We asked security experts to give us their industry predictions for the New Year. Here's what Ed Skoudis had to say.
Predictions for 2003? Let me put my mind into a quantum indeterminate state, while I align my laptop with the tachyon field at the appropriate resonant frequencies... Ahhh... there we go. It's becoming clearer now. By the end of 2003, we'll see:
A high-profile wi-fi hack against a major organization: War drivers around the world are discovering the joys of illegal, free Internet access through a large company's unsecured wireless access points. Soon, these attackers will move beyond discovery of wireless LANs, and start attacking the networks they find. In 2003, at least one of these events will be high profile, with the major media reporting how an attacker managed to penetrate a big corporate or government network and steal sensitive data. This big-time press coverage and the resulting embarrassment of the target will cause lots of companies to finally get serious about wireless security. However, this focus on wireless security will be only temporary, as memories quickly fade and our attention turns to some other attack du jour.
Two or more worms that really pack a wallop: Through 2003, we'll face at least two widespread worms that disable tens of thousands of systems or more. These worms will include significant new capabilities, including zero-day exploits and meta/polymorphic code, that'll make them more difficult to stop. Major news outlets will give extensive coverage to these worms, and hype the threat of cyber terrorists using this vector to disable the Internet. As it will turn out, the real-world worms we'll face won't be launched by terrorists, but will instead be unleashed by youthful, self-styled computer researchers playing with self-replicating code.
A major hole in each of the predominant Operating Systems: I'm really going out on a limb here;-) but I think we'll see major vulnerabilities discovered in Windows, Linux, Solaris and BSD. Each one will require coordinated efforts to patch, and numerous systems will get hosed because their administrators were too lazy or uninformed to patch their boxes. For one of these exploits (likely the Windows one), the first time we'll see it in the wild will be as a zero-day exploit used by a worm to conquer thousands of systems (see worm prediction above).
Not the 'Year of PKI': It seems that every year is labeled the 'Year of the Public Key Infrastructure.' Like each of the last 6 years, 2003 will not really be the year of PKI. Major PKI initiatives are stalled, and some companies are even abandoning massive PKI projects as they focus their security budgets on basic blocking and tackling such as patch installation. People will realize that PKI is a useful tool, but it's not the end-all, be-all solution to security problems that was sometimes promised.
Microsoft's Trusted Computing initiative beginning to bear fruit: Although people will continue to discover major security flaws in Windows and other Microsoft products, the flood of vulnerabilities from this particular vendor will begin to slow. With products reflecting Microsoft's new focus on security and its Trusted Computing initiative finally reaching market, Microsoft security will significantly improve. This situation will cause some security industry pundits to panic, as they won't be able to make nearly as many jokes about the lack of security in Microsoft's products. The dwindling of this source of humor will cut five minutes per hour from the average information security presentation.
About Ed Skoudis: Ed is the Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice. Ed's expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. Ed is a frequent speaker on issues associated with hacker tools and defenses and has published several articles on these topics, as well as the Prentice Hall book, Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses. Ed received his Master's Degree in Information Networking at Carnegie Mellon University.
Ed is also a frequent contributor to our Ask the Expert program. Read some answers to your questions on Infrastructure and Network Security. Ed also writes our Security Challenge of the Month. Read his latest challenge.