2009 was significant, security-wise. Experts are predicting 2010 will be as well. Michael Kassner reviews some of their predictions and makes a few of his own. See if you agree.
Why was 2009 significant? Criminals figured out they can make a lot of money in cyberspace. So much so that their underground economy is doing better than its above-ground counterpart.
That's going to change in 2010. The pundits say it's going to get worse. Every prediction I read suggests that cybercriminals are going to continue leveraging existing vulnerable technologies and find new and more effective (for them) vulnerabilities to exploit. Let's take a look at some of the predictions.
eWeek's prediction
Mr. Brian Prince, in his eWeek article, foretells a continuation of current bad guy successes, plus a strong push into the cloud:
- Pirated software will drive insecurity. Users of pirated software are afraid to download updates, and are thus exposed to security risks.
- Social engineering meets social networks, upping the ante for compromises. Criminal organizations are increasingly sophisticated in how they attack social-networking sites.
- Criminals take to the cloud. In 2010, we will see criminals leveraging cloud computing, increasing their efficiency and effectiveness.
- Services will protect themselves. Facebook, Google, Twitter, TinyURL, and the like will gain more control over criminal content.
- Malware will not evolve. No significant changes in malware will occur in 2010. Botnets won't get more sophisticated, although they may make changes in the way they work.
- Consumers are getting smarter. The base level of "cluefulness" for consumers will rise in 2010.
- Serious finger-pointing and frustration over essential protocols (SMTP, DNS) will occur amongst governments and non-technical organizations.
- Apple's increasing market share will force them to finally invest in security, due to increasing attacks targeted at Apple devices.
- App security testing is limited. Developers are able to slip in apps with undocumented APIs. Attackers will take things one step further and get malicious apps accepted.
- The arrival of financial DDoS attacks. Cloud-based services charge by actual consumption. Attackers will hold enterprises hostage by artificially inflating costs.
- Clickjacking has been used successfully for social-engineering attacks and it will become more prevalent.
Mr. Stephen Pritchard of ITPro consolidated the opinions of several security firms for his 2010 prediction. That creates an interesting perspective:
- Bigger botnets are expected by Symantec, meaning more spam e-mail. Can it get worse? Spam is already over 90% of all delivered e-mail messages.
- According to IT security firm Imperva, cybercrime is getting organized. The criminals are operating clearly defined supply chains, similar to drug cartels.
- Getting users to install scareware that controls their computers is an effective money-making tool for the bad guys. That suggests it will be more common in 2010.
- Windows 7 is a new operating system. That overrides any security improvements. Being new is a liability; just ask any security analyst.
The experts did agree on several concerns:
- Cloud computing: The cloud offers unprecedented storage and processing power. If more businesses start migrating to it, so will the bad guys.
- Data breaches: Data centers continue to grow in size and capacity. Yet, security is not keeping up. Data breaches in 2009 were minor compared to what's expected for 2010.
- Social networks: Social networks are ripe for plundering. That's understandable, considering the popularity of social networks in 2009. Most, except Mr. Cooper, say we haven't seen anything yet.
What I view as the biggest security headaches for 2010 are the problems requiring significant effort to fix, such as:
- Vital, yet broken system protocols, DNS for example.
- Convincing organizations to implement security/privacy measures on behalf of people accessing the organization's Web presence.
- Balancing usability with security when new technology is being developed.
- Becoming proactive: we know mobile devices are on the bad guys' radar, but we are doing little about it.
I'm onboard with Mr. Cooper. We did learn a great deal in 2009. Amazing innovation in IT security also occurred. It's now up to us, so I'm thinking 2010 will be a good year.