The trends have been detailed below:
1. Nation-sponsored hacking: When APT meets industrialization
Nation-sponsored, specifically targeted cyber attacks will incorporate concepts and techniques from the commercial hacker industry. These campaigns will carry a different malware payload than traditional attacks conducted for monetary gain, but they will use similar techniques. These Advanced Persistent Threat (APT) attacks will borrow techniques such as automation and viral distribution, making them all the more powerful and potentially more successful. An example of such an attack is Stuxnet, which was not searching for data to monetize; rather, it was focused on gaining control of crucial infrastructure.
Both classes of attack (hacker industry and APT) are going to use some of the same techniques, so some security controls are applicable to both. On the positive side, if you're covered against the cyber mafia, you should have some of the controls needed to be protected from certain APT attacks. As APT is persistent, if a certain attack does not succeed, another one will come into play. Traditional security controls do not deter these relentless, state-sponsored hacker organizations. For the enterprise as well as government, this means increasing monitoring of traffic and setting security controls across all organization layers.
2. The insider threat is much more than you had imagined
In this upcoming year, we expect to see a growing awareness of security incidents of an “insider job” nature. Attention will grow as a consequence of an increased flow of incident reports where data theft and security breaches are tied to employees and other insiders. The cause of this trend will be the emphasis put on new regulations covering the act of notification and disclosure (rather than on the actual protection of data).
To deter insider threats, organizations should therefore:
- Enforce access controls such that access is based only on a business need-to-know level. This includes eliminating excessive privileges.
- Provide the proper access auditing tools to data centers. These auditing tools should monitor who accesses what data.
Man in the Browser (MitB) attacks are going to become more sophisticated and move on to more types of online applications. As a consequence, more online service providers are going to include this in their list of priorities for 2011, shifting the responsibility for mitigating the risk from the consumers to the service providers.
While avoiding infection by proxy Trojans is presumably the responsibility of consumers, MitB attacks are quickly becoming a concern of online service providers. The actual rate of infection and the proliferation of the many types of MitB malware suggest that providers must be able to serve (and protect) customers who might be infected with one type of malware or another. Just as the evolution of vehicle safety drove manufacturers to include devices such as ABS, airbags and ESP, rather than rely on us to drive carefully, so will online service providers need to invest in mechanisms that allow them to conduct business with allegedly infected consumers. Among the technologies that we foresee as helpful are strong device identification, client profiling, fast security code evolution, session flow tracking and site-to-client authentication.
4. Misanthropes and anti-socials: Privacy vs. security in social networks
In 2011, we will see prominent social networks and tools putting more effort into security than into privacy. This is not the result of resolved privacy issues, but rather an understanding of the real threats to the existence and proliferation of social networks.
There are two key factors at stake: security and trust. While privacy concerns the ability to keep personal information hidden from other application users, security controls the way in which people use the information of others. Trust impacts our ability to make decisions based on the information we receive through social networks.
In today’s social networking platforms, both security and trust are in danger. Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities are quickly translating into massive worm outbreaks.
Next year, we expect social platforms to invest more resources in improving the security posture of the platform. These measures will provide improved protection against application layer attacks, stronger authentication and account control features, as well as better malware detection systems.
5. File security takes center stage
In 2011, we expect to see a growing number of data breaches where compromised data is in the form of files rather than database records. Consequently, organizations will rush to look for the proper tools to control access to repositories of unstructured data, mainly file servers. We estimate that the number of compromised files, and the number of organizations that suffer a massive file related security breach, will rise. Even PCI 2.0 has recognized the security aspect of storing data in different locations.
With today’s available tools, controlling access and usage of these files can be an extremely daunting task. Since each file is an autonomous entity, with respect to content ownership and access control (contrary to a database record), maintaining control of who can access a file is almost impossible as is keeping track of access to those files that contain sensitive information. The inability to maintain control may result in excessive access privileges and an inadequate audit trail of access to sensitive information.
6. Data security goes to the cloud
We expect to see more application security offerings in the cloud throughout 2011, and predict some early data security in the cloud offerings. Offerings will need to respond to private and public clouds that are either self-serviced or managed as a service. This trend is a late response to the move of many applications and data stores to cloud technologies, and the industrialization of hacking, which dragged many smaller online businesses into the threat zone.
Taking all the forms of cloud together (private and public, SaaS, PaaS and IaaS), we can see a set of challenges for both providers and consumers. These can be summarized as follows:
- Maintaining bulletproof partitions between datasets of different customers
- Providing different levels of data security to applications sharing the same logical or physical platforms
- Protecting customer data from the prying eyes of cloud administrators
- Providing solutions that operate over a specialized infrastructure (VM, Amazon AMI)
- Managing application and data security for a large number of applications inside the cloud.
7. Mobile devices compromise data security
The proliferation of sophisticated mobile devices is going to have a substantial effect on application and data security in the coming years. In particular, we will see organizations struggle to accommodate the increase in number and variety of these devices, while maintaining traditional data and application security practices.
The past couple of years have witnessed a dramatic surge in the number of sophisticated mobile devices being used as access points to online services and enterprise networks. Add to the mix a growing variety of applications that are a gateway to enterprise systems, including CRM, ERP, and document management. While we are used to concerning ourselves with lost or stolen laptops, it turns out that missing mobile devices may be just as big of a pain point.
As mobile devices become mainstream, online service providers will create a special version of their applications to match each device platform. We anticipate that this process will cause older vulnerabilities to surface once again, in particular mistakes around identification and authentication. Thus, the applications will become vulnerable to mistakenly trusting attributes of the data stream that can be forged by an attacker.
Furthermore, some assumptions regarding “strong” multifactor authentication schemes are becoming obsolete. Take, for example, applications that use a one-time password (OTP) for validation of sensitive transactions being defeated by a Trojan that is able to access the OTP delivered through SMS.
Mobile malware will proliferate as malicious code becomes available for these platforms (e.g. Zitmo), and the complex applications (not to mention the usual human flaws) make it as easy, if not easier, to infect a mobile device with malware as any standard desktop platform.
We expect exponential growth in the number of incidents related to mobile devices in the next few years. Organizations need to start planning to secure the devices and their interaction with the enterprise networks. Tools and procedures need to be put into place, such as anti-malware, encryption, and authentication. Special monitoring requirements should be set for access of these devices to enterprise resources (databases, files, intranets). On the other hand, application providers need to get their act together with respect to serving these devices, including vulnerability mitigation, reevaluation of trust, and incorporation of new authentication/authorization channels.
8. Hackers feeling the heat
In 2011, the cyber crime landscape will change in two ways. First, more and more smaller cyber gangs will go out of business. Why? Security researchers will continue to look into the hacker operations and will unearth the smaller or less diligent criminals. In general, the hacker industry will react by investing more resources in their attack techniques and detection evasion. The hackers that cannot make this investment will go out of business. Other cyber-criminal organizations will “buy-out” other groups or merge their operations with other groups. This will lead to the second change. The current powerful cyber crime organizations will consolidate their power and grow (after all, antitrust laws don’t apply to them).
As the year 2010 draws to a close, it provides us with all the more examples of this accelerating trend:
- At the end of September, Zeus botnet ring leaders and operatives were arrested. This was the culmination of a year-long investigation that included the infiltration of the C&C servers by security researchers. Similarly, the mastermind of the Bredolab botnet was arrested three weeks later.
- During mid-October, the Avalanche phishing group completed their 2-year-long move from phishing techniques to distributing MitB Trojans.
- The end of October saw the Iranian Cyber-Army (ICA), infamously known for engaging in politically motivated DDoS attacks, advertising their bots for rent.
9. Cyber security becomes a business process
The consolidation taking place among security vendors implies, as Intel CEO Paul Otellini put it, “We have concluded that security has become the third pillar of computing.” Vendors are seeing a big shift in security; what about enterprises?
Today, cyber security can't be separated from business operations. For this reason, how security teams must view and approach their roles has changed dramatically. For example, in the past, a CIO’s role was laptop distribution. Today, CIOs build supply chains. In the past, CISOs distributed anti-virus and set up firewalls. Today, they must know where data resides, where it moves and how to protect it, which requires a serious, comprehensive data security practice. This means security teams need to become business process experts to keep the bad guys disarmed while keeping the good guys productive.
10. Convergence of data security and privacy regulation worldwide
As newspapers feature more companies that violate data privacy on their front pages and security breaches appear daily, government regulators will continue to tighten the legal screws on enterprises.
Continuing data breaches force more and more governments—and even private industries—to consider more in-depth security regulations to protect citizens. But another interesting trend seems to be flying under the radar: as enterprises contend with additional data laws, a consolidation will take place across borders. Recently, for instance, the FTC reached out to the EU to begin the process of investigating where both sides of the Atlantic can unify data security laws. Companies will comply, but will find the task of complying with multiple mandates across borders very difficult. Governments will respond (in fact, they already are) by defining a common framework to make life easier for themselves and for enterprises housing data.