2010: what the security industry predicts will hurt us in the next 12 months

Last week we looked back at 2009 and with the New Year only 16 days away we take a look at predictions for 2010.

There is no doubt that trends will continue into next year, only bigger and worse than they were in 2009. Rodney Joffe, senior vice president and senior technologist of Neustar, claimed that there will be new vectors next year, we just do not know them yet, and there is a need to change processes and look at it from a totally different point of view.

So let us start with the threat landscape, and how commentators think it will develop in 2010. Gerhard Eschelbeck, chief technology officer at Webroot, said: “The malware attacks of today are different than in recent years. Hybrid malware, combining the use of web and email to carry out sophisticated attacks, will become even more prevalent in 2010.

“Narrowly targeted malware, which requires the presence of specific applications or data to engage in malicious activity, will also be on the rise. Finally, the increasing ‘real-feel' of phishing sites and emails - as evidenced by a recent Verified by Visa scam - are keeping security vendors, IT directors and consumers on their toes.”

Predictions from M86 Security showed that it believed that botnets will grow in their sophistication, and will continue to be a major problem, driving the majority of spam output and mass website attacks. It also believed that scareware, a tactic that grew in popularity in the second half of 2009 because of its effectiveness, will see attacks escalate in 2010 as the look and feel of scareware pages get updated and criminals find new ways to reach users.

Bradley Anstis, vice president of technical strategy at M86 Security, said: “Looking back at some successes in 2009, the security industry was successful in disabling the Mega-D botnet and eliminating significant spam hosting and service providers.

“However, the volume of spam and web requests continues to grow and eclipses the levels seen before these takedowns. The first step in preventing serious web abuse and widespread infection through the web and other means is awareness of the threats.”

Paul Wood, MessageLabs intelligence senior analyst at Symantec, previously claimed that when McColo was taken down it saw a drop in spam levels. He also said that phishing spam fluctuated over the course of the year, but we were left with a strong version as versions of toolkits had backdoor Trojans.

However, he predicted that phishing attacks would be focused around the financial crisis and that there will also be an increase in non-English language spam as the bad guys turn to using top-level domains of a specific country. “This is a fairly rudimentary approach. With a .com it is less trusted than .de by a German recipient and the only way to know is to look at who owns the domain so they are using other information in the public domain,” said Wood.

In agreement on this was Trend Micro, which believed that as domain names become more internationalised, the introduction of regional top-level domains (Russian, Chinese and Arabic characters) will create new opportunities to launch age-old attacks through lookalike domains for phishing. It predicted that this will lead to reputation problems and abuse that will challenge security companies.

So what about spam in general? Leslie Forbes, F-Secure's technical manager for UK and Ireland, claimed that the problem of malware will not be going away any time soon. He said: “As software design takes on a greater appreciation for security, there are likely to still be vulnerabilities discovered, but less commonly.

“New threats will continue to emerge, and will focus on new technologies. Most new technology development is in the area of services and enablers, and these are easy pickings for threats. Lots will be based on social engineering: technology is continually improving, but the human does not.”

Symantec believed that spammers will continue to ‘break the rules', with organisations selling unauthorised email address lists and more less-than-legitimate marketers spamming those lists.

Echoing the earlier comments by Paul Wood, it also predicted that spam volumes will continue to fluctuate in 2010 as spammers continue to adapt to the sophistication of security software, the intervention of responsible ISPs and government agencies across the globe.

As for specialised malware, Symantec claimed that highly specialised malware was uncovered in 2009 that was aimed at exploiting certain ATMs, indicating a degree of insider knowledge about their operation and how they could be exploited. It expected this to continue in 2010, including the possibility of malware targeting electronic voting systems, both those used in political elections and public telephone voting, such as that connected with reality television shows and competitions.

It is not a happy fact, but it is the case that this sector will be hit by recession further, which will impact technology and staffing, but is it all negative? Forbes put a positive spin on the recession, claiming that ‘new ideas, products and services' will come out of this as people being either unemployed, or being employed in uncertain circumstances will be looking for all sorts of ways to innovate.

Forbes said: “Some will be determined to make the provision much less expensive (directly attributable to the recession), whilst others will be ‘all-in-one' bundles – hoping to make capital out of cash-strapped buyers (less attributable to the recession).”

John Colley, EMEA managing director of (ISC)2, believed that information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in 2010 and beyond.

Colley said: “After the cutbacks in 2009, most businesses will be eager to re-engage business initiatives. They should beware of rushing in without giving proper consideration to the security requirements, however, especially since security teams and projects have been pared back to minimum requirements it will take time to build them back up.”

Guy Churchward, CEO of LogLogic, claimed that from a purely recession standpoint, organisations that ‘hunkered down and weathered the recession’ will have provisioned well for coming out the other end in 2010. At the same time, for organisations that went into denial the lesson is clear: they will recover much slower.

Churchward said: “For 2010 and after speaking to a lot of customers and prospects over the past few weeks, I firstly predict a change in IT spending patterns. Don't get me wrong, enterprises are cautiously optimistic about the market, they do want more technology but through less partners. They're looking for a deeper relationship with technology vendors – a more strategic relationship.

“Also on the list is for providers to expand their portfolios to encompass more offerings to help clients - they don't want to deal with 20 different companies any more. In short they'll be working with fewer vendors, but more with the right ones.”

A major trend of 2009 was the rise of cloud computing, be it virtualisation, Software-as-a-Service or hosted security. It led to various opinions on its security, capability and reliability.

Colley pointed to an autumn 2009 survey that found that 92 per cent of its members believe that employees will circumvent the IT department to trial cloud-based solutions.

“On the one hand, a carefully controlled migration to cloud-based services with suppliers that can demonstrate a real appreciation for security can enhance a company's security stature,” said Colley.

“On the other, the newly developed do-it-yourself ability for all risks uncontrolled placement of data with cloud service providers of all abilities. We face a significant learning curve during which the opportunity to put data at risk will multiply.”

Eschelbeck predicted that cloud computing, as the computing platform, will be the next generation of the internet. He said: "Computing will become like a utility, similar to how we use electricity today. We will pay for what we use; the PC will become the visualisation tool we look into for applications in the cloud. More cloud computing platforms will become available as we capitalise on this economical, scalable model."

Dave Jevans, CEO of IronKey, said that he felt that the cloud ‘was great', but the reality is that people are figuring out the security risk and it is significant.

Jevans said: “Companies are saying ‘let me outsource' but they have not considered authentication, no one is offering strong authentication that is comparable to a company's requirements.

“That is one thing that has got to happen and we have got to look at data coal mining with one user seeing another user's information, this is a coding area. Data coal mining and data convergence, it has got to be addressed with cryptography and key management has got to be considered.”

A doubtful eye was also cast by Fortinet, which warned companies to ‘get your head, not your security, out of the cloud’. It said: “Adopting cloud-based services opens organisations up to many risks and vulnerabilities as information travels to and from protected networks via a public pipe, creating many more opportunities for data infection or theft.”

The rise of social networks was a major factor in security, with attacks on them an increasing problem in 2009. Eschelbeck believed that this would continue to increase in volume and scope, targeting communities such as Facebook and Twitter as well as those that emerge.

Eschelbeck said: “Social networks present a very good return on investment for cybercriminals using them as a platform for perpetrating URL-based attacks. This trend will intensify - through shortened links, user-generated content, videos, and so forth. Friend, Follower, Tweeter, beware.”

Wood also believed that in 2010, social networking, phishing and fake accounts will be sending spam and the area to be considered is third party applications on social networking sites.

Wood said: “As they open up the platforms to developers, the web-based applications are hosted on websites and therefore just as vulnerable as any other sites. Some social networking sites have different services, so if any site becomes attacked then the social networking site does too.”

Symantec believed that, with sites poised for another year of unprecedented growth, fraud leveraged against site users would grow. However users will not be left unprotected, as it predicted that owners of sites will create more proactive measures to address these threats, although this will lead to attackers turning to vulnerabilities in third party applications for users' social networking accounts.

Tony Dyhouse, director of the cyber security programme at the Digital Systems Knowledge Transfer Network, claimed that this was ‘huge' and was gathering pace, and it is not an option to disallow it within companies. He said: “We have to look at the expectation of the younger generation and look at how to manage that. This is a huge issue that will affect all of UK business.”

New operating systems were seen in 2009, primarily with Windows 7 and earlier with Apple's Snow Leopard, while the introduction of Internet Explorer 8 saw a stronger focus on browser security.

Websense believed that there will be more targeted attacks on Microsoft and that, with the expected fast adoption of Windows 7, we will see more malicious attacks targeting the new operating system with specific tricks to bypass User Access Control warnings, and greater exploitation of Internet Explorer 8.

It claimed that while Windows 7 tries to reduce the pop-ups by allowing four levels of User Access Control, security challenges to the interface and the operating system still exist.

Symantec also believed that as the first patches were released for Windows 7, it will come into the cross-hairs of attackers. It said: “As long as humans are programming computer code, flaws will be introduced, no matter how thorough pre-release testing is, and the more complex the code, the more likely that undiscovered vulnerabilities exist. Microsoft's new operating system is no exception, and as Windows 7 hits the pavement and gains traction in 2010, attackers will undoubtedly find ways to exploit its users.”

With regard to Mac, it has been a talking point not only in 2009 but further back with an aim to convince Apple users that they are vulnerable to malware and attacks. Websense claimed that 2010 will prove once and for all that Macs are not immune to exploits, as hackers have noticed Apple's rapid growth in market share in both the consumer and corporate segments.

It said: “There exists additional risk for Mac users because many assume Macs are immune to security threats and therefore employ less security measures and patches, so attackers have additional incentive to go after the OS X platform.

“During 2009, Apple released six large security updates for Macs showing the potential for attacks. In 2010, there will be even more security updates as hackers ramp up attacks targeting the platform. There is also the potential for the first drive-by malware created to target Apple's Safari browser.”

Michael Sutton, VP security research at Zscaler, believed that 2010 is a year when Apple will be forced to climb the security learning curve. He said: “Apple has for some time been considered to have a safer operating system in OS X as it is less often targeted by attackers. While that may be true, it is less secure overall and Apple's increasing market share will force them to finally invest in security due to increasing attacks targeted at Apple devices.”

There is no doubt that attacks on mobile devices will increase, data loss will get worse and search engine results will be hit to ensure that the victims of cybercrime continue to increase in their suffering.

To leave this overlong prediction, and with a slight anticipation that the first week in January will bring a whole new vector of attack that was not even covered here, let us finish on a slightly more positive note in contrast to the rest of this article.

Eschelbeck claimed that while the aforementioned threats ‘may seem like a daunting list of threats and predictions, the good news is, the security industry has never been stronger’.

He said: “The level of innovation, the raised awareness, the healthy competition among vendors - together make for an optimistic outlook.”
