Here are my answers to a thread going around from ISSA about security in 2009
1. Most Significant Breach in 2009
Bank breach, but not the one you think. The breach is banks breaching consumers by passing on losses from their own weak ACH security to the consumer/small business. Brian Krebs has been following this story for some time; he asked the right question yesterday: what happens when your bank manager uses IE6?
(Side note: how crazy is it that in this day and age, when newspapers are hanging on for dear life *and* infosec is gaining in importance, Brian Krebs is no longer at the Washington Post?!? Call me crazy, but I think tech is a pretty interesting and strategically important sector; don't you think we want *more* coverage of this area, not less? It's like the Oilers sending Wayne Gretzky to play in Los Angeles: it makes zero sense and we are all worse for it.)
2. Most Overhyped Security Story of 2009
It's got to be the Cloud.
3. Most Significant Vulnerability of 2009
Not Microsoft, not Oracle: the Most Significant Vulnerability in 2009 is clearly Your Enterprise. An Enterprise system takes a bunch of applications and services that were never designed or built for a distributed-systems threat model like the Internet threat model, connects them together without refactoring, and is then surprised by what happens. It's not so much any single bug in vendor-provided software; it's much more the unique combinations that are cobbled together that give the attacker their entry points.