Thursday, February 23, 2006 2:10 PM
fredbaum
Security and Organised Crime Moving in.... Will ITSEC Nerd stop the Mafia?
From what I see in law enforcement discussions, organised crime elements are now turning away from "hard crimes" like drugs, etc., and moving into "softer" white collar crimes. Articles on the web about 0-day exploits being sold on the web are good examples. In some dark room we have a computer geek who likes black and grey screens, with stuff like subnet masks as their passion. It is these people, with their perimeter firewalls, that we now rely upon to stop a criminal organisation bent on stealing 30M USD from Bank Corp. Who do you think will win?
I think that we in our community need to start knowing and expecting these types of threats as the "really" evil world starts figuring out real and present ways to make money from the fact that the IT world at large is in its IT security infancy, as opposed to the relatively mature physical security world we live in. "Easier to L8 a bank than to mount a full bank robbery with guns and stuff" is an example of this.
Personally, I expect to see a shift away from script kiddie worm attacks with badly constructed attack payloads, towards "designer attacks" crafted with a specific target or segment in mind, in a relatively complex multi-person operation with hard and fast commercial gain as the objective. Key to this will be the time and maturity of vendors, and how long they take to patch, test and remediate their stuff. Some vendors, those that still don't acknowledge they have a "security problem", need to wake up to this reality. All software companies do, and Bill Gates made this point with the Trustworthy Computing memo of 2001. What happens when there is a 0-day exploit in a platform that happens to run the majority of the world's payment or financial custodial systems, and that vendor takes 20 days to test, patch and remediate?
Unethical security researchers and vulnerability sellers are now a factor of production for the criminal element, not a criminal element in themselves. They are a new tool for the cons, fakes, extortion rackets and organised criminals that use them. These will be the people that may get caught by the police whilst their bosses go free, like the low-level criminals peddling whatever is illegal on the streets. If we see this analogy through, the security community needs to do a better job of protecting customers with architectural security features that don't care about specific vulnerabilities, and start assuming there will always be vulnerabilities. An IT system without OS or application vulnerabilities isn't the security holy grail to my customers; after all, there could be misconfiguration, bad design, and a variety of other factors that would be "hacked", not just an OS or app 'sploit. In my view a better goal is a well-architected system that, though composed of potentially vulnerable systems individually, when aggregated as a whole collectively isn't exploitable. The answer to this isn't an appliance or any other quick band-aid fix; it's thinking, design work, careful study of what is possible, and fixing root causes as opposed to symptoms.
Never forget the security "industry" mostly exists to sell stuff (services, subscriptions, etc.), not to secure you. Security is the product that is sold, and it isn't in the best interests of a product vendor that does only security to secure itself out of a job. It's the job of a good security architect to implement solutions that don't just have the word "security" in them. Most likely they, if well implemented, can do more than super-mega-firewall 2000 could ever do.