Thursday, January 01, 2009

Predictions for 2009

I better get with the program and post my 2009 predictions before any more of the new year slips by. I plan to build on my Predictions for 2008 in Hindsight and add a few new thoughts.

  1. Expect greater government involvement in assessing the security of private sector networks. I wasn't inventing this a year ago, and I'm not inventing it now. I'm extrapolating from a trend line. My post Letters You Will Need to Know: 201 CMR 17.00 is just the latest example of increasingly aggressive government involvement in private sector security matters.

  2. Expect to start learning about IPv6, or be confused quickly. 2009 is not the year of IPv6, but we're getting there. The US Department of Defense is already grappling with IPv6, despite the compliance charade of mid-2008. Wider adoption of Microsoft Vista and its tunnel mechanisms, along with IPv6-active consumer devices, are driving IPv6 in one form or the other into our lives.

  3. Expect at least one cloud security incident to affect something you value. This is not the great Cloud Security blog, but I know many of us are already depending on cloud services. In 2007 and 2008 we started suffering denial when services suffered problems of availability. Next will be disclosure and then degradation. For more on these terms read First They Came for Bandwidth...

  4. Expect network security to matter again. I may be a little late on this one, given problems we had with DNS, BGP, and even SSL in 2008. I think these sorts of problems demonstrate that there's lots of vulnerability left outside the platform, operating system, and applications. As IPv6 becomes more important this one is going to the top of the list, probably in 2010.

  5. Expect to buy fewer "new" security products. We need to get back to basics by answering the sorts of questions that appeared in my post Marcus Ranum on Network Security. In tough economic times, managers are not going to spend on new equipment if they still don't know what the stuff you just bought does. Spend more time on consolidation and specialization and less time on looking for the next security silver bullet.


Good luck in 2009 everyone. It's going to be a good year -- "fine in '09"!


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

4 comments:

John Ward said...

I was thinking you you should have

"6. You, or someone you know, will get hacked, and it will cost someone their job."

Shock tends to get people attention. Maybe a sub-prediction under #4?

aiyipianni said...
This comment has been removed by a blog administrator.
aiyipianni said...
This comment has been removed by a blog administrator.
Anonymous said...

Two more trends to consider:

1) "There is no perimeter"... the continued migration from securing networks and infrastructure to securing data.

2) Continued emergence of social networking as a business tool, and the impact this has on our very notion of company communications and information protection