There are three significant issues facing the online security industry in 2011. None of them are particularly new, but they are approaching crisis point.
The first issue at hand is the continued reliance on anti-virus signature scanners as the primary line of defense against malcode. Signature scanners, which search for known malicious patterns in executable code, made sense when the numbers of viruses were relatively small, but these days, every anti-virus lab in the world gets in the order of 250,000 signature samples each day, with 25,000 to 30,000 being new and unique.
Just a few hundred of these signatures actually contain malcode, but the issue for anti-virus labs is … which few hundred out of the 25-30k? This, of course, is a deliberate strategy by the Bad Guys, because they change the stuff they’re actually shooting at the public every day.
The second issue is the rise of social networks, and the resulting decline of privacy. None of the social networks deliberately set out to leak confidential information, but people naturally tend to put more and more information online, and there is no question that there are systematic efforts by unknown parties (ownership of websites is nearly always hidden behind a privacy protector service) to harvest that information. A very basic example is the tendency people have to use just one password for all websites. Combine that with the idea that it’s common on social networking sites to disclose your mother’s maiden name, and the school you went to, and your favorite pet… all questions that banks use to validate your identity. The fundamental idea here is that abundance of information and security exist in an inverse relationship. The more information that exists about you, the less secure you become.
The third factor is that, to this researcher at least, it feels like a dam is about to burst. The dam referred to is both the number of gangs involved in criminal activity, combined with their growing sophistication. For example, most botnets seem to be held to 30-60k in number, and nearly all use a fast-flux control structure, which makes them difficult to both blacklist and shut down. The point of 30-60k in number is that this is a manageable network. You can’t manage 300k to 1m nodes, but 30-60k, you can. And they don’t just mange them… they farm them. They mount a campaign, grab 30k victims, and milk them until it is shut down, and then a few months later, they do it again.
The single best thing that CSOs can do is to stop relying on signature scanners for anti virus. You can’t do without them, as they are a vitally important line of defense, but you have to stop relying on them as the only line of defense. In 2011, you simply have to have behavior blocking, as well as signature scanning.