Giving Thanks for Security Progress
In the Information Security field, we're faced with a constant barrage of bad news: new vulnerabilities, exploits, and successful attacks. When we do our jobs well, there's no news at all, just an absence of bad news as systems hum along normally and the ever-present storm of attacks is deflected. But maybe it's good once a year to reflect on the good news of information security. So let's take a few minutes to give thanks for some pieces of good news from this year.
Sharing Best Practices
Information security has traditionally been a black art. However, we are making progress in this area. The CISSP certification and the CISSP Common Book of Knowledge have established common standards for the industry. The latest advance in the state of the art is the widespread adoption of the SANS Top 20 Critical Security Controls and the Australian DSD's Top 35 Mitigation Strategies. These lists of recommended controls are not just opinions. They're based on analysis of actual incidents to determine which controls were most effective.
Fruitful Cooperation Among Industry & Government
While individual parties can locally block a particular attack, global action generally requires multi-party coordination. This year has seen several examples of such coordinated action: the takedown of the Rustock and Coreflood botnets and the DIB Cyber Pilot. The ISACs continue their good work, but it's encouraging to see some demonstrable value coming out of industry-government cooperation. And private companies and security practitioners have also been working together to create and improve collective defenses: in ISSA, TSCP, I-4, TCG, and other forums.
Increased Funding for Cybersecurity Research
Today, defending a network or information system is much harder than attacking one. To change these dynamics, we need new approaches to cybersecurity. So it's encouraging to see that DARPA is planning to increase its spending for cybersecurity research from $120M in FY2011 to $208M in FY2012. This research may not pay off for years but it's good to see that senior executives are giving the problem the attention that it deserves.
Serious Attacks on Embedded Systems
Serious security folks have known for years that embedded systems are rarely secure. But utilities, chemical plants, and manufacturing facilities are critically dependent on embedded systems, as part of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems. The prevalent security control in such environments is to isolate insecure production systems from the Internet and from corporate networks. This year, Stuxnet pointed out the many flaws in this approach. And Stuxnet was just the start. Duqu and many others are rapidly expanding these attacks.
Does this seem like bad news? Well, sometimes bad news can be good news. The first step to solving a problem is awareness. Many eyes have been opened this year and thousands of people are working on creative solutions. Next year should see those being delivered, just as the wave of attacks begins to crest.
Planning for Next Year
As we plan for next year's cybersecurity activities, let's remember the lessons from this past year's successes:
- Share Best Practices With Others
- Work With Others for Maximum Impact
- Raise Awareness of Risks
- Use Increased Awareness to Drive Increased Funding
If we keep these lessons in mind, we may have a lot more to be thankful for next year.