Bugwatch: Out with the old, in with the new

This week, vnunet.com's security correspondent Iain Thomson gazes into his crystal ball and offers his predictions for 2003.

Predictions are risky at the best of times, unless you make them so flexible that they'll fit anything (horoscopes) or just unintelligible (Nostradamus).

However, in the spirit of the new year, here's five predictions for security in the coming year:

1. Reporting of electronic crime will improve - but not by much
Companies have traditionally been unwilling to involve the police if they have been electronically breached.

This is either because they don't want the public to know that their systems have been compromised, or because they are scared that the ensuing police investigations will be so disruptive that they'll lose more than they gain.

However, insurers are now being more forceful about companies including an IT security audit as part of their coverage, and are offering increasingly attractive insurance against attack.

Either way companies are going to have more problems trying to hush up failings in IT.

2. Open source is the new target
For years Microsoft's software has been targeted by virus writers and hackers, in the main because of the company's overwhelming domination of the market. This will continue as long as Microsoft holds its position.

Open source, by contrast, has had an easier time of things, but in the coming year we're going to see more attacks on vulnerabilities in open source code.

How quickly the community reacts could be a decisive factor in the struggle between proprietary and open source take-up.

3. Out with the worm, in with the hybrid
Worms are fading as a serious problem but will continue to wreak havoc on email systems worldwide, but the rate of attack from new sources will decline overall.

In their place will come more hybrid viruses: code that uses a combination of attacks.

This is nothing new. The same happened to macro viruses and no doubt the same will happen to hybrids once antivirus software vendors, application and operating system developers get up to speed and find ways to block the attacks.

As ever, all we can do is patch, hope and practise safe computing.

4. Meet the new boss
For those of you thinking of the next career move you might want to consider moving to the board as the security director.

Companies are increasingly coming to the conclusion that they need a specific post to organise security policy and make sure it is implemented.

This will be good news for harassed IT managers (or those that want to move up) and is an encouraging sign that companies are taking security more seriously.

Having a good security officer will also make disaster recovery a lot easier.

5. You are the weakest link
Despite all the latest software patches, despite warnings and training sessions and endless emails from the IT department, I can safely predict that someone in a company you know is going to make a stupid mistake and pass on a virus.

In part this will be due to a poor understanding of proper computing practice, but it is also down to the improved social engineering skills of the virus writers.

In the main, however, it will be carelessness that starts the ball rolling.