No matter what publication you pick up or e-pub you scan between now and throughout January and February, if it has anything to do with technology, there’s going to be an article related to foreseeing security risks, predicted attack trends or something risk-related projected for the forthcoming year. Most of those predictions will have some variation on a few exploits and trends we have seen before, often revealing one common theme: because the way we use technology hasn’t really changed in the past few years, you don’t have to look far to anticipate what problems will occur.
For starters, we have to look at this sector of the world: Asia and the APAC region. Though the Asian sector is still very much a part of the world’s business, cultural and technology community—and is leading in many ways—there are still nuances and unique ways in which this region has to look at how tech is both implemented and abused.
Sure, there will be plenty of talk about organized cybercrime movements and the rise of computer piracy in the future, along with the continuation of hit-and-miss credit card thefts, etc., but the problems that lurk on the horizon of the Year of the Snake are actually somewhat predictable, because of how we use technology.
For example, throughout Southeast Asia, in countries with emerging adoption of technologies, guidelines, software implementation, etc., organizations are slow to implement newer versions of software and, because of availability and financial constraints, have to make do with older tools—some places are even still using such dinosaurs as Windows 2000! When you face situations like this, in which archaic tools are still the staple of business, many problems already exist, and new, even more difficult problems will surface, not only for the users of these applications, but also for the people on the other end of their transmissions. In fact, many times, businesses won’t even be able to fully communicate, due to revision limitations—and that’s a major risk in itself. Anything that reduces performance should be treated as a risk to operational success.
Then there’s this other problem: bias. When you read those “Top Ten” lists, often there are vendors looming just out of sight, whose products somehow miraculously address 90 percent of the stated problems. That’s a problem too.
So for the sake of following the status quo of sharing some insight on the top 10 problems that ConZebra sees, and without stating any “We can help with that” solutions, I’m going to elaborate on five of what we think are the Top 10 problems (in no particular order) anticipated to cause the most potential grief to this region, and then briefly discuss the other five:
#1. Random Acts of Confusion
Look at these as globally reported incidents that involve some unknown (or known) entity launching some massive distributed denial of service attack on some under-protected, higher visibility target, for the purpose of causing more harassment than anything. This one is sort of like having a gang of faceless bullies attacking the nice kids on the block, simply to steal their lunch money, while on their way to school, and then never really getting to school to spend that stolen money.
Overall, I’d say careless spending has to be at the top of the list, since the whole Security space is climbing closer to that US$10 Billion mark. There are more products, services and versions of products, varying sometimes only by the vendor’s UI, and this alone will instigate a continuing flood of uncertainty and misalignment between technologies.
You’re going to hear of at least one major cyber crashing of a known organization, and here’s the saddest part of all: The bad guys are going to use a common exploit, like a cross-script web attack, SQL injection or some other commonly posted (and commonly fixable) exploit. Why? Because older systems are still vulnerable to these exploits, and even newer systems, when not configured properly, are easily broken using old techniques, and bad guys don’t like to work too hard to get into trouble.
#2. Maturing Malware
Malware seems to be maturing in its capabilities, and Stuxnet is certainly a good example of how far a more sophisticated attack can go. So on this one, look for politically (and even nationally) motivated agendas to drive target attacks, either toward whole countries or for designated motives. While Windows is still the victim of choice, the Mac world is not out of reach for something big to happen.
#3. Stormy Clouds Ahead
The whole notion that organizations are moving away from locally hosted points of storage and access, toward cloud-based computing means opening an even deeper level of virtual security risks. I do expect something on the scale of a tsunami-like force to be released in the cloud. On the good side, organizations are moving smarter toward cloud-based computing because of what they’ve learned over the non-cloud years. Still, however, I don’t think it will be enough.
Moreover, as more applications shift to cloud-based hosting (especially in the handheld device categories), it just invites a raging storm to rain down.
Better get something stronger than those umbrellas!
#4. BYOD Panic & Preparation
Given the fact that one-seventh of our world is somehow connected via the social networks (that’s a billion-plus people), even to the point where people are sharing their shopping, dining, everything habits with anybody and everybody, don’t be surprised to find that the social networks are going to take a hit—which means privacy attacks will be stars of the 2013 security blockbuster season (not to mention at least four or five predicted hacker- and global security-based cyber movies scheduled for release in 2013). Who knows? This actually might make the folks in Hollywood bring us something better than ridiculous teen vampire stories!
The incredible bowling over of mobile technology has spread throughout the world overnight, and guess what: It’s not the iPhone 5 everybody is turning to, it’s the ANDROID.
Since July 2012, more than 100 million Android phones have found their way to new owners, which represents slightly more than half of the market in smartphones (sorry, iPhones). Fake apps and bad SMS messaging are all the rage with the malware writers these days, and as the new year unwinds, we have already seen report after report of this rising tide of “new” target exploits.
Trojans and hostile payloads are being introduced almost daily, which target a range of outcomes, from rerouting EFTs made with smartphones to piggybacking SMS time for others to exploit, while the unsuspecting owners foot the bill. And that’s not to mention the problems associated with downloading a host of exploits hidden in all of those games.
Methinks the birds are going to get much angrier in the coming year!
#5. Compromising the Infrastructure
Rounding out my Top Five anticipated antics for the 2013 cyber-season are exploits that target whole infrastructures. I’m going out on a long limb here on this one, but Asia is the most rapidly growing sector in the area of technology focusing on how to protect and monitor critical infrastructures. Notwithstanding the bad guys, gangsters and political mavens that all want a share of the expanding Asian Fortune, even Mother Nature is getting in on the action. Every time an earthquake rumbles, a typhoon throws a spin in the region, a tsunami takes out a coastline or even when a volcano burps, the devastating loss of life aside—it’s the infrastructure that takes the most damage, costs the most to fix and results in the greatest economic losses.
You might say, “How do you anticipate these problems?” While the answer is not easy, it is a good solution, and you can sum it up in one word: Planning.
Okay, here are the other five:
- #6. Attacks on data storage (Do you know when, how and where your data is accessed?).
- #7. Growing patterns of Identity Theft (Social engineers don’t have to work hard, we already tell them everything about ourselves). Even Hollywood recognizes the value in the topic, as a new movie by the same name is premiering next month around the world.
- #8. Data forensics will be an emerging tool set and as such, new perhaps smarter attack patterns will target the same kinds of results, but will carry lighter footprints so as not to be as easily recognized in the log files, etc.
- #9. General all-around problems associated with the expanding Android market will rear their ugly heads in full force during 2013. This goes back to my earlier remarks about smartphones and other handheld devices. No doubt, as more of us depend on our gadgets, these devices and supporting systems will continue to be the hotbeds for the rise in device-targeted exploits. So if you’ve got one (and most of us have several), my advice would be to start learning as much as you can, “hardening” your configurations, and making sure you have a strong and routine back-up plan for your data.
- #10. More “Stupid Human Tricks” are still the first and foremost method of exploits in almost 90 percent of the cases of security misbehavior–like cutting budgetary corners by combining systems that shouldn’t be combined, or relaxing on how people access critical assets, etc. Or maybe the boss needs yet another back door into the system? This last concern is perhaps the easiest of all to fix as well. Still, we tend to look outside our house to find trouble while forgetting that most of the problems happen because we left our front door open and our windows unlocked. Simply stated, we really don’t like to or don’t understand how to change our operational habits (like strong passwords, privacy settings, encryption, etc.), and because of that, this will continue to be a lingering sore we will feel in the coming months.
While there’s no science to predicting the future, common sense usually serves as a reasonable crystal ball. And in the case of these 10 points of concern, and based on the trends we are seeing in how technology is embraced and exploited, it’s a pretty good bet your organizations are going to see at least a couple of these problems creep into the conversation around the server rooms.
The bigger challenge, however, is getting the discussion about how to manage these problems up to the board rooms.
But that’s a conversation for a different column.