Michael Sutton, VP of security research at Zscaler outlined the following security predictions for 2010.
Apple is forced to climb the security learning curve
Apple has for some time been considered to have a safer operating system in OS X as it is less often targeted by attackers. While that may be true, it is less secure overall and Apple’s increasing market share will force them to finally invest in security due to increasing attacks targeted at Apple devices.
App Store party crashers
App stores are all the rage, with every mobile vendor racing to replicate Apple’s success. Generally, vendors stand guard and only let in the applications that they feel are appropriate. Consumers mistakenly believe that this ensures that only secure applications can be obtained but that is not the case. Security testing is limited at best with app developers already having success slipping in apps with undocumented APIs. Attackers will take things one step further and slip malicious apps in under the gate keeper’s watch.
Web based worms go prime time
We’ve been teased with a variety of web based worms from Samy to StalkDaily. Most have been experiments as opposed to planned attacks with the goal of financial gain. That’s about to change.
The emergence of the web platform
We’ve gone from web sites to web applications. We’re now seeing the birth of the web platform. Social Networking sites such as Facebook have gone beyond delivering dynamic applications welcoming user supplied content. They have now evolved into platforms inviting user supplied functionality, allowing virtually anyone to develop unique applications within their ecosystem. Attacker will take advantage of this to deploy malicious applications on social networks and the sites will struggle to identify and block them before deployment.
Attackers turn to the cloud
The cloud offers unprecedented storage and processing power at an attractive price. Think that’s only attractive to enterprises? Think again.
The arrival of financial DDoS attacks
Cloud based services generally charge based on actual consumption. This provides attackers with incentive to hold enterprises hostage by artificially inflating costs. Unfortunately, cloud providers have little incentive to stop this practice.
Poking holes in the cloud
My greatest hope for 2010 is that marketing departments will give the term ‘cloud computing’ a well deserved break. 2009 saw great interest in the development of cloud computing architectures and one must wonder how often security was sacrificed in order to get to market quickly. Expect attackers to devote time to poking holes in the APIs of cloud providers. When they’re found, thanks to multi-tenant architectures, it will have been worth the effort.
Clickjacking comes out of hibernation
Clickjacking roared onto the scene in the summer of 2008 when Jeremiah Grossman and Robert Hansen had their OWASP talk delayed at the request of Adobe. The sensational web cam/microphone hack that drew media attention has been addressed, but the overall flaw still remains.
Clckjacking can be a valuable tool in a social engineering attack and we’ve just begun to see it leveraged in attacks.
Browser vendors finally start to take XSS seriously
I was very encouraged when Microsoft released IE 8 this year and it included XSS protection. For all of the heat that Microsoft takes for security vulnerabilities, they continue to be a leader when it comes to adding innovative security features and this was another example. I’m confident that other browser vendors have taken notice and will fall in line.
The Card Systems data breach will look like child’s play
This is by far the easiest prediction to make. After all, records were made to be broken. As memory becomes cheaper and power becomes more expensive, enterprises are looking to consolidate data storage and continue to build massive data centers and develop ever larger data stores thanks to cloud computing. The volume of data that can be stolen when adequate security controls are not implemented is truly staggering.