2009 was the year that we learned the meaning of the word recession and looked to the cloud for answers. Budgets were slashed and security departments were forced to do more with less, all while cybercrime rates rose as frustrated individuals used whatever means necessary to earn in a difficult economic climate. What 2010 will bring remains unclear, but as we approach the New Year, optimism is beginning to emerge.
“That which becomes popular today, will be the attack vector of choice tomorrow.”
- Michael Sutton, Zscaler Labs
On the technology front, the “cloud honeymoon” is over and now the hard work begins. Mobile is as exciting as ever, with new platforms and functionality emerging as vendors battle for dominance. Social networking winners have been established, but we’re just beginning to see their true potential. Much remains to be seen, but one thing is for sure – attackers are following these trends just as closely as the enterprises and consumers that benefit from them. That which becomes popular today will be the attack vector of choice tomorrow. Below are my security predictions for the New Year.
1.) Apple is forced to climb the security learning curve
Apple has for some time been considered to have a safer operating system in OS X because it is less often targeted by attackers. While that may be true, OS X is less secure overall, and Apple’s increasing market share will force the company to finally invest in security as attacks targeting Apple devices increase.
2.) App Store Party Crashers
App stores are all the rage, with every mobile vendor racing to replicate Apple’s success. Generally, vendors stand guard and only let in the applications that they feel are appropriate. Consumers mistakenly believe that this ensures that only secure applications can be obtained, but that is not the case. Security testing is limited at best with app developers already having success slipping in apps with undocumented APIs. Attackers will take things one step further and slip malicious apps in under the gatekeeper’s watch.
3.) Web-based worms go prime time
We’ve been teased with a variety of Web-based worms from Samy to StalkDaily. Most have been experiments as opposed to planned attacks with the goal of financial gain. That’s about to change.
4.) The emergence of the Web platform
We’ve gone from Web sites to Web applications, and we’re now seeing the birth of the Web platform. Social networking sites such as Facebook have gone beyond delivering dynamic applications that welcome user-supplied content. They have now evolved into platforms inviting user-supplied functionality, allowing virtually anyone to develop unique applications within their ecosystem. Attackers will take advantage of this to deploy malicious applications on social networks, and the sites will struggle to identify and block them before deployment.
5.) Attackers turn to the cloud
The cloud offers unprecedented storage and processing power at an attractive price. Think that’s only attractive to enterprises? Think again.
6.) The arrival of financial DDoS attacks
Cloud-based services generally charge based on actual consumption. This provides attackers with incentive to hold enterprises hostage by artificially inflating costs. Unfortunately, cloud providers have little incentive to stop this practice.
7.) Poking holes in the cloud
My greatest hope for 2010 is that marketing departments will give the term “cloud computing” a well-deserved break. 2009 saw great interest in the development of cloud computing architectures, and one must wonder how often security was sacrificed in order to get to market quickly. Expect attackers to devote time to poking holes in the APIs of cloud providers. When such holes are found, multi-tenant architectures will make the effort worthwhile.
8.) Clickjacking comes out of hibernation
Clickjacking roared onto the scene in the summer of 2008 when Jeremiah Grossman and Robert Hansen had their OWASP talk delayed at the request of Adobe. The sensational webcam/microphone hack that drew media attention has been addressed, but the overall flaw still remains. Clickjacking can be a valuable tool in a social engineering attack, and we’ve only just begun to see it leveraged.
9.) Browser vendors finally start to take XSS seriously
I was very encouraged when Microsoft released IE 8 this year with cross-site scripting (XSS) protection included. For all of the heat that Microsoft takes for security vulnerabilities, it continues to be a leader when it comes to adding innovative security features, and this is another example. I’m confident that other browser vendors have taken notice and will fall in line.
10.) Past Data Breaches will look like child’s play
This is by far the easiest prediction to make. We’ve all been amazed by the staggering numbers of compromised accounts in the CardSystems, Heartland and TJX data breaches, but prepare to be blown away once again. After all, records were made to be broken. As memory becomes cheaper and power becomes more expensive, enterprises are looking to consolidate data storage, continuing to build massive data centers and developing ever larger data stores thanks to cloud computing. The volume of data that can be stolen when adequate security controls are not implemented will be truly staggering.