December retrospective. The annual structured retrospective continues, following the pattern from 2007 and earlier years.
This is a comprehensive retrospective because 2008 has been substantively interesting and several developments deserve careful framing.
The major events
In rough chronological order:
- Société Générale fraud disclosed (January) — €4.9bn loss from a single trader.
- Cold Boot attacks (February).
- Vista SP1 ships (March).
- Infosec Europe 2008 (April) — DDoS-trajectory talk.
- Mass SQL injection wave (spring).
- Kaminsky DNS disclosure (July).
- Black Hat USA 2008 (August) — Kaminsky's full talk, Pilosov-Kapela BGP work.
- Russia-Georgia DDoS (August) — political-cyber category continues.
- Financial crisis intensifies (September) — Lehman collapse.
- MS08-067 emergency patch (October).
- Conficker A appears (November).
Eleven substantive events. The cumulative shape includes both threat-trajectory development (Conficker, mass SQL injection, political-cyber) and infrastructure-protocol shifts (Kaminsky, BGP).
The cumulative trajectory
Three structural observations from the year.
Internet-infrastructure security became operationally meaningful. DNS (Kaminsky) and BGP (Pilosov-Kapela) demonstrated structural fragility. The cumulative defensive trajectory requires substantial subsequent infrastructure investment; specific deployment of DNSSEC and similar measures is years away.
The bot-architecture trajectory continues toward decentralisation. Conficker's DGA approach is the latest step beyond Storm's peer-to-peer architecture. Specific subsequent worms will continue the trajectory; specific defensive responses will need to address increasingly distributed command-and-control.
The crisis-period operational stress is visible across the field. The financial crisis has produced specific operational pressure across the security operations community. Specific mature operators continue with bounded impact; specific less mature operators face disproportionate cumulative pressure.
The personal trajectory
The year has been substantial.
Continued CISO role at Gala Coral. Specific structural projects through the year; cumulative engagement is productive.
Infosec Europe presentation. The first substantive UK conference talk; cumulative practitioner-network development.
Continued reception of the DDoS book. Specific cumulative reader feedback informs subsequent decisions.
Continued cumulative writing discipline. Approximately 50 posts at the established cadence.
The predictions, reviewed at year-end
The January 2008 predictions, reviewed:
Continue the weekly cadence. Resolved AFFIRMATIVE.
Continue the CISO role at Gala Coral productively. Resolved AFFIRMATIVE.
Speak at Infosec Europe. Resolved AFFIRMATIVE.
Attend at least four conferences. Resolved AFFIRMATIVE.
Specific follow-up book or substantial extended writing. Resolved PARTIAL — specific subsequent writing in progress; no published follow-up.
Continued mass-mailing at sustained volume. Resolved AFFIRMATIVE.
Major Vista-targeting malware family. Resolved PARTIAL — specific Vista-aware malware; nothing dramatically Vista-specific.
Mobile-platform malware incident. Resolved PARTIAL — specific iPhone research; bounded operational incident.
Continued DDoS-for-hire growth. Resolved AFFIRMATIVE.
Major UK consumer-impact data breach. Resolved AFFIRMATIVE.
Major DNS-protocol vulnerability disclosed. Resolved AFFIRMATIVE — Kaminsky.
Politically-motivated DDoS following Estonia pattern. Resolved AFFIRMATIVE — Russia-Georgia.
Continued Microsoft Trustworthy Computing progress. Resolved AFFIRMATIVE.
The cumulative score: 9 affirmatives, 3 partials, 0 misses. Calibration is reasonable.
What I have been writing about
The 2008 writing has covered:
- Continued CISO operational themes.
- Specific incidents — Société Générale, mass SQL injection, Kaminsky, Conficker.
- Major releases — Vista SP1.
- Industry shifts — political-cyber category continues, internet-infrastructure security.
- Conference engagement — Infosec Europe, Black Hat USA.
- The financial crisis and security operations.
The cumulative volume continues at the established cadence.
What I expect for 2009
The detailed predictions for 2009 will be in next week's post. The high-level expectations:
- Continued Conficker evolution and cumulative impact.
- Continued internet-infrastructure security work.
- Continued financial-crisis operational pressure.
- Continued political-cyber events.
- Continued Vista deployment and Windows 7 development.
A reflection on the cumulative trajectory
2008 has tested defensive infrastructure across multiple dimensions. Specific events demonstrate structural fragility in DNS, BGP, web-application security, and broader internet infrastructure. The cumulative trajectory toward better defensive infrastructure is positive but slow.
For my own continued work: more on the cumulative trajectory in 2009. Specific events will inform; the cumulative archive grows.
More as the year wraps up.