The crystal ball gazing has started early this year. Usually you have to wait until after Christmas for the tech prediction pieces to start rolling out, but the first 'security trends for 2011' missive has already dropped into my inbox. So what does the somewhat premature Imperva Application Defense Center think we are going to be most worried by on the IT security front next year? I predict the list will include more Stuxnet-alike attacks, something about how the cloud is either a good or bad thing and a broadside about mobile device security. Let's see if my crystal ball has been successful in predicting the predictions.
Imperva ADC says the top 10 IT security trends for 2011 will be, with my comments in parentheses:
Nation-sponsored hacking: (yay, strike one – Stuxnet worm clones prediction right at the top) these will build on concepts and techniques from the commercial hacker industry to create more powerful Advanced Persistent Threats (I predict someone will get a Buzzword Bingo full house with that one)
Insider threat awareness to rise: In this upcoming year, we expect to see growing awareness of security incidents due to insiders. Attention will grow as a consequence of an increased flow of incident reports where data theft and security breaches are tied to employees and other insiders. (I'm wondering just how much more aware of the insider threat the average enterprise can be; it's certainly already high on the data security agenda of most companies that I talk to)
Man in the Browser Attacks: growth in the role played by "Man-in-the-Browser" attacks in cyber-criminal activity. As a consequence, more online service providers are going to include this in their list of priorities for 2011, shifting the responsibility for mitigating the risk from the consumers to the service providers. (I predict that the banks will maintain that it is either the customer's fault or nothing bad actually happened and they must have made the transfer of funds themselves)
Social Network Security: this will improve, with prominent social networks, and tools, placing more efforts into security over privacy. (Or, put another way, social networks will put a lot of effort into telling the media that they are all about user privacy while at the same time mining as much private data as possible)
File Security Takes Center Stage: greater number of data breaches where compromised data is in the form of files rather than database records. (You mean you are not already properly securing your file servers? I predict you will get all you deserve by way of breaches in 2011 and beyond then)
Mobile Devices Compromise Data Security: (strike two!) proliferation of sophisticated mobile devices is going to have a substantial effect on application and data security (but no more than in 2010 when sophisticated mobile devices were already pretty prolific, surely in 2011 enterprises will be more prepared than ever for the mobile security threat?)
Data Security Goes to the Cloud: (strike three!) an increase in application security offerings in the cloud throughout 2011, we will see some early data security in the cloud offerings (there are already plenty of early security in the cloud offerings, and have been all year – does something which has already happened really count as a prediction?)
Cyber Security Becomes a Business Process: CISOs and security professionals will need to become business process experts to better protect data as it flows through enterprise systems (see above, this is not a prediction but rather a reflection on what already is – Intel buying McAfee was evidence of this, and IT security has been joined at the hip to business operations for the longest time anyway)
Hackers Feel the Heat: the hacking industry will consolidate as amateurs shut down and consolidation among larger, organized groups takes place (erm, again, not a prediction but a current reality methinks)
Convergence of data security and privacy regulation: as more and more governments implement data security and privacy laws, a convergence will take place worldwide (convergence is defined, in my book, as a common agreement or view and to be totally honest I cannot see data security and privacy regulation moving towards any globally similar view next year nor, I have to say, in the next decade. This is, I think, less of a trending prediction and more of a security daydream!)
Amichai Shulman, the Imperva CTO, anticipates that "the threat landscape will evolve in many directions, making data security more challenging than ever" and that's one security prediction which, while not being difficult to make, I cannot argue with.