December 30, 2012 By Dan Lohrmann
Over the past week, I’ve been surfing the Net looking for the top blogs and articles that both recap online security trends from the past year as well as offer new cybersecurity predictions for the coming year. Here’s a summary of what I’ve seen that’s memorable so far:
Imperva Trends 2013 – “These trends include hackers adopting malware techniques from "state sponsored" attacks, hackers leveraging cloud infrastructure to conduct attacks and hackers targeting less-protected SMBs; underscoring the need for greater security community collaboration.”
Websense – “A top threat projection is that mobile devices will be the new target for cross-platform threats, facilitated by Web-based cross platform exploits. Attacks will also continue to increasingly use social engineering lures to capture user credentials on mobile devices.
…Cybercriminals will use bypass methods to avoid traditional sandbox detection. As more organizations are utilizing virtual machine defenses to test for malware and threats, attackers are taking new steps to avoid detection by recognizing virtual machine environments.”
McAfee – “…The first areas of focus for the report is the emergence and growth of mobile malware. McAfee predicts an increase in ransomware,…. also predicts a new mobile worm will go on a ‘shopping spree,’ as criminals add the app-buying functions of the Android/Marketpay.A Trojan to a mobile worm…, a decline in the influence of the Anonymous hacktivist group…, an increase in both “crimeware” and “hacking as a service,” an increase in large-scale attacks….”
- “Cyber conflict becomes the norm - In 2013 and beyond, conflicts between nations, organizations, and individuals will play a key role in the cyber world….
- Ransomware is the new scareware - As fake antivirus begins to fade as a criminal enterprise, a new and harsher model will continue to emerge. Enter ransomware….
- Madware adds to the insanity - Mobile adware, or “madware,” is a nuisance that disrupts the user experience and can potentially expose location details, contact information, and device identifiers to cybercriminals….
- Monetization of social networks introduces new dangers - …Symantec anticipates an increase in malware attacks that steal payment credentials in social networks and trick users into providing payment details, and other personal and potentially valuable information, to fake social networks…
- As users shift to mobile and cloud, so will attackers - Attackers will go where users go, and this continues to be to mobile devices and the cloud….”
Trend Micro – Check out their prediction video:
The Youtube link for this video is: http://www.youtube.com/watch?v=yupELaC4Plg
Kaspersky made the following predictions last year:
- Hacktivist groups, who attack computer systems for political or social reasons, would continue to increase their activities
- A higher rate of "advanced persistent threat" attacks, or state-sponsored espionage efforts
- More incidents of cyberwarfare involving customized, state-sponsored malware
- Attacks on software and game developers such as Adobe, Microsoft, Oracle and Sony
- More aggressive actions from law-enforcement agencies against cybercriminals
- An increasing rate in the growth of threats to the Android mobile platform
- Successful attacks on Apple's Mac OS X computer platform
Overall, I’d say Kaspersky Labs did fairly well in their 2012 predictions. Here’s what they think is coming up in the new year:
“As for 2013, "we expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure," Raiu said in a company press release. ‘The most notable trends of 2013 will be new examples of cyberwarfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.’"
Here’s a Brief Summary of Technorati.com Top 5 Predictions –
- More mobile malware than ever before, targeting mostly Android devices. [Android leadership] should continue through 2013 with Google estimating that there are over 1 million new devices, be it smartphones or tablets activated daily.
- More aggressive mobile adware invading user privacy. …Your information (including email, device ID, location, browsing habits and even phone number) is what's being exchanged for that flashlight, calculator, or nifty new game instead. This trend will… raise the conversation about privacy to new levels.
- Online fraud will remain rampant in 2013. …Ransomware is set to skyrocket. Ransomware, which combines malicious code with human panic, basically holds systems hostage by restricting access and demanding a ransom be paid to remove the restrictions….
- Mobile & online shopping will continue to rise, but not without increased risk. …Relying on built-in security measures alone won't protect most consumers, which is why having a mobile security product will become even more important than ever over the next 12 months.
- More advanced persistent threats (APT) will be discovered. …The expectation is that we will hear more about APT's in 2013, either new ones or strains of already known ones.
What was probably the most surprising blog? CIO Magazine blogger Constantine von Hoffman offered his list of 2013 cybersecurity predictions that he described as “all the painfully-obvious and self-serving 2013 cybersecurity-threat-prediction lists on the Web into a single tasty nugget.” Respectfully, I think he fell into his own trap. While he offers an good list, I certainly would not make it the only list you need to review. His top ten threats facing us for 2013 are worth reading. Here are the first five of his ten threats listed:
- “The Cloud – Lots of vulnerabilities out there.
- BYOD/Mobile malware – It’s a problem dealing with all these devices.
- Opportunistic Attacks/Social Engineering – Someone is going to try to get malware on your systems using targeted attacks.
- DDoS Attacks – You might be the target.
- Big Data – Again, lots of vulnerabilities.”
And finally, Maria Deutscher, offers these comments from John Casaretto on noteworthy cybersecurity events in 2012:
“Casaretto … mentions the $60,000 prize that Google recently awarded a hacker for discovering a Chrome exploit. His take is that this approach to crowdsourcing can prove to be a very valuable strategy in increasingly complex technological environments where a problem may be discovered eventually, but not before hackers use it to their advantage.
The second big topic Casaretto chooses to focus on is the Megaupload shutdown, in context of Kim Dotcom’s upcoming venture. The internet entrepreneur plans to launch a new file sharing site in 2013 that, based on early descriptions, will be rather accommodative of illegal content uploads. Authorities will have to bypass many legal and technological barriers to take down the provocative new service, but not before tackling all the existing issues.
My Predictions –
Last year, I took at stab at a few predictions over at CSO Magazine – with specific trends regarding Privacy, Piracy and Parental Controls. I think I was fairly accurate, if not very bold. The major social media sites, websites and mobile apps assume that you want to share your personal information widely as the default.
In state and local governments, we saw the several of the largest breaches in the nation in our corner for the first time. Sadly, I suspect that we will see more of that to come.
Moving forward, I don’t know how I can disagree with any of the major vendor predictions – except to say that the big new prediction that I see all over the place seems to be the coming rise of ransomware (see above). The other predictions about the rise of mobile malware and cloud computing threats are fairly obvious trends that have been building over the years.
What’s missing regarding predictions? No one seems ready to say that this will be the “The Year of the Big One” in which we see a “Cyber 9/11” or a “Cyber Pearl Harbor” that disrupts infrastructure in some major way. Yes, many groups are calling for more major company breaches, but that is really a given. I’m not ready to make that prediction either. However, I do think it will happen within 3-5 years. That event will bring about major changes in the way we secure our data, our corporate and personally-owned technology as well as our critical infrastructure in America.
The bottom line for 2013 is that the bad guys will follow the crowds, and the crowds are going to cloud computing, smartphones and tablet PCs. Get ready...
Happy New Year everyone!
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.