Security Watch

Securing 2010

Hackers will find ways to keep security experts busy. Keep your eye out for these eight.

• By Jabulani Leffall
• 12/23/2009

This year -- 2009 that is -- was filled with new awakenings and threats in the brave new world of IT security and Web-borne threats. From security breaches to historic patch releases from Microsoft, which this year -- 2009, that is -- fixed some 80 vulnerabilities in Windows operating systems, office applications and server programs.

By now, you’ve been deluged with recaps, so Security Advisor wants to take you forward into next year -- 2010, that is -- which will soon be this year... Get it?

Don't worry; you have a whole new year for new challenges and breakthroughs in security, according to ITSEC gadflies such as Randy Abrams, Director of Technical Education as at ESET.

Through various e-mails and conversations with Abrams and other security observers, there is plenty to learn and plenty to look forward to.

Apropos, here's a list of eight phenomena to look for in 2010. Why eight? Because I know you haven’t seen one of these yet this year. Everybody does a top 10 but, that’s right, we’re living on the edge.

1. Social media and engineering attacks will grow.
Spoofing and phishing have taken to social networks such as Facebook, MySpace and Twitter. Such incursions will be even more common in the months and years, and especially with Windows users. Why? Because Internet Explorer is still the most prevalent browser in the world.

"Part of this will be driven by adoption of Windows 7," said Abrams. "Computers sold with Windows XP, with a few exceptions, such as newer netbooks, are beginning to age and will be replaced with PCs that have Windows 7. The increased security in Windows 7 means that tricking the user is far more viable than exploiting the OS for most criminals.

2. Third-party applications will give users, Microsoft more headaches.
Most agree that Microsoft has done a swell job making improvements in operating systems security. This has driven hackers in the direction of third-party apps that sit on Windows. The biggest case in point of 2009 was continual problems with Adobe Systems products. Adobe Flash and Adobe Reader have had many bugs, so much so that the company has piggybacked its security update cycle along Redmond’s Patch Tuesday releases. Unfortunately, users are far less savvy about patching third-party applications and administrators are a lot less stringent with installing these hotfixes on programs that are seldom used but could be nonetheless harmful.

3. Internet service providers will begin to block infected systems.
Companies such as AT&T, Earthlink and Roadrunner are often spoofed and users are directed to fake services sites and then zapped with malware. Well, security experts say ISPs in the consumer sector and possibly those who serve the small and medium-sized business sector will begin to implement technologies to identify users who are infected and basically quarantine machines, whether or not a user is paying their bill. This could be problematic and something to watch for, given the fair trade practice implications.

"It will probably be a few years before these ISPs are the norm, rather than the exception," Abrams said. BBut still the prevalence of such practices will increase."

4. Increased data breaches and losses could parallel growth of cloud computing.
"For many years, the IT security community has discussed change. But change is no longer hypothetical -- it's real," said Torsten George, a vice president at security firm ActivIdentity.

Tech evangelist with their heads literally in the cloud would want to take heed to what George describes as ‘ "external threats of advanced cyber attack" and internal threats caused by disgruntled, negligent, or unaware employees.

"In this context, organizations should consider leveraging versatile authentication and credential management solutions which can be used across diverse communities," George said. "This includes citizens, employees, contractors, partners, suppliers, and customers that are affected by any given enterprise."

The appropriate level of system authentication, he said, should be put in place for each type of electronic transaction a business conducts.

5. More extortion-based software will be released.
Here's how this stuff works: Malware is released on your computer and you're re-routed to a Web page boasting a security solution that requires payment. It’s like holding your system for ransom and then charging you to get it back. On the back end, they get you twice by selling that credit card number to another party or using it themselves.

6. Virtualization is a vivacious path for seasoned hackers.
Much like the inception of the cloud, continued development of virtual PCs and servers will inevitably lead to hackers discovering weaknesses in such computer processing environments. This is one of those dark horses, though, because the system needs to be targeted where an attacker would need direct access to enterprise hardware in order to perform the action. The average hit-it-and-quit-it hacker will find this path of exploitation cumbersome, but not so much for a whiz-kid with malicious intent.

7. Why WiFi? Why not?
By the time you read this, there will be more people working remotely and more people transferring information through wireless networks and devices. Increased research into attacks on wireless networking and interception will make it more risky to conduct online shopping and banking over wireless connections. This will be especially true with the growth of mobile commerce (m-commerce) among businesses. A lot of the devices will have to run on browsers; hence, there's risk with cross-site scripting (XSS).

"I was very encouraged when Microsoft released IE 8 this year and it included XSS protection," said Zscaler's vice president of Security Research Michael Sutton. "For all of the heat that Microsoft takes for security vulnerabilities, they continue to be a leader when it comes to adding innovative security features and this was another example. I'm confident that other browser vendors have taken notice and will fall in line."

8. Patch management becomes an even bigger challenge.
This was and is number one on a lot of people’s lists and keep in mind, this list follows no discernable order.

The Conficker worm was the biggest case for patch management and deployment reform in recent years. It got Microsoft’s attention, as well as critics who say that such prevalent outbreaks are the reason IT administrators should either step up their patch games or vendors should find faster and newer ways to roll out hotfixes.

"Conficker and these types of vulnerabilities are a hotbed for worms and bot outbreaks," said Jason Miller, security and data team manager of Shavlik Technologies. "With the number of machines that were affected by a vulnerability that had a patch released months prior, the Conficker worm showed the world just how many organizations do not take patch management seriously."

Do have a Happy New Year and do take this list of eight seriously -- it's almost a guarantee that you will see one or all subjects come to prominence in 2010.