This trend will be driven, we predict, by the not inconsiderable fact that the incredible volume of new security threats seen over the last 12 months will push many of the so-called legacy threats out of the first tier of the attack tables that many IT security applications automatically load into memory.
But 2013 will also, we believe, be marked as a period of adaptive security threats, driven by the continual development of five key areas:
1. Adobe Acrobat and Reader security flaws
2. SQL injection threats
3. Compromised and malicious Web sites
4. Exploit Kits
5. Zero-day Web browser threats.
The four main groups of attackers that will be delivering the main strands of threats will be cyber-criminals, cyber-terrorists, political hacktivists and rogue employees - causing IT security professionals a number of headaches as never before.
Adobe Acrobat and Reader security flaws
The first of our five threats that IT professionals should be on the lookout for in 2013 is the recurrent problem of Adobe Acrobat and Reader security flaws. Although Adobe’s software has been around since the early 1980s, it wasn’t until the company acquired Macromedia in 2005 – when Flash came under Adobe’s wing - that the extensible code threat landscape started to change.
Because much of Adobe's code structures are designed to be executed across multiple platforms, this makes the process of enhancement a tricky one, especially against a backdrop of a constant stream of Patch Tuesdays for Windows - and similar code updates for the Apple Mac and other operating system platforms.
A classic example of this was back in December of 2011 when hackers started tucking into a potentially major Adobe Acrobat and Reader security flaw, with Adobe issuing a warning to its user base about the issue, which affected Adobe Reader X (10.1.1) and earlier versions for Windows and Apple Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for Unix, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines.
Since the security issue extended to include MS-Office users, the problem – just one of many for Adobe over the last couple of years – was a lot more widespread than many of the other Adobe vulnerabilities reported by security research organisations.
The solution to these vulnerabilities is similar in principle to the advice we give our clients about Java in all its shapes and forms: namely the need to constantly patch – and stay on top of patches – in almost any computing environment.
Whilst Adobe has developed its own strategies to deal with these issues – including that of integrating its own updates alongside Microsoft's Patch Tuesday code releases – there may be an argument not to install an Adobe application unless you actually need the facility.
This is especially true where Web browser clients are involved - and it is worth noting that there are a number of browser extensions and apps designed to easily toggle extensible code environments on – and off again – as and when required.
It is also worth noting that, whilst an Adobe install may be required on your laptop computer, there is rarely a requirement for the same application code to be installed on a server environment.