2007 will be another year of rising security problems, for three reasons. First, there is a lot of unfinished security business carried over from 2006, including the spam and rootkit tsunamis, combined social-engineering/Trojan attacks on data sources, and the huge wave of newly released Vista/Office/Exchange software that has yet to be hardened in the field. Second, attackers are broadening their point of attack from the OS/browser/email trio to network-based and popular applications such as Adobe's PDF and Flash or Autocad's DWG formats. Adobe has already seen an uptick in Acrobat vulnerabilities. Ditto for Cisco.
Third, and most important, organized crime sees a big opportunity in continued software vulnerabilities. Pump-and-dump stock schemes (see Information Week p26, Oct 30, 2006), looting of confidential data for blackmail and fraud, plus the whole botnet framework for launching attacks amount to an organized-crime and/or terrorist paradise. And since the fundamental security trade-off, ease of use versus following stringent security procedures, works in the attacker's favor, expect a full set of security banner headlines.
Bottom line: where before, in doing system design or upgrade work, one could more or less rely on the client and operational staff to supply a security framework, that is no longer the case. Now every project must include a security review as part and parcel of its overall risk assessment. And the critical phase is not deployment, but how the project fits into the organization's overall security framework. This is sometimes not fun when no scaffolding, let alone a framework, is to be found in the organization.