Security issues to fear in the New Year
This is the season for top, best and worst lists, so it is appropriate to bring you a list of the things that are likely to be keeping you awake nights throughout the coming year. Predictions are risky, however, so in order to spread the risk (and the blame) I have searched for some consensus in what the deep thinkers at some of the large IT and security organizations are worried about.
Everyone has his own point of view and ax to grind, but the patterns show concerns about an increasingly complex and networked IT environment, with new and increased threats coming in cloud computing, social networking and mobile platforms.
Cloud computing was one of the major buzzwords of 2009, but there has been a persistent undercurrent of concern about security associated with it. Those concerns are coming to the forefront as the bad guys are expected to be on the lookout for vulnerabilities to exploit in cloud environments, and for opportunities to use the cloud for their own nefarious purposes. Cost savings will continue to drive a migration of public data to cloud environments, but criminals are expected to follow.
“We have already seen the emergence of ‘exploits as a service,’” the folks at IBM wrote in their year-end musings. “In 2010 we will see criminals take to cloud computing to increase their efficiency and effectiveness.”
The botnet services market is also expected to grow, as herders of these illicit networks look for more ways to leverage their investments in compromised computers.
“My greatest hope for 2010 is that marketing departments will give the term ‘cloud computing’ a well deserved break,” said Michael Sutton, VP of security research at Zscaler. “2009 saw great interest in the development of cloud-computing architectures and one must wonder how often security was sacrificed in order to get to market quickly.”
Wise administrators will delay moving sensitive data to the cloud until security catches up with functionality.
The Web is expected to be a fertile field for developers both good and evil. Browser exploits are old hat, and Web worms are predicted to be a growth area. This leads ICSA Labs, a testing and certification laboratory, to predict increased adoption of Web Application Firewalls as the market for them matures.
The Web is closely tied with platforms such as social-networking sites that are becoming more flexible and powerful, allowing user-created functionality as well as content. This could offer a great playground for hackers and other bad guys as they introduce and exploit vulnerable code, and the site owners will be struggling to combat them.
Last year saw worms such as KoobFace spreading through social-networking sites, and bot attacks spewing fake password reset notices to users. Social-networking tools such as Twitter are being used to distribute malware, and social-networking sites are an ideal place for social engineering. Users without a high level of skepticism could become their own worst enemies as they fall prey to solicitations and messages delivered through and to these sites.
And while we’re online, the proliferation of specialized applications for mobile devices is seen as another growing threat. The availability of these applications, which can range from business tools to gimmicks and toys, help to drive the adoption of new platforms, but security assurance for these applications often is minimal.
“The increasing popularity of mobile phones running the Android [operating system] combined with a lack of effective checks to ensure third-party software applications are secure will lead to a number of high-profile malware outbreaks,” Kaspersky Lab predicted.
Mobile users also will be increasingly targeted by spammers and phishers in the new year, but IBM predicts that direct threats against the devices will continue to remain scarce. “The reason is simple,” IBM said. “PCs remain a much more valuable target, thus criminals will continue to focus on them.”
Keep in mind that new year predictions are not infallible. Sometimes they are not even consistent. Take rogue antivirus, for example, those malicious programs offered to remove supposed malware and which cause more problems than they cure. Their day has passed, says Kaspersky. “The fake antivirus market has now been saturated and the profits for cybercriminals have fallen,” the company said. But ICSA predicts that the rise of legitimate antivirus products being offered for free will be accompanied by an increase in rogue “scareware.”
One prediction made by ICSA seems incontrovertible, however. “The Windows 7 operating system, while built to be more secure than Vista, will inevitably be riddled with exploitable vulnerabilities.”
Have a happy new year.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.