
10 Security Predictions For 2009
7:00 AM EST Fri. Dec. 05, 2008
The explosion of malware that experts saw in 2007 and 2008 is not about to slow any time soon. It's no secret that malware targeting Web 2.0 applications is getting more diverse and harder to track. But expect it to be even more complicated, security experts say, as malicious code is written with more variants -- all geared around password and identity theft. Attackers are now able to create hundreds of thousands of unique malware pieces -- most of which are written with no unique signature so they can circumvent traditional signature- and reputation-based virus-detection software. Attackers will also continue to infuse legitimate Web sites with malicious Trojans, causing malware levels to continue to skyrocket throughout 2009.
"That creates a challenge for us," said Zulfikar Ramzan, technical director for Symantec Secure Technology and Response. "There's a lot more bad stuff than good stuff. It might lead to a shifting in the way we do our job."
In tough times, the cybercriminals get tougher. True to form, criminals are taking advantage of the economic crisis and finding new ways to scam users who are worried about their employment and financial status.
Expect to see more legitimate-looking phishing attacks impersonating mortgage lenders and banks offering to give users great deals on loans or offering credit cards for cash-strapped users. Other attacks might request users' passwords and account information, claiming to transfer their old account information from a bank that has closed.
"I think it's going to be more dramatic than last year," said Anthony James, vice president of products for Fortinet. "Phishing has become so well-architected, it's hard to distinguish, 'Is it my bank or is it not?'"
The popularity of social networking sites has not gone unnoticed by malware writers. Increasingly, users are taking advantage of Web 2.0 sites like Facebook and LinkedIn for much of their online communication with work colleagues, friends and family. As a result, experts say that attackers will be leveraging that trend with attacks that impersonate social networking sites or spoof contacts from users' friends lists, banking on the fact that users will be more likely to click on a message that they think is coming from someone they know.
"The fact that there is a certain level of trust associated with social relationships is something that attackers are going to start exploiting in great detail," Ramzan said. "We're going to see an uptick in that area."
In 2009, information warfare will get taken up a few notches. The days when cybercriminals launched "spray and pray" attacks with millions of victims are fading in number. In fact, security company Fortinet reported a steady drop of monthly distributed malware in 2008.
Instead, criminals are consistently going for the biggest bang for the buck, launching premeditated attacks with specific objectives, Fortinet reports. And as competition increases, hackers will continue to do their homework in an effort to reach the largest possible number of victims. Consequently, users should anticipate seeing highly targeted, and convincing, cyberattacks launched with custom malware. This also means that there will be more attacks in local languages, instead of just grammatically incorrect English. There will also be more attacks capitalizing on a user's personal information or data specific to the user's company.
Efficiency and affordability will be the name of the game in 2009. As more businesses find ways to cut costs and reduce IT staff resources in the down economy, they will also be looking at ways to adopt technologies with multiple functionalities. Facing increasing pressures to consolidate, businesses will be trading in their plethora of point products for a few affordable, easy-to-install, and easy-to-manage devices. In addition to integrating multiple security capabilities into a single device, companies will look for security solutions that encompass network functionalities, such as WAN optimization and SSL inspection, or storage functions, such as disaster recovery.
"Obviously, we see a big trend in consolidation," said Anthony James, vice president of products for Fortinet. "There's started to be a lot more vendors that have created partnerships or put multiple security applications in a single box. Customers are starting to accept that, either because they're forced to or because they see the value in a multiple threat security device."
It's a fact. Underground cybercrime organizations are becoming stronger and more powerful. In the past few years, large groups of loosely organized hackers have coalesced into well-managed, highly organized and financially driven networks. And they're looking to extend that network by delegating responsibilities. Experts expect to see more "hacking services" being offered, such as botnet rentals and harvested accounts sold to the highest bidder on auctioning Web sites. Rootkits and exploit kits will be adopted to automate the processes. And more incentives will be offered to "script kiddies," who will provide hacking services to these organizations on a contract basis.
And more will be tempted to join the dark side as the economy worsens and more underground channels are opened up, experts say. "There's just too much darn money to be made," said Dave Marcus, security research and communications manager at McAfee. "And where there's money, there's going to be organization."
Expect inside threats, which have always been one of the biggest sources of data loss, to increase even more. As the economy worsens, companies will be forced to further reduce staff and resources. Consequently, more disgruntled workers will find ways to seek retribution from their employers. And sometimes that retribution will come in the form of taking valuable data, trading company secrets with competitors or pilfering money from the company (remember the film "Office Space"?). And companies that conduct massive layoffs will also have to deal with an onslaught of access issues and open accounts that will open up the door for both internal and external attacks.
The economy may be in shambles, but Payment Card Industry Data Security Standards aren't going away any time soon. In fact, in light of a rash of high-profile data breaches that have graced the front pages of the newspapers this year, credit-card companies are tightening the reins and imposing more stringent regulations on businesses as the economy slows and credit becomes scarce. Attackers are headed straight for the data, forcing businesses of all segments to enhance their security infrastructure in 2009.
Perhaps not coincidentally, PCI compliance deadlines will also be realized for the vast majority of businesses, incorporating Tier 3 and 4 companies. Companies will be forced to enhance their security infrastructure or face penalties, such as stiff fines or loss of credit-card-processing privileges. As a result, companies will place greater emphasis on what were once considered high-end solutions, such as data loss prevention and encryption technologies, aimed at protecting the information stored within the database. Auditing and reporting tools and services will also likely see a rise, experts say.
With the online gaming explosion in Asia as well as in North America come explosive opportunities for cybercriminals. Those who live, eat and socialize in the virtual world can also get robbed in the virtual world. Online games are a particularly attractive target, due to the fact that many gamers will do almost anything to preserve their winnings -- which includes giving in to blackmail by hackers, experts say. Hackers that break into online games will often hijack a user's game and threaten to eliminate their hard-won prizes or set their account to zero unless the user pays up. And, often, users will cough up money rather than lose their game status.
In addition, security experts expect to see more hackers launching Trojans specifically designed to steal passwords and account information from online games in 2009. And we will only see more of that as the virtual world continues to grow.
It's a sign of the times. As more companies struggle to stay in business, and try to do more with less, they will continually gravitate to a managed-services model for their security needs. From a business perspective, outsourcing security tasks is affordable, reliable and efficient.
Instead of hiring, companies will increasingly rely on managed services for their basic security requirements, freeing up IT staff to work on other mission-critical projects. Plus, security as a service reduces house energy costs and requires less IT personnel resources -- which ultimately translates to fewer IT dollars spent. And not just for small businesses, although the bulk will be at the SMB and midtier levels. The SaaS model for security will become increasingly attractive for all types of businesses looking to cut costs -- which in this day and age is just about everyone.