The Sandbox
Understanding CyberForensics

It’s that time of year again when we go through the security predictions for 2012 from the leading prognosticators and the wannabes. So until St. Nick comes, enjoy the “Top” lists we’ve compiled from M86, Websense, SecurEnvoy, CSO, the folks at SANS and others. You’ll get a different “Top” list in the next few blogs until Christmas.

Targeted attacks grow more damaging and complex

Hacktivist groups such as Anonymous and LulzSec have made security breaches a public event, even as we learned about the use and rise of Advanced Persistent Threats (APTs) against global organizations and government agencies.

Illicit social media scams escalate

Social media sites have emerged as magnets for cybercriminals, as malicious spam campaigns have mimicked Facebook, LinkedIn, YouTube, Twitter and even Google+, capitalizing on the inherent trust in these brands to dupe users into clicking on links.

Social media identity theft

Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.

Blended attacks increase

The primary blended attack method used in the most advanced attacks will be to go through your social media “friends,” mobile devices and the cloud.

We’ve already seen one APT attack that used the chat functionality of a compromised social network account to reach the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.

Rise of geospatial mobile device attacks

People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyper-specific, geolocation-based social engineering attempts.

SSL/TLS will put net traffic into a corporate IT blind spot

Two trends are increasing the share of traffic that travels over SSL/TLS tunnels for privacy and protection. First is the disruptive growth of mobile and tablet devices. Second, many of the largest, most commonly used websites, such as Google, Facebook and Twitter, are switching to https sessions by default, ostensibly a more secure transmission. But as more traffic moves through encrypted tunnels, many traditional enterprise security defenses are going to be left looking for a threat needle in a haystack, since they cannot inspect the encrypted payload.
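A caveat a defender will want alongside this prediction: the payload of a TLS session is opaque to a passive sensor, but the handshake that opens it is not. In TLS 1.2, and in TLS 1.3 unless Encrypted Client Hello is in use, the client’s first message carries the requested hostname in clear text (the server_name extension, SNI), which is how network monitoring attributes encrypted flows to destinations without decrypting them. The Python below is an added example, not code from the original post or from any of the vendors it cites: `build_client_hello` constructs a minimal sample ClientHello record (the hostname, the single cipher suite and the zeroed random are constructed values), and `extract_sni` walks the record, handshake and extension framing to recover the name, returning None for anything that is not a ClientHello carrying an SNI.

```python
"""Recover the SNI hostname from a TLS ClientHello without decrypting anything."""
import struct


def build_client_hello(hostname):
    """Constructed sample: a minimal TLS 1.2 ClientHello record.

    Pass None to build a hello with no extensions at all (no SNI).
    """
    if hostname is None:
        extensions = struct.pack(">H", 0)                      # empty extensions vector
    else:
        name = hostname.encode("ascii")
        entry = struct.pack(">BH", 0, len(name)) + name        # name_type=host_name(0), length, name
        name_list = struct.pack(">H", len(entry)) + entry      # ServerNameList
        sni_ext = struct.pack(">HH", 0x0000, len(name_list)) + name_list  # extension_type=server_name(0)
        extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + bytes(32)                                # random (zeroed: constructed sample, not a real hello)
        + b"\x00"                                  # session_id length 0
        + struct.pack(">H", 2) + b"\xc0\x2f"       # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                              # compression_methods: [null]
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    # Record header: ContentType handshake(22), legacy record version TLS 1.0, length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Only the cleartext handshake framing is parsed; no key material is needed.
    Any truncation or non-ClientHello input yields None rather than an exception.
    """
    try:
        if record[0] != 0x16:                       # not a handshake record (e.g. application data)
            return None
        rec_len = struct.unpack(">H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:            # not a ClientHello
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) < body_len:
            return None                             # truncated capture
        pos = 2 + 32                                # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len                          # skip session_id
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                           # skip cipher_suites
        cm_len = body[pos]
        pos += 1 + cm_len                           # skip compression_methods
        if pos + 2 > len(body):
            return None                             # hello without an extensions vector
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:                     # not server_name, keep scanning
                continue
            list_len = struct.unpack(">H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack(">BH", data[q:q + 3])
                q += 3
                if ntype == 0:                      # host_name entry
                    return data[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    sample = build_client_hello("example.com")
    print("SNI from constructed ClientHello:", extract_sni(sample))
    print("SNI from application-data record:", extract_sni(b"\x17\x03\x03\x00\x05hello"))
```

The second call in the demo stands in for the encrypted records that follow the handshake: the parser correctly reports nothing, which is exactly the blind spot the prediction describes. The practical point is that the ClientHello, the certificate chain (in TLS 1.2) and the JA3-style handshake fingerprint remain available to a sensor even when payload inspection is impossible, so defenders should not treat an https flow as wholly invisible.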

Containment is the new prevention

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.

Increase in event-based attacks

The London Olympics, U.S. presidential elections, Mayan calendar, and apocalyptic predictions will lead to broad attacks by criminals. Cybercriminals will continue to take advantage of today’s 24-hour, up-to-the-minute news cycle, only now they will infect users where they are less suspicious: sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations.

Social engineering and rogue anti-virus will continue to reign

Scareware tactics and the use of rogue anti-virus, which decreased a bit in 2011, will stage a comeback. Except that instead of seeing “You have been infected” pages, we anticipate three areas will emerge as growing scareware subcategories in 2012: fake registry clean-up tools, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems.

Mobile malware menaces users and organizations

In 2011, the most prolific cybercrime platforms, Zeus and SpyEye, developed malware for the Android platform in order to intercept the SMS-based security controls deployed by banks to protect their customers from banking Trojans. Android has become the most-targeted platform for malware, surpassing Symbian in the first half of 2011.

Third-party software exploits gain traction

Third-party browser software such as Java, Flash Player and Acrobat Reader has a huge worldwide install base. Because numerous vulnerabilities in these products are found and often exploited, and because it is difficult for IT administrators to promptly update these products throughout their organizations, they have become an increasingly viable vector for attacks.

Exploit kits and malware reuse proliferate

Malware reuse is a growing phenomenon in the underground economy, and the Zeus family of malware is a great example. For the last few years, Zeus (a.k.a. Zbot) has functioned as one of the preferred types of malware used by cybercriminals. Until May 2011, Zeus source code was sold only to private groups, and older compiled versions of the tool were available to anyone; then the source code of the Zeus crimeware kit was leaked and is now publicly available on the Web.

Compromised websites serving malicious content accelerates

Social networking sites such as Facebook and LinkedIn are now being used by businesses to promote their organizations, generate leads and inform customers of special offers or important messages. Additionally, almost every self-aware organization has either started a blog or is in the process of starting one. Even though these blogs run on corporate Web servers, they often are not sufficiently protected against attack, which allows remote attackers such as botnet operators and traders to compromise the corporate Web server and turn it into a redirector to their malware.

Botnets disruption attempts short-lived

Botnets, vast armies of compromised machines around the globe, are the cybercriminals’ weapons of choice, and nothing suggests that this will change anytime soon. Whether it’s spam, data stealing, DDoS, or mass website hacks, botnets provide the horsepower and anonymity that cybercriminals need to perpetrate their crimes. Unless the operators are actually apprehended, botnet takedowns tend to have a short-term effect only. The Cutwail and Lethic botnets are classic examples. Despite being “disabled” multiple times, they are still spamming today.

Attacks on cloud services inevitable

Many people and organizations are moving to various cloud services to take advantage of convenience and attractive pricing. There are valid security concerns about moving sensitive data and critical systems to the cloud, including control of data, downtime due to an outage and lack of visibility. Despite excellent security practices employed by many cloud providers, the fact remains that these services are likely to be prime targets for cybercriminals.

Organizations will move from hardware to software-based tokens to authenticate users

“While you could say this isn’t really a prediction, as in truth the exodus to tokenless has already started, I’ll bravely put a figure against it and say 50 percent of all hardware tokens will be replaced with tokenless two factor authentication by this time next year.”
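For readers who have not seen what a “software token” actually computes, here is an added example, not code from the original post or from SecurEnvoy: a time-based one-time password generator and verifier following RFC 6238 (TOTP, built on RFC 4226 HOTP) using only the Python standard library. The shared secret, 30-second step and digit counts are the RFC 6238 reference values; the base32 string in the demo is the same secret in the form used by otpauth provisioning. `verify_totp` accepts codes from neighbouring time steps to tolerate clock drift and compares with `hmac.compare_digest`. This is the algorithm most software authenticator apps implement, so what it shows applies beyond the vendor quoted above.

```python
"""Software OTP token: HOTP (RFC 4226) and TOTP (RFC 6238) with a drift-tolerant verifier."""
import base64
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algorithm="sha1"):
    """TOTP: HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1, algorithm="sha1"):
    """Accept `code` if it matches the current step or any step within +/- `window`.

    A small window absorbs clock skew between token and server; keep it small, since
    every extra step roughly doubles the number of codes that are valid at once.
    Comparison is constant-time so a verifier cannot be probed digit by digit.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), code):
            return True
    return False


def secret_from_base32(encoded):
    """Decode a provisioning secret as shared by otpauth URIs (unpadded, case-insensitive base32)."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                                  # restore padding base64.b32decode requires
    return base64.b32decode(s)


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), here in its base32 form.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current 6-digit code:", code)
    print("verifies now:", verify_totp(secret, code, now))
    print("verifies 45s later (window=1):", verify_totp(secret, code, now + 45))
    print("verifies 2 steps later (window=1):", verify_totp(secret, code, now + 90))
```

The verifier deliberately takes the time as a parameter rather than reading the clock itself, so a server can substitute a monotonic or NTP-disciplined source, and so it can record the step that last succeeded and refuse a replay of the same code within that step, which the RFC recommends.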
