Did security predictions for 2010 come true?
Last year’s predictions of what to expect in cybersecurity were pretty close to the mark
January is typically a time for making predictions about the year ahead, but I wanted to use this column to take a look back at predictions for 2010. One year ago, I offered some consensus opinions about what would be keeping you awake at night in the coming year, and it turns out they were not too far off the mark.
A few unexpected things cropped up, however.
I wrote in January 2010 of “concerns about an increasingly complex and networked IT environment, with new and increased threats coming in cloud computing, social networking and mobile platforms.”
Increasing complexity was something of a no-brainer: If a system is so complex and is changing so rapidly that you can’t effectively manage it, then you can’t secure it. That is still a major concern and probably will be for the foreseeable future. Anybody in the prediction business could safely include this one year after year.
Security issues to fear in the New Year, 2010
Concerns about social networking were also pretty well on-target. Flaws and functions in popular sites have allowed information to leak out, and the sites have become valuable data mines for social engineers looking for the right piece of information to hook you into opening an attachment or clicking on a link. Even the generation that supposedly has grown up online and has no expectation of privacy has begun to rethink the consequences of such openness, and Facebook faces growing scrutiny with every change to its default settings. I guess that’s what happens when you start questioning the wisdom of some of your youthful decisions — privacy begins to sound like a good idea.
But predictions about cloud computing and mobile devices were not as accurate. It’s not that there are not legitimate security concerns about both those environments, but they did not really develop in 2010 as expected.
Hackers have been operating in the cloud for a long time, hosting their own services and applications in botnets. But legitimate cloud computing architectures have not become the targets of exploits to the extent that was feared. Perhaps that is because of a persistent undercurrent of concern about cloud security, which has made administrators cautious about moving sensitive data into the cloud until those concerns are addressed.
Last year, Kaspersky Lab predicted that “the increasing popularity of mobile phones running the Android OS combined with a lack of effective checks to ensure third-party software applications are secure will lead to a number of high-profile malware outbreaks.”
One year later, “next year” is still going to be the year of mobile-device malware. Maybe it will finally happen in 2011. The increasing number and growing functionality of smart devices might make them attractive, viable targets. But so far, the more accurate opinion has been the contrarian view expressed last year by the folks at IBM, who said direct threats against mobile devices would remain scarce. “The reason is simple,” IBM officials said back then. “PCs remain a much more valuable target, thus criminals will continue to focus on them.”
What we missed in our predictions last year were the stealthy, sophisticated and targeted attacks that made headlines in 2010. Both Operation Aurora, which was reported by Google in January 2010, and Stuxnet, which was discovered six months later, had been in place at least as early as mid-2009 but did not come to light right away. The exploits were delivered quietly, for the most part to selected targets, and they maintained a low profile.
Stealthy attacks are not new, but the sophistication and apparent success of those two examples have helped to define the fears for the coming year.
One other prediction from last year was pretty much dead on: ICSA Labs, a testing and certification laboratory, warned that “the Windows 7 operating system, while built to be more secure than Vista, will inevitably be riddled with exploitable vulnerabilities.” As of its December 2010 security bulletin, Microsoft had issued 55 updates for Windows 7.
Have a happy and secure new year.