10 Security Predictions For 201310:00 AM EST Tue. Jan. 15, 2013
Every year, security companies issue their predictions for the types of issues they expect will impact systems and make headlines for the next 12 months. Understandably, many of them are quite similar if not exactly the same. As such, CRN has pulled together its "best-of" list, looking at everything from zero-day threats, mobile malware and hacktivism to SCADA, cybercrime and cyberlegislation, to name a few, to determine what 2013 will have in store.
With that, here are CRN's top 10 security predictions for 2013.
Some of the vendors are expecting a steep increase in the volume of malware targeting browsers during 2013. As online purchases and online banking continue to gain momentum, the browser becomes a very useful target, given that much of the sensitive data will travel through it. In addition, most AV products are focused on traditional malware that target the operating system. The presence of various plug-ins and browser extensions further extend the attack surface. Therefore, man-in-the-browser (MitB) attacks belong on the radar screen of every security-conscious channel partner.
In 2012, malware developers targeted mobile devices far more than the previous year, and this trend is expected to escalate during the new year. Be on the lookout for ransomware through which cybercriminals will be able to lock down the device until a specified fee is paid. There are no guarantees that the device will be unlocked when the funds are received. And then, of course, the bad guys will then have the credit card number of the victim if the ransom is paid. The BYOD phenomenon increases this threat still further due to the growing number of devices that now have access to both personal and business resources.
The use of hacktivism, or cyberattacks by groups attempting to further their political agenda, is likely to increase during 2013. By some accounts, these attacks tend to be fairly basic and some predict an actual downturn in their frequency and effectiveness. But others expect that the hacktivists are far more likely to raise the bar as the security technologies strengthen. In many respects, technology functions as an equalizer between well-funded organizations with extensive economic reach and grassroots groups who have far fewer resources at their disposal. This environment tends to support the likelihood of increased hacktivism in the near future. In some cases, nation-states may also become involved as attackers as well as defenders.
The growing sophistication of information technology has spawned a new cottage industry, cybercrime as a service, involving cybercriminals who launch attacks for their non-technical counterparts in exchange for a fee. The advertising for such services is a little bit more tricky than most ad campaigns, given that whole against-the-law thing. But, a growing number of invitation-only criminal forums have begun serving as a highly effective conduit between supply and demand. This trend is expected to continue to grow during 2013. Many of the attacks are launched from international locations, including Eastern Europe and Russia.
Security has been one of the main inhibitors of cloud services. Look for cybercriminals to make more progress in legitimizing those concerns. With more sensitive data traveling the cloud and being stored within the cloud, the opportunity becomes more ripe than ever before. In addition, the same benefits of the cloud that appeal to legitimate businesses also appeal to the bad guys who are increasingly using the cloud to support their exploits. Cybercriminals can just as easily scale-up or scale-down their capacities depending on the type of attack that is being waged. Costs of crime are more effectively contained, and servers can be quickly taken down if the plan is discovered.
It is widely known that Macs have increasingly been targeted by cybercriminals, given that platform's expanded presence in the business environment. But, 2013 is likely to be the year that malware authors focus on developing attacks that can target both Windows and Mac systems simultaneously, as well as most mobile devices. Such attacks would likely focus on vulnerable technologies that are used across the board, such as Java and Flash. This trend began to emerge in 2012 and is likely to pick up steam as time goes on.
A number of industry watchers expect that 2013 will see a sharp increase in consumer applications that violate user privacy. Some of these incursions may be more sinister than others, but examples run the gamut from tracking user locations to accessing corporate resources such as email. Such attacks can also be successfully launched through phishing by fooling the victim into clicking on a link through which the malicious code can be downloaded.
As people are becoming more in tune with the subtle clues associated with spearphishing, criminals have begun to amp-up their game by using a two-pronged approach. The tactic involves an initial outreach that promises a particular follow-up. At the appointed time, the follow-up actually occurs in the form of an additional message, oftentimes with the infected link or attachment. The two messages sent in tandem lends credibility to the exploit, which tends to yield a higher rate of success. Users are advised to be more careful in considering the context of those messages and matching them up with the patterns of the apparent sender.
Attacks on critical infrastructure have long been speculated to be the next, and arguably most fearsome, step in the use of technology to cause harm. These concerns have become more pronounced with the emergence of Stuxnet, Flame, Shamoon and similar weapons that have been used for sabotage and other purposes. In a few notable cases, nation-states, potentially the United States and Israel, have also been involved in their development and use. The likelihood of similar attacks during 2013 is considered to be quite high, given that these weapons are also seen as a great equalizer between those with substantial economic resources and those with fewer such resources.
Legislation aimed at protecting critical infrastructure and information security failed on Capitol Hill in 2012. With the new Congress recently seated, look for new initiatives to begin floating around committees in preparation for another big push. Any forthcoming legislation will have to walk a very fine line aimed at providing protection without being perceived as a threat by the business community and civil libertarians. This is no small order, but many vendors, as well as policy wonks in Washington, expect continued dialogue in 2013. Given the higher profile of state-sponsored cyberattacks, such an initiative might stand a stronger chance of success than it did last year.