Sec Lab: Predictions and Trends for Information, Computer and Network Security
This is an effort to chronicle what a number of really smart
people believe the state of the information security industry to
be, and where we are going. A lot of the emphasis is on security
threats, but we also consider what is working and what good
practice is. We hope you will be able to use this in your
strategic planning and also as input for your security
Other Related Articles in Sec Lab: Predictions and Trends for Information, Computer and Network Security
Security Predictions 2012 & 2013 - The Emerging Security Threat
Feb 23rd, 2011
Stephen Northcutt & Friends
Security Predictions 2012 & 2013 - The Emerging Security Threat
This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.
This web page is sponsored by SANS Security West 2011: Emerging Trends, May 3 - 12, 2011 San Diego.
What do we mean sponsored by SANS Security West? Of all the conferences in the year, this is the one we use to focus on emerging security threats. Many of us have been working on our panel material and evening talks since Security West ended last year.
I see the most dramatic change yet coming to the IT security industry. That is the entry of the big boys. Up until now IT security has frankly been a niche industry. No one segment has gone much over $5 billion in total spending. (The market for yogurt in the US is larger than the entire firewall industry.) By the Big Boys I mean the defense industry. Boeing, Raytheon, Lockheed, SAIC, Northrop Grumman, BAE, EADS, HP(EDS) and others will be expanding their security capabilities and making acquisitions. With big guns like these even Symantec could be in play. Times change, and our cozy little industry is going to change with the times. There will be good and bad repercussions from these changes. Just as the nascent rocket industry was fueled by governments piling on to deliver weapons around the earth, which led to manned exploration of the Moon, IT security (or dare I say *cyber* security?) will fall into the hands of governments and the industry giants that provide them with products and services. The end result will be better security products and services, but the down side will be insane disruptions to the Internet passed by over zealous legislatures and the militarization of cyber space.
More Targeted Custom Malware Attacks
Stuxnet, way back in 2010 signaled the new era. The Google and Heartland attacks have highlighted the need for something more than traditional black-list approaches to malware. We will start to see more security vendors committing to application white-listing approaches and more customers realizing anything other the than the traditional black-list approaches is "hard." If your security posture can be bypassed with custom malware you are probably already compromised. This will force many organizations to take a hard-long look at the 20 Critical Security Controls.
Ed Skoudis has been saying it for years (the zero-day, polymorphic, metamorphic, multi-platform flash worm). I believe this is the year of the zero-day malware. The growing trend over the past year has been for more and more well planned and executed breaches leveraging zero-day or customized malware. Four out of the last five incidents that I've dealt with have involved targeted malware widely deployed in an enterprise, none of which could be detected by any main-stream antivirus product. With behavioral-based malware detection like Memoryze from Mandiant just beginning to come on the scene, the window on traditional forms of malware is beginning to close. As the saying goes, the night is always darkest before the dawn! It's incredibly important to get your information assurance and audit programs up to snuff right away. Check out the SANS Audit Site and the SANS IT Audit blog for tips and techniques on how to detect zero-day malware throughout your enterprise!
Mason Pokladnik comments further, Intruders will continue to increase the persistence of their network foothold by attacking all of the other devices on the network from printers and routers on one end to more non-traditional targets on regular desktop/server computers. The newest Alureon rootkit attempts to persist even after a reinstall of Windows 7 64-bit and a researcher has just announced a proof of concept rootkit embedded in a Broadcom network card's firmware. These attacks will become more common in 2011 since they do not require the same level of investment as attacking the supply chain with modified hardware. The only surprise is it took so long. Ed Skoudis and Lenny Zeltser have been pointing at this trend since at least their 2004 book Malware:Fighting Malicious Code. Expect security appliances built on top of custom Linux distributions to be an appealing target. And of course, Stuxnet was the final nail in this coffin, it may have set Iran's nuclear program back, but it also served as a massive tech transfer for targeted malware.
Cory Ramsden suggests we will see grid worms – malware targeted at poorly secured smart meters and meant to cause widespread disruption. He also points out geolocation could result in location-aware malware. Imagine a program that was smart enough to not take any action unless it was within a certain geographic area, say within a government building. Once it knew it was inside the building it could propagate over a wireless connection to poorly secured access points, take pictures, infect other handheld devices, send contact information, etc.
Steve Elliot adds,
1) Reputational Hostage Malware: Future ransomware may say, "Note the attached embarrassing media of you, found on your drive/in your cloud storage. (The media files are actually attached.) Pay us $X, or copies will be sent to these
friends: <list follows, including people you know well, your co-workers, church friends, etc.>." (In an ironic twist, the malmarket will price your ransom proportionately to the "ick" factor of your blackmail.)
2) Physical Hostage Malware: Your car doors will not unlock until you pay $X.
You'll either be locked in or out of your vehicle. Your smartphone's e-pay function can pay a small ransom and release the doors instantly. Out of desperation, many would immediately pay a token amount (less than 3 dollars, perhaps).
3) Bioimplant Malware: "You know that pacemaker your loved one has? Our organized crime family has some good news for you, and some bad news..." After the first real bioimplant attack gets sensationalized in the mainstream media, no matter how esoteric the attack vector, it will resonate loudest with the least technically savvy among us: those most vulnerable to fear. Who wouldn't pay any sum to save a loved one's life? Naturally, 98% of these messages will be faux-bio scareware, but the e-mob will collect millions anyway.
Editor's Note: The window may be closing for traditional malware in large organizations that can afford skilled security staffers, but all of the research I have been doing indicates the small business owner and home user is a sitting duck. In fact, we could read a situation in 2011 - 2012 when there are essentially no uninfected Windows home systems. In fact Chet Langin famously remarked, "I wonder if there's a Stockholm Syndrome for people "held hostage" by malware?" According to Wikipedia, Stockholm syndrome is a term used to describe a paradoxical psychological phenomenon wherein hostages express adulation and have positive feelings towards their captors that appear irrational in light of the danger or risk endured by the victims. This is rare enough, it only happens to about a quarter of victims and only if enough time passes. However, what if the malware was to interact with the user? Robert Axelrod is an American political science professor whose field of study is complexity theory, especially agent-based modeling. His primary research has been in the evolution of cooperation. His work has been instrumental in making BitTorrent the success that it is, and the principle he uses is reciprocal altruism. If the malware was to make itself apparent to the user, make it very clear an attempt to clean the system would result destruction of the OS AND even be helpful in some ways some times, people would probably be willing to put up with its presence.
The Changing Face of Incident Response
The virtual incident response team concept will begin to fade in favor of full time Incident Responders, Forensic Analysts, and Reverse Engineering Malware Specialists. Many companies responded to incidents by using the volunteer fire department model where individuals were drafted into serving on an IR team temporarily during an incident. However, with the scale of incidents growing and the time to respond shifting from weeks to months and even years, organizations find that they cannot pull core IT staff off their normal duties to continually respond to incidents. Security Operations Centers will begin to form dedicated full-time incident response teams to respond to ongoing security threats. Usually in enterprise sized IT organizations, the ration should be 1 responder to 7,500 systems. So if you have a 100,000 node network your team size should be around 13-14 dedicated personnel. As a result, the demand for experienced incident responders will rise sharply.
- Prediction by Rob Lee
IPv6 will Become Important When IPv4 Address Space is Exhausted
Some time within 2011 or 2012, ARIN and regional registrars will exhaust the existing IPv4 address space (http://www.potaroo.net/tools/ipv4/index.html). At this point, ISPs will no longer be able to grow unless they start to implement IPv6. In order to support the roll out of IPv6, operating system vendors aggressively add IPv6 support and enable support for various auto configuration mechanisms, including auto configured tunnels, by default. However, at this point only a small number of networks has implemented IPv6 (http://v6asns.ripe.net/v/6). One of the hold ups is a lack of security tools supporting IPv6. Implementing IPv6 properly, including the necessary security controls, is a time intensive and difficult process. The lack of properly implemented IPv6 networks and the increasing availability of auto configured IPv6 connections from desktops and servers will lead to a "shadow network" of IPv6 tunnels which will evade many controls like intrusion detection or prevention, firewalls, content filtering, data leakage monitoring, spam filters and many other technologies we have been relying on in network security. Securing the end point will become more important. Asset detection and patch management has to include more passive components instead of relying on active scanning for rogue and unpatched systems. Prediction by Johannes Ullrich of the Internet Storm Center and author of SANS IPv6 course. Raphael Gomes Pereia wrote in to say that he agrees and that he thinks it will take six or seven years to get the whole IPv4 - IPv6 transition complete.
Advanced RISC Machines are prevalent in cell phones and microcontrollers. As cell phones become more advanced, As more and more data is stored on mobile phones, since they are gaining in popularity as laptop replacements, they become a bigger target. More services runs on mobile phones, and some of them are vulnerable in the same way the are vulnerable on PCs, although, exploiting those weaknesses were harder till 2010, in 2011 with more common tricks and more shellcodes, it will be easier for hackers to exploit vulnerabilities on mobile phones. Most of the focus is on Android/iPhone, of course, which suffered from different attacks in 2010. Remote attacks such as sending malicious links, or doing MiTM for mobile phones became bigger threat for devices surfing through WiFi. I expect this process will become more automatically in 2011 including Metasploit modules for phone vulnerabilities, etc. You can expect to see the hacker community focusing on ARM devices attacks such as this blog post.[Updated 12/30/2010]
- Prediction by Itzhak Avraham @ihackbanme on Twitter
What about Secure Hardware?
We're seeing significant improvements in secure software development teams. Not all vendors have made the huge strides that eliminate a great deal of software bugs, but major vendors have stepped up to the task, leading the way for smaller software vendors to follow. Missing from this trend is the design of secure hardware systems. Exploiting weaknesses in hardware systems is becoming a more and more attractive target area for attackers, especially considering the lack of secure hardware development knowledge and practice, as well as the general lack of hardware "patching," giving an attacker an extended period of time to exploit a hardware vulnerability while a vendor or customer attempts to recover from the flaw. We'll continue to see interesting research on exploiting various hardware systems from parking meters to smart appliances and more, with growing concern over the kind of power an attacker can wield when they control critical hardware systems such as electrical generation and traffic management systems.
Editor's Note: One of the most fascinating implementations in 2010 is the Iron Key designed for secure online banking.
- This prediction is by Josh Wright author of Wireless Ethical Hacking, Penetration Testing, and Defenses who will hack for sushi.
Improved Social Engineering Attacks
As it has been famously said, nothing is idiot proof because we keep making better idiots. Lenny Zeltser makes the following observation.
Attackers will increasingly make use of social-engineering tactics to bypass technological security controls, fine-tuning their techniques to exploit natural human predispositions. We've already seen such approaches succeed at influencing victims into clicking on questionable links, opening exploit-laden attachments, and installing malicious software. Economics of on-line crime will focus the attention of talented scam and con "artists" on Internet-based activities. Their techniques will take advantage of psychological factors, such as our desire to have more stuff, the need to comply with social norms, and the reliance we place on authority figures. This will bring us closer to merging the line between external and internal threat agents, because social engineering will allow external attackers to quickly gain an internal vantage point despite traditional perimeter security measures.
More organizations will adopt social media as a core aspect of their marketing strategy. They will struggle to balance the need to be active as part of on-line social communities while balancing compliance and litigation risks associated with such activities. Similarly, organizations will have a hard time controlling online social networking activities of their users. Attackers will continue to take advantage of the still-evolving understanding of online social networking safety practices to defraud people and organizations. Security vendors will position their products as solving all these problems; some of them will stand out by allowing organizations to granularly control and monitor on-line social networking activities, while being mindful of users' privacy expectations.
Editor's Comment: We are also starting to see these tools become more refined. On my Twitter account (www.twitter.com/stephennorthcut ) Twitter suggests who to follow and these are almost 100% security focused.
Securing The Human
Humans are the weakest link, regardless of how technology changes attackers know they can always hack employees. If you look at many of the predictions for 2011 they focus on how these human attacks will only grow in sophistication and numbers, and I could not agree more. Cyber attackers will always take the path of least resistance. What I think will change in 2011 is organizations and management will finally start doing something about it, they will begin to secure the human. At some point people will realize technology can do only so much, that the human issues must start getting addressed. 2011 and 2012 will be the year of the human.
For more information on human issues of information security, follow Lance Spitzner at his Securing the Human security awareness blog. Randy Marchany adds, "Security awareness programs such as the Securing the Human initiative will be the most effective long term solution to our security issues. Why? End users and small businesses are the target of security attacks, as mentioned in another prediction. Awareness helps reduce the effectiveness of security attacks and at the very least, allow end-users to detect an attack. End-user awareness increases the chances of customers not accepting vendor software with security flaws embedded in them."
You Have to Mention Smartphones!
You can't do a 2011-2012 security prediction without issuing a dire warning that some worm will eat all the iPhones and convert the Androids to bricks. However, the biggest issue seems to be apps with spyware. Even the apps that come loaded on your phone are likely to phone home, it is a sure thing with 3rd party apps. AT&T has proved they cannot be trusted by signing their customers up for Asurion road side assistance without even asking them. And it matters big time. Charlene Li, author of Groundswell, points out that two pieces of information will positively identify knowledge workers in the future, their email address and their mobile number. Claude Burns points out that younger people are using smartphones for almost everything and they strongly choose functionality over security or privacy. As they move up in organizations they will expect business functionality to be delivered to their smartphones. Nick Bilton, author of I live in the future & here's how it works points out that to be successful in the future we need to program content to be displayed at 1, 2 and 10 feet, for smartphones, desktop devices and big flat screens. Your smartphone knows where you are, has access to your email, appointments, phone contacts, it is part of the way you surf the web, soon you will be able to make purchases with it and it has very little security or privacy built into it.You don't need to be a futurist to call this one!
Barbara Filkins had an observation that is important. Asurion is best known as a cell phone insurance company. However, the tide will continue to shift so that the hardware becomes less of the value and the information stored on the device is the greater value. This is not a new trend, well over 20 years ago, Grace Hopper famously said, "Some day, on the corporate balance sheet, there will be an entry which reads, "Information"; for in most cases, the information is more valuable than the hardware which processes it." For the present, the wireless carriers and insurance companies are selling a lot of smartphone insurance policies, but they only cover hardware which is declining in value while the information becomes of greater value by the year to the owner, the wireless carrier, marketing firms and organized crime. Some of that information gets backed up, some may not. By 2012 we will start to see companies selling cloud phone back up solutions that back up data in the background just like they do for home computers. The interesting question is whether the insurance companies will spot this trend early enough to take advantage of it, or will they eventually lose market share by being the best buggy whip manufacturer in the business.
Memory Scraping Will Become More Common
What I believe Rich is referring to is RAM Scraping. This has been around for a long time, but is more aggressively targeting data such as credit card records, passwords, PIN's, keys, as of late. The reason they are successful is that they get around PCI/GLBA/HIPAA/ETC security requirements that data must be encrypted while in transit and at rest. Data in transit is decrypted on the system and often stored in memory during the lifetime of a process, or at least during a decryption routine. Depending on how a process cleans up after itself, it may stay resident even after the fact. The data is encrypted on the hard disk, but again, the RAM likely maintains the clear-text version of the data.
Browsers are notorious for leaving things sitting around in memory during web sessions. The RAM Scraping malware also targets encryption keys in memory to decrypt anything for session data to encrypted files. As far as the emerging security threat part, we are seeing RAM scraping more commonly now as attackers focus on client-side attacks, shifting away from server-side attacks. Browsers are often misconfigured, allowing malware to get onto a user's system, stealing credit card data and passwords. They are mostly an annoyance where if a customer or fraud department detects fraudulent transactions, the account must be credited and changed. This requires the banks to write-off these transactions, which can add up quickly. AV products can't keep up with the aggressive rate and polymorphic characteristics of this type of malware. We discover a ton of new malware every week, reverse it to some extent, and send the details to AV vendors to be added as a new signature. The other emerging component is the threat of RAM scraping malware targeting Point Of Sale (POS) systems. Note this trend was identified by Rich Mogull @rmogull and content provided by Stephen Sims who teaches Developing Exploits for Penetration Testers and Security Researchers for SANS when he is not playing in his Solid State Logic band.
Update 2/23/2011 Saw this article in Computerworld on the topic http://news.idg.no/cw/art.cfm?id=12E023D8-1A64-6A71-CEFC402BA0EC04F7
Compliance by Anton Chuvakin @Anton_Chuvakin
As many other observers noted, many of the security activities in 2010-2012 will still be defined by regulatory mandates such as PCI DSS, HIPAA/HITECH and others. This will be the case from the smallest (larger extent) to the largest (smaller extent of compliance influence) organizations. I'd love to predict that people will finally get the spirit of PCI DSS (data security) and not just the letter (assessment readiness), but it is a tall one to forecast.
So, PCI DSS will continue its march. In fact, I bet (like I predicted in 2008) PCI DSS frenzy will further spread down-market - there is so much more Level 3s and Level 4s compared to Level 1 merchants. Now they all take payment cards, they are all insecure - thus, they might all be 0wned! BTW, nowadays nobody is predicting that PCI momentum will fizzle, as some did in 2007-2008. While some people criticize it for specific requirements or missing things here and there, I still swear that those organizations who paid NO attention to security now do it ONLY because of PCI.
On the other hand, just as it was in 2008, ISO17799 (and its 2700x children), ITIL, COBIT frameworks likely won't be 'hot,' at least not in the US. Ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule. In fact, more will try to base their entire security program on PCI DSS. All this "comply-mancing" will bring both good and bad, as far as those organization’s ability to defend themselves from “bad stuff” is concerned. If you'd like more, go to Anton Chuvakin's 2010 security predictions or even Anton Chuvakin's 2020 security predictions.
Monitoring and Analysis Capability will increase, but not Enough
Monitoring capabilities will increase but lag behind the requirements to monitor and store. We have seen a ramp up in features and capabilities in the monitoring and analysis space, with Palantir, Netwitness, Xtractrr, and OSSEC making waves recently.
Regulators are going to ask for more log retention, and more log analysis. Next step, requiring you to take action based on the analysis. I also predict that along with instrumentation and analysis, we will see the growth of logs being used for business analytics.
Wireless Security Issues
Wireless adoption will continue, branching out into a larger number of purpose-focused protocols that fit the needs of individual technology. Wi-Fi technology will continue to grow, but other protocols will also emerge with widespread adoption suiting the needs of embedded technology with a variety of focus areas including ZigBee, WirelessHART and Z-Wave, as well as proprietary protocols. With this growing alternate wireless adoption, we're already seeing some of the past mistakes from earlier failed protocols repeated. Based on this exposure, and the trend of Wi-Fi failure and improvement, we'll see history repeating itself where vendors are quick to the market to capitalize on new opportunities, failing to critically examine the lessons from earlier wireless technologies.
- This prediction is by Josh Wright author of Wireless Ethical Hacking, Penetration Testing, and Defenses who will hack for sushi.
More Cloud Computing Issues
While there are many possible benefits to Cloud Computing, the honeymoon will end. Many organizations will soon discover that they do not have the flexibility they need for their businesses, and many others will discover that any security issues (from audit to compromise) are far more complex in the cloud.
And I (Stephen Northcutt) would like to add, people are going to realize cloud computing is pricey. We looked into it for a compute intensive application and blades were a lower cost alternative. Jerry Shenk, a SANS Industry Analyst, adds, "I just met with a client last week who is initiating a large business push right now. We had a meeting to discuss options and somebody threw out the idea of "doing it in the cloud". It was clear that nobody understood that this concept involves putting the related data on somebody else's network. The owner had previously stated rather emphatically that he wanted to be totally in contol of his own data and his own servers...basically, he wanted to build it, own it, manage it all in-house. He has looked into some "cloud options" and if his growth predictions are right, he's better off to build it himself." At SANS, we came to the same conclusion when we decided to build a new data center.
Many security professionals will come to terms with security risks of cloud computing. They will do so under pressure from the businesses they support, as companies will continue to migrate to cloud platforms. The infosec community will better understand cloud environments, while the technologies implementing cloud platforms will reach an acceptable level of maturity. Security professionals will continue to apply extra scrutiny to scenarios that involve processing sensitive or regulated data in shared cloud environments. Prediction by Lenny Zeltser who discusses security related to cloud security and other issues on his blog. Lenny leads a security consulting team and teaches how to analyze and combat malware.
The coming of the age of extreme disclosure
Wiki-leaks, backscatter scanners, FOIA revisited and the fallout. The next few years will bring a rapid increase in forces seeking to expose businesses and governments alike. This will cause a ratcheting down of information management policy, increased instrumentation, and massive litigation. This prediction is by Mike Poor.
Security Continues to become part of Virtual Infrastructure
As more and more organizations add virtualization technologies into their environment, particularly server and desktop virtualization, security will be more embedded in the native technologies, and less of an "add-on" after the implementation is complete. For server virtualization, new firewalls and monitoring capabilities are being integrated into some of the leading platforms now. For desktop virtualization, native integration with remote access technologies and client-side sandbox capabilities are common. Vendors will continue to push the envelope and offer new tools to enhance virtual environments, but virtualization platforms will evolve to easily allow existing security technologies to interoperate more natively, as well. In addition, security architecture design will be a "must have" element of virtual infrastructure planning and deployment, not a "nice to have". Prediction is by David Shackleford, author of SANS Virtualization Security Course.
Want Work? Be an Investigator!
As the quantity of e-records about business and personal activity skyrockets, the number of official audits and investigations will grow. And, the granularity of those probes will become ever more fine. We live in the AGE of INVESTIGATIONS. "Professional Investigator," is a smart career choice. Source Ben Wright.
- Ben Wright's Google Sidewiki Commentary on "Turning Web retailers into tax tattlers"
- Benjamin Wright's Blog
Forensics courses are the hottest selling courses at SANS right now with multiple sell outs. Do not know if the trend will hold all the way through 2011, but for right now Ben is spot on.
Desktop Virtualization to the Rescue
Desktop virtualization takes off for its ability to remove sensitive data from the new onslaught of personally owned devices from the iPhone/iPad to home computers that are now extensions of many organizations' networks. It also makes inroads as "sensitive" networks --that were supposed to be separate from the Internet all along-- use VDI to allow people to get out to the Internet and check email from machines on isolated networks. This trend may accelerate after a company gets sued for remotely wiping a personal device without the owner’s consent and/or the Department of Homeland Security gets the regulatory authority to fine companies that do not properly isolate “critical” networks. Prediction by Mason Pokladnik
Social Engineering to Deliver Malware Works as Good as it did in 2010, 2009, 2008 . . .
In 2011, I see a continuation of highly believable and well crafted email containing customized malware that exploit zero-day and well known vulnerabilities. The attacks will continue to be carefully planned and highly successful. Even cautious users will continue to get caught and most types of host protection will continue to fail protecting the users. Policies are becoming more restrictive and I see a shift to go back to a centrally managed the thin client to further put the client in a "box". It is no longer cost effective to just keep re-imaging workstations to cleanup a client. Guy Bruneau
More Blaming China
The good news is that an increasing amount of organizations will be more open about being compromised. The bad news is they will be blaming China every chance they get. It will be interesting to see how this helps or hurts the industry. Truly bitter-sweet.
The Final Word on Security Predictions in 2011/2012 by Raffael Marty
I believe that going forward, we will be dealing a ton with wireless devices. Just look at the hype around the iPad. There will be much more like that. In addition, the targeted attacks will keep us busy for a long long time to come, and I am not sure they will ever go away. It's just too hard to prevent all the spear phishing and such. I also believe that we will be facing a larger and larger problem with sites and users that do not follow the basic security setups; weak passwords, etc. In aggregate, those could turn out to be pretty huge problems. Just think about the cloud and how it enables many more people to do things, setup services, etc. If all those services are vulnerable to the most basic vulnerabilities, that's going to blow up. In fact, the cloud is going to bear a few interesting things: vulnerable base images, trojaned base images, weak setups, etc. The barrier of entry is almost too low for people.