At this time of year, I am always thinking about the many events that have transpired, both politically and in the field of security. I will spare you my political views, but I will provide some thoughts on 2011 from a security perspective. As I have said before, it really was the year of the hack. Notable breaches include Sony, RSA, Epsilon, and dozens of others. These breaches really put a punctuation mark on how vulnerable we are to any sort of competent adversary. Some breaches transpired over many years and weren't all that sophisticated; however, the RSA breach gave new meaning to the word "persistent." What was particularly interesting was adversaries targeting the security supply chain in order to break into their ultimate targets - Lockheed Martin and other companies / governments that use RSA authentication. While 2011 was a security disaster, what does 2012 hold? I don't have a crystal ball, but I will give you a few of my predictions:
#5. Proposed cyber-legislation will take one step forward and two steps back

I do think that we will make some progress on more comprehensive cyber-legislation to help fight fraud, espionage, and intellectual property theft. While taking one step forward, we will also be saddled with awful legislative efforts like H.R. 3261, better known as the Stop Online Piracy Act (SOPA), which will have us taking two steps back. Tackling these hard issues and creating a modern cyber framework is not an easy task; however, one would hope our elected officials could put some focus on something as critical as cyber-security. Hopefully some of the more well-informed politicians will realize this is a layer 8 problem (people) and not solely a technology issue.
#4. Mobile malware goes mainstream but the world doesn't end

I know this is a softball prediction; however, I would be remiss not to include it. We have seen a massive jump in mobile malware from a percentage perspective; however, the overall total is insignificant compared to traditional PC-based malware. In particular, it was a busy year for Android, with a host of malware released into multiple app stores. While not malware, I particularly enjoyed the details on getting a root shell on an Android device just by using it the way it was designed.

Even though iOS has a pretty darn good security model, I still think we will see some headlines next year. In particular, I am surprised the self-updating mechanism using Lua scripting that I talked about at the 2011 RSA Conference has not been more widely abused. I do think there will be a few notable security issues that hit iOS next year.
#3. Mac is back

If I take the Warren Buffett approach to figuring out how well a company is doing by visiting their stores, there appears to be no recession going on in Cupertino. I have also observed a large increase in executives who have switched over to MacBook Airs as more and more Macs continue to backdoor their way into corporate America. With that backdrop and Apple's market share above 15% in most developed countries (not world-wide), we are finally getting to a point where it makes financial sense for the bad guys to target the Mac platform. In May 2011 we saw the telltale signs of interest in the Mac when Mac Defender was reported in the wild. More recently we saw DevilRobber used to mine Bitcoin virtual currency. However, the most troubling is Mac malware being disguised as a PDF document. I think we have seen this movie before, and it isn't pretty. While it won't be earth-shattering, I think we will see some creative attacks against the Mac in 2012. Most of them will spread via social networks and abuse people's trusting nature more than anything that is terribly sophisticated.
#2. Stuxnet / Duqu tip of the iceberg

With control systems blowing up, drones falling out of the sky, and general paranoia around embedded systems reaching a fever pitch, we are going to find more advanced versions of Stuxnet and Duqu in 2012. I still believe Stuxnet was an early generation of what is out in the wild and that the level of sophistication associated with well-funded attacks will be awe-inspiring. I think any person in security worth his/her salt has to find these advanced pieces of malware fascinating. So be ready for more entertainment in 2012.
#1. Calling a Spade a Spade

There is a lot of dancing that goes on when we hear about an APT. I have worked with many companies that have had some form of APT, and the ones that didn't just haven't figured out that they really did. By and large, many of the APTs appear to have originated in China. I think this Bloomberg article does a pretty good job of spelling out that China hit 760 companies, and many more that haven't become public. Yes, there are the other likely suspects that have a well-organized machine of cyber warriors, but China has been pretty busy over the past few years. So in 2012 I think we will start seeing more attribution of where these APTs are coming from and not just throwing the overused and politically correct APT label on every intrusion. Being able to decipher the threat from one nation to another is helpful in thinking about how to better protect intellectual property and what resources should be spent on specific defenses. Most importantly, we can begin to shape what kind of response is warranted in return by understanding "who" is targeting companies, not just "what" malware exists.
I know that it is easy to make predictions and that, according to Jack Daniel, there are Five Pentagrams of Prognostication. While I enjoyed his post, I do hope I have given you a few things to think about. Will any of this come true next year? Who knows, but I will be reporting back at the end of 2012 and grading my performance. Let me know what you think. You can reach me at george.kurtz at warburgpincus.com.