5 cyber threats to watch out for this year
(Plus a couple of bright spots)
Threats in cyberspace don’t disappear; we can probably expect all of the headaches from 2010 to remain with us in 2011. But some security pros have identified a handful of problems that have raised their heads in the last year or so that they believe will be the major trends in the coming year.
They range from the personal, such as the proliferation of mobile and consumer devices that continue to make their way into the work place, to the global, such as cyber war and politically motivated espionage. In general, malware is becoming more sophisticated, criminals more professional, the target environment richer, and the stakes higher.
But although security pros again find themselves playing catch up in areas where functionality has outstripped security, there are some glimmers of hope. Law enforcement might be getting better and the cloud might even improve security. Here are some predictions of what to expect in 2011.
1. Supply chain security
Vulnerabilities traditionally have been flaws in software discovered by researchers — either white hat or black — and then exploited. But who’s to say a vulnerability has to be a flaw? Why can’t it be something planted on purpose?
“Software security has increased quite a bit, and it’s getting tougher to find mistakes,” said Hugh Thompson, chief security strategist at People Security, a software security company. “What’s the next step? Putting it there yourself.”
A recent study by the Enterprise Strategy Group, commissioned by Microsoft and Hewlett-Packard, found that many organizations in the critical infrastructure sectors were unprepared to ensure that the supply chains on which they depended for IT resources were trustworthy. The study concluded that supply chain security should be a high priority for the foreseeable future.
Vulnerabilities introduced through the supply chain can be particularly dangerous because they can be purpose-built to attack a specific target and can easily avoid detection by code scanners used to detect vulnerabilities.
“Building vulnerabilities to avoid code scanners is not that hard because scanners are built typically to look for mistakes, not intentional things that have been hidden,” Thompson said.
The Open Group, a government and industry consortium promoting standards-based interoperability, announced in December the formation of the Trusted Technology Forum to identify best practices for securing a global technology supply chain. In addition to private-sector heavyweights such as IBM, Cisco Systems and Microsoft, founding members of the task force include NASA and the Defense Department.
“We’ve defined a trusted technology provider framework based on existing open standards and best practices,” said Andras Szakal, IBM distinguished engineer and Open Group board member. The task force is identifying practical programs that are grounded in reality and are already used by organizations with mature supply chain security, he said.
The Protecting Cyberspace as a National Asset bill (S.3480), which failed to make it out of the last Congress, included procurement reforms that would promote cyber supply chain security.
As cybersecurity legislation that did not make it through the last Congress is reintroduced in the current session, several bills are likely to include provisions for ensuring the integrity of supply chains on which government IT systems depend.
2. Consumerization of IT
Computers long ago passed from being strictly business machines to consumer commodities, but the pace of innovation and the disappearance of the line between the home (or the coffee shop) and the workplace further open an enterprise to threats.
“The trend is to bring more and more unmanaged devices into the network,” said Uri Rivner, head of new technologies, identity protection and verification at RSA, the security division of EMC. “That is going to create a huge challenge. This increases the attack surface.”
Not only is the attack surface growing, but the value of consumer devices as targets is growing as well, said Unisys CIO Patricia Titus. “2009 and 2010 were the USB years,” she said. “The next year, we’re going to see consumer devices skyrocketing. I think we’re going to see a significant increase in attacks targeting consumer devices, using them to gain access to corporate resources.”
It's a matter of supply and demand, Titus said. When Microsoft owned the market for consumer software, Microsoft was the hackers’ target of choice and the public’s whipping boy. With the development of increasingly powerful non-PC platforms that can be used in the workplace, the attackers are following.
There is not yet enough forensic analysis available to say how common malware is for personal devices such as laptops, tablets and smart phones, Titus said. Tracking their use and their security status is difficult because they often are not managed as part of the enterprise. But as they become Internet-enabled and support multiple applications, “we are seeing a steady increase in the amount of data consumption,” she said.
Data consumption for some users has risen to more than 30G a day. And with organizations now relying on Facebook, YouTube and Twitter as well as the Web and internal databases for mission-critical activities, not all of those bytes are personal. “The more you use the devices, the more value they have” for attackers, Titus said.
As is so often the case, the tools that are making their way into the enterprise were not built with security in mind. Security is evolving, particularly for the more mature technologies such as Microsoft Windows CE and BlackBerry devices. But too often, available security tools are not being used. Devices are not protected by personal firewalls and antivirus software, and communications are not secured by encryption and VPNs.
This puts the onus on administrators to enforce policies on which devices can and can't be connected to the network and to manage those devices that are allowed. “The perimeter is blurred, but it is not gone,” Titus said. “That is a decision that has to be made based on the risk.”
Because of the difficulty of managing personal devices being used for work, educating users is more important than ever. Education can empower users so that they benefit from the convenience and increased productivity of these new tools without opening new security holes.
Government organizations have one advantage in adapting to these new tools, Titus said. “They have a tool we don’t have in industry, and that is the authority to dictate policy and enforce compliance.” Many agency system administrators might argue that point.
3. Mobile devices
Closely tied to the issue of consumerization is mobility, because so many of the new consumer devices coming into the workplace and connecting with the enterprise are mobile devices such as smart phones.
“We’ve been saying for five years now that next year will be the year of cellular telephone malware,” said Kevin Haley, director of product management for Symantec. But the devices finally are reaching critical mass, both in the number of them in the workplace and in functionality. In 2011, “we are going to see it,” he said.
Haley said two types of threats have emerged for mobile devices. GPS trackers, disguised as a game or other application, are a form of geospyware using a device’s Global Positioning System functionality to follow the device’s location. Used legitimately, trackers can deliver targeted advertising or other information. Surreptitiously, they could be used for stalking. Another type of malware uses the devices as a platform for sending text messages or making phone calls, driving up bills for connections to an unscrupulous service.
“We’re seeing a number of these happening,” particularly in China so far, Haley said.
Now, many phones are still not easy to attack. But with increased computing power and multiple types of connections, they will become more attractive targets, said RSA’s Rivner. “There is going to be a tremendous growth in mobile Trojans over the next year,” he predicted.
One bright spot is that downloadable applications often are controlled and vetted by the device’s vendors, “so it’s a little bit better,” Rivner said. But with increased attention from hackers, holes will be found. “We will see more of these issues in 2011.”
“With the beginning of malware, we’re seeing the beginning of security solutions for smart phones,” Haley said. Symantec has several such offerings, he said, although “they are not widely used at this point.”
Because static defenses will be targeted and evaded by attackers, “flexibility and intelligence are key,” in defending smart phones, Rivner said.
4. Targeted, political attacks
“We will see more cyber espionage and, potentially, cyber sabotage,” Haley said.
Cyber espionage is not new, but 2010 saw two high-profile examples of sophisticated, specifically targeted attacks with the Google hack revealed in January and the discovery of Stuxnet six months later.
The Google attacks targeted that company and about 150 other organizations in an apparent effort to gain sensitive, high-value information. China is suspected of being behind the attack. The Stuxnet worm, which remains something of a mystery, apparently targeted industrial controls at a uranium enrichment facility in Iran but also spread around the globe.
Those attacks are distinguished by the amount of effort that went into making them stealthy and difficult to get rid of, and they are members of an emerging class named advanced persistent threats, or APTs. “We are going to see more of these APTs,” Rivner said.
Rather than being broadcast, APTs often depend on social engineering — enticing people to click on a link — to hit their targets, making them more difficult to defend against.
“The most striking thing about these sophisticated attacks is that, unlike the last three years, the network wasn’t the immediate target,” Rivner said. “That is no longer needed.” By compromising a human through social engineering for delivery of malware, “you’re already inside the network.”
Targeted attacks make the coveted zero-day vulnerability more valuable. Attackers who want to slip into a system and sit quietly while gathering data may well be willing to pay more for these vulnerabilities than security researchers who create patches for them.
Both the Google and Stuxnet malware exploited multiple zero-day vulnerabilities. “With a targeted attack, you don’t want to be discovered,” Haley said. “You’ve only got one chance to get it right.”
Identifying the motive for these attacks is difficult. Are they politically motivated? “We don’t know, of course,” Haley said. “We can guess, but we really don’t know.”
What we do know is that there are people, organizations or nations out there with the resources and the motivation to invest a lot of time and effort into crafting attacks that can slip past defenses to hit high-value targets. There is no reason to believe nations will not take advantage of them.
5. Cyber war
With the issue of politically motivated attacks comes the issue of cyber war. The United States has recognized cyberspace as a new virtual theater of war, along with land, water, air and space. Now security leaders have to decide what cyber war is and how to fight it.
Not only is cyberspace new, it also is not a physical domain, and things happen quickly there and at a distance. This makes it difficult to tell who is attacking you or what exactly is being attacked, which makes it difficult to respond in a timely manner without hurting your friends as well as, or instead of, your enemies.
“It’s a difficult issue to grasp for policy makers,” People Security’s Thompson said. “We’re making policy decisions in an environment where we don’t know what the situation will be in six months.”
Thompson, who also is the program committee chairman for the RSA security conference, said the operational aspects of cyber war were a big issue at RSA’s European conference in late 2010 and that it will be a major topic at the U.S. conference coming up in San Francisco in February.
The ability to do forensics investigations to identify the source and nature of attacks is improving, but it still is not quick enough to allow nuanced responses in real time, and there are no bright lines between warfare, criminal activity, political or industrial espionage, or garden-variety hacking.
On the other hand, military conflicts since the end of the Cold War have become more like those evolving in cyberspace. The enemies are not necessarily nations using traditional military organizations. Political borders no longer define battlefields, and it is difficult to distinguish between enemies and allies, victims and attackers. Perhaps most confusing, we don’t know how to tell when a war is over and who has won it.
Protocols for waging war in cyberspace will be informed by the lessons we have learned fighting terrorism and ideologies in the real world and vice versa.
On the bright side ...
“It’s not all doom and gloom,” RSA’s Rivner said.
Although cybersecurity often requires running as fast as possible just to stay in the same place, there are occasional signs of progress.
Justice is neither swift nor sure in the civil and criminal court systems, but legal action is emerging as a practical weapon against hackers and spammers.
Operation Bot Roast, an FBI program to track down and prosecute bot herders, has resulted in a number of arrests and convictions in the past several years. And in October, feds arrested more than 30 people for their alleged involvement in the Zeus botnet that was used to steal millions of dollars from bank accounts, part of a larger crackdown that had been going on since the summer. There were similar arrests in the United Kingdom.
In February 2009, Microsoft offered a $250,000 reward for information leading to the arrest and conviction of those behind the creation and distribution of the Conficker worm. This year, a U.S. District Court judge for the Eastern District of Virginia has recommended that ownership of 276 Internet domains used by the Waledac botnet be turned over to Microsoft, which would effectively cut off the botnet’s command and control network.
These actions will not by themselves stop cyber criminals, who have shown themselves to be resourceful and resilient in the face of the best efforts against them. But legal consequences can effectively raise the stakes of engaging in online crime, which until now has been a low-cost, low-risk and high-return endeavor. Fortinet, a vendor of network security appliances, predicts that in 2011, there will be greater international collaboration to shut down the bad guys through the courts.
Finally, the move to cloud and virtual environments might have positive effects. They won’t come automatically, but as the proper use of the new environments is understood, security and the control of data will be better understood and addressed, Rivner said.
“Visibility and control are so important to security, and it is becoming more and more difficult” to achieve them in the traditional enterprise, he said. More unmanaged devices are creeping into enterprises, and even managed devices are becoming harder to protect.
“If you have the right cloud infrastructure, you can have better visibility and manage things better,” Rivner said. “But it will take planning and policies.”