We know that humans aren’t that good at objectively evaluating threats and our myths can mislead us into underestimating or overestimating threats. As the IT profession starts to enter middle age, we’re starting to get our own myths – things that may once have been true, but are no longer so accurate.
One pernicious myth is that virus writers are teenage hackers with substantial amounts of time on their hands. That’s certainly been true in the past. What we’re seeing now, with Stuxnet and Duqu is malware that shows a more disciplined approach to software engineering. Analysts have found that both Stuxnet and Duqu are highly sophisticated products, not the sort of thing banged out by some angsty teen only fuelled by Red-Bull and Cheetoes.
While the majority of malware authoring is still performed by anti-social teen males, the more effective and pernicious malware is authored by disciplined teams of coders. Similarly, with vendors now integrating better security processes into their products, the search for vulnerabilities has turned from a hit and miss amateur affair into something that requires substantial time and effort. In the security arms race, just as it’s costing vendors more to strengthen the security of their product, it’s costing attackers more to develop effective exploits.
In the long run it might not be that vendors release perfectly invulnerable products, but that instead the effort required to build effective exploits for vulnerabilities that do exist in products will be so substantial that few other than the most dedicated and motivated will attempt the task. There will still be the angsty teen-male hackers, but that they’ll move on to easier tasks should finding an exploit to a professionally engineered product prove too time consuming and without reward.
Which is why the development of malware will become more professionalized. Of course the question then becomes how is the professional development of malware monetized, but that’s a completely different question!
Follow me on twitter: @orinthomas
