Over the past few weeks I have received and heard many thoughts and predictions on what 2011 could bring after a fairly chaotic 2010.
From the predictions received, I have been able to determine some key subject areas for debate. To begin, probably the most prominent has been the talk about the threat, prominence and challenge posed by the evolving mobile device.
There was complete agreement that there will be an increase in targeting smartphones by cyber criminals; Owen Cole, technical director at F5 for UK, Ireland and Sub-Saharan Africa, said that hackers are using mobile devices such as smartphones and tablets as a new attack platform, particularly as mobile applications (CRM, Salesforce, Access to work emails) become more prominent, they will become more susceptible to attack.
Likewise, TrustDefender predicted that ‘man-in-the-mobile' malware will dominate, where malware is being developed to run in the memory of the mobile device that can go undetected while having the ability to infiltrate internet transactions, hack professional email accounts and steal personal data and identification.
Chris Wysopal, CTO of Veracode, predicted that in the next 12 months, a mobile application will cause a major enterprise security breach. He said: “The rapid growth of mobile applications will continue on enterprise-connected mobile devices. Inevitably, attackers will leverage this juicy new attack vector to penetrate corporate perimeters and gain access to sensitive data. It will also turn out that the malicious application that enabled the attack was downloaded through a well-known and trusted app store.”
Gareth Maclachlan, chief operating officer at AdaptiveMobile, said: “This trend towards more sophisticated attacks is set to shake up the telecoms and security markets as traditional approaches to protecting subscribers can simply no longer provide adequate protection. As these compound threats continue to emerge, so does the need for an intelligent approach to mobile security, keeping the industry one step ahead of the criminals to ensure that such threats do not reach mobile users in the first place.”
Luis Corrons, technical director of PandaLabs, said that there is an eternal question of when, not if, malware for mobile phones would take off. “It would seem that in 2011 there will be new attacks, but still not on a massive scale. Most of the existing threats target devices with Simbian, an operating system which is now on the wane. Of the emerging systems, Panda Labs' crystal ball tells us that the number of threats for Android will increase considerably throughout the year, becoming the number one target for cyber crooks,” he said.
Colin Bannister, VP and CTO of CA Technologies for UK & Ireland, said that as there is a continued consumerisation of IT tablet devices will begin to displace laptops as the device of choice for employees.
He said: “While many enterprises have tried to resist the deployment of these devices, user demand has been too strong to resist. As a result, technology and services will be delivered differently and there will be an array of new IT challenges, specifically security and authentication to be managed.”
This Christmas will likely bring more mobile devices to users. Neil Fisher, VP of global security solutions at Unisys, claimed that this Christmas we will probably reach the tipping point in the acquisition of mobile devices in the UK and as a consequence, we will see increasing use of facial biometrics on mobile phones, aided by the integration of better resolution digital cameras.
He said: “Biometrics are effective in locking down a device, whilst enabling secure access via strong authentication. We are already seeing this technology on laptops; expect all kinds of biometrics to become pervasive in 2011.”
Also promoting the biometric cause was Nick Ogden, CEO and founder of Voice Commerce, who said: “Biometric technology, such as voice verification is one solution that is set to meet these needs as one of the most advanced methods of identity verification and payment authorisation.
“Using this technology, identity verifications can be delivered remotely as the authorisation process is conducted over the mobile network which means that a user can authenticate a transaction on the move and at their convenience. Furthermore, the risk of fraud and phishing attacks is negated since card details don't need to be entered online when making a purchase and the transaction is split over two channels (online and mobile). As a result, biometric voice verification over mobile provides a very appealing solution to the industry and consumers as we enter 2011.”
Staying with hacking, threats and infiltration; Cole claimed that hackers will begin to be caught more due to the industrialisation of hacking, leading to hackers raising their professional bar by ‘buying' other smaller groups or merging, leaving the more sophisticated hackers in business.
Derek Manky, project manager of cyber security and threat research at Fortinet's Fortiguard Labs, agreed with Cole, claiming that as money mules are taken offline in the coming year, there will be a need for immediate replacements. He said: “Additional jobs we see growing in demand include developers for custom packers and platforms, hosting services for data and drop-zones, CAPTCHA breakers, quality assurance (anti-detection) and distributors (affiliates) to spread malicious code.
“As demand grows for these resources in 2011, criminal operations will effectively expand head count. New affiliate programs will likely create the most head count by hiring people who sign up to distribute malicious code. Botnet operators have typically grown their botnets themselves, but, we believe more operators will begin delegating this task to affiliates (commissioned middle-men) in 2011.”
Trend Micro believed that social engineering will continue to play a big role in the propagation of threats as there will be fewer infiltrated websites and a stronger cyber criminal focus on malware campaigns.
Gerhard Eschelbeck, CTO of Webroot, also agreed that social engineering scams have become so convincing that it is a wonder IT administrators ever get a good night's rest. “It doesn't matter how comprehensive your patch and update schedule is, when a sufficiently convincing spam email reaches a gullible employee, all bets are off. With targeted attacks becoming more common, the best defence against this threat continues to be education – training in identifying and avoiding fraudulent email and other messages, harmful file attachments and internet behaviour that can lead to trouble,” he said.
TrustDefender predicted that 2011 will see a strong increase in cyber activity including malicious malware threats, stolen identities and data infiltration. CEO Ted Egan said that the move of applications and work environments into the cloud, along with the growing use of mobile devices and online transactions, will pose a growing risk to enterprises and makes individuals more vulnerable online and without adequate attention to online security, malware attacks will continue to become more sophisticated and targeted to take advantage of these channels.
David Harley, senior research fellow at ESET also predicted that with stronger malware like Stuxnet and the Boonana Trojan, which targeted social networking sites in November, there is a clear indication of where things are likely to go.
He also predicted more cross-platform threats using OS-independent vectors like Java while Windows will remain the main target and while there will not be a big shift towards specific targeting of other operating systems, as more people start using them there will be increased interest in finding weaknesses.
In relation to Stuxnet, Harley said: “While not quite the super bug sometimes suggested, it is pretty complex. It takes a range of expertise, resources and sheer man-hours to pull off something that sophisticated and it is unlikely that the entire black hat community will unite in tiger teams to attack hard targets when there is lower-hanging fruit around.
“However, we've already seen a wide range of malware families ‘borrow' vulnerabilities from Stuxnet. These don't have the ambition and innovation or the sophistication of Stuxnet or Zeus, this is just the bad guys adding an approach that seems to work for other attackers. The next big attack will probably be significantly different to Stuxnet, but it will come.”
To cause a social engineering attack requires the user to be caught unawares and there is no better place than on the social network to catch them off-guard. Surprisingly there was little commentary on the development of current social networking giants like Twitter and Facebook, although we expect to see more interest in new websites liked Diaspora and Yammel, the latter of which Imperva CEO Shlomo Kramer said was like ‘Facebook for the workplace'.
Cole said that in 2010 social Networks have started to blur the notion of privacy and security and 2011 will bring even more confusion when it comes to security and the trust people put in social networks. While Proofpoint predicted that at least one major social media site will experience a major breach as with more people on social networks and more personal information available via those networks, the potential for the exposure of data is likely.
Fran Rosch, vice president of trust services at the Symantec enterprise security group, also pointed to a new challenge of e-commerce within social networks, particularly as Facebook now allows this.
He said: “Within the NBA application on Facebook you can now buy merchandise. This is a whole new challenge as people will never leave the social network and these are fast-growing eco-systems and they want to keep growing. If it becomes a point of fraud they will have to increase security.”
Data loss prevention (DLP) has been a major theme for 2010 as companies wrestled to gain some control over data leaving the perimeter. Franklyn Jones, director of marketing, EMEA at Palo Alto said that the recent WikiLeaks incident should cause corporate IT departments to look at how damaging data loss can be.
“After all, much of the WikiLeaks drama started with a disgruntled federal employee who leaked classified documents via file transfer. DLP systems are only effective at blocking the ‘crown jewels', trying to classify data beyond that is infeasible. IT teams need to look to managing data using application-based controls, and in doing so can cast a much wider and more feasible net over protecting its organisation from threats and data loss,” he said.
Wysopal predicted that government and corporations will stock up on anti-leak security products in 2011 to defend against insider attacks, but high profile leaks will continue.
He said: “The insider threat problem is so huge that a single security product category such as DLP, coupled with new policies on removable media, fails to make a dent on leaks. The comprehensive security programs focused on internal applications and internal networks take years to implement. New organisations copy the WikiLeaks model to give more outlets for leaked information.”
Staying with government, Proofpoint predicted that stricter data privacy regulations will be passed worldwide and there will be more data breach notification laws similar to those in Massachusetts and California.
It said: “Next year at least one company will be prosecuted under the broad-reaching Massachusetts Privacy Law. In March of this year, the Massachusetts Privacy Law went into effect, mandating that any company that ‘owns or licenses' personal information, whether stored in electronic or paper form, about Massachusetts residents must comply with its privacy requirements, including notification of breaches and encryption of stored or transmitted personal data.
“Although the state has yet to enforce the law, 2011 will likely be the year that companies begin seeing penalties. In addition, we may see more laws of this type passed in 2011.”
Steve Morton, vice president of enterprise product marketing at Symantec, said that the ‘exponential level of data growth is impeding organisations' ability to effectively manage and recover data' and in 2011, storage administrators must regain control of information, lose their ‘pack-rat' mentality and categorise what information is most important for retention purposes. “Also as data goes mobile and becomes less centralised, regulators will start cracking down in 2011 to drive organisations to implement encryption technologies, particularly for mobile devices,” he said.
In terms of regulation, 2010 was a big year for both PCI DSS, with version 2.0 released and the Information Commissioner's Office (ICO) with the ability to fine for data loss introduced.
Jon Geater, director of technical strategy at Thales, said: “In payments security, we anticipate an important year ahead for PCI DSS. Another generic update to the standard will not answer people's questions and instead we look forward to the specific validation guidance documents that are slated for release in 2011.
“With these developments happening, companies need to remember that PCI compliance is only a piece of the security landscape. It requires much more than PCI DSS to keep up with the evolving security threats against their data.
“In 2011, organisations will start preparing for the cloud but they will not fully migrate. Organisations now recognise a need to focus 2011 security budgets on enhancing private security infrastructure before they can take advantage of the scalability, efficiency and financial benefits that cloud computing will ultimately bring.”
Amichai Shulman, CTO of Imperva, said: “PCI is not perfect but it works, but only one body controls it and takes stuff out and puts it back in but it is a global standard. This will happen with other regulators and we expect it to happen and become a must for businesses to operate globally. They have to pay attention to every branch and ask if their branch complies with US regulation, UK regulation or both?”
Tony Dyhouse, director of the cyber security programme at the Digital Systems Knowledge Transfer Network, claimed that the lessons are not being learned from ICO regulations as steps are not normally taken until things go wrong and companies do not have the resource to be proactive.
“They are doing their best to pick up the pieces and tracing the symptoms rather than the cause, if everyone is doing their job correctly then they have no problem but it can be difficult to tighten up on the premises,” he said.
The recent WikiLeaks reprisals, where attackers working under the Anonymous group umbrellas took down the likes of Visa, MasterCard and PayPal, also features heavily in predictions for 2011. The term ‘hacktivisim' has been coined from this activity and Joona Airamo, chief information security officer at Stonesoft, claimed that there will be more ‘information warfare'-type attacks on nation states particularly as the political motivation in the attacks will increase, even though he said that the attacks with a financial motivation will clearly remain dominative.
Cole said that while hacktivism has been much targeted, hacktivists are learning from the success of industrialised hackers and will soon follow in their footsteps with attacks moving from restricted targets to a wide range of targets.
Corrons said that cyber-protests have become popular because users with limited technical know-how can join in the distributed denial of service attacks (DDoS) or spam campaigns.
Finally a forward-looking theme that has emerged over time is the cloud, certainly not a new concept but one that could take off next year. Cole said that 2011 will bring a change in the cloud industry proposition, while Eschelbeck said that there has been a demand for cloud-based services increasing across all segments of the business.
“Particularly with the private cloud in the enterprise architecture, as it offers the performance benefits and features of a cloud solution, while satisfying regulatory constraints on how companies move or store data,” he said.
Bannister commented that while 2010 may have been the year of cloud talk, 2011 is the year of cloud action and that as a barrier to cloud adoption, security will be a concern of the past as identity and access management capabilities are offered as a cloud service.
He said: “In 2011, the talk will become a reality and cloud computing will become the predominate way that organisations operate. Organisations will uncover realistic, practical uses that give them the flexibility and speed they require to better meet the fast-changing needs of the business. Service providers will prove to be the guidepost for enterprises, as IT pros look to them for lessons learned.”
Looking at the future of identity and access management as a cloud service, Bannister said that it will shift the security perception from cloud barrier to cloud enabler. He said that identity and access management capabilities such as advanced authentication and fraud prevention, single sign-on and identity governance will be offered as a cloud service as they are easily adopted, deployed and managed by both growing enterprises and very large enterprises, and they give users the confidence that they can control who has access to what.
This time last year the predictions were generally pessimistic about botnets, advanced malware and improved spam. A year on it would seem that there is little to be cheerful about: attacks on mobile platforms; more advancement in malware; large scale attacks; and regulatory enforcement for when it goes wrong.
However there could be some bright spots too and with the unknown ahead of us, it could be an interesting look back in 12 months time to see just how true the above became.