Tuesday, December 27, 2011

2012 – It Isn’t Going to Get Any Better

At this time of year, I am always thinking about the many events that have transpired both politically as well as in the field of security.  I will spare you my political views, but I will provide some thoughts on 2011 from a security perspective.   As I have said before, it really was the year of the hack.  Notable breaches include Sony, RSA, Epsilon, and dozens of others.  These breaches really put a punctuation mark on how vulnerable we are to any sort of competent adversary.    Some breaches transpired over many years and weren't all that sophisticated; however, the RSA breach gave new meaning to the word “persistent.”   What was particularly interesting were adversaries targeting the security supply chain in order to break into their ultimate targets - Lockheed Martin and other companies / governments that use RSA authentication.     While 2011 was a security disaster, what does 2012 hold?  I don’t have a crystal ball, but I will give you a few of my predictions:

#5.  Proposed cyber-legislation will take one step forward and two steps back

I do think that we will make some progress on more comprehensive cyber-legislation to help fight fraud, espionage, and intellectual property theft.  While taking one step forward, we will also be saddled with awful legislative efforts like H.R. 3261 better known as the Stop On-line Piracy act (SOPA) which will have us taking two steps back.  Tackling these hard issues and creating a modern cyber framework is not an easy task; however, one would hope our elected officials could put some focus on something as critical as cyber-security.  Hopefully some of the more well informed politicians will realize this is a layer 8 problem (people) and not solely a technology issue.

#4.  Mobile malware goes mainstream but the world doesn’t end

I know this is a softball prediction; however, I would be remiss not to include it.   We have seen a massive jump in mobile malware from a percentage perspective; however, the overall total is insignificant compared to traditional PC based malware.  In particular, it was a busy year for Android with a host of malware released into multiple app stores.  While not malware, I particularly enjoyed the details on getting a root shell on an Android device just by using it the way it was designed. Even though iOS has a pretty darn good security model, I still think we will see some headlines next year.  In particular, I am surprised the self updating mechanism using Lua scripting I talked about at the 2011 RSA conference this year has not been more widely abused.  I do think there will be a few notable security issues that hit iOS next year.

#3.  Mac is back

If I take the Warren Buffet approach to figuring out how well a company is doing by visiting their stores, there appears to be no recession going on in Cupertino.   I have also observed a large increase in executives who have switched over to MacBook Airs as more and more Macs continue to backdoor their way into corporate America.  With that backdrop and Apple’s market share above 15% in most developed countries (not world-wide), we are finally getting to a point where it makes financial sense for the bad guys to target the Mac platform.   In May 2011 we saw the tell tale signs of interest in the Mac when Mac Defender was reported in the wild.   More recently we saw DevilRobber used to mine Bitcoin virtual currency.  However, the most troubling is Mac malware being disguised as a PDF document.   I think we have seen this movie before, and it isn’t pretty.  While it won’t be earth shattering, I think we will see some creative attacks against the Mac in 2012.  Most of them spread via social networks and abusing peoples trusting nature more than anything that is terribly sophisticated. 

#2 .  Stuxnet / Duqu tip of the iceberg

With control systems blowing up, drones falling out of the sky, and general paranoia around embedded systems reaching a fever pitch, we are going to find more advanced versions of Stuxnet and Duqu in 2012.  I still believe Stuxnet was an early generation of what is out in the wild and that the level of sophistication associated with well funded attacks will be awe inspiring.   I think any person in security worth his/her salt has to find these advance pieces of malware fascinating.  So be ready for more entertainment in 2012.

#1.  Calling a Spade a Spade

There is a lot of dancing that goes on when we hear about an APT.  I have worked with many companies that have had some form of APT, and the ones that didn’t just haven’t figured out that they really did.   By and large, many of the APTs appear to have originated in China.    I think this Bloomberg article does a pretty good job of spelling out that China hit 760 companies and many more that haven’t become public.  Yes, there are the other likely suspects that have a well-organized machine of cyber warriors, but China has been pretty busy over the past few years.  So in 2012 I think we will start seeing more attribution of where these APTs are coming from and not just throwing the overused and politically corrected APT on every intrusion.  Being able to decipher the threat from one nation to another is helpful in thinking about how to better protect intellectual property and what resources should be spent on specific defense.   Most importantly, we can begin to shape what kind of response is warranted in return by understanding “who” is targeting companies, not just “what” malware exists.

I know that it is easy to make predictions and that according to Jack Daniel there are Five Pentagrams of Prognostication.   While I enjoyed his post, I do hope I have given you a few things to think about. Will any of this come true next year?  Who knows, but I will be reporting back at the end of 2012 and grade my performance.   Let me know what you think.  You can reach me at george.kurtz at warburgpincus.com.