The first decade of this millennium closed with one of the weakest years economically. Tightening IT budgets at many enterprises forced some security firms to struggle; others closed their doors. The year was also marred by the largest data breach in history and several embarrassing social network attacks. Rather than releasing major security innovations, experts used 2009 to talk about cloud computing insecurities and the need to focus on security basics. In 2010, there could be less hyperbole and more action. All signs point to more security improvements for the payment industry, better methods to lock down social networks, and increasingly savvy attacks aimed at stealing account credentials and other sensitive data. Here are some emerging security themes at the start of this new decade:
End-to-end encryption in the payment industry: When Heartland Payment Systems Inc. announced its data security breach on the day Barack Obama took the Presidential oath, Heartland CEO Bob Carr took an oath of his own. Carr vowed to push for sweeping changes in the industry. About 10 months later, Heartland partnered with Voltage Security Inc. to produce the E3 system, an end-to-end encryption system that protects card data from the time a customer swipes their credit card through its storage in the payment processor's systems; other payment processors and vendors followed (RBS Worldpay, VeriFone Inc., First Data Corp. and RSA). The Payment Card Security Standards Council has a special interest group studying the issue, which may recommend changes to the standard in 2010.
Social networks and cloud-based security: Over the last two years some in the business community frowned on social networks, but that didn't stop the deluge of investment dollars flowing into them. Facebook, Twitter and others have tweaked their business models and are finding a way to make money, but perhaps the biggest threat to those models is the rising tide of phishing attacks, malware and other schemes that could turn away users. An expert from antivirus vendor Kaspersky Lab warned of an erosion of trust in social networks. To limit liability and continue to build trust with users, some social networks may partner with major security firms to support a cloud-based security model within their frameworks in 2010.
DNSSEC deployments move forward: If there's one thing consumers know least about, it's the Domain Name System (DNS), the technical switchboard connecting them to their favorite websites, though it's probably something they shouldn't have to know about. (A video put out by Google in 2009 found that many people can't even define a web browser.) Twitter's embarrassing domain hijacking in December shed some light on the inherent weaknesses in DNS technology. Fortunately there has been a lot of work behind the scenes as top-level domains deploy DNSSEC, the next generation of DNS that supports encryption. Implementation until now has been slow. Digital signing of DNS requests and responses is already supported by .gov and .org, and universities are also deploying support. The .us zone was signed in December. The largest zone, .com, is not expected to sign on until 2011, but one expert said the domain could move faster, giving even more clout to DNSSEC this year.
Smartphones and tablets on steroids: Google plans to announce its new handset based on its popular Android OS, and the ubiquitous Apple iPhones need almost no mention. But in 2010 a wave of more powerful, portable tablets, driven by Apple's rumored iSlate device, may give cybercriminals another target to drool over. It's not necessarily OS vulnerabilities that will be the major attack vector. Some security experts predict that third-party smartphone and tablet applications will contain the weaknesses cybercriminals need to find their way in. Phishing is also an issue, with more people using their devices to access bank accounts and make purchases online. In 2009 the Ikee worm found its way into jailbroken iPhones. In 2010 those using authorized devices may not be so immune to malware.
Authentication renovation: If anything was learned in 2009, it's that password management has become a beast. High-profile Twitter accounts were hijacked, while some Facebook users found themselves locked out of accounts taken over by spam peddlers. Widespread adoption of OpenID Authentication in 2010 could help tie together commonly used websites and make password management easier for users. While password tokens and biometrics help keep cybercriminals at bay from many security-centric enterprises, Art Coviello, president of RSA, EMC's security division, sees a future in knowledge-based authentication, in which a user is challenged with questions about personal characteristics and preferences that only they would know. A combination of knowledge-based authentication and another verification technology could help make stealing account credentials less lucrative for cybercriminals.