Most of the security companies have a stab at predicting events around this time of year, and reading their year end security reports can have the same effect as reading a medical dictionary -- you may end up imagining all sorts of symptoms that don't exist. And, of course, the companies have no interest in playing down the dangers -- they want you to buy their products.
Nevertheless, it is possible to extract some good news from the reports this year. As Kaspersky Lab's research experts admit: "If no serious [software] vulnerabilities are detected, 2010 may well prove to be one of the quietest years for some time."
That is a big 'if', of course, and software patching is still going to take up far too much time and effort. But the fact is: for the well-managed company practising good basic security, things could get a bit easier in 2010.
The cybercriminals, always more interested in hitting soft targets, are finding it easier to hit consumers rather than try to penetrate well-protected organisations. For that reason, they will continue to target social networking sites and peer-to-peer file-sharing sites to spread their malware, knowing that many users have little regard to their own security. Smartphones, too, will also become a target, but that may be limited to iPhones and Android devices which are not (as of yet) in widespread business use.
On the other hand, the rapid uptake of cloud-based services will inevitably make them a target for the cybercriminals, according to security company M86 Security Inc. With so much information from multiple clients held in a single place, cloud service suppliers will need to have immaculate security practices to avoid becoming a victim of some kind of cyber attack -- whether a data theft or a denial of service.
It is worth bearing in mind that cybercriminals on the whole are thieves interested only in stealing money or information that they can sell, with the least effort involved. In other words, their methods are dictated by some kind of return-on-investment calculation.
In its annual report, Cisco Systems Inc. makes use of this fact to plot the different types of attacks, which it calls the Cybercrime Return on Investment Matrix. The matrix ranks many different cyber attack techniques against their success rate and their money-making potential.
In the diagram, Cisco singles out "Rising Stars," methods with the greatest success rate and money-making potential. These include the Zeus banking Trojan and Web exploits. Below them, with money-making potential but a dwindling success rate, are what Cisco calls the "Cash Cows" -- such as 419 scams, pharma spam and click fraud -- which continue to generate money without too much effort.
While most security firms expect current attacks to continue, certain new trends are worth special mention:
Web threats and other vulnerabilities
Several factors make the Web so attractive for malware authors and distributors. First, according to Cisco Systems Inc., online criminals favour the Java programming language when creating malware because Java-based malware will run regardless of the device or platform being used, and because it is difficult for antivirus programs to detect Java code.
The complexity of modern websites also allows the malware writers to avoid detection. A typical webpage may pull in content from as many as 150 sources, and it is hard for the site owner to check on every one of them. This has become a big problem for sites where advertising is generated on the fly. So although the site itself may be legitimate, ads may contain links to malware.
-->Cisco cites one example in its year end security report: "In September 2009, a major news publication announced that a homepage online advertisement, served up by one of the newspaper's ad networks, was delivering malware to people who clicked on it. The advertiser initially claimed to represent Vonage, the telecommunications company; however, once posted, the ad was switched to a computer virus warning that offered "antivirus" software. Unsuspecting users who installed the fake software appear to have also installed malware."
This is likely to be an ongoing problem for online businesses.
According to the same Cisco report, "Online criminals show every sign of continuing their campaign to steal lucrative financial login information -- and they're growing ever smarter and more sophisticated with their tactics."
One of the most effective cyber attacks of 2009 was the Zeus Trojan, which Cisco estimates had infected more than 3.6 million computers by October. Infection occurs via email phishing attacks or by drive-by downloads when the user visits an infected webpage. Once installed, Zeus sits waiting for the user to enter usernames and passwords, which are then transmitted to the central controller of the Zeus botnet. Cisco expects the rate of infection to grow over 2010, especially since the Zeus Trojan is now available for sale on the Internet as a toolkit. Priced around $700, the toolkit creates new variants of the Trojan, providing each new version with a unique signature that enables it to evade detection by antivirus programs.
A newer contender, the Clampi Trojan, works like Zeus and has already infected hundreds of thousands of machines.
Spam is regularly written off as a menace, and last year, we certainly saw the rise of Web-based threats while email seemed less of a problem. But according to antivirus maker BitDefender, spam is making yet another comeback, using big news events (such as the death of Michael Jackson) to get people to click on a message, which might either carry ads for sexual enhancement drugs or ads for rogue security software or malware. In one case cited by a BitDefender report, a message asked the user to click on a link to see the "secret photographs" of Michael Jackson's killer. In this case, the attached file was a Trojan variant, which, once installed, added the compromised computer to the Zeus Botnet, and then transformed it into a spam relay.
Until recently, there were few genuine attacks against mobile phones, but that is set to change. Websense Inc. promises "more dedicated targeting of smartphones in 2010" and reports that at the end of 2009 it detected four iPhone exploits in a span of a few weeks -- "representing the first major attacks on the iPhone platform and the first iPhone data-stealing malware with bot functionality."
Websense notes that smartphones, such as the iPhone and Android, are essentially small computers and therefore face the same threats as other computing devices. However, they are usually not as well controlled as traditional computers, and tend to attract a lot of third-party applications that may be vulnerable to attack.
While several companies note that the Macintosh platform is no longer a safe harbour from attack -- Apple released six major security updates during 2009 -- Microsoft Windows and Internet Explorer will still provide criminals with their most fertile hunting ground.
Websense notes that Windows 7 is particularly vulnerable because Microsoft has removed many of the heavy-handed security features that had annoyed users of Windows Vista. But reaching the right balance between security and usability is proving tricky, as evidenced by the Patch Tuesday cycle in October 2009, where there were five updates for Windows 7 -- even before it was released to the general public.
Despite the predictions of doom for 2010, companies can still protect themselves against most threats by adopting good basic security practices, keeping patches up to date, and ensuring that users are kept aware of the need for security.
Most criminals will go for the low-hanging fruit -- the easiest targets -- and for the moment careless users of social networks and smartphones present a lucrative market for the criminals.
At the same time, the security industry has done well to keep pace with the criminals and to provide the tools with which to beat them. With a bit of luck, Kaspersky Labs might be right, and we may well have a quiet year in the corporate world.
But as Websense warns, businesses can never drop their guard. "The dynamic nature of Web 2.0 attacks, the use of email to drive users to malicious websites and tactics like SEO poisoning and rogue AV, all demonstrate the need for organizations to have a unified content security platform that protects against blended Web, email and data security threats."