For example, the three big themes you'll see in many IT and security discussions are the following.
- Web apps
If you're not dealing with those three areas, you're a dinosaur, man! Forget all that other stuff you've learned!
The problem with that attitude is that it sees the world through a tunnel of shiny newness.
Consider the following list of recent security issues and see how many of them deal with those three hot topics.
- CPU-level attacks (e.g., Attacking Intel® Trusted Execution Technology)
- MPLS attacks (e.g., All Your Packets Are Belong to Us - Attacking Backbone Technologies)
- BGP attacks (e.g., Defending Against BGP Man-In-the-Middle Attacks)
- IPv6 security (e.g., Attacking IPv6)
- Anti-forensics (e.g., SQL Server Anti-Forensics)
- Various nontraditional rootkits (e.g., .NET Framework Rootkits)
- Attacks on cryptography (e.g., MD5 considered harmful today: Creating a rogue CA certificate)
- DNS attacks (e.g., DNS 2008 and the New (old) Nature of Critical Infrastructure)
- Router attacks (e.g., multiple presentations on exploiting Cisco IOS at Black Hat US 2008)
I could continue. The point is there's a lot more to our security problems than Web, VM, and Cloud. It might be simpler to think of only those three problems, but there are at least a dozen more that require attention. This problem makes our security lives more difficult, but also more interesting.
Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.