2011 has been characterised by highly visible cyber attacks and by diversification of cyber criminals towards new platforms, as the use of mobile devices for business has come to the fore. 2011 has also seen the UK Government place a heavy focus on the importance of cyber security. The activities of a number of high-profile hacktivist groups, lacking the financial motives of previous years, have made uncomfortable headlines for many companies and raised cyber security as a topic among a much wider audience.
The professionalization of cyber attacks has also become well established, with the availability of commercial tools designed by cyber criminals for cyber criminals. These products and services make mass generation of new malicious code campaigns and exploits trivial and scalable. The net result has been significant increases in the volume of malware and more infections. Businesses will be challenged with managing these threats alongside managing new ways of accessing applications and data, like the cloud. Cloud services will see a resurgence of interest in 2012.
- A throwback to hacktivism
The majority of malicious code and attacks have been financially motivated for some time. This year saw an increase in hacktivist activity ranging from some very basic attacks to serious data breaches. Attacks such as distributed denial of service or SQL injection have been widely covered by the media, sometimes leading organisations to focus on mitigating hacktivist attacks rather than the basics, distorting their true security priorities.
- Continued massive escalation in the volume of malicious code
SophosLabs now sees over 150k new individual malware samples every day, an increase of over 60 percent since 2010. The use of malware generation engines and toolkits created and sold by cyber criminals to other cyber criminals has become widespread. A significant portion of this malicious code features back doors, which makes determining the eventual payload of the malware difficult.
- Mobile malware: just the beginning but still stuck in the 1990s
For years, some in the security industry have preached that mobile devices would become the next significant target, but nothing ever really happened. In 2011 this began to change, with a greater volume of malicious code and increased awareness of attacks on key platforms such as Android. At the moment these attacks are still somewhat simple examples, much like 90s PC malware, but they are also an indicator of what may come.
- Control systems and critical national infrastructure
The bad guys have diversified from their traditional targets and hackers have started to pay more attention to these systems. While the threats were perhaps over-hyped, there are real issues in this area and it is vital to ensure these critical systems are fully protected.
- We got to talk to the bad guys
Cyber criminals in 2011 were active in trying to convince people to give up information and click on links. There were even a number of campaigns where cyber criminals actively telephoned businesses to carry out live social engineering in order to extract information. Attacks via social media platforms, VoIP and other channels were also widespread.
- High-profile targeted attacks
There were a number of high-profile targeted attacks, such as those on RSA and on the defence contractors implicated in the same stream of attacks. These high-profile attacks created significant focus on separating different classes of attackers, such as the rumoured state-sponsored actors versus corporate espionage and mainstream threats. In many cases the techniques used were identical, drawing on the same capabilities as mainstream malware authors.
- The basics still go wrong
Some unusually traditional threats like Morto showed us how basics like password management are still a significant challenge for IT security. Infections via the browser, brought about by a failure to patch PDF, Flash or the browser itself, were also commonplace.
- Continued growth in volume of malware and use of social media and the web for distribution
The mass generation techniques of 2011 will remain effective and will continue through 2012. New social media platforms and integrated apps will also be used by cyber criminals.
- Cyber criminal targets will diversify further
Traditionally, the majority of security effort and spend has been directed towards Windows systems, which have been the biggest focus of most cyber criminals. Over the past 18 months the bad guys have been targeting platforms like Mac OS X a lot more, and it is likely we will continue to see some expansion to these targeted platforms over 2012 and 2013. Security really is now about more than just Microsoft. User education and controls will be required to make sure other platforms don’t present an easy backdoor for cyber criminals.
- Mobile devices in the spotlight
The explosive growth in the use of mobile devices will continue to make them a target for cyber criminals. While many lessons have been learned from Microsoft (the architecture of today’s mobile devices is more robust as a result), there are also significant regressions with regard to password security, patching and encryption. InfoSec professionals will need to deal with a growing array of architectures and configuration parameters. This could also mean more focus on the ARM platform by the bad guys, given its widespread use in mobile. Each mobile platform has a unique set of risks, and its architecture is still rapidly evolving.
- New web and networking technologies will force us to learn some lessons
Most malware gets distributed via the web using compromised sites. However, web technologies are undergoing interesting changes now, from add-ons like Flash or Silverlight to the funky new HTML5. These new technologies introduce some impressive new capabilities (e.g. http://www.apple.com/html5/) that are exciting for rich web application development, but could also introduce new attack vectors. In particular, many languages or environments provide greater access to local computing power and resources to enhance the web experience, and this could allow bad guys to find new ways of stealing data. IPv6 (the replacement for the major protocol that drives our networks and the Internet) will also require many of us to ‘go back to networking school’, as it is significantly different to its predecessor and brings new security challenges and benefits. Mass migration to IPv6 in 2012 is somewhat unlikely, but given that the remaining pool of IPv4 addresses is dwindling, we are likely to see an uptick in consideration of it.
- Casual consumerisation will cause regression
Many more of us are trying to directly embrace consumerised devices or manage ‘bring your own device’ models. However, in many cases during 2011 (and certainly accelerating for 2012) these devices are being casually accepted in networks without the appropriate controls. This casual shift towards consumerised devices will cause regressions in security capabilities, reopening holes that had previously been mitigated. IT will once again struggle to ensure they have basic controls deployed and reliable measures for the environment.
- Trend of targeted attacks will continue
Crime groups and criminal gangs offering tailored malicious code are widespread, as is the custom development of malware to steal IP or financial details. Given the low cost of producing relatively high-quality malware, it is likely we will see more in this area in 2012. With rising awareness of cybercrime as a means of IP theft or intelligence gathering, these attacks will continue to be a priority issue for certain businesses and organisations.
- Continued hacktivism and high-profile threats focusing on control systems
As we embed technology more and more into our lives and homes (e.g. initiatives like smart grid), we may see new attack vectors or privacy breaches opening up. These attacks will not constitute the largest block of threats, but will likely be high profile. We also need to consider the security of embedded systems being built into devices like cars, since cyber criminals are likely to continue their diversification away from the traditional PC-based platform over the next few years. We can rely on cyber criminals to find creative ways to extort information or threaten us into giving them money.
- Convenience technologies could become new vectors for fraud
There have been interesting new examples of fraud this year, like some of the illicit activities conducted with Bitcoin. New convenience technologies could also open up new opportunities for cyber criminals to monetise. We are eagerly waiting for technologies like near field communications (NFC) to be integrated into mobile devices and made widely available. Increasingly, these devices will allow us to make easy payments and begin to transition from cash, and potentially credit cards, as the main payment methods. These new systems naturally have a significant focus on payment security and on reducing fraud, but we can expect focus from cyber criminals too, as these integrated platforms hold increasing amounts of your life and your money.
- Cloud services back on the list
Certainly not a new theme, but cloud service adoption had dropped off the agenda for many businesses given the challenging economic conditions and a mist of unanswered questions. However, many are now starting to use these services, either casually or explicitly. The net result is a focus on securing the data wherever it flows rather than just protecting the device, or the network. Cloud service providers, as they grow more popular, will be a target for cyber criminals. After all, they can potentially steal lots of data from just one place, making it a juicy target.
The challenge in 2012 will be to ensure that businesses don’t regress in their security capabilities as they adopt new technologies and the cyber criminals expand their focus. Equally, as we change the way that we access information, and as users continue to mobilise and access information from different locations, security tools will need to be flexible to new deployment and use cases, for example ensuring that web protection works effectively even when users are roaming outside the traditional VPN.
Given the cyber criminals’ techniques and the above trends, organisations need to make sure they have a good focus on remediation and healthcare in their environment. Keeping devices healthy by identifying missing patches in areas commonly targeted by the bad guys will help significantly. Organisations should make sure they evaluate their use of cloud services and consider how they protect data as it flows to a wider range of devices and partners—technologies like file and folder encryption will aid cloud and new device adoption. This year, the focus should be on getting those basics ubiquitously covered in the new deployment models and on any devices being used in the organisation, as well as challenging the organisation’s security tools to solve more of these problems.
James Lyne is the director of Technology Strategy, Sophos. Follow him on Twitter at @jameslyne.