Information Security's fifth anniversary issue was spot-on.
With a half-decade under its belt in 2002, Information Security dared to look ahead in its fifth anniversary issue, also known as the Crystal Ball issue. Several experts were given space to pontificate on what may come in the next five years. And know what? For the most part, guys like Gene Spafford, Marcus Ranum and the editors of Information Security were spot-on in their prognostications.
While Ranum writes and speaks with wit and candor, his barbs are laced with brutal honesty. In 2002, he told Information Security readers that among other things, autopatching would be predominant and that software should not be bought, but rather subscribed to.
In light of Microsoft's Patch Tuesday and Oracle's massive quarterly updates, automated patching has indeed removed the pain of maintaining system patch levels, and minimized exposure to vulnerabilities and exploits. While zero-days are a constant threat, automated patch tools help security managers keep pace.
Software as a service, on the other hand, is gaining steam, and perhaps Ranum's prediction needs a couple more years to season.
Spafford, meanwhile, signed off with eight prognostications in 2002, most of which were on the mark. For example, he said a rush-to-market for new features would create new holes and force developers to shove aside security to accommodate these demands. Spam would continue to be a problem, as would consumers' insatiable need for fad technologies. But he did miss on two predictions: that insurance companies and liability lawyers would become more involved in cybersecurity incidents, and that appliance-based computing would take off.
Spafford says the economics of liability and insurance prevented that prediction from coming true. For now, companies are passing the costs to consumers, he says.
"That prediction may still come to pass when the TJX class-action suits begin to be filed against them," Spafford says. "We could see that as the beginning--courts finding favor and handing out substantial damages. Once that happens, that's more than companies can pass on to consumers. We'll see third parties come into play."
As for appliance-based computing, Spafford says he didn't foresee the trend toward virtualization, coupled with the immaturity of integrated management products. It's much easier for a smaller company to roll out its own Linux-based appliance and fill that space, Spafford says.
Cover story
Information Security celebrated its fifth birthday in 1997 by doing a double-take on its first five years and peering ahead at what might be the most influential companies and prominent attacks of the coming five years.
Here's how we did:
Influential companies '97-'02
- Check Point Software Technologies
- Computer Associates
- Internet Security Systems
- Network Associates
- RSA Security
Predicted influential companies '03-'08
- Tripwire and Sourcefire
Also, Information Security readers were polled for the fifth anniversary issue and asked to rank the five worst attacks and predict the most ominous threats ahead.
5 Biggest Attacks '97-'02
- Code Red
- Melissa and LoveLetter viruses
- Distributed denial-of-service attacks on Yahoo, eBay, et al
- Remote control Trojan horses
Predicting 5 Biggest Threats '03-'08
- Super worms
- Stealth attacks
- Automatic update exploits
- Routing/DNS attacks
- Combined physical/cyber threats
This was first published in January 2008