Every year here at Infosecurity we are inundated by lists of predictions from vendors, researchers, analysts, and other parties with a stake in the information and cybersecurity industries. So far, 2012 has been no different.
These predictions run the gamut from recycled soothsaying that could be applied to the year past, to bold new predictions that give reasons for concern. For your information, or in some cases entertainment, we have compiled an inventory of these forecasts for you to consider.
Rather than just regurgitating these lists wholesale, we thought a bit of retrospection was prudent by first holding our own contributors accountable and looking back at what our editorial advisory board said in early 2011. As you will discover, they had us well-prepared for the year to come.
After this trip down memory lane, we will then move forward and discuss some of the common trends we compiled from our predictions lists, in addition to discussing some of the most novel – dare we say provocative – trends we expect to see over the coming year.
Promises Fulfilled
About a year ago our editorial board provided us their collective wisdom by making some security predictions for the upcoming year. Perhaps not surprisingly, given the accumulated decades of experience these distinguished professionals posses, nearly all of them came to fruition in one way or another.
Last year our editorial board sounded off about the M&A trend that heated up at the end of 2010, and which looked like it would continue straight through 2011 – and in fact it did. Most of our advisory board agreed this was a function of the security industry’s infancy, and that larger players would scoop up smaller ones with niche product offerings.
But some of our editorial board members – including Sarb Sembhi (Incoming Thought, ISACA), Marco Cremonini (Universita degh Studi di Milano), and John Colley (ISC)² – expressed their concerns over what this movement might mean for innovation over the long term. Our board correctly predicted this trend would continue.
Consumerization within the enterprise – or bring your own device (BYOD) – was another topic that nearly all of our editorial board members cited as a blossoming trend throughout 2011 and beyond. Once again, these gentlemen were on point – so much so that this very issue of Infosecurity shines a spotlight on consumerization.
Both Raj Samai (McAfee) and John Colley also correctly predicted that more large data breaches with varying degrees of sophistication would be in the news during 2011, although both would likely admit this was hardly a bold projection. Massive breaches at Sony, RSA, and marketing firm Epsilon were just a few of the most notable examples, in addition to well-publicized infiltrations such as Shady RAT.
Talk of blended, sophisticated attacks were all the rage at the end of 2010, and the Stuxnet revelation that closed out the year provided an important example of how damaging advanced persistent threats (APTs) can be heading into 2011. Gerry O’Neill (Inforisca) advised that blended, increasingly sophisticated attacks would continue and they would be “potentially long range in their information gathering”.
So when, as some described it, Stuxnet gave birth to a new son christened Duqu, this transition had a name and face. While reports over who created Duqu and for what purpose have been conflicting at times, one point seems to be consistent: rather than being a cyber weapon – as in the case of its Stuxnet predecessor – Duqu seems to be a tool of cyber espionage intended to gather information on key targets. Somewhere, Mr O’Neill must have flashed a rather tempered smile when reading about this development.
Same Old, Same Old
APT, cloud, mobility, social media – rinse, lather, repeat. It sometimes seemed as if organizations and individuals offering up their insights into 2012’s threat landscape had used the same template, but just changed the words around a bit.
The first on our list of the most repetitive predictions is that of the increasing likelihood of advanced persistent threats. Listing a number of commentators who have highlighted this as a trend in 2012 would be a pointless endeavor – there are simply too many. Important to have on your radar? Yes. New for 2012? Hardly.
In short, if your organization has information of any value (and most do), then you are a target for APTs. It’s just like saying that if you have devices connected to the internet, then they are susceptible to malware. Some threats rise to the level of constants no matter their importance, but this does not necessarily make them new and worthy of a ‘predictive’ status. If I know it has rained in the past, and that it will rain in the future, then would it be news if I were to say it will likely rain this year? You can be the judge of that.
Consumerization meets BYOD meets Android: a legitimate concern, but one that has been highlighted by many observers, including Lumension’s forensic analyst Paul Henry. He says enterprises will increasingly rely on BYOD to improve productivity and efficiency, but with little concern for security. Add to this Android’s ascendancy to the top spot among mobile operating systems, and it creates what Henry has called “a perfect storm for hackers”. Because the Android market does not perform security screenings of its applications (as of this writing), he expects the explosion of malware affecting the operating system to continue right through 2012. Henry has plenty of company regarding this assessment.
"The overall picture is not improving...In the end, users' false sense of security is a cyber-crook's best friend" |
Luis Corrons, PandaLabs |
Numerous vendors have made the same appraisal when it comes to the danger of mobile devices within the enterprise. Among these are Blue Coat Systems, Guidance Software, and AppRiver, just to name a few. But we couldn’t help but be entertained by Vigil Software’s description of the mobile threat as being “the soft under belly that hackers will find irresistible”. Kudos to the people at Vigil for paying attention to their Churchill lesson during history class.
Paul Henry’s colleague at Lumension, the firm’s CEO Pat Clawson, touched upon another common theme in our survey of predictions: the difficulties organizations will face in protecting virtual and cloud environments. Again, the threats are real, but as far as predictions go, this is so 2011.
Clawson is not alone by continuing to bring up the importance of securing organizations’ migration to the cloud. Richard Moulds, vice president of product strategy at Thales e-Security, sees the convergence of cloud and compliance causing some real movement on the encryption front in the near future. This “collision course”, as he described it, requires a solution so that organizations’ interest in what the cloud has to offer does not diminish due to concerns over placing sensitive information in the cloud.
“To better accommodate sensitive and regulated data, cloud providers must turn to encryption, as more and more regulating bodies are declaring encrypted data to be out of scope for an audit”, Moulds noted. “The more the cloud service provider can isolate a customer’s environment and shroud it with encryption, the happier that provider will be with sensitive data”, he added. Almost certainly, this will make their customers happier as well. What remains to be seen is whether cloud vendors offering encryption will drive up the price of their services, negating the cost savings that are so often associated with the cloud.
Wrapping up this list of the most common predictions is the proliferation of social media-based attacks. This includes all of its various forms – from social engineering, to links that re-direct to drive-by download sites. We heard about them all, over and over again, from nearly every person or vendor that offered up an opinion, so no need to embarrass anyone by name for pointing out the obvious.
For an industry that exists in such a dynamic, fast changing environment, warnings about social media threats are a bit ‘old hat’. Sure, they do indeed exist – and will undoubtedly proliferate – but they are nothing new for 2012.
Favoring the Bold
It’s easy to predict what has already happened, or what will continue into the future. It’s an entirely different animal when one foresees that which has no precedent, or that no one else is talking about. While the following predictions are far from unfounded shots in the dark, they do stand out as either refreshingly original concepts or by simply being outside the mainstream thought.
Now we know our readers would never hand over any amount of money to perpetrators of a ransomware scheme, but what about the users they oversee within their own organizations? If a problem such as this occurs at work, then any employee’s first move would likely be a call to the help desk. Yet what happens when such a threat hits their personal mobile device – a device this employee often uses to store and transmit work-related items? Perhaps a call to their employer’s help desk is not the first option.
A warning from Fortinet Labs foretells just such a scenario in the coming year. The firm’s research arm has observed the success of similar attacks on PCs, and believes that multi-layered attacks will lead to root access on mobile devices.
“Mobile malware that utilize exploits have also been observed, along with social engineering tricks that lead to root access on [an] infected device”, Fortinet explained. “With root access comes more control and elevated privileges, suitable for the likes of ransomware”. The company predicted that 2012 will be the year this attack goes live.
Keeping with the mobile theme, our next forecast comes from Trend Micro. You may be asking yourself, ‘but aren’t predictions around mobile threats rather common?’ In fact, you are correct in thinking this. Now ask yourself how many people have warned you about the security of the trusted applications you use every day on both your personal and corporate devices? If we have ruined your day by giving you another thing to worry about, then please send your thank you cards to our friends at Trend Micro.
As previously mentioned, the dangers of BYOD and the security of mobile applications have received ample coverage. The threats they pose are both real and well documented. However, Trend Micro’s report on 2012 predictions focused on one narrow aspect of mobile security that went, for the most part, unmentioned by the other prognosticators we surveyed. Rather than highlighting the pitfalls of rogue applications, Trend Micro believes that cybercriminals will target the vulnerabilities in trusted, widely used legitimate apps.
Numerous warnings have been issued about those dodgy Android Market apps, and others from third-party app stores with obscure developers. Trusting the security of NPR’s news app or the BBC’s breaking news should be a no-brainer. Not so fast, warns Trend’s Rik Ferguson.
“We fully expect cybercriminals to continue the experimentation with mobile malware functionality but also to begin searching for vulnerabilities in legitimate mobile apps instead of concentrating solely on the Trojan approach”, noted the firm’s director of security research. Trend’s annual report on forward-looking threats said cybercriminals will seek vulnerabilities in coding errors of these legitimate and trusted apps that may lead to data protection issues.
In the spirit of Monty Python, our next and final prediction is something completely different. Okay, it’s still related to mobile security, but this time it comes from an organization with a viewpoint that is the polar opposite of most of its contemporaries.
PandaLabs bucked the Android-bashing trend, reminding us that it has been almost a decade since anti-virus companies started their dire warnings over mobile malware. The situation – as they correctly noted – has been far from the doomsday scenario, although there is an obvious uptick in this type of activity. Last year PandaLabs said there would be a marked increase in attacks on mobile devices, and they were spot on. This year, the firm’s research outfit said, “there will be new attacks on Android, but it will not be on a massive scale”. For this prediction, PandaLabs stands alone. With vendors, researchers, and analysts alike all picking on Android, the firm has offered up a bit more tempered advice. At the end of this year, at least someone will have proved prophetic on the Android front.
Nevertheless, Luis Corrons – technical director of PandaLabs – issued a sobering assessment of the year to come. “The overall picture is not improving”, Corrons lamented. “As new technologies advance, cyber-crooks develop new modes of attack sometimes by simply adapting old techniques to the new platforms. In the end, users’ false sense of security is a cyber-crooks’ best friend.”
A Never-ending Struggle
The problem with predictions is that those who look into the future and guess wrong have nothing to lose, yet they are always some of the first people to pat themselves on the back when prognostications turn into reality. Predictions in the information security field, however, have a knack for coming true eventually, likely because those who make such analyses are well aware of the vulnerabilities that both people and organizations face every day. Unlike predictions in other fields – let’s say, sports – things that many assume will go bad in the fields of information and cybersecurity often have far-reaching, dire consequences with some potential for real disaster.
While many of the people we talk to in this industry are top-notch when it comes to awareness, one need not possess a Hawking-type mind to correctly assume that some shady characters will take advantage of unscreened apps in a mobile marketplace, or a known software vulnerability that remains unpatched.
Then there are the unforeseen trends that are the function of IT’s ever-changing landscape. Often we talk of good guys vs. bad guys in this industry, but the most naive discussions center around “beating” these so-called bad guys. Logically, this wonderland of virtue will never be realized (but admitting this simple fact hardly helps sell products). There will always be offenders and defenders, no matter the situation, and the threats we face tomorrow may not even be on our radar. It’s a point driven home by the ISF’s vice president, Steve Durbin, as he looked forward toward 2012.
“Predicting the future of IT threats is always very difficult”, he acknowledged. “Organizations can usually only deal selectively with individual aspects, but we are seeing a convergence of several major security issues that will have a significant impact in the coming months and beyond. You could argue that we are heading towards a ‘perfect storm’, where a combination of threats relating to cloud, consumerization, cybersecurity, and more, will come together at the same time.”
The award for the most sarcastic, if not accurate, prediction goes to our US news correspondent, Fred Donovan. During a recent review of the year that passed, he rather unboldy proclaimed “there will be more data breaches in 2012”. Amusing as this was, and completely accurate, I do hope that someone will go keep Fred company out on that imaginary ledge he has put himself on.
In the final analysis, it’s perhaps the words of our own UK news writer, Kevin Townsend, that ring most true when looking ahead to 2012. He noted that despite all the warnings, “it will be the threat that you didn’t expect that gets you”. This is sound advice, and it may be the most important thing to keep in mind at all times. It appears that the old cliché ‘expect the unexpected’ is indeed timeless counsel.
Welcome all to 2012, a year in which this never-ending struggle continues. Mayan calendars aside, I will likely be able to say the same thing when 2013 comes around.