SEMA News—April 2012
By Joe Dysart
10 Major IT Security Trends
The apple of many an eye—the iPhone—can be easy prey for the experienced hacker.
“The web will undoubtedly continue to be the most prominent vector of attack,” said Gerhard Eschelbeck, chief technology officer for Sophos, a web-security firm.
Specifically, Eschelbeck predicted that hackers will still use the web as their primary distribution point for malware throughout 2012. And he worries that the growing trend of “Bring Your Own Device” to work, in which millions of workers push to use their own unsecured iPhones, iPads, tablets, Androids and other technologies on the job, will only increase business vulnerability to that malware.
“IT departments are being asked to connect devices to corporate networks and secure data on these devices, which they have very little control over,” said Eschelbeck.
Indeed, according to a Sophos poll conducted at the close of 2011, 61% of those surveyed felt that the biggest security threat on the web was its users who were not doing enough to secure the devices they use to access the Internet. In addition, nearly 50% of respondents said that their workplace allowed staffers to use personal technology—including iPhones, Androids and the like—at work.
“As cybercriminals expand their focus, organizations are challenged to keep their security capabilities from backsliding as they adopt new technologies,” said Mark Harris, a vice president at Sophos.
Added Eschelbeck: “2011 was characterized by a rise in cybercrime. The availability of commercial tools designed by and for cybercriminals made mass generation of new malicious code trivial and scalable. The net result was significant growth in the volume of malware and infections. Cybercriminals also diversified their targets to include new platforms as business use of mobile devices accelerated. Politically motivated ‘hacktivist’ groups took the media spotlight, even as the more common threats to cyber security grew.”
And while Microsoft Windows remained a favorite target for hackers in 2011, most of the black hats preferred to tunnel in via add-ons to Windows such as Adobe .PDF and Adobe Flash.
Also rearing its ugly head yet again in 2011 was the Conficker worm, which has been terrorizing the web for more than three years.
“The Conficker worm is still the most commonly encountered piece of malicious software, representing 14.8% of all infection attempts seen by Sophos customers,” Eschelbeck said. “Evidently, plenty of infected PCs are still trying to spread this old worm. Although Microsoft patched this flaw more than three years ago, the current rate of Conficker infection is a shining example of how bad many of us are at patching our systems.”
All told, Eschelbeck saw the following 10 major IT security trends emerging in 2012, which are discussed in detail in a report he co-authored with a number of analysts at Sophos entitled “Security Threat Report 2012”:
Expect Major Hits on Social Media: “We expect cybercriminals to continue their effective mass generation of malware, increasing the number of attacks using social media platforms and integrated apps,” Eschelbeck said.
Look for Apple as a Target: Enjoying newfound popularity, Apple—once passed over as an afterthought to Microsoft—is now considered a legitimate target by hackers. Look for increased attacks on the Mac operating system as well as other non-Microsoft software, including Adobe, in the coming year.
Prepare for Android Attacks: Google’s wildly popular operating system, embraced by a wide variety of mobile computer device manufacturers, will face its own plundering. “IT security professionals will need to deal with rapidly evolving mobile platforms, each with a unique set of risks,” Eschelbeck said.
Safeguard That iPhone: “A casual shift to the use of consumer devices without appropriate controls will cause backsliding in security capabilities,” Eschelbeck said. “IT will once again struggle to deploy reliable security measures for the environment.”
Anticipate Rebels With a Cause: 2011 saw an outbreak of cause-fueled attacks on major corporations such as Sony, PayPal and Bank of America. Expect more of the same in 2012 as hacker groups like Anonymous single out more businesses for vengeance.
Expect a Push for More Regulations in D.C.: Consumers fed up with what they perceive as an onslaught of privacy-invading technology will be in Washington again, pushing hard for more regulations on how traffic on your website can be analyzed.
Expect Trouble With New Mobile Payment Systems: While many businesses and consumers are eagerly anticipating new cell phone technologies that will allow customers to simply “wave” a smart phone at a register to pay for an item, that same technology—near field communication—could prove easy pickings for the expert hacker. “We expect cybercriminals are just as eager to target these integrated platforms that hold our money,” Eschelbeck said.
Prepare for More Sophisticated Encryption to Usher in the Cloud: As more businesses turn some or all of their applications over to the cloud, IT departments will need to encrypt data wherever it flows, rather than just focusing on protecting endpoints like devices and in-house networks.
Double-Check Your HTML5 and IPv6: New technologies for websites and web communications will create their own vulnerabilities.
Do the Right Thing: Scores of businesses will invite plundering by simply ignoring security fundamentals. Don’t be one of them. Instead, educate staff on the critical importance of keeping up to date on security patches from Microsoft and other software vendors. And practice sensible password creation, using passwords of at least 12 characters in length.
“Keeping your devices healthy by identifying missing patches in areas commonly targeted by the bad guys will help significantly,” Eschelbeck said. “Technologies like file and folder encryption will smooth the adoption of cloud services and new devices.”