Attackers, whether criminals, industrial spies, hacktivists or nation-states, are highly motivated and will use blended threats delivered through a variety of channels.
Just about everything that could go wrong did go wrong in 2011. From embarrassing smash-and-grab attacks to advanced persistent threats, from high-profile breaches to the advent of militarized malware, the bad guys demonstrated repeatedly an ability to adapt to the rapidly evolving landscape of cyberspace.
Not surprisingly, there are few surprises in forecasters’ predictions for the coming year. Popular technologies that came to the fore in 2011 will continue to be the targets of choice in the coming year. It is a classic case of “If you build it, they will come.”
Attackers, whether criminals, industrial spies, hacktivists or nation-states, are highly motivated and will be using blended threats delivered through a variety of channels to achieve their goals.
“Bad guys will take everything they can get and monetize it,” said Mustaque Ahamad, director of the Georgia Institute of Technology's Information Security Center. “If you don’t give it to them, they will take it anyway.”
Mobile devices finally are fulfilling predictions that they will be the next big thing for malware, social networking is both a business tool and a threat, and cloud computing offers a new platform for hacking. IPv6 has been on the horizon for years, but with new addresses and protocols finally going into use, it is a pretty safe bet that criminals and spies will be taking advantage of them as we try to bring our security infrastructure up to speed.
The one bright spot in the forecast is that the barrage of high-profile attacks and breaches has given cybersecurity a higher priority, Ahamad said.
“I think we are taking the risks seriously,” Ahamad said. “There is recognition of the problem and more cooperation” across government, the private sector and law enforcement. “Unfortunately, security is very event-driven,” so although improvements are being made, we still are responding rather than preventing.
Here is a thumbnail sketch of some of the pain points expected in the coming year. The list is not all-inclusive but represents a consensus of the broad areas of concern that observers are focusing on. If your favorite headache — say, SCADA and industrial control networks or supply chain compromises — is not included in the list, don’t feel bad. It’s sure to pop up in the headlines some time in the coming year.
1. Personal devices
Personal wireless devices have been a perennial on lists of coming threats for several years now, but just about everyone agrees that the threats have finally arrived.
“I think the critical mass has been achieved,” said Patrik Runald, senior security research manager for Websense. That belief is borne out by the thousands of pieces of malware being discovered for a growing array of personal wireless devices, including smart phones, tablet computers and full-featured e-readers.
“Smart phones really are the new computer,” Ahamad said. The difference now is that users who have been cautious about downloading applications and executable code to desktop and laptop PCs are attracted to handheld devices because of the availability of thousands of inexpensive or free applications that take advantage of the always-with-you, mobile nature of the new devices.
“That’s a new twist,” Ahamad said, and it has made applications a primary channel for delivering malware.
Apple runs a tightly controlled market for third-party apps for its products, and it takes a conscious effort for the user to circumvent these controls, so there is a relatively small amount of malware targeting the iPhone. But one of the attractions that have made Android the fastest-selling platform is the more open availability of apps, not all of which are safe.
At the same time, these devices are being touted as ways to improve productivity by bringing them into the enterprise. Many people use personal devices for routine tasks such as checking e-mail and downloading information while away from the office. The combination of malware and sensitive information on the same device could be explosive.
“Mobility is now all about security,” said Susan Zeleniak, group president of Verizon Federal, which is in the business of selling mobile services. “If mobility is going to be the productivity boost it could be for government, it has to be surrounded by security.”
Is that security available? “The capability is clearly there,” Zeleniak said. “I don’t think it has been totally implemented.”
One of the primary challenges for using mobile devices is the ability to authenticate both the user and the device. The mandated government technology for authentication is the Personal Identity Verification Card, which is supposed to be used for both physical and logical access control. The technology exists to use PIV Cards for authentication on mobile devices, but it has not been widely implemented, especially on personally owned devices. Will this be required for all devices accessing government networks?
“I think that question is not yet answered,” Zeleniak said. “They are going to have to decide.”
2. Social networking
This is another double-edged sword. It promises improved communication, information sharing and collaboration, but without the policies and controls in place to ensure that only the right information goes to the right people, it can be a two-way street for incoming malware and outgoing data. As with mobile devices, the dividing line between personal and business tools is not clear.
“In the past, companies could completely block access to social networking sites,” said Ashok Devata, senior manager of data loss prevention products at RSA. “Now, employees expect it.” The challenge is to allow a reasonable level of access while monitoring activity, watching for sensitive information leaving the enterprise, and ensuring that these tools are contributing to productivity.
Websense predicts that in the coming year social networking credentials could become more valuable than credit card information in underground marketplaces. “We believe it will be a really hot item in 2012 among hackers,” Runald said.
The issue is trust. The average Facebook user has about 130 friends, and anyone with a set of Facebook credentials could exploit the trust of those friends, making the networking site a more effective channel for social engineering than e-mail, which has become so full of spam and phishing attacks that it is no longer a trusted medium. Careful social engineering has been an increasingly effective tool for attackers, who have used it successfully in the last year in targeted attacks against high-profile organizations such as RSA and several of the Energy Department’s national labs. A set of valid credentials for an account with a lot of friends could become very valuable.
“We are not going to stop it,” Zeleniak said of the growing use of social networking sites. Making it secure will depend not on third-party privacy policies or security controls but on how users behave. “Of all the technology trends, this is the one on which people have the most influence on whether it is secure or not,” she said.
3. The cloud
Verizon predicts that 2012 will be the year in which the cloud will come of age and begin delivering substantial benefits to adopters. The enterprise cloud is a budget-friendly way to mobilize enterprise apps and redefine the way organizations do business.
This is not surprising, given that Verizon is in the business of selling cloud services to government. But there is no denying that cloud computing is a hot topic and a hot business opportunity in government. “The trend is moving very fast,” said Verizon’s Zeleniak. “I can’t think of any service that Verizon has brought to government that has gotten so much interest so fast.”
Whether the cloud is public, private or hybrid, moving resources away from the traditional dedicated infrastructure to an ad hoc environment where capacity and resources are made available on the fly creates new security challenges. Security tools designed to operate on or with dedicated hardware now find themselves either on the outside looking in or operating in an unfamiliar virtual world.
There also are different issues of responsibility and accountability. Ownership of information and infrastructure is likely to become more fragmented, and those responsible for securing information now will find themselves in an oversight role in which they must ensure that appropriate safeguards are being maintained by third parties providing cloud services, whether inside or outside their organization.
These concerns need not slow adoption of cloud computing, Zeleniak said. “I think the security has caught up with it.”
Whether or not this is completely true, there is a body of work emerging defining the basic elements of cloud computing and its security. The National Institute of Standards and Technology is developing a four-volume Government Cloud Computing Technology Roadmap as well as standards for implementing and securing the technology.
With the traditional infrastructure disappearing in a cloud environment, the move puts an emphasis on data-centric security.
“We no longer are defending in depth in a network,” said Maria Horton, CEO of EmeSec, a government-focused security company. So more attention is being paid to stopping outgoing information rather than simply defending against incoming malware. This is still not a mature area, Horton said. “We have some of the abilities,” but the shift in focus is happening more quickly than the tools can be developed.
Cloud security is part of a broader move to data loss prevention, said RSA’s Devata. Data loss prevention “provides the much-needed content awareness in the information-centric security approach.”
4. IPv6
With the depletion of available address space for IPv4, the current generation of Internet protocols, it is inevitable that networks will begin seeing an increase in IPv6 traffic. Agencies have been mandated to prepare their networks to accept, if not use, IPv6 by Sept. 30, 2014. But until there is a sizable amount of real-world IPv6 traffic to work with, administrators cannot be assured that their security tools are up to the task of handling the new packets, experts say.
A study by Infoblox showed that the percentage of zones supporting IPv6 traffic in the .com, .net and .org top-level domains increased from just 1.3 percent in 2010 to more than 25 percent in late 2011. Cricket Liu, general manager of the Infoblox IPv6 Center of Excellence, predicted that support for IPv6 could double again in the next year. This does not mean that many people are actually using IPv6 today, however.
“The percentage of IPv6 traffic, while it has been increasing, is still very small,” Liu said.
But distribution of IPv6 addresses is picking up for wireless users in the Asia-Pacific region, and use will increase elsewhere as existing pools of IPv4 addresses dry up. “Three years from now, we will see a very substantial number of IPv6 addresses and amount of traffic,” he said.
Are our security tools ready to deal with IPv6 traffic? Nobody really knows. Most products support IPv6, and the vendors say they will work just fine.
“There are many claims of parity on the part of vendors,” Liu said. “It is very difficult to validate those claims.”
“It is not easy” to add a new set of protocols to security tools, said RSA’s Devata. When they are added, they need to be tested. This can be done in laboratory and test bed environments, but it is critical to eventually put the products under pressure in a real network, and the traffic does not yet exist to allow that, he said.
This is one more reason for administrators to get as much real-world experience with IPv6 as possible before the inevitable flood of new traffic begins. This will not eliminate all surprises and crises, but it will help to be ready for them when they crop up.
“The underlying message is: You need to do due diligence for security when the vendors are claiming parity with IPv4,” Liu said.
5. Current events
2012 will be a busy year, and we can expect hackers, attackers and phishers to take full advantage of it.
High-profile events coming up include the Summer Olympics in London and the U.S. presidential campaign and election. According to some, the Mayan calendar also predicts the end of the world in 2012, which is likely to generate a lot of interest and chatter. In addition to these, there also will be breaking news stories, celebrity faux pas and the occasional crisis to deal with.
“You name the trend, it’s going to be poisoned,” Websense predicted.
The Georgia Tech Information Security Center also predicts that search engine poisoning, in which the bad guys use search engine optimization to deliver malicious links in query results, will be a growing trend in the coming year. Being able to predict in advance what some of the popular search subjects will be will allow attackers to prepare to exploit them.
As search engine operators develop countermeasures to remove these poisoned results, attackers will also use other platforms to lure the unwary to malicious sites. E-mail probably will continue to be a popular tool for current events phishing, but as e-mail becomes passé, more au courant tools such as Twitter feeds, Facebook posts, LinkedIn updates, YouTube videos, blogs and forums will be exploited.
“We recommend extreme caution with searches, wall posts, discussions and tweets” concerning current events, Websense advises.
That's good advice for any year and any subject.