A quarter into 2012 may be a good time to take a hard look at the state of online security.
Many high-profile data breaches made the news in 2011. According to the Privacy Rights Clearinghouse, more than 550 US breaches affecting more than 30 million records occurred last year. These breaches affected all kinds of public and private-sector organizations. One could almost call them a great equalizer.
And let’s not forget the appearance of DuQu, which is thought to share common code and characteristics with Stuxnet. DuQu, which we’ve discussed before, is a Trojan horse-based botnet that attacks Windows systems using a zero-day vulnerability that exploits the Win32k TrueType font parsing engine. It then uses the peer-to-peer SMB protocol, along with a 54×54-pixel jpg file (364.5 bytes) and encrypted dummy files deployed as containers, to smuggle data to its command and control center. Code is still being analyzed to determine what information the communications contain.
As bad as things were in 2011, look for them to get worse in 2012. Here are a few things IT and security professionals can expect the rest of this year:
Geolocation will remain in the spotlight as controversy continues over its use/misuse.
Hactivism will continue to spread as more and more people dissatisfied with political parties and practices voice their opinions through less-than-legal but highly public ways.
Industrial threats will rise as more vulnerabilities come to light in the infrastructure. Web interfaces into the Supervisory Control and Data Acquisition (SCADA) System will give hackers a potential door. With more SCADA services migrating to the cloud, securing these systems will get more complicated.
Advanced persistent threats (APTs), also known as targeted attacks -- another topic we've covered previously -- will become more pervasive.
Social networking will get riskier as hackers become more savvy. Facebook, with more than 800 million members worldwide, will remain a prime target. But Twitter and LinkedIn also will get their share of attention.
Attacks on the cloud will also increase as cybercriminals hope to find vulnerabilities in an effort to plunder the myriad data hosted there. As a result, data breaches in the cloud will highlight the problem service providers pose to forensic analysis and incident response. Some consider this part of the maturing process of a new technology, but efforts should be made to avoid becoming the victim of a service provider dropping the proverbial ball.
Android threats will continue to increase. With the number of smart devices increasing exponentially, Android devices offer opportunities with little risk for cybercriminals.
Personal devices in the workplace will increase, and the headaches associated with securing the devices and data will increase right along with them.
You can expect growth in malware. Zero-day vulnerabilities will be exploited almost before there are patches to fix them. Hacking tools will grow more refined and sophisticated, though ugly, brute-force attacks still have their place in the cybercriminal arsenal.
Adoption of virtualization is slowing, but risks are increasing -- partly due to the lack of security offerings that can apply policy within a private and public cloud environment.
One thing: Predictions should be taken with a grain of salt. They are not and cannot be certainties. Instead of calling these predictions, “expectations” will work.
— Karla Marciszewski is a 19-year veteran of IT in county government, beginning her career in mainframe operations. She has held several positions and now works in IT security.
Hactivism will continue to spread as more and more people dissatisfied with political parties and practices voice their opinions through less-than-legal but highly public ways.
Seeing as the Verizon breach report shows hacktivists as the leading cause of stolen records this trend will continue to be an issue.
What are new areas of security that you predict will be an issue?
Shawn Henry : The Federal Bureau of Investigation's top cyber cop
The Computer Business Has Matured
or at least it is being used as though it had. As such some changes are appropriate and particularly regarding security
A report this morning indicated 45% of US financial institutions have been hit by cybercrime. Disgraceful, and certainly adequate reason to make some regulations regarding liability, as suggested by Bruce Schneier, earlier
it is time to separate computers into two types: (1) commercial and (2) developmental. And to set up proper procedure for the certification and maintenance of commercial computers.
The practice of blasting the universe with software has to end. Commercial software needs to be signed and approved, with appropriate liability for malpractice defined.
It is time for this matter to be referred to the Dept. of Commerce.
Comment: I think MSFT has come a very long way in their first 10 years emphasising security. And they should be commended for their efforts, heartily
I found the presentation very encouraging: we have technical tools that work; we need a lot more user training, particularly on defending targeted attacks -- such as the one that penetated RSA
I see in this the possibility of a brighter path. But taking that path will need a commitment to Best Practices already established and a concerted effort to help users identify Targeted Attacks.
Security will need teamwork: good tools and good user training.
I did think that the significant business costs of needing to mandate changing tens of thousands of passwords, or provide credit monitoring services for countless breached accounts, would begin to make an impact. Sony must have lost a staggering amount from the PSN breaches.
K.D.="the tipping point may be further away than we anticipated"
I think that depends on your point of view. as long as it's happening to somebody else it's easy to say the risk is "part of the cost of doing business"
my issue right along has been exactly that: The cavalier disregard for the safety of the consumer\customer on the part of the industry is just plain wrong.
so what happens? we just run rough shod over the little guys until the hackers hit the merchants and banks hard enough to make them cry for change ?
perhaps we should check with some of the many businesss that got hit hard recently
I guess what I was saying, Mike, is that the tipping point may be further away than we anticipated. After all, Zittrain thought we were reaching a tipping point in 2008: while the environment is much scarier now, there still doesn't seem to be any willingness to accept increased inconvenience, and - as you say - expense, if that's what security requires.
Individuals and enterprises still prfer to gamble that it won't happen to them than adopt the kinds of procedures and restrictions which might truly help protect them. I know you've listed some of these measures before - white lists, sandboxing, audits, and so on.
K.D.=" Is it possible that enterprise and individuals have unexpected tolerance for security breaches?"
"unexpected" ? a different word, perhaps?
Bruce Scheneier pointed out that cost of insecure software is born by the users. As we know this is because software has been held exempt from product liability.
so I would not have used "unexpected". Rather I would note: we don't have much choice. Some of the "tolerance" derives from the notion that security is "impossible" or "too costly".
the internet operates in the marketplace, along with most everything else. will the cost of fraud exceed the benefit of the open net? If we approach this "tipping point" what actions might be taken?
This is a very good thread and I would like very much to hear where our various correspondents think this is going.
Thanks, -- all!!
a Quick Word about Clouds and Virtual Environments: hacking is normally accomplished in the endpoint computers: either in your desk-top, iPad, or SmartPhone -- or in the Vendor's Server Farm. A "Cloud" hosting many business environements is going to present as a high-value target.
Great blog, Karla. The point you make about virtualization becoming ever more important, and therefore more of a security target, is key, I think. I am sure we'll be hearing more in this vein, and I hope the news is that protection designed for virtualized environments has been strengthened.
the Critical Question which we must all now consider: can the internet continue as a viable tool, given the state of dis-repair?
A very fair question, Mike, and one of course which Jonathan Zittrain answered in the negative four years ago, when the security environment was much better than it is now. Is it possible that enterprise and individuals have unexpected tolerance for security breaches?
Karla, thanks for this great write-up of what you suspect is ahead. Your point about the cloud struck me. People are just beginning to trust the cloud and to see it as the wave of the future. What you say makes sense to me... this year, as more and more data heads cloud-ward, will be the time for hackers to really strike.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
One day after the extensive Internet blackout protest of SOPA and PIPA, the Department of Justice announced that it had charged the owner of the file-sharing site Megaupload with online copyright infringement.
Why isn’t more heard about National Cyber Security Awareness Month? There is an abundance of material for downloading. There are publications available for free. But it seems as though, outside a relatively small number of businesses and organizations, it is a relatively unknown event.
Today’s entire e-commerce world runs on the assumption that encryption is solid and not breakable. To keep things secure, there are two kinds of encryption algorithms used in enterprise-level communication security: symmetric and asymmetric.
Threats are abundant on the Internet. They make up a vast, varied, and colorful tapestry of surreal dangers -- surreal, that is, until your PC becomes infected or your personal data is compromised.
Big-data and analytics tools enable marketers to understand customers as individuals, identifying unmet needs and addressing each customer as a "segment of one," says John Kennedy, VP corporate marketing, IBM.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The IBM Smarter Commerce Global Summit in Monaco kicked into high gear today, and we've already begun to see news emerging from that lovely city-state by the sea.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
