CYBEREYE

Cyber threats easy to predict, so why do they still surprise us?

It didn’t take a crystal ball to predict the threats we would be facing in 2011, and the experts making the predictions 12 months ago were able to give us fair warning.

“In general, malware is becoming more sophisticated, criminals more professional, the target environment richer, and the stakes are becoming higher,” I wrote last January in an annual look at what the year ahead would bring. This was all true, but it hardly required going out on a limb. This has been the trend for some time now. Still, when the worst occurs, we always seem to be taken by surprise.




Here is how the predictions from last year played out.

The consumerization of IT and the proliferation of mobile devices were listed as separate looming threats. In retrospect, they probably should have been combined, as the introduction of personal devices such as increasingly smart phones and tablet computers into the workplace has posed a challenge to administrators who need to manage an enterprise that is increasingly out of their hands. Routine data consumption by users grew into the gigabyte range, and the line between social media and business tools became increasingly blurred.

Long-standing predictions of an explosion of malware for personal mobile devices finally were realized in 2011. This has not yet translated into a flood of new malware into the enterprise, but it has eased the way for more sophisticated social engineering attacks.

A focus on targeted, political attacks was another prediction that came true, in large part due to social engineering.

“We will see more cyber espionage and potentially cyber sabotage,” said Kevin Haley, director of product management for Symantec. Rather than being broadcast, these attacks often depend on tricking a target or a middle man, making them more difficult to defend against.

Advanced persistent threats

This prediction was spot-on. The most embarrassing breaches of the year, such as those of Energy Department laboratories and at RSA, the Security Division of EMC, were perpetrated with advanced persistent threats believed to have been introduced through targeted attacks by social engineering.

Politically motivated espionage and sabotage naturally lead to thoughts of cyber war, and this was predicted to be a consuming issue in 2011. So far we have managed to avoid all-out cyber warfare, but the threats posed by asymmetrical online attacks and the efforts by a growing number of nations to develop offensive and defensive capabilities have made this an issue that policy-makers and strategists have been wrestling with.

The U.S. Cyber Command reached full operational capability in October 2010 and spent much of its first year defining cyber war and establishing the rules of engagement for cyberspace.

The one prediction from last year that hasn’t been so fully borne out was the threat of manipulation in the supply chain, the intentional introduction of backdoors or vulnerabilities into hardware or software by developers, manufacturers or vendors.

That is not to say that supply chain security is not a real concern and that effort is not going into assuring the reliability of our sources for mission-critical IT. We just haven’t seen the attack yet that takes the issue to the headlines. But if such an attack were carried out well, we wouldn’t see it. So our bliss may just be ignorance.


Reader Comments

Sun, Jan 22, 2012 Clive Robinson

Hmm, "The one prediction from last year that hasn’t been so fully borne out was the threat of manipulation in the supply chain, the intentional introduction of backdoors or vulnerabilities into hardware or software by developers, manufacturers or vendors" I rather think that one was a definite hit when you think back to November and the revelations about "engineering support" software from the likes of CarrierIQ which some quickly came to call "surveillance ware". The fact that Carrier IQ's "marketing director" says it "doesn't do..." did not fill me with confidence nor as it turns out was it particularly true either, in fact anything but. It also did not help their moral high ground stance when they tried to "shoot the messenger" by starting legal proceedings against the researcher. I think it's safe to say that any "smart phone" with such "engineering support" software is most definitely "a spy in your pocket" just waiting to bug you one way or another. What few people picked up on was that the inclusion of this software actually provided a nice clean API for malware writers either directly through the software or through the logfile it created and was sending things like user credentials across the "on air interface" in "plaintext" even though the user thought they were using SSL etc...
