Tuesday, January 15, 2013

2013 Cyber Predictions

Introduction

It's that time again. As people are settling into their 2013 routines, companies and organizations are implementing their plans for the year. I've already been asked for my 2013 Cyber predictions to help a) direct defenses and b) direct marketing. The questions from cyber-sensitive executives are "what do I need to prepare for?" and "what do I need to invest in to capture the trend?"

I've already reviewed several "2013 Cyber Threats" prediction reports from numerous security organizations. Many of them tout numbers and try to gain the reader's confidence by tossing out facts and figures from 2012. In short, these are all just marketing slicks designed to get people to buy more from the company authoring or sponsoring the report. The least self-serving I've seen actually came from McAfee because they actually took a self-serving approach. They asked their customer base "what is it you want us to invest in this year?" Others try to tell their customers and potential customers what it is they should invest in from their products and services, using the "report" to drive sales.

In short, no one can prove or disprove these predictions. They are all contextual. Those being derived from data points are limited to the data points captured by the authoring company. If the company is strong in the compliance market, chances are their "data" will predict issues in compliance. If the report is from an antivirus vendor, chances are it will be all about malware.

In terms of accuracy, looking back at reports from early 2012, you can find truth to them all. Why? Well, because the cyber security space is so diverse. There's bound to be at least a few predictions that turn out to be true from everyone. It's also relatively easy to make predictions based on generalities. The hard "data" to support the predictions is, again, just marketing fluff in my opinion. The core premise we all need to remember is that the adversary is out to get to our data, using what we use and abusing the trust we place in computing as their path. They are opportunists and lazy at the same time. They will target what we use, and popularity drives their focus. The more popular the medium, the more they can re-use their weapon.

And so...without using any hard facts or figures, I deliver my predictions for 2013.

1. Malware sophistication will increase.
Given the fact that the adversary doesn't want to be found or detected, and given that malware kits are increasing in availability and usability, I predict we will continue to see more and more sophisticated malware this year. More specifically, I believe rootkits and bootkits will become the mainstay of malware used in common exploit kits. Rootkits and bootkits install themselves outside of the operating system (in the boot sector of the hard disk), hence achieving persistence beyond a reboot and beyond any operating system based removal and mitigation (such as antivirus software). Along these same lines, I have a sub-prediction in which we'll see an increase in single-use malware. Traditionally, malware is mass produced and mass used, but this is due to the level of sophistication required to develop and deliver the malware. Again, with the rise in popularity and ease of use of adversary kits, I believe the uniqueness and customization of malware will also be on the rise. This is dangerous since most malware detection and prevention solutions still rely on fingerprinting of known malware rather than behavioral analysis of malicious characteristics.

2. Mobile devices will be the targeted platforms of choice
This one's a no-brainer. Just about everyone has a smartphone or Wi-Fi-enabled tablet of some sort. Just about every user of said device uses their platform for personal and business related work. The vast majority of these even use their personal devices on corporate or business networks or while at work. Very few actually incorporate the same level of security on their mobile device as they do for, say, their work computer. Hence a target of opportunity for the adversary: unsecured and unprotected access to multiple data sets and networks. What other device has voice and video recording, Internet access, data send/receive, multiple network connection methods, and is physically carried between secure and insecure environments? If I want to steal intellectual property, a great way to do that would be to embed malware on your iPhone or Android device which monitors GPS and engages the microphone to record when you reach a certain location (say your office), then sends the recordings via data feeds, SMS text, email, cellular band, or website uploads.

3. Social media will be used for espionage and compromise
One simple reason: we're careless with social media and our social lives are closely related to our personal information. Think of it this way: what do you need to confirm your identity with your bank or credit card provider? Name, mother's maiden name, date of birth, and some question about your past, your likes, your family, etc. How about "dog's name" as a security question? Well, let's say all this information is available through the posts, comments, likes, and pictures you upload to social media. A smart thief can probably use personal information from your social media to validate your identity. Not to mention social media is often used at work or on personal devices while at work. If an adversary can infect your computer through social media, they can travel with you. Social media applications themselves are designed to bring people together, not validate identities, and still we inherently assume the person sending us the friend request or message is who they say they are.

4. Attacks against banks and bank fraud will increase 
Again, no rocket science here. Criminals are after money. Banks hold our money. Enough said.

5. Attacks against Internet infrastructure will increase
By this I'm referring to attacks against the systems that make the Internet possible: the infrastructure. As we saw in 2012, governments across the globe are increasingly becoming interested in what their citizens are doing online and whom they are communicating with. This isn't isolated to tyrannical states like Iran, as evidenced by the leaking of CIA director General Petraeus' private emails. Espionage is on the rise, and since people are increasingly turning to the Internet to communicate (SMS text, email, blogs, social media, VoIP, etc.), nation states will be there waiting. We've already had one example with the certificate authority compromise involving Google and TURKTRUST.

6. Spear phishing will increase in sophistication
Spear phishing remains the delivery method of choice for the adversary because people are click-happy. We like getting email, we trust the sender, and we feel compelled to respond. So I predict we'll all see more targeted spear phishing emails in our inboxes that will increasingly look more and more legitimate or too enticing to pass up. Typically these phishing attempts are easy to spot, but they are getting better and will continue to do so.

7. Multiple major company breaches 
Even given all the media hype and buzz and self-awareness of security issues, I still see the vast majority of companies viewing cyber threats as something to be controlled through insurance and non-disclosure rather than advanced and comprehensive defense. They believe they won't be targeted, and if they are, they believe the damages will be less than the cost to adequately secure; it will be covered by insurance. Security is deployed to meet government mandates and to improve public or investor confidence, but will be woefully underfunded and half-way implemented. I read a statistic recently that said 10% of companies in the US (small, medium and large) understand the threat and are taking steps to adequately defend. 10% more understand the threat but aren't taking adequate steps. 80% believe there is no threat or they won't be targeted and security is another form of insurance; buy what you need to have some level of coverage to comply with a mandate or just because it's a good thing to do. I've also seen a related statistic from an in-the-know source that says 100% of companies have already been compromised by a nation-state and just don't know it. That's not 100% of the Fortune 500, that's 100%. Because we continue to misunderstand this problem, we'll continue to see some major breaches this year. Security is expensive and corporate leadership continues to believe they are alone in this fight. They continue to believe that non-disclosure is the best approach because it saves face and keeps investors happy. In reality it keeps everyone ignorant and that trickles down. Executives don't want to report to their board and shareholders that they've been had, and so they don't want to hear it from their support staff, and so the data is ignored or solutions half-implemented. Head in sand.

8. Cyber war 
There it is, yep, I gave in to the hype and added it to my list. I can add it because there continues to be no standard definition of this term. Victims of nation-state sponsored cyber activity (espionage, theft, and disruption) continue to cry "war" as a means to obtain international support and pressure, while perpetrators tend to point to the lack of physical damage as defined by traditional international conventions and definitions of war for protection. Further, because every nation has a vested interest in continuing to use the cyber world for espionage and virtual advantage, we'll see more of it in 2013. The recent Stuxnet actions, which did cause physical damage to Iranian nuclear infrastructure, got by because Iran doesn't want anyone looking closely at what they are doing. They aren't going to complain too loudly.

9. Data stolen from the cloud 
Another easy one to predict as more and more companies move their data and services to the cloud. Adversaries go where the data and money are. If it's in the enterprise, they'll target the enterprise. If it's in the cloud, or the cloud as a trusted partner can be used to access the enterprise, they'll go there. Either way, the growing popularity of cloud-based services means growing attention from the adversary. It'll happen. This year, something will get leaked which will result in a massive breach and questioning of the security of the cloud. Further, since people seem to get easily confused by the cloud, they struggle to understand security in that context and struggle to implement adequate defenses.

10. Extensive breach of private records 
This one is similar to item 7, but I separate it by the data and I believe this one will be government focused. Specifically, and at the risk of sounding political, I'll say this one will be directly related to private medical records and Obamacare. I say that because Obamacare mandates centralized collection and storage of citizens' medical records for access by any medical provider. Common storage and common access. Having seen how the government protects the .com and .gov world, I have no doubt these Obamacare data warehouses or access systems will be breached and a massive amount of private medical records will be stolen and leaked online. The perpetrator will likely be hacktivists like Anonymous trying to embarrass the government or trying to embarrass those tasked with guarding the information. This one might lean into 2014 since Obamacare continues to limp along in implementation while everyone and their brother, sister, mother, father, aunt, and uncle try to stop it. Only the imposers are exempt (isn't that interesting?).
