Five Security Predictions for 2012
Security market, policies, and threats in the year just begun.
With the beginning of the new year, I would like to share five security predictions for 2012. One year ago, I did the same for 2011 and, curiously enough, seven predictions out of seven proved to be correct.
Here are my forecasts about the security market, policies, and threats in the year just begun:
- Cybersecurity risk assessments will start to become a legal and litigation-avoidance requirement for SEC registrants
What disclosures should public companies make in the face of cyber security risks and incidents? On October 13, 2011 the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that gives registrants an overview of their disclosure obligations under current securities laws – some of which, according to the guidance, may require the disclosure of material cyber security risks and incidents in financial statements. Failing to do so could give stakeholders and regulators standing to hold executives responsible for losses. SEC registrants may therefore start to require cybersecurity risk assessments as a means of reducing their defensibility concerns;
- A smartphone or tablet near you will download a malware-laden app
In the year just begun, mobile devices will outship PCs by more than 2 to 1 and 85 billion apps will be downloaded. Platform diversity and economies of scale will lead cyber criminals to focus their exploits mostly on the operating system with the largest market share. Hence, we should expect to see mobile malware targeting Android, which now (3rd quarter, 2011) holds more than 50% of the market and keeps growing, quarter after quarter. In June, Google pulled malware-infested smartphone apps from its Android Market for the second time in several months. This is going to happen again and again, unless effective anti-malware mechanisms are built into the market platforms;
- The growth of mobile devices, the costs of mobile malware on carriers and platform owners, and the Windows 8 built-in anti-virus will force security vendors to reposition
Attackers will exploit the vulnerabilities exposed by the increased attack surface and network size, raising the cost of mobile threats for carriers and platform owners. In fact, on mobile networks security is not an externality - it costs mobile market players money: malware infections on smartphones generate calls to the carrier's support center and visits to the outlet stores. In turn, these aligned incentives will lead platform developers to build security in and to bundle security mechanisms with mobile devices as value-added features. All of the above, coupled with Microsoft's decision to ship Windows 8 with built-in anti-virus software, will result in security vendors overhauling their strategies and product ranges. Factors to be considered include the degree to which a given anti-virus vendor relies on consumer sales, and the market share of the mobile platforms;
- More location-privacy concerns
Over the last year, there was a lot of attention on location-privacy threats. Earlier this year, the iPhone was reported to track our movements - the matter even reached the U.S. Senate. Later, a design fault in the Westfield malls app allowed anyone with an Internet connection and some programming skills to track the comings and goings of every single vehicle in one of the country's busiest shopping centres. More recently, in a talk at the 28th Chaos Communication Congress, Karsten Nohl and Luca Melette highlighted that the German LEAs used half a million "Silent SMS" to track suspects in 2010 - this is something I may write more about in future blog posts.
This is only the beginning. In the upcoming year, we should expect more concern about the disclosure of location data and surreptitious tracking. As more researchers and incidents showcase the possibilities, location privacy will become an increasing concern for users and, later, for legislators. In the coming years, we will see products giving mobile users the means to better meet their location-privacy needs;
- Social media and rogue anti-virus will increasingly be used by criminals in social engineering attacks
As social media is increasingly adopted by people and businesses, we should expect on-line scam perpetrators and cyber criminals to rely increasingly on social media as an additional channel for fraudulent activities that exploit our psychological traits.
According to an online survey by Gartner, 50% of the US- or UK-based companies with 50+ employees surveyed (4,321 in total) now have a social media presence, with video dominating social media tool adoption, Twitter gaining traction for customer service, and respondents showing interest in FourSquare 6 to 12 months out.
Cyber criminals will also use rogue anti-malware for the same malicious purposes, and with the release of Windows 8, expected by the end of 2012, they will be happy to update the templates for their bogus alerts.