Internet Security Systems - AlertCon(TM)

Week of (everyone else’s) Security Predictions 2009 – Day 1

Posted by Gunter Ollmann on January 05, 2009 at 12:43 PM EST.

As we kick off a brand-spanking new year, it’s already pretty clear that 2009 is going to be a roller-coaster of a year. What with global economic problems, organized cyber crime threats, commodity prices yo-yoing away, and nations squaring off for fisticuffs, perhaps the only thing to look forward to are cheaper new car prices?

Now, if you’re anything like me, you’ve probably got an inbox crammed with the usual spam and maybe have a recursive 80:20 email prioritization plan for the stuff that isn’t obviously junk based upon its subject line. What you’ll have probably already spotted (if you haven’t already been inundated with…) are supplier emails wishing you a Happy New Year on one hand, and dropping a few pessimistic 2009 security predictions with the other.

Given that security predictions for 2009 seem to be so plentiful this year, and how contradictory or irrelevant they often appear to be, I figured that instead of just supplying an obligatory list of my own predictions (and the de facto IBM/ISS/X-Force ones), it’ll be more valuable (and fun) to just pick through everyone else’s.

Since, over the last couple of years we’ve observed all these “Month of… whatever” vulnerability disclosures, my first thought was that I could just do a “Month of everyone-else’s Security Predictions” – there’s certainly enough vendor predictions to do that – but then I figured I’m traveling internationally all of next week and, more importantly, both you (the reader) and I would get bored rather rapidly. So a compromise was in order. Hence I welcome you to the “Week of (everyone-else’s) Security Predictions 2009”.

Kicking things off
To kick Day One off, I’ll take a gander at Cisco’s “Top Trends to Expect in 2009” – the ones they recently published in their 2008 annual security report.

Incidentally, I tip my hat to Cisco’s first real effort at producing an annual security report. It’s very pretty, well constructed, and an excellent primer that introduces non-security people to the bulk of 2008’s threat landscape. I’m not sure who they got their data from (since Cisco aren’t known for having the internal teams that harvest or analyze this kind of threat data on a daily basis), but it looks to be fairly consistent with what X-Force have been observing in 2008 – and their narrative is first rate. I’d heartily recommend that readers take the time to flip through Cisco’s report.

Cisco’s 2009 Security Predictions
Anyway, towards the end of the report Cisco have four predictions (well, technically they call them trends) which we’ll take a look at.

(1) Smaller, More Frequent, Targeted Attacks

"More sophisticated attacks will occur in the year ahead… deployed rapidly and designed for even more specific targets—individuals, groups, businesses, organizations, and governments. … Criminals will certainly keep refining how they take advantage of (and profit from) … news events.
… There will be more “specialists”—criminals who deliver one or more key components essential to creating a complex and convincing attack. As they grow their expertise and reputation, these specialists will be sought out and hired by others looking to create their own high-impact attacks."

This type of thing has been going on for quite a few years already, so it’s reasonable to assume that the trend will continue in 2009 (and beyond) – although I think there is a general misconception within the industry about targeted attacks. If you’re the victim, it almost always looks like you’ve been targeted – but in reality, it’s all part of an efficient (and inevitable) cyber crime process that makes increasing use of bulk (bulk-bought, bulk-stolen or bulk-traded) personal information.

As the volume of personal information available to criminals increases, its successful integration into attack schemas is only to be expected – especially since it has proven to be a reliable and efficient tactic thus far (e.g. phishing).

On the other front, for the last couple of years we’ve seen a consolidation of criminal expertise as formalized “professional” hacking services have materialized (i.e. “Hacking-as-a-service”) alongside the growth of “dual use” crimeware (e.g. a “universal remote administrators toolkit” with rootkit functionality, 24x7 support, and a money-back guarantee that it won’t be detected by any anti-virus product – all for $199…).

(2) Cross-Protocol Attacks

"Online criminals looking to improve their odds of success will increasingly rely on cross-protocol or “blended” approaches that combine email, Web-based threats, and intrusions. This type of attack, successful in recent years, will keep growing during 2009. Also expect to see more botnets that are capable of “multitasking”—for instance, sending spam, hosting malware, and launching a direct attack."

OK, so this one’s a no-brainer too. I’ve covered this particular threat/trend many times over the years, and anyone who’s been to a conference and listened to an IBM ISS sales guy giving a talk will have heard the blended-threat story (and the protection strategy you need to adopt). You’ll also remember that whitepaper I published on the topic of “old threats never die” – so you can guarantee that blended threats will continue – and will probably make up the bulk of the attacks “targeting” your organization.

With regard to “multitasking” botnets etc., any company with a malware research team will tell you that this has been going on from the year dot. It follows directly from why criminals continue to develop their botnets – it’s all about the money. The days of “mine is bigger than yours” have been and gone. The botnets of 2009 and beyond will be more about stealth – and the most successful and profitable criminal botnet operators will be the ones we don’t hear about and who don’t make it into the IT media.

(3) Reputation Hijacking

"Hijacking reputations has proven attractive and effective for online criminals. … In 2009, more online criminals will be actively hijacking reputations and will work on finding additional, more sophisticated ways to do so."

Umm, yeah. I’ve forgotten – is this meant to be a prediction, a trend, or a comment about the last decade of phishing attacks?

Cynicism aside, going back to what I said earlier concerning the growing use of personal information – the same thing applies to corporate identity information (whether that’s in the form of “brand”, “reputation” or a spoofed email address). If the criminals have access to the information (and graphics) and it’ll help them socially engineer future victims, then they’ll continue to use it.

(4) Mobility, Remote Working, and New Tools as Risk Factors

"The trend of remote working and related use of Web-based tools, mobile devices, virtualization, “cloud computing,” and similar technologies to enhance productivity—especially in an economic climate that demands leaner, more-cost effective and global staff—will continue in 2009.
This means that preventing loss of data—from outside attacks, insiders, or negligence around data storage devices such as laptops—will become more crucial than ever. But it will be a challenge for security personnel. The edge of the network is expanding rapidly, and the increasing number of devices and applications in use make the expanding network more porous, creating new inroads for threats."

This really is an area of concern for all security professionals – along with anyone with a corporate responsibility for personal and confidential information. Without doubt the industry and its workforce are transforming into a highly mobile “anywhere, anytime” globally networked cloud. To top it off, I’ve yet to encounter any enterprise customer who could truthfully answer the question “do you know where all your corporate data is?”

Virtualization and cloud computing are going to make this even more difficult to answer going forward. But let’s face it, from a threat perspective there is very little difference from what we’ve already seen since the beginning of this millennium. All the old cyber threats continue to apply.

Most organizations already (and continually) fail to understand precisely where their confidential data is at any point in time. Given their own internally distributed computing environments (servers scattered higgledy-piggledy throughout the enterprise network, maintenance and support responsibilities delegated to various teams with varying impetus to look after them, and unclear “ownership” responsibilities for the data upon them), the only real change to the threat spectrum that their adoption of new virtualization and cloud infrastructure brings in 2009 has to do with the efficiencies of managing a smaller subset of physical assets – and that’s good news in most realms.

In 2009 I do expect to see several noteworthy corporate data-leaks due to remote workers, virtualization and cloud computing. But they’ll largely be noteworthy because they happened on the newer technologies – after all, who’s going to bang the media drums about the 100,000th data-leakage on an Oracle database due to SQL Injection and default configuration settings?

Do I think that these newer technologies introduce major new security threats in 2009? No.

What they bring (following the classic 80:20 rule) is 80 percent of the old threat stuff we’ve been hearing about daily for a decade, and 20 percent new attack vectors that we haven’t had to worry about before (and have yet to figure out how to confidently protect against). Meanwhile, we’re only too quick to forget about all of the old threats that no longer have practical relevance to the new technology. Maybe that’s due to all the FUD that the majority of security vendors like to spread?

More “Security Predictions 2009” analysis tomorrow…

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.