Computerworld - In 2004, information security professionals will experience more of the darker side of human behavior, but organizations will also take more control over their network and computing infrastructures, particularly end-user systems.
Here are my predictions on what to expect in information security in the next year.
Spam operators are getting more creative in their efforts to get around spam filters. R.a..n,d,o.,m p,u,,n,c.t,,u_a.t.1..0.n makes it nearly impossible to block spam messages by filtering keywords. Operators are changing to graphics interchange format images with no searchable text. Some spammers send in encoded formats, like Base64, to circumvent keyword filters altogether, and relay through IP addresses that have no Domain Name System domains associated with them. These recent developments are challenging spam-filter vendors and frustrating users.
More organizations will quantify the productivity losses and processing costs incurred by spam. Increasingly, IT security departments will be saddled with solving the problem, since it's a content management issue.
Consumer and office-worker definitions of spam will shift, thanks to the capabilities found on desktop spam-control products. Spam, once the domain of unsolicited junk e-mail, will become plain unwanted e-mail. Mail I requested last week is spam this week. A worker who subscribes to a mailing list in January will no longer want it in April. It will be easier to mark the message as spam than it will be to unsubscribe to the list. The messages will keep on flowing -- at the user's request -- but will be blocked before the user sees it.
Internet access filtering
Speaking of productivity, larger organizations will get more serious about managing and filtering employee access to Internet Web sites. Three justifications will dominate: productivity, security and legal liability. I'll explain these in more detail.
There have been a handful of sexual harassment lawsuits filed by employees who happen to see their colleagues surfing porn sites at work. Employees sue the employer for the distress of seeing these images and for the employers' failure to do anything about it.
Enterprises will begin to clamp down on users' ability to install software and make other configuration changes to their desktop systems. Windows 2000 had this capability, but thanks to the relatively uncontrollable Windows 95 and 98 platforms, users are accustomed to "owning" their desktop/laptop systems, with the ability to make systems configuration changes and install, update or remove software at will.
Unpopular as it will be, this has to change if IT is to regain control of its environment. A sizable portion of IT help desk call volume is associated with "power" users misconfiguring their systems and the problems brought about by non-IT-approved software. As a result, fewer users will have administrator privileges on their systems.
You may ask, what does desktop management have to do with security? An environment that lacks integrity (such as one where PC users are able to make configuration changes at will) will suffer a corresponding reduction in security because users' changes will sometimes make their workstations more vulnerable, and in other cases, user changes may be downright malicious.
Thanks to Blaster, Nachi and perhaps another worm in the final weeks of 2003, personal firewall software on end-user systems will finally get traction. Many companies found that these worms got into their networks via infected laptops that didn't have firewall software. The laptops became infected when connected to the Internet at home, where there was no firewall to protect them.
Senior managers who want to keep their jobs by avoiding a repeat of 2003 are funding enterprisewide personal firewall deployments. Now let's hope that they will be able to effectively manage them and still retain the ability to manage the PCs.
Tools that scrub metadata (change history, hidden text, undo information, internal routing memos and so on) will enjoy wider use. In 2004 or 2005, Microsoft will add a scrub feature to Word, Excel, PowerPoint and other software, perhaps by acquiring a leading third-party tool in 2004.
USB flash drives
One or more major companies will attempt to ban the use of Universal Serial Bus flash drives on the grounds that unscrupulous employees are using them to leak proprietary information. The result will be embarrassing, negative publicity for a policy that's ineffective in the first place.
Seriously, though, this is a problem for organizations. Many will begin to understand that the problem isn't with the technology, it's with the people!
There will be at least one well-publicized break-in to a corporate Wi-Fi network. The cause of this attack will either be because the network was supported by IT but poorly protected, or a rogue access point was installed by an unauthorized employee. Regardless, the incident will shed light on this still-neglected vulnerability and spur companies into action.
The same people who hack computers, send spam, make Pringle-can antennas, and drive funny cars will discover Bluetooth and begin to experiment with its uses and abuses. Negative publicity may cause Bluetooth to go back to the drawing board. Does any of this sound familiar? Will hackers build high-gain Bluetooth antennas from discarded ChapStick dispensers? And what will Bluetooth hacking be called? War nibbling? "Bluejacking?" Why someone would want to carry out such acts within six feet of a potential victim is beyond me, but people with too much time on their hands will figure this out, you can be sure of it.
Mobile phone hacking
Mobile phones are acting a lot more like wireless data terminals with very lightweight operating systems. We're building another monoculture, this time on almost-free devices that may outnumber PCs in a couple of years. Perhaps in 2004, we'll see more malicious code attacks than in years past.
Internet-based instant messaging services by America Online, MSN and Yahoo are in wide use inside large corporations whose IT departments may be unaware of the extent of IM use and are unable or unwilling to stop it. In most cases, corporate IT has no centralized control over IM. But the greatest concern should be that corporate messages sent via IM are traversing the Internet with no encryption. Any eavesdropper can see all of the messages flying by. I think that there will be at least one well-publicized incident wherein a hacker publicizes big-company proprietary information sent via IM.
Public utility break-in
Many public utilities have connected their SCADA infrastructure to the Internet. It must have seemed like a good idea at the time. SCADA stands for Supervisory Control and Data Acquisition. It's the mechanism that utilities use to monitor and control substations, water systems and power plants. I think that in 2004, a break-in to a public utility's SCADA system will be publicized.
The FBI and the U.S. Secret Service have made tremendous progress in their ability to track down and apprehend cybercriminals. Cooperation through public/private partnerships such as InfraGard will likewise improve. Those of us on the good side of security have a vested interest in the success of these efforts.