torsdag den 15. januar 2009

Cybercrime Predicitions

As is usual around the change of year a number of specialists in all disciplines try to make predictions of what is going to happen in the year to come. And also the ‘security specialists’ have been very active. Before we turn to the actual predictions it may be worthwhile to see what really happened in 2008 in terms of cyber attacks and cyber crimes.

To find evidence we can turn to Bernard Kwok, Senior Vice President, Symantec Asia Pacific

His analysis for what happened during 2008, described as ‘the best of the worst in 2008’ pointed to the following major observations:

  1. New Malware Variants and new Families of Threats – millions of distinct threats that mutate as they spread.
  2. Fake Applications – ‘Scareware’ – fake secure sw applications that install together with a Trojan horse.
  3. Web attacks galore – Symantecs figures point to the web as the prime area for attacks
  4. Underground Economy – hard to estimate the real size of this, the investigators claim that in a year they noticed stolen goods traded on the Internet at the value of more than 276 million $, but this is probably only a very small fraction.
  5. Data Breaches – this of course includes company specific data as well as public stored personal information. Particularly in UK and US some really extraordinary data losses of public data have been noticed.
  6. SPAM – Still very active and annoying, but in fact because of more advanced spam-filters down to some 60-65% of what it was at it’s height
  7. Phishing was also a major threat in 2008 – various techniques and baits used in different economies, Obama’s election was but one example.
  8. Browser and plug in vulnerabilities – cyber attackers are carefully studying loopholes and vulnerabilities and even if Microsoft Explorer’s total domination may be going away, there are still room for improvement also in other browsers.

Symantec Asia’s forecast for threats in 2009 point at 5 key areas:

  1. Explosion of Malware Variants – according to Symantec’s analysis, there is now more malware programs being released on the internet than legitimate programs! This calls for new types of detection programs needed.
  2. Web Threats – It is expected that web services will be the next area for introduction of threats. This points toward the need for some certification scheme for web services.
  3. The Economic Crisis will give rise to new types of fraud promising people to get rid of their loans or offerings , or maybe web sites promising new jobs. These types of fraud typically hits the weaker and poorer.
  4. Social Networks – phishing for username and account info. Based on the rapidly growing success of social networks also as a part of normal enterprise web sites, it is inevitable that more threats will come in this area.


Other highly competent sources of knowledge of security threats include SPAWAR – The US Space and Naval Warfare Command Centre in San Diego. Among their tasks they will provide: "…revolutionary information superiority and dispersed, networked force capabilities to deliver unprecedented offensive power, defensive assurance, and operational independence to Joint Force Commanders."

SPAWAR also holds a research center for Cyber Warfare which probably is the best equipped research center in the World. Mike Davis is the Information Assurance (IA) Technical Authority (TA) at TEAM SPAWAR, and a Vice President of the Information Society Security Association.

In a recent meeting, he pointed at the following key trends that he could see:

- Growth of Malware and Botnet attacks - SQL Injections, Denial of Service Attacks – especially in the mobile use!

- Increased number of insider attacks

- Focus on protecting the infrastructure – ICS/PCS/SCADA Attacks (See conferences like this ‘Black Hat’ Event)

- Outsourcing Security Threats including Cloud Computing issues

- Focus on Host based Security

- Increased use of encryption in many more areas than previously

- Regularity Compliance tools and information lock down (PCI Compliance, HIPAA, SOX) and requirements for privacy

- Social sites will be new playing fields for DLP – Data Loss Prevention.

- General move towards ‘information centric security’ with data as the focal point as opposed to the traditional user/application rights management focus.

- More focus on inter-domain SOA-technology and federated security.

SC Magazine

The SC Magazine for Security Professionals published a forecast mainly based on inpur from Sophos:

“What seems certain, concludes the Sophos report, Security threat report: 2009,” is that the variety and number of attacks will continue to escalate, compromised PCs will remain the primary source of spam, and web insecurity and SQL injections will remain the primary distribution method of malware. “

Infected web pages are cropping up three times as fast this year as compared to last, while the number of infected web pages increased from one every 14 seconds in 2007 to one every 4.5 seconds in 2008, according to Cluley.

“There's a real challenge in how businesses big and small will manage this problem and ensure that their web sites are properly secured and hardened from SQL injection attacks,” he said.

In addition, malicious emails with a greater proportion of legitimate looking attachments, or web links aiming to infect unpatched users, are likely to be sent. Data leakage and identity theft resulting in decreased customer trust and loyalty will continue to pose problems for enterprises, Cluley said.

On the bright side – security software is getting better and more proactive.

For enterprises, Cluley recommended dealing with the security risks with a tiered defense against attacks, including up-to-date anti-virus software, firewalls, security patches and policy control and user education.

In another article from SC Magazine they described the innovations in cybercrime activities under the heading of: 2008: A year of cybercriminal innovation.

And the Danish TeleCom consultant John Strand also had his go at the threats in 2009:

John Strand not surprisingly, points to Wireless risks first:

Wireless risks continue!
There are so many ways to attack a client system via wireless vulnerabilities, as you can see just by looking at Karma, a set of tools for assessing the security of wireless clients, and karmetasploit, a tool that acts as a wireless access point and responds to all probe requests from wireless clients.

I believe that many organizations are about five years behind the curve when grappling with Wi-Fi threat vectors” ….

“ ..vendors implement new protocols and authentication schemes like TKIP, LEAP and PEAP in different ways. We need to fully research the protocols used by our vendors before implementing them in our organizations.”

But John Strand also predicts that new interest for hackers will be directed to the Operating Systems:

“While operating system attacks have not reached the effectiveness and prominence they had from 2003-2005, malicious hackers will most likely discover operating system vulnerabilities again. There has been a tremendous amount of research over the past few years in browser-based attacks like cross-site scripting (XSS), cross-site request forgery (XSRF) and clickjacking. But what if these techniques were used in conjunction with an operating system vulnerability?”

Finally John Strand points to a possible blind spot in the convergence taking place between Web servers and Browsers.

Ponemon Survey
Also the Ponemon Institution conducted a study – 2008 security Mega Trends Survey – where they concluded the following predictions for 2009:

“Cybercrime and outsourcing were named the top security concerns for 2009. In addition to uncovering a changing view of how IT organizations are becoming less siloed and more collaborative, key findings from the Security Mega Trends Survey include:

  • Outsourcing IT is a Major Concern
  • Data Breaches and Cybercrime
  • Workforce Mobility Contributes to Data Loss
  • Web 2.0, P2P, Virtualization and Cloud Computing are Growing in Prevalence “

The Study was conducted by Lumension Security and can be found here.

So the overall picture from all experts – with some variations – points to the same areas or issues. Or is it just that everybody is picking everybody’s brain that this seems so very identical? I will almost be willing to bet that CyberCriminals are more innovative than the sum of all the experts, and that some – until now unseen – types of threat will occur in 2009. With the growing number of computers in everything maybe a new type of crime will be focused on this ‘internet of things’ phenomenon?

The easiest thing of course is to project threats in the areas where you have some remedies and tools to cope with the known – and to sell!.

What we have to fear most is probably not what we know but those areas where we are not even aware of not knowing anything.

Ingen kommentarer: