing adversaries. Instead, vulnerability assessment and mitigation will become more mainstream, and the security mantra for 2004 and beyond will be, "Eliminate the damn problem at the root cause, and be done with it!" Organizations will adopt better processes for software maintenance and security policy implementation. Investment capital will flow to companies developing innovative methods to centralize security policy definition, patch management and change control. Initially, products in this space will fall somewhat shy of expectation, but they will improve over time.

#3. The confluence of networked computing and home entertainment will stimulate investments in security. As consumers adopt products that integrate computers, broadband networks, and entertainment systems, home networks will become targets for attacker mischief. Think about an incident where a home is hacked, and the hard drive inside the ReplayTV/TiVo is used to host a kiddie porn site. Now imagine an incident where a smart home is hacked, and the homeowner's video monitoring equipment is turned on the occupants, then broadcast over the 'net. A few highly publicized incidents of this nature can erode consumer spending in what is expected to be a multi-billion dollar growth industry. Vendors will be forced to improve security to preserve the consumer/entertainment market opportunity, which is too lucrative to let slip away because of sloppy code.

#4. Hacking (cracking) will lose its glamour and newsworthiness. Perhaps this is a wish rather than a prediction. History tells us that the media and the entertainment industry have short attention spans, and even shorter love affairs. Hackers (and hopefully, reality TV) will lose their appeal, because the "cool" hackers of the 80s who attacked faceless megacorporations have been replaced by common thieves, who steal identities and bank accounts of people we know. As popular sentiment turns, the press, TV, and movie producers will instead launch a campaign to eliminate hacking. TV shows of the CSI and Law & Order ilk will offer us drop-dead gorgeous babes and buff guys in the roles of ultimate anti-hackers, tirelessly pursuing and apprehending pimply, anti-social, totally unlikable cracker-characters.

#5. A legal definition of "industry best security practices" will emerge from landmark and test cases. This is the closest thing to a "can't miss prediction" I can offer. Attorneys will prosper as organizations seek civil damages, not from the crackers, but from other organizations that fail to meet said best practices. Vendors whose products are demonstrated to fall short of prudent and satisfactory development and qualification practices will be targets as well. Attorneys are even more aggressive than capital investment firms in ferreting out new revenue streams, and the combined impacts of Predictions 3 and 4 are a green field of opportunity. It will be interesting to see how technology lobbyists fare in the inevitable political battles over what constitutes "best practices."

#6. The insurance industry will offset losses resulting from terrorist attacks and natural disasters through premiums for computer and network liability. This is a direct consequence of Prediction 5. The threat of civil litigation and runaway compensatory damage awards will provide insurers with a desperately needed revenue stream. Organizations and individuals alike will purchase security liability insurance to protect themselves. Think how twisted this is: as a consumer, I have to buy insurance to protect myself from being sued because the computer in my home was used in the commission of a crime, and I'm at fault because I didn't secure it according to industry best practices. Is this really that farfetched?

#7. A Software Underwriters' Laboratories will emerge from the rubble. Everyone will conclude that an independent laboratory, dedicated to the review and assessment of source code, is essential to promoting and sustaining consumer confidence. Software manufacturers will raise their standards for the competitive advantage of earning this "seal of quality" on their products. In parallel, ISO 9xxx and other international standards will emerge for large organizations. This will spark research and innovation in programming language development and source code evaluation techniques. Products will mature, and we'll finally put an end to buffer overflows, underruns, and patches that break what they should fix.... Admittedly, this one's a stretch....

You may have noticed that few of my speculations describe technological innovations. This is intentional. The biggest problems security faces are social, not technological. Consider a medical analogy. A physician examines a patient with flu symptoms. Following a thorough examination, she advises the patient that he also suffers from hypertension, obesity, and early-onset diabetes. The physician doesn't recommend that the patient seal himself in a bubble suit and obsessively monitor his vital signs, but instead emphasizes rest, diet, exercise, moderation, and stress management. We need to begin to think in a similarly holistic way about security. We can't really build a bubble around our network, but we can propagate smart practices. With any luck, many influences will converge and convince us to do so.

Give Me More Dave!

If you enjoy Dave's insights, be sure to visit his excellent blog. WatchGuard retains him to comment only on certain topics. Dave's blog offers a more unleashed, freewheeling version of Dave that is always worth a read. Check it out at http://www.securityskeptic.com/weblogindex.htm.

Dave's company, Core Competence, also publishes an e-newsletter that steers you to newly published writings on computer security. For a free subscription to Cornerstone, visit http://www.corecom.com/html/cornerstone.html.

Copyright© 2004, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.