My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.
We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.
We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In fact, business is just too good for the cybercriminals. With the tremendous growth of new mobile platforms, bad guys will have even more avenues of attack and uncharted social engineering tricks to use in order to keep stealing from us.
But Stuxnet is a marker. It is a clear indication that the world is changing and that the 2011 threat landscape will be different from that of previous years.
With all this in mind, Symantec has put together our top Internet security predictions for 2011. From attacks on critical infrastructure, to the security challenges of managing an always-connected mobile workforce, to the race to control the digital arms race, we cover the key trends to keep an eye on throughout the coming year.
We would like to get your opinions on our trend predictions and also on what you think will make headlines in 2011. We’ve put together a short survey that should only take a couple of minutes to complete. Let us know what you think by taking the survey here: http://bit.ly/9SxUiF.
Critical Infrastructure Will Come Increasingly Under Attack and Service Providers Will Respond, but Governments Will Be Slow to React
Attackers have likely been watching the impact the Stuxnet threat had on industries using industrial control systems and are learning from it. We expect them to take the lessons learned from Stuxnet—the most significant example to date of a computer virus designed expressly to modify the behavior of hardware systems to create a physical, real-world impact—and launch additional attacks targeting critical infrastructure over the course of 2011. Though slower to start, expect the frequency of these types of attacks to increase as well.
As evidence of this trend, Symantec recently conducted a study asking critical infrastructure providers about their opinion of cyberattacks against their industries. Forty-eight percent of respondents said they expect to come under attack in the next year and 80 percent believe the frequency of such attacks is increasing.
The overarching messages taken from the study’s findings are that there is a high level of awareness among critical infrastructure providers of the threat that exists and that critical infrastructure protection (CIP) is top of mind. Thus, expect to see these providers move forward with cybersecurity precautions. These precautions will focus not only on simply combating an attack, but on resiliency to survive an attack. This will include backup and recovery, encryption, storage, and information management initiatives.
The Symantec study also found that the majority of critical infrastructure providers are supportive of and more than willing to cooperate with their government in CIP initiatives. However, do not expect to see a lot of movement in this regard from governments this year. For example, it’s unlikely that the U.S. government will pass CIP legislation in 2011. Evidence of this is the widespread changeover that recently happened in the U.S. Congress and the current presidential administration’s lack of indication that it will be making CIP a priority. CIP legislation and government initiatives in other countries face similar challenges.
Zero-Day Vulnerabilities Will Become More Common as Highly Targeted Threats Increase in Frequency and Impact
In 2010, Hydraq, a.k.a. Aurora, provided a high-profile example of a growing class of highly targeted threats seeking to infiltrate either specific organizations or a particular type of computer system by leveraging previously unknown software vulnerabilities. Attackers have been using such security holes for many years, but as these highly targeted threats gain momentum in 2011, plan to witness more zero-day vulnerabilities coming to light in the next 12 months than in any previous year.
Symantec has already seen this trend begin to develop. In all of 2009, Symantec observed 12 zero-day vulnerabilities. As of early November 2010, Symantec has already tracked 18 previously unknown security vulnerabilities this year that were or are actively being used in cyberattacks. Nearly half of these—possibly more—have been used by targeted threats such as Stuxnet (which exploited a record four zero-day vulnerabilities), Hydraq, Sykipot, and Pirpi (which was identified just this month).
The key driver behind the growing use of zero-day vulnerabilities in targeted threats is the low-distribution nature of such malware. As opposed to traditional widespread threats that achieve success by attempting to infect as many computers as possible, targeted threats focus on just a handful of organizations or individuals (perhaps even only one) with the goal of stealing highly valuable data or otherwise infiltrating the targeted system. In such scenarios, the challenge for attackers is ensuring that they hit their target on the first try without getting caught. Using one or more zero-day vulnerabilities is an effective means to improve their odds that the targeted device(s) or computer(s) will be largely defenseless against their attack.
There is no traditional security technology that excels at detecting this type of threat. Traditional protections require security vendors to capture and analyze specific strains of malware before they can protect against them. The stealthy, low-distribution nature of targeted threats severely decreases the likelihood that security vendors will be able to create traditional detections to protect against them all. However, technologies such as Symantec’s SONAR, which detects threats based on their behavior, and reputation-based security, which relies on the context of a threat rather than the content, turn the telling behavioral characteristics and low-distribution nature of these threats against them and make detection possible.
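The paragraph above describes reputation-based security as judging a file by its context (how many machines have it, how long it has been around, who signed it) rather than by its content. The Python below is an added illustration of that idea; it is not Symantec code and does not reflect how SONAR or Symantec's reputation service is actually implemented. All telemetry, hashes, thresholds, and the fleet size are constructed for the example.

```python
"""Prevalence-based (reputation) triage over constructed endpoint telemetry.

Added example, not Symantec or SONAR code. It shows how a low-distribution
threat that no signature database has seen yet can still be surfaced from
context alone: very few hosts have the file, it appeared very recently, and
it carries no trusted signature.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileObservation:
    sha256: str              # constructed placeholder hash, not a real IoC
    hosts: frozenset         # distinct endpoint ids that reported the file
    first_seen: datetime     # first time any endpoint in the fleet reported it
    trusted_signature: bool  # valid signature from an allow-listed publisher


# Thresholds are assumptions for this example, not product defaults.
RARE_FRACTION = 0.001        # seen on 0.1% of the fleet or fewer
NEW_AGE = timedelta(days=7)  # first appeared within the last week


def classify(obs, now, fleet_size):
    """Return (verdict, reasons) for one file, using context only.

    A file that is both rare and new is the profile of a targeted threat
    and is marked "suspicious"; rare-or-new alone is "unknown"; a widely
    deployed, long-lived file is "established".
    """
    if obs.trusted_signature:
        return "trusted", ["signed by an allow-listed publisher"]
    prevalence = len(obs.hosts) / fleet_size
    age = now - obs.first_seen
    reasons = []
    if prevalence <= RARE_FRACTION:
        reasons.append(f"rare: {len(obs.hosts)} of {fleet_size} hosts")
    if age <= NEW_AGE:
        reasons.append(f"new: first seen {age.days} days ago")
    if len(reasons) == 2:
        return "suspicious", reasons
    if reasons:
        return "unknown", reasons
    return "established", [f"prevalence {prevalence:.1%}, age {age.days} days"]


def triage(observations, now, fleet_size):
    """Return (verdict, hash, reasons) tuples an analyst should look at,
    suspicious files first, then unknown ones, each group sorted by hash."""
    order = {"suspicious": 0, "unknown": 1}
    ranked = []
    for obs in observations:
        verdict, reasons = classify(obs, now, fleet_size)
        if verdict in order:
            ranked.append((verdict, obs.sha256, reasons))
    ranked.sort(key=lambda r: (order[r[0]], r[1]))
    return ranked


# Constructed fleet telemetry: 50,000 endpoints, snapshot taken 2010-11-17.
NOW = datetime(2010, 11, 17)
FLEET_SIZE = 50_000
SAMPLE = [
    # rare + brand new + unsigned: the targeted-threat profile
    FileObservation("aa" * 32, frozenset({"host-0412", "host-2207"}),
                    NOW - timedelta(days=2), False),
    # on most of the fleet for over a year: ordinary OS component
    FileObservation("bb" * 32, frozenset(f"host-{i:04d}" for i in range(40_000)),
                    NOW - timedelta(days=400), False),
    # rare but old: probably a niche tool, worth a look but not urgent
    FileObservation("cc" * 32, frozenset({"host-0001", "host-0002", "host-0003"}),
                    NOW - timedelta(days=200), False),
    # rare and new, but carries a trusted signature: an update rollout
    FileObservation("dd" * 32, frozenset({"host-9999"}),
                    NOW - timedelta(days=1), True),
    # new and already on 10% of the fleet, unsigned: a fast rollout
    FileObservation("ee" * 32, frozenset(f"host-{i:04d}" for i in range(5_000)),
                    NOW - timedelta(days=3), False),
]

if __name__ == "__main__":
    for verdict, digest, reasons in triage(SAMPLE, NOW, FLEET_SIZE):
        print(f"{verdict:10s} {digest[:16]}...  {'; '.join(reasons)}")
```

The point of the example is the inversion the paragraph describes: the attacker's choice to hit only a couple of machines is exactly what makes the first file stand out, while the same scoring leaves a widely deployed OS file alone and defers to a trusted signature for a legitimate but equally rare update.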
The Exponential Adoption of Smart Mobile Devices that Blur the Line Between Business and Personal Use Will Drive New IT Security Models
The use of mobile devices such as smartphones and tablets that meet both business and personal connectivity needs is growing at an unprecedented pace. Analyst firm IDC estimates that by year’s end, new mobile device shipments will have increased by 55 percent and Gartner projects that in the same timeframe, 1.2 billion people will be using mobile phones capable of rich Web connectivity. Since this proliferation shows no sign of slowing in the coming year, enterprises will gravitate to new security models to safeguard the sensitive data that will be on and accessible through these devices.
Increasingly, the same mobile devices are being used for personal as well as business use. This creates complex security and management challenges for three key groups: IT organizations, consumers, and communication service providers.
• IT organizations: Consumers are driving the innovation of mobile devices and bringing them into the enterprise—evidence of the ongoing consumerization of IT. This is especially true as organizations cut costs and require employees to use their personal devices for business. However, many enterprises lack an all-embracing solution that can keep enterprise data and application access safe on the many mobile operating systems in use, all the while allowing the use of personal devices.
• Consumers: The “IT-ization” of consumers means that consumers today have more technology in the home that they are using every day, but no dedicated IT staff to manage all these devices. This means that more often than not they lack the tools to adequately protect their personal information from threats or their device from theft or loss. In fact, the physical security of consumer mobile devices will be a real pain point this coming year. This will spur the need for, and adoption of, locate, lock, and remote-wipe services.
• Communication service providers: Carriers are seeing continued decreases in subscriber satisfaction, which results in increased customer turnover and costs associated with out-of-control mobile bandwidth increases, network misuse, malware proliferation, and spam. Carriers need a single solution to manage customer preferences and security across all types of services, including voice, email, SMS, MMS, Web, IM, and P2P.
Traditionally, cyber criminals have paid only a passing interest in mobile devices, electing instead to focus their efforts where the greatest return on their investment could be had: the PC. Aside from a lack of feature-rich devices, a major barrier to creating successful mobile threats has always been the lack of a clear market leader, resulting in an attacker having to create multiple attacks, one for each platform, in order to develop a high success rate. However, IDC estimates that by year’s end, Android and Apple iOS devices are expected to own 31 percent of global market share.
As devices grow more sophisticated and while just a handful of mobile platforms corner the market, it is inevitable that attackers will key in on mobile devices in 2011 and that mobile devices will become a leading source of confidential data loss. Research by mobile specialist Mocana indicates that attacks against smart mobile devices already require or will require by year’s end the regular attention of IT staff for 65 percent of enterprise organizations surveyed.
IDC also estimates that 1 billion workers will be mobile at least part of the time or remote from their firm’s main location by the end of 2011. As this happens, enterprises will have to address the associated challenges by adopting new models, such as security in the cloud, for suitable solutions that will work seamlessly across multiple platforms and devices. Expect IT managers to be forced by business necessity to implement more granular and refined Web security policies as well.
Regulatory Compliance Will Drive Adoption of Encryption Technologies More than Data Breach Mitigation
The explosion of mobile devices in the enterprise not only means organizations will face new challenges in keeping these devices and the sensitive data on them accessible and safe; they also must comply with various industry data protection and privacy regulations.
Enterprises are under ever-increasing pressure to meet a veritable alphabet soup of regulatory compliance standards. In the United States, this past year saw the enactment of the healthcare industry regulation (HITECH) and legislation in several states—all aimed at protecting data. Internationally, PCI DSS was updated to 2.0.
Despite regulations, many organizations do not currently disclose when mobile devices containing sensitive data are lost, as they do with laptops. In fact, employees do not always report these lost devices to their organizations. This year, we expect that regulators will start cracking down on this issue and this will drive organizations to increasingly implement encryption technologies, particularly for mobile devices.
The Ponemon Institute’s 2010 Annual Study: U.S. Enterprise Encryption Trends revealed that for the first time, regulatory compliance has surpassed data breach mitigation as the top reason why organizations deploy encryption technologies. Organizations are getting ahead of the curve with their encryption strategy before the breach occurs, not after.
In 2011, we will see organizations take a more proactive approach to data protection with the adoption of encryption technology in order to meet compliance standards and avoid the heavy fines and damage to their brands a data breach can cause.
A New Frontier in Politically Motivated Attacks Will Emerge
In the Symantec CIP study, more than half of all firms said they suspected or were pretty sure they had experienced an attack waged with a specific political goal in mind. In the past, these politically motivated attacks primarily fell in the realm of cyber espionage or denial-of-service types of attacks against Web services. As a recent example, distributed denial-of-service attacks were levied against blogs and forums criticizing the Vietnamese Communist Party. However, with Pandora’s Box now opened due to Stuxnet, expect to see these threats move beyond spy games and annoyances as malware is weaponized to cause real-world damage.
A highly complex threat, Stuxnet’s purpose is to reprogram industrial control systems—computer programs used to manage industrial environments such as power plants, oil refineries, and gas pipelines. It is the first known malware to specifically target such systems. Stuxnet’s ultimate objective is to manipulate physical equipment attached to specific industrial control systems, causing the equipment to act in a manner dictated by the attacker and contrary to its intended purpose. Such an outcome could have several underlying goals, but sabotage—which could result in real physical harm—is the most likely.
Though the exact target of Stuxnet is still unknown to this day, circumstantial evidence suggests Iran, or some organization or facility within Iran, was most likely the target of whichever well-funded group or nation state created the malware. Given these facts, it is not a stretch to assume the threat was politically motivated, potentially making Stuxnet the first politically charged cyberattack attempting to accomplish real-world destruction.
In reality, Symantec thinks Stuxnet is possibly only the first highly visible indication of attempts at what some might call cyber warfare that have been happening for some time now. In 2011, more indications of the ongoing pursuit to control the digital arms race will come to light.
In the coming year we will see many new cyber security developments; however, perhaps most important is that we expect the security industry to continue to rise to meet the challenge of a constantly evolving threat landscape. You can be sure that new security technologies will continue to emerge and billions of computer users will be protected from threats that would otherwise compromise their computers and networks, steal their sensitive information, and take them for all they’re worth. Indeed, know that the overall forecast is not one of doom and gloom; though the battle against cybercrime will go on, security companies such as Symantec will remain in the trenches, ready to give fight to cybercriminals on every front.