Yes this could be a 500 page book, but I’m going to try to present the future of security in fewer than 1,200 words.
Up to now in this anniversary series, my fellow Symantecites have been discussing what has happened over the past 25 years around security and how Symantec and the industry have grown to meet these challenges in a number of areas, from malicious code and vulnerabilities through to modern day threats such as phishing. We’ve come from a world of floppy disks and modems into a world so connected and converged that few of us could have imagined how it would have become so in such a short time. The rate at which technology has evolved and been adopted has, at times, left security analysts scrabbling to catch up – which, in turn, has created significant risks.
First a little history: I’m one of the many people who came to work for Symantec via acquisition. I worked for @stake in Europe for a number of years before the acquisition, as a consultant to numerous sectors. Over those years, I think it’s fair to say there has been a meteoric shift when discussing security. What was once a problem for the great-unwashed, sandal-wearing brigade, as well as bank and government risk departments, today is simply an unavoidable topic for just about any company or organization.
Security today is definitely acknowledged and being addressed from the highest echelons of management down in most sectors. Why? Well, the problem has become ever more complex and important as investment into IT and communications has increased. The result is that the availability, integrity and safeguarding of intellectual property, among other aspects, are now paramount if organizations expect to operate effectively and competitively. For better or worse, much of the world is wired. As well, the passing of legislation by governments and industry bodies has forced many sectors to address (or, at least, pay lip service to) laws and rules which carry requirements for IT security compliance.
And, while progress has been made in educating businesses and users that a problem exists, solving it is a completely different issue. The world of IT still has many security challenges to deal with; something I’m afraid isn’t going to change in any short order. Vendors are still developing devices and applications that contain easily discoverable and exploitable security vulnerabilities. Yes, every vendor should have a well developed SDL (Secure Development Lifecycle); but alas, security is seen as a cost, and for companies under terrific pressure for first-mover advantage or market space, or who simply can’t afford it, it is down on the list of priorities, somewhere behind posh chocolate biscuits for managers and free soda for the minions.
Let’s take an (obvious enough) example: we have seen significant improvements by Microsoft in terms of investment and responsiveness when dealing with security (I think even their biggest critics have to acknowledge that). Yet even today, five years since the infamous rocket (aka, management memo) from Bill Gates, Microsoft still has security issues in their most secure version of Windows yet (Vista, if you hadn’t guessed); this, even after investing resources that small countries would be glad to have access to. This shows us that even the largest software vendor in the world finds it difficult to address such a complex problem, even with their huge resources. So what chance does OllieSoft have with its three employees who work out of a shed in south London?
Part of the issue is that security is going to get a lot more complex at a technological level before it becomes easier. This is in part due to the continual and ever-increasing stream of technologies arriving. Plus, there are going to be more researchers and attackers alike looking for vulnerabilities than ever before. Attackers after the cash aren’t always going to use the most technically advanced means, but instead, will continue to try and find a mixture of confidence tricks, social engineering and technology exploitation in order to have the greatest effect.
As security improves in certain areas, attackers also adapt, change their habits and move to new or emerging technologies. Attackers are going to continue to investigate and leverage new technologies as a source of new targets or victims. The tool-sets used by researchers and attackers are going to continue to improve, thus easing the discovery and reliable exploitation of flaws within software and hardware. In some cases, we can expect certain classes of security issues to be reduced or, in very rare cases, eradicated on certain platforms and in certain programming languages as improvements are made; however, on the whole they will never be truly eradicated due to legacy interoperability, old systems, old languages, and old developers still kicking around. And if that weren’t enough, with all of this comes the continual stream of fresh targets in parts of the world that only now are going through their Internet booms.
All of this makes it sound like a horrible place to be, and by my own admission, I’m not particularly optimistic. That said, we have to look at it positively and see the improvements being made. Security is making its way into curricula in schools. Risk models will continue to evolve to help organizations set up the most cost effective and adaptable networks. Efforts will continue to address raw technological issues around code quality, logic flaws and suchlike. Research around tracking improvements (i.e. metrics) will continue to show if organizations are getting it right or not. Security companies like Symantec will continue to identify, understand and, where appropriate, develop protection for new and emerging technologies. Yes, there are comprehensive, grassroots efforts being taken to understand and minimize the dangers of a world online. It’s just going to take a little longer to redress 40 years of rapid evolution in a field so complex, combined with an ever-moving target.
At a time when some organizations still run Windows NT 3.51 (when was the last security patch for that released?) and many consumers still run Windows 95/98, we have to accept that there is no easy answer for security just yet. We have industries such as the power and energy sectors only now really getting to grips with the possible issues from years of investment in Internet Protocol-enabled equipment running on core services. Also, as our computing diverges from the PC to include media PCs, game consoles, set-top boxes and mobile devices, we have to accept that all of these will become data silos and windows into our home and organization networks. These windows (much like barn doors) will need to be protected if they or the data they hold become important enough to the individual or enterprise.
Here’s to the next 25 years!