Cyber threats in 2012: 5 pain points

 

Connecting state and local government leaders

Attackers, whether criminals, industrial spies, hacktivists or nation-states, are highly motivated and will use blended threats delivered through a variety of channels.

Just about everything that could go wrong did go wrong in 2011. From embarrassing smash-and-grab attacks to advanced persistent threats, from high-profile breaches to the advent of militarized malware, the bad guys demonstrated repeatedly an ability to adapt to the rapidly evolving landscape of cyberspace.

Not surprisingly, there are few surprises in forecasters’ predictions for the coming year. Popular technologies that came to the fore in 2011 will continue to be the targets for choice in the coming year. It is a classic case of “If you build it, they will come.”

Attackers, whether criminals, industrial spies, hacktivists or nation-states, are highly motivated and will be using blended threats delivered through a variety of channels to achieve their goals.


Related coverage:

The most critical element of mobile security: you 

Advanced threats: The enemy is already within


“Bad guys will take everything they can get and monetize it,” said Mustaque Ahamad, director of the Georgia Institute of Technology's Information Security Center. “If you don’t give it to them, they will take it anyway.”

Mobile devices finally are fulfilling predictions that they will be the next big thing for malware, social networking is both a business tool and a threat, and cloud computing offers a new platform for hacking. IPv6 has been on the horizon for years, but with new addresses and protocols finally going into use, it is a pretty safe bet that criminals and spies will be taking advantage of them as we try to bring our security infrastructure up to speed.

The one bright spot in the forecast is that the barrage of high-profile attacks and breaches has given cybersecurity a higher priority, Ahamad said.

“I think we are taking the risks seriously,” Ahamad said. “There is recognition of the problem and more cooperation” across government, the private sector and law enforcement. “Unfortunately, security is very event-driven,” so although improvements are being made, we still are responding rather than preventing.

Here is a thumbnail sketch of some of the pain points expected in the coming year. The list is not all-inclusive but represents a consensus of the broad areas of concern that observers are focusing on. If your favorite headache — say, SCADA and industrial control networks or supply chain compromises — is not included in the list, don’t feel bad. It’s sure to pop up in the headlines some time in the coming year.

1. Personal devices

Personal wireless devices have been a perennial on lists of coming threats for several years now, but just about everyone agrees that the threats have finally arrived.

“I think the critical mass has been achieved,” said Patrik Runald, senior security research manager for Websense. That belief is borne out by the thousands of pieces of malware being discovered for a growing array of personal wireless devices, including smart phones, tablet computers and full-featured e-readers.

“Smart phones really are the new computer,” Ahamad said. The difference now is that users who have been cautious about downloading applications and executable code to desktop and laptop PCs are attracted to handheld devices because of the availability of thousands of inexpensive or free applications that take advantage of the always-with-you, mobile nature of the new devices.

“That’s a new twist,” Ahamad said, and it has made applications a primary channel for delivering malware.

Apple runs a tightly controlled market for third-party apps for its products, and it takes a conscious effort for the user to circumvent these controls, so there is a relatively small amount of malware targeting the iPhone. But one of the attractions that have made Android the fastest-selling platform is the more open availability of apps, not all of which are safe.

At the same time, these devices are being touted as ways to improve productivity by bringing them into the enterprise. Many people use personal devices for routine tasks such as checking e-mail and downloading information while away from the office. The combination of malware and sensitive information on the same device could be explosive.

“Mobility is now all about security,” said Susan Zeleniak, group president of Verizon Federal, which is in the business of selling mobile services. “If mobility is going to be the productivity boost it could be for government, it has to be surrounded by security.”

Is that security available? “The capability is clearly there,” Zeleniak said. “I don’t think it has been totally implemented.”

One of the primary challenges for using mobile devices is the ability to authenticate both the user and the device. The mandated government technology for authentication is the Personal Identity Verification Card, which is supposed to be used for both physical and logical access control. The technology exists to use PIV Cards for authentication on mobile devices, but it has not been widely implemented, especially on personally owned devices. Will this be required for all devices accessing government networks?

“I think that question is not yet answered,” Zeleniak said. “They are going to have to decide.”

2. Social networking

This is another double-edged sword. It promises improved communication, information sharing and collaboration, but without the policies and controls in place to ensure that only the right information goes to the right people, it can be a two-way street for incoming malware and outgoing data. As with mobile devices, the dividing line between personal and business tools is not clear.

“In the past, companies could completely block access to social networking sites,” said Ashok Devata, senior manager of data loss prevention products at RSA. “Now, employees expect it.” The challenge is to allow a reasonable level of access while monitoring activity, watching for sensitive information leaving the enterprise, and ensuring that these tools are contributing to productivity.

Websense predicts that in the coming year social networking credentials could become more valuable than credit card information in underground marketplaces. “We believe it will be a really hot item in 2012 among hackers,” Runald said.

The issue is trust. The average Facebook user has about 130 friends, and anyone with a set of Facebook credentials could exploit the trust of those friends, making the networking site a more effective channel for social engineering than e-mail, which has become so full of spam and phishing attacks that it is no longer a trusted medium. Careful social engineering has been an increasingly effective tool for attackers, who have used it successfully in the last year in targeted attacks against high-profile organizations such as RSA and several of the Energy Department’s national labs. A set of valid credentials for an account with a lot of friends could become very valuable.

“We are not going to stop it,” Zeleniak said of the growing use of social networking sites. Making it secure will depend not on third-party privacy policies or security controls but on how users behave. “Of all the technology trends, this is the one on which people have the most influence on whether it is secure or not,” she said.

3. The cloud

Verizon predicts that 2012 will be the year in which the cloud will come of age and begin delivering substantial benefits to adopters. The enterprise cloud is a budget-friendly way to mobilize enterprise apps and redefine the way organizations do business.

This is not surprising, given that Verizon is in the business of selling cloud services to government. But there is no denying that cloud computing is a hot topic and a hot business opportunity in government. “The trend is moving very fast,” said Verizon’s Zeleniak. “I can’t think of any service that Verizon has brought to government that has gotten so much interest so fast.”

Whether the cloud is public, private or hybrid, moving resources away from the traditional dedicated infrastructure to an ad hoc environment where capacity and resources are made available on the fly creates new security challenges. Security tools designed to operate on or with dedicated hardware now find themselves either on the outside looking in or operating in an unfamiliar virtual world.

There also are different issues of responsibility and accountability. Ownership of information and infrastructure are likely to become more fragmented, and those responsible for securing information now will find themselves in an oversight role in which they must ensure that appropriate safeguards are being maintained by third parties providing cloud services, whether inside or outside their organization.

These concerns need not slow adoption of cloud computing, Zeleniak said. “I think the security has caught up with it.”

Whether or not this is completely true, there is a body of work emerging defining the basic elements of cloud computing and its security. The National Institute of Standards and Technology is developing a four-volume Government Cloud Computing Technology Roadmap as well as standards for implementing and securing the technology.

With the traditional infrastructure disappearing in a cloud environment, the move puts an emphasis on data-centric security.

“We no longer are defending in depth in a network,” said Maria Horton, CEO of EmeSec, a government-focused security company. So more attention is being paid to stopping outgoing information rather than simply defending against incoming malware. This is still not a mature area, Horton said. “We have some of the abilities,” but the shift in focus is happening more quickly than the tools can be developed.

Cloud security is part of a broader move to data loss prevention, said RSA’s Devata. Data loss prevention “provides the much-needed content awareness in the information-centric security approach.”

4. IPv6

With the depletion of available address space for IPv4, the current generation of Internet protocols, it is inevitable that networks will begin seeing an increase in IPv6 traffic. Agencies have been mandated to prepare their networks to accept, if not use, IPv6 by Sept. 30, 2014. But until there is sizable amount of real-world IPv6 traffic to work with, administrators cannot be assured that their security tools are up to the task of handling the new packets, experts say.

A study by Infoblox showed that the percent of zones supporting IPv6 traffic in the .com, .net and .org top-level domains increased from just 1.3 percent in 2010 to more than 25 percent in late 2011. Cricket Liu, general manager of the Infoblox IPv6 Center of Excellence, predicted that support for IPv6 could double again in the next year. This does not mean that many people are actually using IPv6 today, however.

“The percentage of IPv6 traffic, while it has been increasing, is still very small,” Liu said.

But distribution of IPv6 addresses is picking up for wireless users in the Asia-Pacific region, and use will increase elsewhere as existing pools of IPv4 addresses dry up. “Three years from now, we will see a very substantial number of IPv6 addresses and amount of traffic,” he said.

Are our security tools ready to deal with IPv6 traffic? Nobody really knows. Most products support IPv6, and the vendors say they will work just fine.

“There are many claims of parity on the part of vendors,” Liu said. “It is very difficult to validate those claims.”

“It is not easy,” to add a new set of protocols to security tools, said RSA’s Devata. When they are added, they need to be tested. This can be done in laboratory and test bed environments, but it is critical to eventually put the products under pressure in a real network, and the traffic does not yet exist to allow that, he said.

This is one more reason for administrators to get as much real-world experience with IPv6 as possible before the inevitable flood of new traffic begins. This will not eliminate all surprises and crises, but it will help to be ready for them when they crop up.

“The underlying message is: You need to do due diligence for security when the vendors are claiming parity with IPv4,” Liu said.

5. Current events

2012 will be a busy year, and we can expect hackers, attackers and phishers to take full advantage of it.

High-profile events coming up include the Summer Olympics in London and the U.S. presidential campaign and election. According to some, the Mayan calendar also predicts the end of the world in 2012, which is likely to generate a lot of interest and chatter. In addition to these, there also will be breaking news stories, celebrity faux pas and the occasional crisis to deal with.

“You name the trend, it’s going to be poisoned,” Websense predicted.

The Georgia Tech Information Security Center also predicts that search engine poisoning, in which the bad guys use search engine optimization to deliver malicious links in query results, will be a growing trend in the coming year. Being able to predict in advance what some of the popular search subjects will be will allow attackers to prepare to exploit them.

As search engine operators develop countermeasures to remove these poisoned results, attackers will also use other platforms to lure the unwary to malicious sites. E-mail probably will continue to be a popular tool for current events phishing, but as e-mail becomes passé, more au courant tools such as Twitter feeds, Facebook posts, LinkedIn updates, YouTube videos, blogs and forums will be exploited.

“We recommend extreme caution with searches, wall posts, discussions and tweets” concerning current events, Websense advises.

That's good advice for any year and any subject.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.