It’s time once again to wrap up a year gone by and think about what is coming in the next 12 months.
For those of us in the information security profession, 2011 was particularly challenging due to an increased number of attacks and breaches that caught the attention of global news outlets. From government agencies to banks and retailers, the list of major breaches includes names of some of the most respected organizations in the world. For security professionals, the message should be clear: most of us still aren’t doing enough to secure sensitive corporate data and assets from would-be attackers.
In addition to security breaches at many visible brands, an interesting development in 2011 was the continued growth of hacktivism, which typically involves organized attacks on large corporate and government entities in support of a political or social agenda. Groups such as LulzSec and Anonymous have been implicated in many attacks this year, some of which amounted to little more than cyber vandalism, while others caused significant economic harm.
These types of attacks are often difficult to identify and prevent due to their distributed nature, yet the ease with which these attacks are deployed has increased due to the availability of packaged, easy-to-use toolkits. In today’s world, anyone who is willing to pay for technology like rootkits and exploit development packages can potentially wreak havoc on targets of their choice.
These tools are becoming far more sophisticated, using techniques like anti-forensics (which can hide the evidence of a breach) and polymorphism (which changes the footprint and behavior of an exploit to avoid detection).
2012 to Bring Rise in Mobile Malware
So, what will this next year bring? It is nearly impossible to issue predictions for 2012 without taking a look at mobile malware. This category, which only came about in the last few years, is growing rapidly, leaving a very real possibility that there will be at least one major public breach next year associated with smartphones.
Mobile malware has become more sophisticated and in some cases has been developed to be persistent for long periods of time. For example, we have seen instances in which malicious mobile applications sign the unsuspecting victim up for expensive premium SMS services and hide the confirmation emails.
What’s to stop an attacker from developing an application that will record a victim’s phone conversations and send them over a 4G network to a gang of cyber criminals who can use the information for blackmail or fraud? Both consumers and enterprise IT organizations will need to be vigilant against opening unknown attachments or links on these devices to avoid being compromised.
BYOD Sparks New Security Challenges
How many employees will be walking in the door on Jan. 2, 2012 with a new iPad or MacBook Air? The continued consumerization of IT will reach a critical point in January when users bring in new devices that help them be more productive from anywhere.
One can argue that this is part of what makes organizations distinct as it can provide a competitive advantage in a number of ways: enhanced productivity from anywhere, ability to capitalize on opportunities, as well as happy employees who can work when and how they want.
Managing and controlling access within the enterprise will be critical in 2012 due to the influx of personal devices that hit the enterprise after the holiday season. Employees expect to connect from anywhere – it should be seamless, easy, and inherently secure.
IT will need to determine how to support this market shift, not only from a security standpoint, but from a productivity perspective as well to ensure that business expectations are met.
Social Insecurity in the Workplace
The propensity for social sharing and the fact that employees continue to blend personal life and professional activity (e.g., accessing Facebook at work or on a company-issued laptop or smartphone) are not going to change, and this will become a much greater risk to organizations in the next 3-5 years. This trend includes the pervasive use of social networks in the workplace, which opens the door to the unintentional disclosure of corporate data.
Ultimately, there is a cultural shift occurring and younger generations are more willing to accept the risk inherent to these social networks and services that allow the sharing of data with little or no ability to protect sensitive data. This opens the door for opportunities to mine social networking sites, gather competitive intelligence, impersonate employees and take social engineering to a whole new level.
Going to the Cloud?
It is very possible that at least one significant public breach of a cloud service provider will occur in 2012. When this happens, it will create havoc, causing many companies to revisit their cloud service provider contracts to review legal liability. As such, companies that are considering outsourcing business operations, data or even entire IT infrastructures should keep in mind that neither liability nor company reputation can be outsourced.
Any organization that is considering going to the cloud must make sure the right legal protections are in place in case the provider is breached, as well as insist on external audit rights, and have effective security controls in place to protect their data.
2012: Security Remains Critical to Organizational Risk Management
While the attacks perpetrated in 2011, as well as the possibilities for further breaches via new vectors in 2012, appear on the surface to be largely negative, there are a few positive outcomes from the growth in targeted attacks and public security breaches. The environment that IT security professionals now find themselves in has created new awareness within the halls of their respective organizations, whether they are financial institutions, government agencies or large corporations.
From boardrooms to IT departments, security has become a topic of conversation and a key area of focus. Increasingly these discussions are centering around security as a necessary step in achieving business objectives beyond simple regulatory compliance. In 2012, security will continue to become an important part of risk management at the board level and this will eventually drive organizations toward effective governance. Ultimately, this will lead to stronger network infrastructures and – hopefully – less frequent and less severe attacks.
About the author: Matt Mosley is the Sr. Product Manager at NetIQ
The Tech Herald welcomes 2012 related threat predictions from vendors, as long as they do not reference the end of the world and remain product neutral. All submissions are subject to editing and are due by December 20, 2011. Submissions can be delivered to [email protected] with the email subject of 2012 Predictions.