SAN JOSE – My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage–one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In fact, business is just too good for the cybercriminals. With the tremendous growth of new mobile platforms, bad guys will have even more new avenues to attack and uncharted social engineering tricks to engage in to continue to steal from us.

But Stuxnet is a marker. It is a clear indication that the world is changing and that the 2011 threat landscape will be different from that of previous years.

With all this in mind, Symantec has put together our top Internet security predictions for 2011. From attacks on critical infrastructure, to the security challenges of managing an always-connected mobile workforce, to the race to control the digital arms race, we cover the key trends to keep an eye on throughout the coming year.

Critical Infrastructure Will Come Increasingly Under Attack and Service Providers Will Respond, but Governments Will Be Slow to React

Attackers have likely been watching the impact the Stuxnet threat had on industries using industrial control systems and are learning from it. We expect them to take the lessons learned from Stuxnet–the most significant example to date of a computer virus designed expressly to modify the behavior of hardware systems to create a physical, real-world impact–and launch additional attacks targeting critical infrastructure over the course of 2011. Though these types of attacks will be slower to start, expect their frequency to increase as well.

As evidence of this trend, Symantec recently conducted a study asking critical infrastructure providers about their opinion of cyberattacks against their industries. Forty-eight percent of respondents said they expect to come under attack in the next year and 80 percent believe the frequency of such attacks is increasing.

The overarching messages taken from the study’s findings are that there is a high level of awareness among critical infrastructure providers of the threat that exists and that critical infrastructure protection (CIP) is top of mind. Thus, expect to see these providers move forward with cybersecurity precautions. These precautions will focus not only on simply combating an attack, but on resiliency to survive an attack. This will include backup and recovery, encryption, storage, and information management initiatives.

The Symantec study also found that the majority of critical infrastructure providers are supportive of and more than willing to cooperate with their government in CIP initiatives. However, do not expect to see a lot of movement in this regard from governments this year. For example, it’s unlikely that the U.S. government will pass CIP legislation in 2011. Evidence of this is the widespread changeover that recently happened in the U.S. Congress and the current presidential administration’s lack of indication that it will be making CIP a priority. CIP legislation and government initiatives in other countries face similar challenges.

Zero-Day Vulnerabilities Will Become More Common as Highly Targeted Threats Increase in Frequency and Impact

In 2010, Hydraq, a.k.a. Aurora, provided a high-profile example of a growing class of highly targeted threats seeking to infiltrate either specific organizations or a particular type of computer system by leveraging previously unknown software vulnerabilities. Attackers have been using such security holes for many years, but as these highly targeted threats gain momentum in 2011, plan to witness more zero-day vulnerabilities coming to light in the next 12 months than in any previous year.

Symantec has already seen this trend begin to develop. In all of 2009, Symantec observed 12 zero-day vulnerabilities. As of early November 2010, Symantec has already tracked 18 previously unknown security vulnerabilities this year that were or are actively being used in cyberattacks. Nearly half of these–possibly more–have been used by targeted threats such as Stuxnet (which exploited a record four zero-day vulnerabilities), Hydraq, Sykipot, and Pirpi (which was identified just this month).

The key driver behind the growing use of zero-day vulnerabilities in targeted threats is the low-distribution nature of such malware. As opposed to traditional widespread threats that achieve success by attempting to infect as many computers as possible, targeted threats focus on just a handful of organizations or individuals (perhaps even only one) with the goal of stealing highly valuable data or otherwise infiltrating the targeted system. In such scenarios, the challenge for attackers is ensuring that they hit their target on the first try without getting caught. Using one or more zero-day vulnerabilities is an effective means to improve their odds that the targeted device(s) or computer(s) will be largely defenseless against their attack.

There is no traditional security technology that excels at detecting this type of threat. Traditional protections require security vendors to capture and analyze specific strains of malware before they can protect against them. The stealthy, low-distribution nature of targeted threats severely decreases the likelihood that security vendors will be able to create traditional detections to protect against them all. However, technologies such as Symantec’s SONAR, which detects threats based on their behavior, and reputation-based security, which relies on the context of a threat rather than the content, turn the telling behavioral characteristics and low-distribution nature of these threats against them and make detection possible.

The Exponential Adoption of Smart Mobile Devices that Blur the Line Between Business and Personal Use Will Drive New IT Security Models

The use of mobile devices such as smartphones and tablets that meet both business and personal connectivity needs is growing at an unprecedented pace. Analyst firm IDC estimates that by year’s end, new mobile device shipments will have increased by 55 percent and Gartner projects that in the same timeframe, 1.2 billion people will be using mobile phones capable of rich Web connectivity. Since this proliferation shows no sign of slowing in the coming year, enterprises will gravitate to new security models to safeguard the sensitive data that will be on and accessible through these devices.

Increasingly, the same mobile devices are being used for personal as well as business use. This creates complex security and management challenges for three key groups: IT organizations, consumers, and communication service providers.

IT organizations: Consumers are driving the innovation of mobile devices and bringing them into the enterprise–evidence of the ongoing consumerization of IT. This is especially true as organizations cut costs and require employees to use their personal devices for business. However, many enterprises lack an all-embracing solution that can keep enterprise data and application access safe on the many mobile operating systems in use, all the while allowing the use of personal d