What's in store for security in 2013?
1. Mainstream Cloud and Mobile Adoption Seeks Security
In 2013 more businesses than ever will look to cloud and mobile computing while also seeking security checks and balances to protect corporate data. "'Cloud' is finally getting over its hype curve," said Steve Robinson, vice president of security development, product management, and strategy at IBM, speaking by phone. "In the beginning of 2012, we were hearing more discussions about if the cloud is safe."
Going into 2013, however, more firms are now setting deployment timetables and talking security practicalities. "I've had a few CISOs tell me that the two platforms they're planning the most for now, looking five years out, are cloud and mobile," Robinson said. On the cloud front, he continued, "We're seeing cloud security being discussed in much more practical terms: what workloads do we put out there, and how do we protect it?"
For mobile devices, on the bring-your-own-device (BYOD) tip, many businesses are asking how to best mix corporate and personal information on smartphones. Interestingly, such questions were hardly ever asked about corporate-owned laptops or desktops, according to Robinson. As a result, he said, by 2014 "we think mobile is going to be as secure, or more secure, than many desktop environments."
2. Businesses Begin Sandboxing Smartphone Apps
One tool that could see widespread adoption in 2013 is mobile app sandboxing. Indeed, as more employees examine how corporate data gets stored on myriad employee-owned devices, Jim Butterworth, CSO of security software and consulting firm HBGary, predicts that more businesses will turn to sandboxing technology on mobile devices to protect their data. Using a sandbox application to access corporate emails, for example, "that application is only resident on the machine while you're receiving emails -- but you can't copy out or in any attachments," said Butterworth, speaking by phone.
3. Cloud Offers Unprecedented Attack Strength
Just as there's a productivity upside to new technology or trends such as BYOD, so often there can be a potential security downside. In the case of cloud computing, notably, some security researchers have been warning that the sheer scale of the recent DDoS attacks against U.S. banks presages a future of Armageddon-style attacks in which hackers can overwhelm not just targeted websites with high-bandwidth attacks, but every intervening service provider.
In 2013, expect to see even bigger attacks launched from the cloud. "It used to be, to launch a massive denial of service attack, you had to build up your botnets so criminals would slowly and surely build up their army of hundreds of thousands of drones," said Harry Sverdlove, chief technology officer of security software vendor Bit9, speaking by phone. "Now, they can rent the equivalent of 100,000 processors. ... So just as legitimate companies are using the cloud to do great things, of course cyber attackers are taking notice as well -- and they can cause significant damage."
4. Post-Flashback, Cross-Platform Attacks Increase
Write once, infect anywhere? That's no doubt the attack goal of many a malware writer. But until recently the relatively scant install base of every operating system -- bar Windows -- led most malware writers to avoid bothering with Mac, Linux, Unix, Android, or other operating systems.
In 2012, however, malware authors altered their approach with the Flashback malware. "With the Flashback Trojan earlier this year, we saw estimates of over 600,000 Mac computers were infected," said Sverdlove, and it apparently earned attackers big bucks via click fraud. Since Flashback, more than one attack has targeted multiple operating systems via cross-platform vulnerabilities present in Java and Flash, and no doubt the targeting of those plug-ins for financial gain will continue in 2013. "With the prevalence of Macs in the workplace and the number of mobile devices, this is becoming a much more lucrative target," he said.
5. Destructive Malware Targets Critical Infrastructure
In 2012, the Shamoon malware was notable for what it apparently wasn't, which was a state-sponsored attack. Instead, Middle Eastern hacktivists have taken credit for disrupting Saudi Aramco -- the state-owned national oil company of Saudi Arabia and the world's largest exporter of crude oil. To do this, they didn't build a Stuxnet-style cyber-weapons factory, but rather gleaned some tricks from previously launched attack code, such as the U.S. government-created Flame malware. The result was Shamoon, which infected and began erasing the hard drives of 30,000 Saudi Aramco workstations.
Moving into 2013, said Sverdlove, "the trend of hacktivists, combined with a rise in sophistication, will lead to much more destructive attacks on infrastructure." Already, Shamoon has shown that the barrier to entry for launching malware attacks against critical infrastructure systems continues to decrease and that attackers no longer have to be malware experts. Accordingly, people with a grudge may add such attacks to their attack toolkit, next to website defacements, Twitter account takeovers, and DDoS attacks.
"Hacktivists represent the unpredictable factor," said Sverdlove. "All it takes is a few individuals with an agenda or an ax to grind, and they now have the tools to launch distributed denial-of-service attacks or attacks to wipe out data. It makes for a much more dangerous combination."
6. Hackers Target QR Codes, TecTiles
One of the more innovative -- as well as simple and inexpensive -- attacks to emerge over the past year involves fake QR codes, which attackers have printed out and used to cover up real QR codes on advertisements -- especially for financial services firms. "Banks have been battling fake QR codes as a method of doing cross-site scripting attacks on mobile phones," said HBGary's Butterworth. "It's scary: [attackers] use open-source QR generators, then they put these things on billboards or ATM machines, promising $100 if you open a new account -- and it's all just to exploit [consumers]." Alternately, attackers could use fake QR codes on bank advertisements to send consumers to fake versions of their bank's website, then steal their access credentials.
Banks are now also exploring Samsung TecTiles, which are Android apps that let you read and write near field communication (NFC) tags, as a way to let people make payments. But according to Butterworth, with near field communications comes a huge amount of risk. Enterprising attackers could create their own TecTiles that redirect to malicious websites, or even launch phishing attacks.
Attacks using QR and TecTiles target consumers. "It's a problem more, I think, for personal banking and the threat of people getting their money stolen than for some state-sponsored entity trying to find their way in," said Butterworth.
7. Digital Wallets Become Cybercrime Targets
Expect any combination of smartphones, payment capabilities, or credit card data to draw attackers' interest. On a related note, Google, Apple, Verizon, T-Mobile, AT&T and others are now moving into the electronic wallet and digital wallet space. But storing gift cards and credit cards on a smartphone and allowing consumers to make payments via NFC -- simply waving a smartphone near a payment terminal to begin a transaction -- will make digital wallets a big target for criminals, said Bit9's Sverdlove.
It's virtually guaranteed, furthermore, that every last potential attack vector or exploitable vulnerability hasn't yet been worked out of such systems. "Like any new technology, convenience always precedes security ... and we'll see some elevation in the number of attacks on e-wallets or digital wallets," Sverdlove said. "It will serve in the long run to strengthen security."
But in the short term: come 2013, watch your digital wallet.