McAfee recently released their security predictions for 2007 (here), in which they predict that hackers will target MPEG as a means to distribute malware. This is probably the only new thing; the rest of the predictions are yawners. Yours truly has talked to several journalists about McAfee's predictions and the threat, for example (here). A potentially scary scenario would be malware injected inside a video feed sent to a wireless device, with rapid propagation and a damaging payload. YouTube over Verizon would provide a suitable infrastructure for a new wave of malware (here) – the AV vendors would love that, a whole new class of devices to save their dying cash cow. Hopefully we will be smart enough to force the wireless carriers to provide security in the cloud, where it should be.
There is an issue far more important than a new vector for malware distribution, though. We have been controlled by reactive security for long enough: drop in a new box, deploy a new prevention mechanism to deal with new threats, as opposed to really improving our security posture. Mobile, IM, and VoIP are all areas that security vendors pushed us to spend on in 2005-2006, using fear, uncertainty and doubt as the motivator. The reality is that most organizations that spent security dollars in these areas probably did little to improve their security in the long run and forced themselves to remain in that reactive security mode.
As we enter 2007 we need to embrace security as an important aspect of running a business, not just an afterthought. We need to transition from reactive (drop in a new technology and pray) to proactive measures that require a more balanced approach and a focus on pre-incident processes and technologies. Patch and vulnerability management, although still important, becomes eclipsed by security configuration management – that is, deploying devices with security in mind and against a security baseline, as opposed to waiting around for Patch Tuesday to work on your Windows boxen. Incident response, today the foundation of enterprise security and the only area where organizations employ useful metrics, needs to give way to policy definition, threat modeling, and security business alignment with measurable security service levels. Monitoring as the primary method for compliance adherence shifts to organizations implementing governance and best practice frameworks like ISO 17799/BS 27001, NIST 800-53, or COBIT.
But most importantly, we need to elevate security to a critical evaluation criterion for any new process, technology, or product that comes along. The market has power, and we need to demand more secure products, not just spend on new technologies to protect all the insecure stuff we let into our environments. We need to hold ISVs responsible for the crappy, insecure products they push out into the market, and if they do not take action to deliver more secure products with more security capabilities built in, we should not do business with them. In the meantime, visibility and control are key to improving our security, and if we do not have them we will be playing catch-up and fighting security fires for a long time to come.