December retrospective. The annual structured retrospective continues, following the pattern from 2004 and earlier years.
This is going to be a comprehensive retrospective because the year has been substantively interesting and several developments deserve careful framing.
The major events
In rough chronological order:
- Phishing reaches commercial-enterprise maturity (Q1).
- Linux 2.6 mainstream production deployment (Q1).
- Continued mass-mailing variants (continuous through year).
- Q1 conference and ongoing community engagement.
- Phrack 62-63 reading updates (Q2).
- Zotob targeting Windows 2000 PnP vulnerability (August).
- DDoS-for-hire emerges as a service category (autumn).
- Sony BMG rootkit disclosure (October-November).
- My career transition (November).
Nine substantive events. The pace has been slower than 2003-2004 but the structural shifts have been larger.
What surprised me
Three things.
The DDoS-for-hire commercialisation has happened faster than I expected. I had predicted some development in the category during 2005; the actual pace of maturation has exceeded my central estimate. The economic infrastructure is now mature in ways that I had thought were 2-3 years away.
The Sony BMG rootkit incident has been larger in implication than I expected. The specific incident is bounded; the structural conversation it has provoked about the boundary between commercial software and malware is much larger. The legal and policy responses will continue for years.
The worm landscape has been quieter than I predicted. I had expected at least one Sasser-class event during 2005; Zotob was the closest analog and was substantially smaller. The defensive infrastructure improvements (Trustworthy Computing, faster patching, mature filtering) appear to have raised the bar enough that simple worms are less effective.
How predictions fared
From my January 2005 list:
Prediction 1: Continue weekly cadence. 95% probability. Resolved AFFIRMATIVE.
Prediction 2: Four conferences. 75%. Resolved AFFIRMATIVE — attended five.
Prediction 3: One conference talk. 70%. Resolved AFFIRMATIVE.
Prediction 4: More non-technical writing. 65%. Resolved PARTIAL — wrote one piece, less than I had planned.
Prediction 5: Honeypot expansion. 60%. Resolved AFFIRMATIVE — expanded to /27.
From various ad-hoc predictions through the year:
Phishing volume continues growing. Resolved AFFIRMATIVE.
Major UK bank phishing incident. Resolved PARTIAL — several incidents but no single major one.
Two-factor authentication for retail banking. Resolved PARTIAL — pilots launched at several banks; no mainstream deployment yet.
Continued moderate-volume worm activity. Resolved AFFIRMATIVE.
SSH brute-force traffic increase. Resolved AFFIRMATIVE — substantial increase observed.
What is structurally new
Four things.
Commercial cybercrime infrastructure. Phishing, DDoS-for-hire, credential trading, malware-as-a-service — all are now mature commercial categories. The economic infrastructure operates openly in underground markets.
The Sony rootkit precedent. A major commercial entity shipping software functionally indistinguishable from malware is a category change. The legal and policy implications are still developing.
Microsoft Trustworthy Computing has produced visible improvements. Windows XP SP2, Server 2003 defaults, faster patch cadence, better advisory quality. The structural shift I wrote about in 2002 has continued and produced measurable change.
The defensive maturity gap is widening. Mature organisations absorb incidents with bounded pain; immature organisations are increasingly hit hard by each new event. The cumulative differentiation is structural.
What I want to focus on for 2006
For the year ahead, the predictions will follow next week's standard format. The themes I expect to develop:
- Continued tracking of the commercial cybercrime infrastructure.
- The Sony BMG aftermath and any similar incidents.
- Continued Microsoft progress.
- The mobile-platform threat category.
- More writing about the consulting engagement, with appropriate confidentiality.
A reflection on seven years
The notebook has now been running for seven full years. The cumulative archive is substantial; the discipline is firmly established; the community continues to be the most rewarding aspect of the work.
For anyone who has been reading the notebook for some time: thank you. The conversations and corrections continue to shape the writing.
For anyone who is starting a similar discipline: the value compounds with duration. The first year is hardest; the cumulative value over years is substantial.
More in the predictions post next week.
A more comprehensive 2005 retrospective
Let me extend this year-in-review post with deeper treatment of the year's structural shifts and what they imply.
The defensive maturity differentiation
The most striking pattern of 2005, on reflection, is how unevenly the defensive maturity is distributed across the operator population.
Mature operators — those who have invested in structured logging, forensic readiness, internal segmentation, and rapid patching — have absorbed the year's incidents with bounded operational pain. The disciplines worked; the disciplines continue to work.
Less mature operators are still being hit hard by each incident. The patching is slow; the segmentation is absent; the response is reactive rather than systematic. The cumulative cost is substantial.
The gap is widening. Mature organisations are getting better at the disciplines; less mature ones are not catching up. The trajectory points toward increasing economic pressure on the laggards.
The legal and regulatory developments
2005 has seen substantive developments in the legal-and-regulatory environment around security incidents.
The Sony BMG response is the most prominent; the regulatory action will continue for years.
Several jurisdictions have introduced or strengthened data-breach notification laws. California's SB 1386 (active for some years) is being followed by other US states; the EU is considering similar requirements; the UK has had quiet conversations about it.
Specific cybercrime prosecutions have been more successful than in earlier years. International cooperation has improved; specific arrests have been made; the deterrent value is bounded but real.
The trajectory points toward more legal-and-regulatory engagement with security issues over the next several years. Operators who treat compliance as an additional cost may find themselves at a disadvantage compared to operators who treat it as part of the operational discipline.
The technical landscape
Technically, 2005 has seen continued maturation of several categories:
Linux 2.6 has reached mainstream production deployment. The migration from 2.4 is mostly complete.
Apache 2.x has displaced Apache 1.3 in most new deployments. The migration was straightforward; the benefits are real.
Snort continues to evolve; the community ruleset is large and current; deployment is widespread.
OpenSSH has continued the privilege-separation discipline; subsequent vulnerabilities have been bounded by the architecture.
Microsoft Trustworthy Computing has produced visible product improvements; the trajectory continues.
The combination represents a meaningful improvement in deployed-base security compared to 2001 levels. The improvements are slow and uneven; they are real.
The threat landscape
The threat landscape has continued to mature into commercial cybercrime. Phishing, DDoS-for-hire, credential trading, malware-as-a-service — all are now mature commercial categories.
The specific worm activity has been quieter than 2001-2004; the structural cybercrime has been larger. The shape of the threat is different from earlier years.
This matters for defensive planning. Defending against worms requires different infrastructure than defending against credential-targeting attacks. The investment over the next several years should reflect the changing threat shape.
What I want to focus on for 2006
For the year ahead, the predictions list will follow next week's standard format. The themes I expect to develop:
- Continued tracking of the commercial cybercrime infrastructure and its evolution.
- The Sony BMG aftermath and any similar incidents.
- Continued Microsoft progress and the structural shifts it produces.
- The mobile-platform threat category, which has been forming for two years and may finally produce major incidents.
- Continued writing about consulting, with appropriate confidentiality.
- More writing for non-technical audiences, where I have been less productive than I had hoped.
A reflection on seven years
Seven full years of writing now. The cumulative archive is substantial; the discipline is firmly established; the community continues to be the most rewarding aspect of the work.
For anyone who has been reading the notebook for some time: thank you. The conversations and corrections continue to shape the writing.
For anyone who has come to the notebook recently: welcome. The archive is substantial; the older posts are sometimes interesting in retrospect; the discipline continues into 2006.
More in the predictions post next week.
A broader reflection on the seven-year arc
Let me close this 2005 retrospective with a broader reflection on the seven-year arc of the notebook.
When I started in 1998, the security field was substantively different. The threat landscape was dominated by hobbyist attackers; the defensive infrastructure was rudimentary; the commercial-cybercrime ecosystem did not exist.
Seven years later, the field is unrecognisable in some dimensions and structurally similar in others. The threats have professionalised; the defences have matured; the structural conversations have shifted.
The cumulative trajectory is, on balance, positive. The defensive infrastructure has improved more than the threat infrastructure has, in the specific dimensions where I can measure both. The operators who have sustained their disciplines are meaningfully better-positioned than they were seven years ago.
The trajectory will continue. The next seven years will probably produce comparable structural shifts; the specific shifts are unpredictable; the discipline of tracking them remains valuable.
For anyone entering the field now: the cumulative learning is substantial. The notebook archive captures one particular practitioner's view across seven years; many other practitioners have similar archives in various forms; the cumulative documented experience is a substrate that earlier generations did not have.
For anyone leaving the field: thank you for your contributions. The cumulative effect of many practitioners over years is what produces structural improvement.
For anyone continuing: the work matters. The trajectory is good. The community persists.
More in 2006.
A more comprehensive reflection on the year
Let me extend this retrospective with deeper treatment of the year's structural shifts.
What I am taking from the year
Four specific things, more concretely than the earlier sections allow.
The defensive maturity gap is real and growing. Mature operators are increasingly distinct from immature ones in their ability to absorb incidents. The gap has economic implications that will continue to develop.
The commercial cybercrime ecosystem is now operational. Phishing, DDoS-for-hire, credential trading, malware-as-a-service — all are mature categories. The ecosystem operates as a market.
Microsoft Trustworthy Computing is producing visible improvements. The trajectory is positive; the specific improvements are real; the rate of new vulnerabilities is slightly lower than the historical trajectory predicted.
My own career trajectory has shifted. The transition to consulting represents a meaningful change; the implications will play out over the next several years.
What I expect to be writing about in 2006
Five specific themes:
Continued tracking of commercial cybercrime. Phishing, DDoS, credential targeting. The category continues to mature.
The Sony BMG aftermath. The legal and policy response will continue; specific incidents may produce further developments.
The mobile-platform threat. Two years after Cabir, operational incidents may finally emerge.
Microsoft progress. Windows Vista (in development) will be a major test of Trustworthy Computing.
Consulting reflections. The new role will produce material with appropriate confidentiality.
What I want from readers in 2006
Three things.
Continued correspondence. The conversations are the most rewarding aspect; sustaining them benefits the writing.
Pushback when I am wrong. Specific corrections improve the work; general engagement informs my calibration.
Sharing of operational stories. The patterns I write about emerge from cumulative practitioner experience; readers' stories enrich the patterns.
The address is on the page. The reading continues; the writing continues; the conversation continues.
More in 2006.
A longer reflection on the year's career transition
Let me extend this retrospective with more substantial treatment of the personal career transition.
The move from sustained employment to consulting has been the largest professional change in nine years. The implications will play out over months and years.
The specific dimensions of the change:
Income pattern. Salary income is being replaced with project-based fees. The total annual amount is comparable; the distribution across the year is different. Cash-flow planning is now more careful.
Schedule pattern. The previous schedule was sustained 9-to-5 with on-call. The new schedule is more variable — bursts of focused engagement work, lulls between. The discipline of using the lulls productively is something I am still working out.
Identity shift. I have been an employee for nine years; the consulting role is a different self-conception. The professional identity is adjusting; the notebook continues regardless.
Relationship patterns. The previous role had stable colleagues; the consulting role has rotating clients. The relationship building is different; the community connections continue independently.
Skill development. The previous role developed depth in specific operational practices; the consulting role develops breadth across organisational contexts. Both are valuable; the cumulative skill base is different.
For anyone considering a similar transition: the change is substantive. The financial planning is non-trivial; the schedule discipline takes time to develop; the identity adjustment is real.
For my own writing: more posts about this transition over the next year. The lessons from inside the experience are different from the lessons I have written about externally.
A small commitment for 2006
I commit to writing at least four substantial posts during the year about the consulting experience and what it teaches. The specific topics will emerge; the commitment to engage with the experience publicly is the discipline.
More in 2006.
A wider closing on the year
Let me close this 2005 retrospective with a few additional substantive observations.
The specific operational patterns I want to highlight from the year:
The increasing professionalisation of the threat actor population. This has been visible for several years; 2005 made it unambiguous. The amateur-curious attacker is increasingly rare; the commercial-cybercrime operator is the dominant pattern.
The continuing maturation of the open-source security ecosystem. Snort, OpenSSH, the Honeynet Project, various others — all continue to develop at sustainable pace. The cumulative trajectory is positive.
The quiet but real progress on internal segmentation. Several operators I correspond with have completed substantial segmentation projects during 2005. The cumulative effect across the operator population is meaningful even when individual projects are not visible.
The economic infrastructure of cybercrime is now mature. Phishing, DDoS-for-hire, credential trading, malware-as-a-service. The structural reality is established.
Microsoft's Trustworthy Computing trajectory continues to deliver. The improvements are slower than would be ideal; they are real; the cumulative effect over multiple product cycles will be substantial.
For my own work going forward: more focus on the structural patterns; continued tracking of the specific incidents; more writing about consulting practice; continued reading discipline.
The field continues to develop in interesting ways. The work matters. The community persists.
More in 2006.