Over the past 5 years the information security landscape has changed substantially. New technologies that seamlessly interconnect a wide range of networkable devices over IP-based networks, the rapid adoption of wireless and peer-to-peer networking, the widespread use of web application development frameworks to provide web services, and the increasing number of organizations using VoIP solutions for mission-critical communications depict a more complex and technologically dependent new world.
At the core of this interconnected world runs what is perhaps the ultimate human invention of the modern era: Software.
Software, as with any other human creation, is imperfect. This will not be a surprising revelation to the reader; yet it seems hard to accept that the modern world is founded on shaky, and possibly flawed, technology. Unfortunately a handful of the devastating information security incidents of the past years has forced us to come to grips with the reality of our flawed software creations.
The quest for flawless software is futile. Software will always be imperfect, and as information security practitioners, our job is to achieve reasonable security using imperfect tools. To better define what is reasonable security, we would benefit from understanding current and future security flaws of our software and the possible avenues of attack they provide. My premise is that to win the information security “chess game”, any strategy must encompass both the offense and defense viewpoints. With that in mind, let’s examine what proved to be the principal attack trend of the past year.