As 2012 gets underway, what can businesses expect on the information security front?
If 2011 was any indication, this year will be anything but quiet. Last year featured seemingly nonstop waves of hacking, malware, and spear-phishing attacks that succeeded in exploiting well-known businesses, including RSA and Sony. All told, businesses’ collective data breaches exposed millions of records.
Expect 2012 to offer more of the same and then some. In particular, keep an eye on these 10 top information security trends:
1. Breaches now inevitable, say businesses. Over the past few years, there’s been a notable change in information security rhetoric: Instead of preventing all attacks from succeeding, many CIOs now acknowledge that getting hacked is a question of when, not if. The chief culprit is the sheer volume of attacks being launched, which makes the chance that one of them will succeed nearly inevitable. According to the “2011 Data Breach Investigations Report” from Verizon, for example, the number of attacks launched online against businesses between 2005 and 2010 increased by a factor of five.
The new mandate, then, is not just to maintain killer defenses, but also to have the right technology and practices in place to quickly detect when the business has been breached, and then to block the attack and ideally identify how the breach occurred and what might have been stolen. “We frequently see organizations with protective measures based on the assumption that they are not a target,” said Alan Brill, senior managing director of the cyber security and information assurance division at Kroll, in a recent report. “Yet 2011 taught us that no one is exempt from attack.”
2. Cyber espionage continues. If there is one guarantee for 2012, it’s that industrial or cyber espionage–often executed via “low and slow” and thus difficult-to-detect exploits–will continue unabated. Such attacks were too effective in 2011 for attackers to not continue their press, especially because the social engineering techniques often employed in exploits are incredibly easy to tap and reuse. For example, “it is estimated that the attack which hit RSA was actually used against over 700 other companies,” said Harry Sverdlove, CTO of Bit9, in a recent report. Likewise, the Nitro attack against chemical and defense companies hit at least 48 businesses, Shady RAT hit at least 70 businesses, and Operation Night Dragon exploited multiple energy companies. Although China often gets the blame for such attacks, arguably every major country–allies or otherwise–practices cyber-espionage.
3. Mobile malware continues to increase. For countless years running, pundits have declared it to be the year of mobile malware. Here’s the reality: to date, mobile malware has largely targeted the Android operating system, full stop, and it rates as little more than a nuisance. Although mobile malware grabs headlines, it’s not very lucrative for attackers because their number-one target is financial information, and that predominantly resides on people’s desktops and laptops.
Accordingly, attackers’ biggest bang for the buck continues to be attacking Windows systems, largely via operating system and application-level vulnerabilities, as well as third-party plug-ins with known bugs. Even so, expect the ongoing, negative headlines associated with Android smartphone hacking–or “smacking,” as Bit9’s Sverdlove calls it–to drive more manufacturers to create locked-down Android smartphones, which would be a boon for securing business users.
4. Mobile devices get anti-theft protection. If mobile devices aren’t under attack to the extent that PCs are, mobile devices still carry a well-known security risk: they tend to get lost or stolen. That fact alone should be reason enough for businesses to take a more rigorous approach to securing mobile devices, including tracking them when they go missing, and ensuring that remote-wipe capabilities are in place should it be too difficult or expensive to recover the devices. With the “bring your own device to work”–a.k.a. BYOD, or the consumerization of IT–trend in full force, expect to see more organizations attempt to add better security to their employees’ mobile devices, including smartphones.
5. Spear-phishing scourge continues. Fast, cheap, and out of control: spear-phishing attacks continue to plague businesses large and small. Witness EMC’s RSA, which experienced a breach that compromised aspects of its SecurID system, simply because an employee opened a malicious Excel file that exploited a known vulnerability and allowed external attackers to create a beachhead in RSA’s network. RSA, of course, is far from the only business or government agency that’s been exploited by these fake–but real-enough-looking–emails. Unfortunately, stopping such attacks is impossible from a purely technological standpoint. Instead, users must be educated–warned, cajoled, trained–to resist such attacks, but even that is not a foolproof strategy. Accordingly, some spear-phishing attacks will continue to succeed.
6. Social engineering attacks hit social networks. All social-engineering attacks succeed based not on technological sophistication, but rather by fooling users. It costs little to send someone an email that redirects them to a fake PayPal website, which tricks them into entering their actual PayPal username and password, which is then passed to attackers. Accordingly, social engineering attacks aren’t going away. Furthermore, with 800 million people now registered on Facebook, and 175 million on Twitter, expect attackers to spend more time targeting social networks. What do such attacks seek to steal? According to Check Point, the primary impetus behind social engineering attacks is financial gain (51%), followed by accessing proprietary information (46%), gaining a competitive advantage (40%), and revenge (14%).
7. Botnets keep infiltrating businesses. According to Panda Labs, three quarters of all new malware strains seen in 2011 were Trojan applications, able to silently infect PCs and make them function as part of a botnet, while also “phoning home” to attackers with stolen information of interest. Cybercrime toolkits now make it easy for any criminal to generate and distribute malware that has a high degree of success at infecting PCs. Such toolkits’ easy availability and the potential profits on offer–which far exceed the toolkits’ initial purchase or rental cost–means that large-scale malware attacks aimed at exploiting PCs and pressing them into silent service as nodes in a botnet will only continue to increase. Ditto for the evolution of botnet-related ecosystems, which offer everything from “malware infection as a service” to leasing botnets by the hour or for the day for use in attacks or scams.
8. Breach notifications gain greater traction. Today, all 50 states effectively require that businesses notify their customers when their personal information has been potentially exposed. But different notification requirements–for example, for medical records–means that although many breaches might be disclosed to government watchdogs, they might never be fully disclosed publicly. (See the RSA breach.) Might Congress finally pass a law requiring that all data breaches be tracked by a single, centralized agency? That doesn’t seem likely, although some other countries now appear to be pursuing that plan. Germany enacted a federal data-breach notification law in 2010, and other European countries have expressed interest. Meanwhile, Canada is weighing changes to its Personal Information Protection and Electronic Documents Act (PIPEDA) that would make data breach disclosures mandatory for that country’s businesses.
9. Critical infrastructure rhetoric keeps heating up. What do you do if you’re the head of a government agency tasked by Congress with protecting the nation’s critical cyber infrastructure, yet said infrastructure is 95% privately owned? You posture, especially where large cyber-security budgets are concerned. Said posturing has been the modus operandi of both legislators and agency heads, notably at the Department of Homeland Security and the Department of Defense. Businesses, meanwhile, don’t seem to have leapt at the chance to let the government tell them how to run their networks. That said, expect industry-led information-sharing agreements to help bridge this gap in 2012, by facilitating freer sharing of threat intelligence information between government agencies and critical infrastructure businesses.
10. Code gets externally reviewed. Attackers often exploit known vulnerabilities in applications, and there are a plethora of such bugs to choose from. Accordingly, this business mandate is clear: Developers must take the time to code cleanly, and eradicate every possible security flaw before the code goes into production. Developers, however, can’t do this on their own. They need top-down support, with everyone from executives to front-line personnel held accountable for code quality, which by the way can be measured. Indeed, both internal development tools and on-demand code-review services can scan code, pinpoint flaws, and recommend fixes. Remediating those bugs, by the way, often takes just a matter of days, and is always less expensive than fixing them after products ship.