10 Security Trends To Watch In 2012

From cyber espionage to Android malware, expect to see a greater variety and quantity of attacks than ever before.

10 Companies Driving Mobile Security (click image for larger view and for slideshow)
As 2012 gets underway, what can businesses expect on the information security front?
If 2011 was any indication, this year will be anything but quiet. Last year featured seemingly nonstop waves of hacking, malware, and spear-phishing attacks that succeeded in exploiting well-known businesses, including
RSA
and
Sony
. All told, businesses collective
data breaches
exposed millions of records.
Expect 2012 to offer more of the same and then some. In particular, keep an eye on these 10 top information security trends:
1. Breaches now inevitable, say businesses.
Over the past few years, theres been a notable change in information security rhetoric: Instead of preventing all attacks from succeeding, many CIOs now acknowledge that
getting hacked
is a question of when, not if. The chief culprit is the sheer volume of attacks being launched, which makes the chance that one of them will succeed nearly inevitable. According to the
2011 Data Breach Investigations Report
from Verizon, for example, the number of attacks launched online against businesses between 2005 and 2010 increased by a factor of five.
The new mandate, then, is not just to maintain killer defenses, but also to have the right technology and practices in place to
quickly detect when the business has been breached
, and then to block the attack and ideally identify how the breach occurred and what might have been stolen. We frequently see organizations with protective measures based on the assumption that they are not a target, said Alan Brill, senior managing director of the cyber security and information assurance division at Kroll, in a recent report. Yet 2011 taught us that no one is exempt from attack.
2. Cyber espionage continues.
If there is one guarantee for 2012, its that industrial or cyber espionage--often executed via low and slow and thus difficult-to-detect exploits--will continue unabated. Such attacks were too effective in 2011 for attackers to not continue their press, especially because the
social engineering techniques
often employed in exploits are incredibly easy to tap and reuse. For example, it is estimated that the attack which hit RSA was actually used against over 700 other companies, said Harry Sverdlove, CTO of Bit9, in a recent report. Likewise, the
Nitro attack
against chemical and defense companies hit at least 48 businesses,
Shady RAT
hit at least 70 businesses, and
Operation Night Dragon
exploited multiple energy companies. Although China often gets the blame for such attacks, arguably every major country--allies or otherwise--practices cyber-espionage.
3. Mobile malware continues to increase.
For countless years running, pundits have declared it to be the
year of mobile malware
. Heres the reality: to date, mobile malware has largely
targeted the Android operating system
, full stop, and it
rates as little more than a nuisance
. Although mobile malware grabs headlines, its
not very lucrative for attackers
because their number-one target is financial information, and that predominantly resides on peoples desktops and laptops.
Accordingly, attackers biggest bang for the buck continues to be attacking Windows systems, largely via operating system and application-level vulnerabilities, as well as
third-party plug-ins with known bugs
. Even so, expect the ongoing, negative headlines associated with Android smartphone hacking--or smacking, as Bit9s Sverdlove calls it--to drive more manufacturers to
create locked-down Android smartphones
, which would be a boon for securing business users.
4. Mobile devices get anti-theft protection.
If mobile devices arent under attack to the extent that PCs are, mobile devices still carry a well-known security risk: they tend to get
lost or stolen
. That fact alone should be reason enough for businesses to take a more rigorous approach to securing mobile devices, including tracking them when they go missing, and ensuring that remote-wipe capabilities are in place should it be too difficult or expensive to recover the devices. With the bring your own device to work--a.k.a. BYOD, or the consumerization of IT--trend in full force, expect to see more organizations attempt to add better security to their employees mobile devices, including smartphones.
5. Spear-phishing scourge continues.
Fast, cheap, and out of control:
spear-phishing attacks
continue to plague businesses large and small. Witness EMCs RSA, which experienced a breach that
compromised aspects of its SecurID system
, simply because an employee opened a malicious Excel file that exploited a known vulnerability and allowed external attackers to
create a beachhead in RSAs network
. RSA, of course, is far from the only business or government agency thats been exploited by these fake--but real-enough-looking--emails. Unfortunately, stopping such attacks is impossible from a purely technological standpoint. Instead, users must be educated--warned, cajoled, trained--to resist such attacks, but even that is not a foolproof strategy. Accordingly, some spear-phishing attacks will continue to succeed.
6. Social engineering attacks hit social networks.
All social-engineering attacks succeed based not on technological sophistication, but rather by fooling users. It costs little to send someone an email that redirects them to a fake PayPal website, which tricks them into entering their actual PayPal username and password, which is then passed to attackers. Accordingly, social engineering attacks arent going away. Furthermore, with 800 million people now registered on Facebook, and 175 million on Twitter, expect attackers to spend more time
targeting social networks
. What do such attacks seek to steal? According to Check Point, the primary impetus behind social engineering attacks is
financial gain
(51%), followed by accessing proprietary information (46%), gaining a competitive advantage (40%), and revenge (14%).
7. Botnets keep infiltrating businesses.
According to Panda Labs, three quarters of all new malware strains seen in 2011 were
Trojan applications
, able to silently infect PCs and make them function as part of a botnet, while also phoning home to attackers with stolen information of interest.
Cybercrime toolkits
now make it easy for any criminal to generate and distribute malware that has a high degree of success at infecting PCs. Such toolkits easy availability and the potential profits on offer--which far exceed the toolkits initial purchase or rental cost--means that large-scale malware attacks aimed at exploiting PCs and pressing them into silent service as nodes in a botnet will only continue to increase. Ditto for the evolution of botnet-related ecosystems, which offer everything from malware infection as a service to
leasing botnets by the hour or for the day
for use in attacks or scams.
8. Breach notifications gain greater traction.
Today, all 50 states effectively require that businesses notify their customers when their personal information has been potentially exposed. But different notification requirements--for example, for
medical records
--means that although many breaches might be disclosed to government watchdogs, they might never be fully disclosed publicly. (See the
RSA breach
.) Might Congress finally pass a law requiring that all data breaches be tracked by a single, centralized agency? That doesnt seem likely, although some other countries now appear to be pursuing that plan. Germany enacted a federal data-breach notification law in 2010, and other European countries have expressed interest. Meanwhile, Canada is weighing changes to its Personal Information Protection and Electronic Documents Act (PIPEDA) that would make data breach disclosures mandatory for that countrys businesses.
9. Critical infrastructure rhetoric keeps heating up.
What do you do if youre the head of a government agency tasked by Congress with
protecting the nations critical cyber infrastructure
, yet said infrastructure is
95% privately owned
? You posture, especially where large cyber-security budgets are concerned. Said posturing has been the modus operandi of both legislators and agency heads, notably at the Department of Homeland Security and the Department of Defense. Businesses, meanwhile, dont seem to have leapt at the chance to let the government tell them how to run their networks. That said, expect
industry-led information-sharing agreements
to help bridge this gap in 2012, by facilitating freer sharing of threat intelligence information between government agencies and critical infrastructure businesses.
10. Code gets externally reviewed.
Attackers often exploit known vulnerabilities in applications, and there are a plethora of such bugs to choose from. Accordingly, this business mandate is clear: Developers must take the time to
code cleanly
, and eradicate every possible security flaw before the code goes into production. Developers, however, cant do this on their own. They need top-down support, with everyone from executives to front-line personnel held accountable for
code quality
, which by the way can be measured. Indeed, both internal development tools and
on-demand code-review services
can scan code, pinpoint flaws, and recommend fixes. Remediating those bugs, by the way, often takes just a matter of days, and is always less expensive than fixing them after products ship.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
10 Security Trends To Watch In 2012