2011: Security Trends for the New Year

The turning of the year means it’s time to pull the crystal ball down from the shelf and do a little gazing into the future. Sifting through the predictions of several IT prognosticators revealed the following as top security concerns for 2011. In no particular order, here are some things to be particularly aware of in the coming year.

The Rise of the Mobile Device

Smartphones will be a big target in 2011. That is not much of a surprise, as close to 50% of recent mobile phone acquirers made theirs a “smart” purchase. Trends such as the shift to cloud computing, more sophisticated devices – whether phones, tablets or variations such as the addition of docking stations – and the increased use of personal smart mobile devices in the workplace could mean that smartphones as well as tablets nudge out netbooks and laptops as the mobile devices of choice. This would, of course, be true for hackers as well as device owners. As attack vectors shift, security measures – such as identification and authentication as well as locate, lock and remote-wipe services – will rush to keep up.

Social Networking

According to Nielsen, nearly a quarter of all online time is spent social networking.  So as more people actively use social media sites, it becomes more likely that a major breach could occur in the coming year. On the other hand, it is also predicted that social network security measures will increase among prominent social networks, as greater emphasis is placed on security over privacy.

Compliance & Encryption

As the threats grow more serious and the data more tempting, expect more stringent methods – including laws – to protect it.  Kevin Haley (Symantec) predicted that “regulatory compliance will drive adoption of encryption technologies more than data breach mitigation,” noting the enactment in 2010 of the healthcare industry regulation (HITECH) and legislation in several states aimed at protecting data.  “Despite regulations, many organizations do not currently disclose when mobile devices containing sensitive data are lost, as they do with laptops,” Haley wrote on his Symantec blog.  “In fact, employees do not always report these lost devices to their organizations. This year, we expect that regulators will start cracking down on this issue and this will drive organizations to increasingly implement encryption technologies, particularly for mobile devices . . . in order to meet compliance standards and avoid the heavy fines and damage to their brands a data breach can cause.”

Mike Lennon (Security Week) foresees, “Privacy regulations in the healthcare, financial services and critical infrastructure industries like energy and telecommunications will likely see new regulations dictating what needs to be protected and what to do when data loss occurs. . . Expect a national data breach notification law. Notification laws like California’s SB 1386 exist in 46 of 50 states today. A federal law is imminent. . . More companies will encrypt more data. Three factors are converging to make 2011 the year of encryption adoption:
1. More regulations today require encryption.
2. It’s become a best practice in many industries.
3. It’s easier to implement and less confusing for users. With processing power increasing and companies like Proofpoint innovating, encryption has become faster and easier to implement and use.”

Darkening Clouds

With more services, along with their security controls, moving into the clouds, the hackers and their attack methods follow. The move will mean that devices – whether desktop, laptop or handheld – become only the “temporary access point” to data residing on the other side.  According to a spokesperson at Palo Alto Networks, “Consolidation of various messaging platforms (chat, social media, and email) into Web services (Gmail, Facebook, Yahoo Mail, etc.) will increase – making it an attractive target for hackers who want to break into the corporate network.”

McAfee’s Eric Cole, a SANS contributor, commented in his list of emerging threats, “As the Internet continues to grow and be used for everything, new protocols will continue to emerge. The problem is, the traditional model of deploying new protocols no longer works. . . Today, when a new protocol comes out it is used so quickly that the problems are only identified after there is widespread use, which quickly leads to widespread attacks.”

Malware & Threats

What threats should one expect for 2011? Mike Lennon says they will be blended ones. “While email is still the number one threat vector for personal information loss, threats from newer communications channels are increasing, especially in the form of blended threats where the target is first attacked through email, then directed to Web or social media.”

Ian Grant (Imperva) forecasts that an “increase in Man-in-the-Browser (MitB) Attacks will create a growing concern for online service providers who must be able to serve and protect customers infected with some form of malware.” He also sees shifts in the “hacking industry”, which will continue to mature “as amateurs are shut down and mergers among larger, organized groups take place.”

Tony Bradley (PC World) advised caution when doing online searches. “Attackers have a new way to exploit current events, though, and that trend will continue in 2011. Malware developers have figured out how to game search engines to get malicious links featured prominently in search results.”

It may sound cute, but Larry Seltzer (PC Magazine) warns of “botiques”, i.e., smaller, targeted botnets engaging in precision malware attacks.

“Zero-day vulnerabilities will become more common as highly targeted threats increase in frequency and impact,” says Symantec’s Kevin Haley. “As opposed to traditional widespread threats that achieve success by attempting to infect as many computers as possible, targeted threats focus on just a handful of organizations or individuals (perhaps even only one) with the goal of stealing highly valuable data or otherwise infiltrating the targeted system.”

Maturation of Cybercrime

According to Haley, “We have now entered a third stage – one of cyber-espionage and cyber-sabotage.  Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it.  In fact, business is just too good for the cybercriminals.  With the tremendous growth of new mobile platforms, bad guys will have even more new avenues to attack and unchartered social engineering tricks to engage in to continue to steal from us.”

The Weakest Link

The individual user will continue to be the prime target, and the most vulnerable layer in any multi-layered security plan. No firewalls, scans or other security measures will protect someone who hands over personal information or clicks on a malicious link in response to phishing, SMiShing (SMS phishing, i.e., text scams), spear phishing or some variation. Instead, everyone will need to continually watch for “too good to be true” offers and urgent requests that don’t seem quite right.