Risk
12/27/2012
10:51 AM

7 Top Information Security Trends For 2013

From sandboxing enterprise apps on mobile devices to hacking websites via high-bandwidth cloud attacks, experts detail the security trends they expect to see in 2013.

What's in store for security in 2013?

On the information security front, 2012 was notable in numerous ways: for Muslim hacktivists launching distributed denial-of-service (DDoS) attacks against U.S. banks, the FBI busting alleged LulzSec and Anonymous leaders, eccentric antivirus founder John McAfee's flight from justice, the apparent data security missteps of the former director of the CIA, as well as a nonstop stream of website hacks, defacements, and data breaches.

Expect more of the same for 2013, and then some. Here are some of the top information security trends -- and vulnerability warnings -- that experts are calling out for the upcoming year:

1. Mainstream Cloud and Mobile Adoption Seeks Security

In 2013 more businesses than ever will look to cloud and mobile computing while also seeking security checks and balances to protect corporate data. "'Cloud' is finally getting over its hype curve," said Steve Robinson, vice president of security development, product management, and strategy at IBM, speaking by phone. "In the beginning of 2012, we were hearing more discussions about if the cloud is safe."

Going into 2013, however, more firms are now setting deployment timetables and talking security practicalities. "I've had a few CISOs tell me that the two platforms they're planning the most for now, looking five years out, are cloud and mobile," Robinson said. On the cloud front, he continued, "We're seeing cloud security being discussed in much more practical terms: what workloads do we put out there, and how do we protect it?"

For mobile devices, on the bring-your-own-device (BYOD) tip, many businesses are asking how to best mix corporate and personal information on smartphones. Interestingly, such questions were hardly ever asked about corporate-owned laptops or desktops, according to Robinson. As a result, he said, by 2014 "we think mobile is going to be as secure, or more secure, than many desktop environments."

2. Businesses Begin Sandboxing Smartphone Apps

One tool that could see widespread adoption in 2013 will be mobile app sandboxing. Indeed, as more employees examine how corporate data gets stored on myriad employee-owned devices, Jim Butterworth, CSO of security software and consulting firm HBGary, predicts that more businesses will turn to sandboxing technology on mobile devices to protect their data. Using a sandbox application to access corporate emails, for example, "that application is only resident on the machine while you're receiving emails -- but you can't copy out or in any attachments," said Butterworth, speaking by phone.

3. Cloud Offers Unprecedented Attack Strength

Just as there's a productivity upside to new technology or trends such as BYOD, so often there can be a potential security downside. In the case of cloud computing, notably, some security researchers have been warning that the sheer scale of the recent DDoS attacks against U.S. banks presages a future of Armageddon-style attacks in which hackers can overwhelm not just targeted websites with high-bandwidth attacks, but every intervening service provider.

In 2013, expect to see even bigger attacks launched from the cloud. "It used to be, to launch a massive denial of service attack, you had to build up your botnets so criminals would slowly and surely build up their army of hundreds of thousands of drones," said Harry Sverdlove, chief technology officer of security software vendor Bit9, speaking by phone. "Now, they can rent the equivalent of 100,000 processors. ... So just as legitimate companies are using the cloud to do great things, of course cyber attackers are taking notice as well -- and they can cause significant damage."

4. Post-Flashback, Cross-Platform Attacks Increase

Write once, infect anywhere? That's no doubt the attack goal of many a malware writer. But until recently the relatively scant install base of every operating system -- bar Windows -- led most malware writers to avoid bothering with Mac, Linux, Unix, Android, or other operating systems.

In 2012, however, malware authors altered their approach with the Flashback malware. "With the Flashback Trojan earlier this year, we saw estimates of over 600,000 Mac computers were infected," said Sverdlove, and it apparently earned attackers big bucks via click fraud. Since Flashback, more than one attack has targeted multiple operating systems via cross-platform vulnerabilities present in Java and Flash, and no doubt the targeting of those plug-ins for financial gain will continue in 2013. "With the prevalence of Macs in the workplace and the number of mobile devices, this is becoming a much more lucrative target," he said.

5. Destructive Malware Targets Critical Infrastructure

In 2012, the Shamoon malware was notable for what it apparently wasn't, which was a state-sponsored attack. Instead, Middle Eastern hacktivists have taken credit for disrupting Saudi Aramco -- the state-owned national oil company of Saudi Arabia and the world's largest exporter of crude oil. To do this, they didn't build a Stuxnet-style cyber-weapons factory, but rather gleaned some tricks from previously launched attack code, such as the U.S. government-created Flame malware. The result was Shamoon, which infected and began erasing the hard drives of 30,000 Saudi Aramco workstations.

Moving into 2013, said Sverdlove, "the trend of hacktivists, combined with a rise in sophistication, will lead to much more destructive attacks on infrastructure." Already, Shamoon has shown that the barrier to entry for launching malware attacks against critical infrastructure systems continues to decrease and that attackers no longer have to be malware experts. Accordingly, people with a grudge may add such attacks to their toolkit, next to website defacements, Twitter account takeovers, and DDoS attacks.

"Hacktivists represent the unpredictable factor," said Sverdlove. "All it takes is a few individuals with an agenda or an ax to grind, and they now have the tools to launch distributed denial-of-service attacks or attacks to wipe out data. It makes for a much more dangerous combination."

6. Hackers Target QR Codes, TecTiles

One of the more innovative -- as well as simple and inexpensive -- attacks to emerge over the past year involves fake QR codes, which attackers have printed out and used to cover up real QR codes on advertisements -- especially for financial services firms. "Banks have been battling fake QR codes as a method of doing cross-site scripting attacks on mobile phones," said HBGary's Butterworth. "It's scary: [attackers] use open-source QR generators, then they put these things on billboards or ATM machines, promising $100 if you open a new account -- and it's all just to exploit [consumers]." Alternately, attackers could use fake QR codes on bank advertisements to send consumers to fake versions of their bank's website, then steal their access credentials.

Banks are now also exploring Samsung TecTiles, which are Android apps that let you read and write near field communication (NFC) tags, as a way to let people make payments. But according to Butterworth, with near field communications comes a huge amount of risk. Enterprising attackers could create their own TecTiles that redirect to malicious websites, or even launch phishing attacks.

Attacks using QR and TecTiles target consumers. "It's a problem more, I think, for personal banking and the threat of people getting their money stolen than for some state-sponsored entity trying to find their way in," said Butterworth.

7. Digital Wallets Become Cybercrime Targets

Expect any combination of smartphones, payment capabilities, or credit card data to draw attackers' interest. On a related note, Google, Apple, Verizon, T-Mobile, AT&T and others are now moving into the electronic wallet and digital wallet space. But storing gift cards and credit cards on a smartphone and allowing consumers to make payments via NFC -- simply waving a smartphone near a payment terminal to begin a transaction -- will make digital wallets a big target for criminals, said Bit9's Sverdlove.

It's virtually guaranteed, furthermore, that every last potential attack vector or exploitable vulnerability hasn't yet been worked out of such systems. "Like any new technology, convenience always precedes security ... and we'll see some elevation in the number of attacks on e-wallets or digital wallets," Sverdlove said. "It will serve in the long run to strengthen security."

But in the short term: come 2013, watch your digital wallet.

Comments
anon9698876813,
User Rank: Apprentice
4/1/2014 | 11:00:09 AM
Cloud security
Cloud storage is absolutely going to become the number one way to store data - why should I set up a RAID setup when I can pay someone else to do it remotely? But I am unsure of how cloud security works and how safe it is - the companies are opaque and they speak in useless jargon to describe the encryption levels. How can we know how secure that data is once it leaves our computers? I think a combination of cloud and physical storage is probably good for data storage and database management.

-James, DCIM software coder
fahim93,
User Rank: Apprentice
11/16/2013 | 3:27:45 PM
Application sandboxing
Application sandboxing is controversial because its complexity can cause more security problems than the sandbox was originally designed to prevent. The sandbox has to contain all the files the application needs to execute, which can also create problems between applications that need to interact with one another. For example, if a developer builds an application that needs to interact with a device's contacts list, sandboxing would cause that application to lose important functionality.

Is there a solution for the above example?
PJS880,
User Rank: Ninja
1/6/2013 | 12:20:32 AM
re: 7 Top Information Security Trends For 2013
It is good to read about what the biggest security trends of 2013 are going to be. I think that last one on the list was probably going to be the obvious; digital wallets have trouble for consumers and opportunity for hackers written all over them. It is no surprise that this made the list. I am, however, surprised that this is forecast to have due a growth that the need for advanced security was among the top 7. Cloud computing and individualization I would have imagined filling the top 10 slots.

Paul Sprague
InformationWeek Contributor