State-sponsored malware like Stuxnet will hit private enterprise hard in 2013

That’s the top prediction for 2013 from key and certificate management vendor Venafi. "Many pundits, leading media outlets and even some security experts are reporting that enterprises needn't be overly concerned about Flame and Stuxnet-style malware, citing the fact that they were executed by well-funded government intelligence and military groups whose targets were hostile nation-states and not businesses," said Venafi CEO Jeff Hudson. "However, our view is that companies should be concerned, as the tools and techniques used to execute these types of attacks are, unfortunately, now in the hands of common criminals and rogue entities. In the coming year, such attacks are likely to increase, especially against enterprises, and are likely to result in major data breaches, unplanned outages and significant disruptions to businesses."

Venafi said that it is basing its prediction on real-world examples of this kind of “target bleed” already happening. Earlier in the year, oil giant Chevron (No. 3 in the Fortune 500 rankings) said that it found the Stuxnet malware in its systems. Chevron has since publicly stated that it does not believe the US government realizes how far and wide the malware has spread, Hudson noted. That infection was contained before it resulted in damage, but the object lesson remains.

In addition to predicting an increase in enterprise attacks, Venafi has also researched the overall enterprise security landscape and developed a number of other predictions, including the theory that 4G-driven mobility and bring-your-own-device (BYOD) compliance will cause security and audit nightmares.

“The availability of near-desktop speed on laptops, tablets and smartphones will lead to a larger number of mobile BYOD users accessing sensitive and regulated corporate data,” said Venafi. “Organizations that do not have effective management and controls in place for BYOD and related Wi-Fi networks and VPNs will find themselves spiraling into a security and compliance nightmare that will result in breaches, fines and brand damage.”

Another issue for the coming year is breaches caused by the use of MD5 and other weak encryption algorithms. Venafi said that statistical research has revealed that almost all Global 2000 organizations have deployed weak, easily hacked, MD5-signed certificates in their environments.

As a refresher, MD5 is the broken certificate-signing algorithm used by Microsoft that allowed hackers to bypass Microsoft security and infect thousands of computers with Flame malware. Once in place, Flame was able to gather sensitive information from the targeted devices. “With nearly one out of five certificates deployed across the Global 2000 still using MD5, it is highly probable that related breaches will continue,” the firm said.

The company also predicts – to no surprise – that the cloud will be the target of cybercriminals taking aim at businesses and governments. And that, in turn, will drive regulatory action.

That groundswell is already starting: In the UK, the Information Commissioner's Office (ICO) outlined a plan for protecting cloud data while complying with UK and European Data Protection directives. The ICO can fine organizations £500,000 per violation and states that encryption and "robust key management" are requirements for compliance.

“With these changes, it is clear that in 2013 regulators globally will take action against organizations that fail to protect data in the cloud,” Venafi said.

And, finally, amid the rising threatscape, security budgets will rise. “All signs indicate that most IT security budgets will grow in 2013 due to the increased attention to breaches and to security teams doing a better job articulating both risk and business value,” the firm said. “Security projects that can help accelerate strategic projects and reduce work elsewhere are certain to have the best chances of funding in 2013.”
