Looking forward into what lies ahead for us in 2012, Zscaler offers predictions for the upcoming threat landscape.
1. Mobile: With WebOS now officially an orphan, Blackberry OS racing to the grave and Windows Mobile still trying to get ready for the party, the victors can be crowned – iOS and Android have won. The interesting part of the race is about to begin, namely who has the best security model. Will it be Apple’s draconian, “we control everything’ or Google’s happy-go-lucky “come on in, everyone’s invited’ approach?
Prediction: The “do no evil’ company will struggle mightily to keep evil applications out of their App Marketplace. In an effort to avoid being to mobile what Windows is to PCs (a breeding ground for malware), Google will subtly make Android less open to both partners and developers. They will also announce an initiative to increase security screening for applications before deployment in the App Marketplace.
Apple on the other hand will have comparatively few malicious apps to deal with, but at least three major OS flaws that impact all users (and makes the jailbreak team happy). Apple will address the vulnerabilities several days late and apologize to no one.
2. Enterprise: Thanks to marketing teams across the globe, APT (Advanced Persistent Threat) has become a meaningless buzzword in the security lexicon. Let’s therefore ditch that term and instead focus on targeted attacks, specifically those focused on enterprises with the goal of corporate espionage or to inflict financial damage.
Many praised Google for coming forward in January 2010 to reveal that they and others had been the victim of a sophisticated targeted attack, likely originating from China. Many in the public mistakenly assumed that this was a new and previously unseen event on the security stage. What was new about it was the openness displayed by Google in discussing the situation.
Prediction: The term “APT’ will go the way of “eCommerce’ and the Dodo bird, but stories of targeted attacks against enterprises will rise tenfold in the media. This will be a reflection of increased activity by attackers as they broaden their reach to smaller companies and decisions by corporate council to disclose details of an attack rather than to suppress the information and risk litigation for trying to cover up such activity.
3. Web: Want to know a secret for making security predictions? Take a look at what was being discussed at security conferences 2-3 years ago. At Black Hat DC 2009, I discussed the dangers of persistent web browser storage. One of the key technologies that will be taking browser storage to the next level is HTML5. In 2009, HTML5 apps were few and far between.
Thanks in large part to mobile browsers, HTML5 is now much more mainstream. As with any new technology, developers are quickly rushing to play with the new kid on the block and publishing their goods, without taking the time to understand the security implications.
Prediction: We’ll see an increasing number of web application vulnerabilities in HTML5 apps, not because the technologies behind it are insecure, but because it is not well understood from a security perspective.
4. Hardware: Security in the hardware space is at least ten years behind security in the software industry. This isn’t so much a reflection of the good work being done in software as it is the reality of software vendors being forced to address an issue that was impacting business.
Thanks to the efforts of many great researchers investing countless hours doing QA work that should have been done long before products hit the shelf, today most major security vendors have no choice but to employ security response teams and take vulnerability disclosure very seriously.
Hardware vendors simply haven’t faced the same scrutiny, but that’s changing. This year at Blackhat, I spoke about the sad state of embedded web servers and recently researchers at Columbia University discussed the ability to remotely cause physical damage to HP printers due to security flaws.
Prediction: Hardware vendors will get a wake-up call as researchers shift their efforts to hardware and party like it’s 1999.
Social networks such as Facebook are of value to more serious criminals, but mainly for reconnaissance during targeted attacks. They are a great resource for learning background information about an individual and uncovering relationships, all of which can be of great value for social engineering. We’re not however, commonly seeing the communication aspects of social networks used to deliver malicious payloads directly to victims or investments in uncovering web application vulnerabilities used to compromise end user machines as opposed to spreading the aforementioned scams.
Prediction: Attackers will raise the bar and leverage social networks for more sophisticated attacks, the goal of which will be full compromise as opposed to marketing financial scams.