According to the annual PricewaterhouseCoopers security survey, nearly two-thirds of businesses will be spending as much or more on security this year as they did in 2009, but with budgets stretched by the recession, it’s more vital than ever to squeeze every ounce of value out of that spending.
The industrialisation of hacking
So, just what are the bad guys going to be up to in 2010? Amichai Shulman, chief technology officer at data security specialist Imperva, predicts that roles within the hacking community will become clearly defined, forming a supply chain resembling that of the drug cartels: from the botnet growers building zombie PC communities and the botnet users who exploit them, to the cybercriminal ‘Big Daddies’ that profit.
Imperva recently tracked and analysed a single compromise that impacted hundreds of servers by injecting malicious code into web pages cross-referenced with keywords scoring highly in Google searches. This is an attack that simply wouldn’t have been possible without this industrialisation of hacking.
Indeed, the hacker weapon of choice for 2010 is almost certainly going to be automated tools applied via botnets. “We see more and more automated tools being used at all stages of the hacking process”, Shulman warns. This automation stretches right across the threatscape and just as Security as a Service has made a mark in the last decade, Cybercrime as a Service will become well and truly established in this decade.
Anthony James, VP of products at network security specialist Fortinet, explains that just as companies have opted to unburden themselves from the complex task of securing their networks, the criminal element are turning to a similar outsourced model. “Crime as a Service serves to both increase their reach and obfuscate their identity”, James says. He predicts, “We expect to see an increase in the number of crime kits that allow centralised control panels for botmasters to anonymously administer their malicious networks. These kits will further evolve in 2010 to include maintenance, help and QA support from the criminal syndicates.” Expect CaaS models to evolve to incorporate consultation, hackers for hire, blackmail attacks on political parties, governments, enterprises and even civilian scenarios during 2010.
This is war
Attacks on political parties and governments? Sounds very much like that old vision of the future tagged ‘cyberwar’ doesn’t it? Ash Patel, UK country manager at network security vendor Stonesoft, reckons 2010 might be the year that science fiction turns into infosec fact.
Last year there was a measurable increase in politically motivated incidents (remember Russia/Georgia/Estonia/China, etc?) but Patel predicts that things could turn nasty nearer to home. “Terrorists are getting bolder and the severity of politically motivated cyberattacks are likely to increase in 2010”, Patel says, adding that the national utility grid is particularly vulnerable as it uses “old SCADA networks with outdated security systems”.
Patel is not alone in worrying about war. Take Stu Sjouwerman, founder of Sunbelt Software, who insists that “IT security is the soft underbelly of Western society”, and predicts that cyber warfare will be fast and furious once it breaks out. “Governments will increasingly be forced to require companies to better protect themselves”, Sjouwerman warns, “starting with every organisation involved in critical infrastructure”.
Reed Henry, a senior vice president with security management solutions provider ArcSight, also says it’s just a matter of time before a cyber incident takes down a portion of a country’s power transmission infrastructure. “Whether that is the result of a malicious insider, a compromised administrative account by an extortionist, a virus outbreak, or a targeted attack by nation-state or terrorist organisation, I don’t know”, Henry says, adding “your guess is as good as mine, but an incident will likely happen in 2010”.
Once more unto the breach
Honestly, we did try and lighten the mood a little by asking our panel of security experts if perhaps 2010 will be the year that data breaches start to dry up. Unfortunately, the infosec sages pretty unanimously rejected that idea by predicting no such thing.
Ann Bevitt, a data protection specialist at city lawyers Morrison & Foerster, was typical in her response of “to put it bluntly, anything but a slow down”. Bevitt does have some good news, suggesting that “with the power to fine up to what is likely to be £500 000 coming into force in April 2010, ICO enforcement action will increase significantly”. She warns, “The ICO will be looking to make an example of some private-sector companies, so 2010 may be the year when we start seeing large fines for private-sector breaches.”
Steve Smith, managing director of risk management provider Pentura, reinforces the doom and gloom by revealing that “although some organisations are now deploying technology to start addressing the areas of data security, such as encryption and device control, there are still many that have not”.
The problem seems to be that many just don’t know where to start, Smith continues. “Companies need to gain visibility of how big their data security problem may be, and define a data security strategy that maps out what type of data loss prevention (DLP) solution is appropriate to their business.” Smith says that only then can they start implementing anything that will drive change.
We did find a solitary hopeful voice, that of the UK general manager at identity access management outfit Courion, Stuart Hodkinson. With the publicity that has surrounded data security breaches in the public sector, and the ensuing internal audit reviews coupled with changes by the Information Commissioner’s Office that will hold individuals responsible for future breaches, Hodkinson predicts that this will “drive change in behaviour moving forward”.
Let’s hope he is right, especially because the media coverage that we saw during the last decade could be a thing of the past if the prediction of Nick Lowe, Check Point’s regional director of Northern Europe, that “mainstream coverage of Infosec issues will continue to wane in 2010” proves accurate. Lowe argues that it doesn’t matter much anyway.
“We recently surveyed 135 public and private-sector companies, and less than 50% of them had any encryption on company laptops and mobile devices ... which is the same as it was in November 2007, immediately following the HMRC data loss”, Lowe tells Infosecurity. So it would appear that the bad publicity, and increased powers for the ICO, have had a negligible impact on actual security deployments.
Watch out for Windows 7, Macs and mobiles
The media certainly got excited about the launch of Windows 7 and this year, according to Ash Patel, the hackers will take a mighty interest as well. “Windows 7 will be the new platform to exploit in 2010”, Patel predicts with some confidence, arguing that while Microsoft “has done a good job in improving the security of the platform compared to Vista and XP before it, there will still be core vulnerabilities that can be exploited by cyber criminals”. Quite true; after all, we’ve already seen five critical code-led vulnerabilities towards the end of 2009.
“This will only get worse as hackers become more acquainted with the new platform and more users install it”, insists Patel. What about Macs and mobile phones, surely they are safe from attack, aren’t they? Not according to Paul Wood, MessageLabs intelligence senior analyst with Symantec, who admits that while “the number of attacks designed to exploit a certain operating system or platform is directly related to that platform’s market share”, Macs and smartphones are being increasingly targeted by malware authors. “As Macs and smartphones continue to increase in popularity in 2010”, Wood predicts that “more attackers will devote time to creating malware to exploit these devices”.
It’s the economy, stupid
Despite some analysts insisting that security budgets will be held or increased this year, while other technology budgets are cut, not everyone is convinced. This could be problematic as the bad guys show no sign of cutting their R&D budgets during the recession.
Daniel Turner, chief technology officer of Vistorm (an HP company specialising in reducing business risk) is typical of the security spend non-believers when he predicts that companies will “continue to delay projects wherever possible unless ROIs are a slamdunk”. Turner argues that competition will continue to be fierce, particularly at the technology layer where “more of the market is becoming a commoditised layer of the industry. Smaller distributors and resellers will be further squeezed, potentially to a popping-point”.
Securing the Cloud
According to the global business accelerator Launchpad Europe’s ‘IT Security Index’, half of those people asked said their organisations were not using or planning to use any cloud technologies this year, and security concerns were cited as the primary reason. Launchpad Europe’s technical director, Mike Burkitt, predicts that “cloud vendors in 2010 will have to accept that the key to selling cloud services lies in selling the security of the cloud – because, as our research indicates, organisational concerns about cloud security are not likely to go away overnight”.
Fortinet vice president Anthony James agrees that securing the cloud will be hotter than ever in 2010, and the “concept of protecting data-at-rest vs. data-in-motion comes into play, forcing organisations to examine various security mechanisms to secure their data, including encryption, SSL inspection, data leakage protection, and anti-virus among others”. 2010 might not be the year of the cloud, but it could be the year that the cloud gets security sorted.
George Hoenig is a director at i365, a cloud-connected storage solutions provider, and unsurprisingly he predicts that cloud storage models will become far more defined, with customers taking more of a hybrid approach coupling on-premise and cloud storage, where cloud-based storage services connect to and augment on-premise storage infrastructure. “Cloud and on-premise storage should not be mutually exclusive”, Hoenig insists. “There is a need for both in order to ensure complete data protection and availability for businesses.”
This means that 2010 will be a good year for mergers and acquisitions in the infosec world, as it remains what Turner refers to as a “relatively immature slither” of the overall IT market, meaning there should be continued sector consolidation right across the value chain.
Talking of relatively immature slithers brings us nicely to the final prediction of the piece: social computing will be the catalyst for continuing security migraines and meltdowns. Nir Zuk, CTO and co-founder of firewall gurus Palo Alto Networks sees ‘web 2.0’ as a real threat vector for the enterprise. “Remember how security pundits warned for years that threat developers were going to use SSL, but it never seemed to happen?” Zuk asks. “Well, it didn’t because there was a key element missing – the trusting user who will click on any link (often a shortened and obscured tinyurl or bit.ly link) and think that because the little lock is closed, it’s secure”.
Of course, traditional IPS deployments can’t see inside encrypted traffic, meaning that “this will get ugly in 2010”, Zuk predicts.
Graham Smith, security product manager at Cable & Wireless Worldwide doesn’t think it has to be this way, arguing that if employees are encouraged “to use a private social network rather than the public mediums currently available”, then “all the mission critical communications for business can be tied down and secured”. Smith predicts that 2010 “will see the rise of web 2.0 applications for business and social networking which, if implemented with adequate staff buy-in, will transform the view of social networking from a threat into a business enabler”.
Unless, that is, Rik Ferguson, solutions architect at Trend Micro, is right, and things get turned around so that social computing services such as Twitter, Facebook and Google Groups become used as the landing point for spam campaigns. Ferguson warns that social computing sites are becoming popular in this regard as spammers attempt to bypass email message spam link filters. All of the above services have even been used as surrogate command and control servers for botnets recently. So while users have traditionally felt safe with computers making multiple daily connections to such places and viewed it as harmless activity, Ferguson predicts that “as botnet owners and criminal outfits seek to further dissipate their command-and-control infrastructure and blend into the general white noise of the internet, that is no longer the case”.
Maybe it’s not going to be such a Happy New Year after all.