Security trends 2011: Making sense of predictions

While vendors have never been known to underestimate security threats, the job of the information security pro is, nevertheless, getting harder, says UK Bureau Chief Ron Condon.


Many in the security realm, vendors included, enjoy making predictions at year’s end, and the new year’s security trends for 2011 are no exception: December and January had all the security vendors once again reaching for their crystal balls and making predictions.

Most of the forecasts make for uncomfortable reading, of course; no security company wants to admit that things are getting better, since there would be no need to buy any more of their products.  They also tend to focus on the threats for which they believe they have a cure.

However, even if we strip out the predictions, hyperbole and the marketing, the raw data suggests that the job of information security is getting harder for a number of reasons.


On the one hand, threats are undoubtedly growing and changing. According to vendor and research firm Panda Security, 34% of all existing viruses were created during 2010. It adds that banking Trojans, such as Zeus, accounted for 56% of all new malware samples detected, and another 11.6% were fake antivirus software, a malware category that only appeared four years ago.

Botnets are also on the rise, according to ESET, another security firm, which detected 5,500 active botnets in November, compared to 4,000 the previous year. It forecasts that botnets could hit the 7,000 mark in 2011, partly because the criminals are using more and smaller botnets, which have a better chance of flying under the radar.

The reason for the growth is that cybercrime is a profitable business, and the chances of getting caught are slim.  Well-funded criminal gangs can buy the skills they need to create even more sophisticated malware.

And, working under a cloak of secrecy and false trails, these cybercriminals can disguise their locations and usually escape the attentions of law enforcement. They work globally, whereas police forces are constrained to their own jurisdictions. Although international police collaboration has improved in recent years, it is still too fragmented and slow-moving to block the activities of nimble crooks who owe no allegiance to any country and can readily decamp to a less punitive jurisdiction if necessary.

Although most cybercrime is still directed at consumers’ credit cards and banking details, corporate confidential information -- with far greater commercial value -- is now increasingly targeted. Advanced persistent threats, which involve slow and careful groundwork by the criminal to find chinks in the corporate armor, take more time and effort, but they play for much higher rewards.

Advanced evasion techniques are also being used to get past the filters of intrusion prevention systems, again using clever techniques to disguise incoming malware.

At the same time, it is becoming harder for organisations to keep track of their data. In the old days of the mainframe, data stayed on disks in the computer room. Now, there are a dozen ways for information to leave the corporate fortress, from webmail attachments to USB sticks, careless comments on social networking sites and smartphones. All these -- and many other holes in the corporate sieve -- provide a means for information to leak out, either by accident or by design.


Stuxnet also deserves a mention. Some see it as the grim face of malware to come; others see it as a targeted piece of code whose sole purpose was to disrupt the Iranian nuclear industry, and therefore is of no real relevance to the rest of us. Whatever the truth, it reminded those working with SCADA systems that they, too, need to raise their game against attack.

So there we have it: lots of new threats and an array of new ways for companies to lose their information. But does it change the way we need to do security in 2011?

Not really. The same principles apply, and the best organisations protect themselves by focusing their efforts on doing the basics well. That means identifying their most precious assets, and ensuring those are protected above all else. It also implies good identity and access management, to make sure only authorised users get to access the information they need to do their job.

The best organisations also develop a culture of security.  This is especially important now, since most security firms agree that in 2011 social networking sites will be a major channel for malware and other scams aimed at luring the unwary to infected websites.

For instance, security vendor Sophos Ltd. surveyed more than 1,200 users in December 2010 and found that 40% of social networkers had been sent malware, such as worms, via the social networking sites of which they were members, a 90% increase since the summer of 2009. Two-thirds (67%) said they had been spammed via social networking sites, more than double the proportion two years ago, and 43% acknowledged being on the receiving end of phishing attacks, more than double the 2009 level.

While technology can help defend them, well-trained users are probably one of your best defences.

Ron Condon is UK bureau chief for Send comments on this column to [email protected].
