Continuing our series on threat predictions for 2012, The Tech Herald presents a list of nine things to consider in the coming years. The list was compiled by Joseph Steinberg, the CEO of Green Armor Solutions.
There will be an uptick in sophisticated, targeted cybersecurity attacks. The success of the Stuxnet virus and other targeted forms of cyberattack has shown hackers the value of such an approach.
Improved social engineering attacks. As people share an increasingly large volume of data about themselves online, and as social networking sites regularly change both their feature-sets and their privacy policies, thereby causing information leaks due to resulting user errors, we will see increased targeted social engineering attacks.
In addition, criminals will leverage social information to assist them with crimes. So think twice about posting onto Facebook those photos of your family at Disneyworld until you are back home; burglars know that if you are at Disney, your home is likely empty.
Psychology will play a greater role in both attacks and defenses. Security technologies improve far more rapidly than the human mind, and people are increasingly often the weak link in the security chain. Criminals will increase their use of psychological subterfuge in launching attacks, such as through targeted phishing, and it will be more important than ever to leverage psychology in defenses.
There will be an increase in attempts at stealing data and monetizing it, rather than going after money with direct financial cybercrime. Criminals have realized that their odds of successfully breaching non-financial systems, and getting away without being caught, are higher than if they target a major bank. They have also learned that the data that can be pilfered in a simple attack can be worth far more than the balance of the average checking account.
Cyberspying by non-democratic nations will increase. State-sponsored hacking is a highly effective and far less expensive way for governments to improve militaries, infrastructure, and national superiority than research and development. I have long argued that non-democratic nations pose a far greater risk as cyber adversaries of the United States than terrorist groups, and I believe that will continue to be the case in 2012.
Software containing 'bad code' will continue to be released, thereby causing a mass proliferation of vulnerable systems. Until there are real repercussions for vendors for releasing vulnerable code, profit concerns will trump security, products will be developed using international outsourcing and other cost-reduction models, and software will be delivered without sufficient security testing. Regular patching will remain absolutely necessary, if not become even more critical. This trend will ultimately extend to mobile apps; we may see the first signs of regular patching of some of the more heavy-duty Android apps, which are rapidly gaining sophistication in 2012.
The government will continue to be successfully breached. In many cases, data will be pilfered and the government will not be aware of it until much later, if at all. Because of outdated GSA procedures and certification requirements that impede the government's ability to quickly react to new cyberthreats with best-of-breed technology, as well as due to other policy and procedure deficiencies, we will read about more government breaches in 2012.
Mobile devices, including smartphones and tablets, will become increasingly targeted. Problems will worsen in 2012 and beyond until people in general internalize that smartphones are mobile computers that constantly communicate with other machines (and hence need to be properly secured) and not telephones with added features like the far more primitive devices that they replaced.
We will see hardware-based viruses - malware embedded within the plug-and-play drivers of a USB device could really wreak havoc. While I do not expect mass proliferation of such threats in the near term, I do believe that by the end of 2012 we will hear of some instances. Such technologies are ideal for both targeted and mass attacks. In a 1992 thesis I argued that anti-virus software of the future might ultimately need to be improved by having portions embedded in hardware. We may be drawing closer to that day.
Regardless of these individual predictions, one thing is clear. As the twenty-first century progresses, it is increasingly obvious that America's economic prosperity and competitiveness depend on our successfully implementing effective cybersecurity. Cybersecurity, already important in 2011, will become even more so in 2012 and years to come.
Joseph Steinberg, CISSP, ISSAP, ISSMP, CSSLP, is a respected cybersecurity expert and the CEO of Green Armor Solutions.