It’s that time of the year again, the bit right near the end where we start wondering if next year could possibly be any worse than this. (Bah humbug! Ed.) For those of us involved in any way with IT security the hope is, of course, that the answer will be no. One way of helping to ensure this is to have a good idea of what the emerging security threats will be.
While nobody could have foreseen the ongoing hacktivist attacks that have followed the political storm of the Wikileaks affair, for example, it’s a little bit easier to spot the kind of generic security issues that are most likely to shape the threat landscape in 2011. Here are my predictions, in no particular order as all security threats should be treated equally seriously, for the coming year:
1. Stuxnet will change things
Governments will start taking IT security more seriously, thanks to the perceived critical infrastructure risk following the Stuxnet attack on Iranian nuclear plants. Although this failed to do any serious damage, it did highlight the potential of these sophisticated threats that can target specific logic controllers rather than the carpet bombing of networks and servers.
With increased spending and research at government and military IT laboratories, there will be a trickle-down effect in terms of intelligence. This should lead to better security products and services in the long term, although the same process could also lead to increased regulation and compliance regimes which might have a negative impact on the day-to-day administration of IT security for enterprises like the NHS (auditing and reporting, for example).
2. The mobile threat will escalate
Smartphones are becoming smarter, tablets are becoming more commonplace and the bad guys are becoming more aware of the opportunities both to target these mobile devices themselves and also to use them as a lever to force a way into the networks they communicate with. As more and more health-related apps appear, so ever more medical staff will be inclined to use them and ever more bad guys will look to exploit them by installing malware or spyware alongside.
It’s more essential than ever that only authorised software is allowed to be used on mobile work devices, and only authorised mobile devices are allowed access to the network. It’s also just as important that staff are educated so as to be aware that the same care needs to be taken with personal and patient data when using a mobile device as when using a desktop terminal. Size really doesn’t matter as far as IT security is concerned.
Finally, there are the physical security issues of smartphone and tablet use. Just as we have had a plethora of media reports regarding lost and stolen USB drives packed with confidential data, so we are likely to see the same concerning lost and stolen tablets and smartphones unless the physical side of mobile security is properly addressed.
3. Computer crime will get more organised
Investment in call-centre style social engineering outfits will continue as long as such operations are seen to be profitable. This type of scam was exemplified by the 2010 ‘Microsoft Support’ con where victims were called at home and told that their computers were infected; of course, if they took the bait they soon were.
I expect to see criminal organisations become much more organised at computer crime during 2011, and that will include much better targeting when it comes to attack vectors. From spear-phishing to sophisticated malware attacks, the NHS is a gold mine of hugely attractive and valuable personal data. You can expect socially engineered attacks to become more focused on bypassing the technological measures installed to protect that data. As in 2010, humans will remain the weakest link in the security chain during 2011.
4. Scams will become more social
As well as social engineering, there’s also the continuing popularity of social media within the NHS to worry about. More to the point, there’s the lack of an adequate educational and strategic response to this growth to worry about.
As more staff use social media for both authorised and unauthorised purposes, in the workplace and at home, the danger is that data leakage will be harder to prevent unless staff are properly educated on the risks involved and the potential consequences of failing to address them. 2011 could prove to be a tipping point for such risks as staff know plenty about using social networks but their understanding of social safety is still evolving.
5. Wireless will get stronger and weaker at the same time
The adoption of WiFi will continue to get stronger, with a greater reliance on wireless devices around NHS establishments. At the same time, WiFi security is likely to get weaker. Why so? Well, mainly because those who would like your data on a plate are not sitting still. It was almost exactly two years ago, on these very pages, that I warned about commercially available Russian software which enables anyone to hook up powerful Nvidia graphics cards and use the combined GPU power of these things to accelerate the cracking of WPA encryption on a budget.
Stuff a couple of these cards (each capable of processing hundreds of billions of fixed-point calculations per second) into a PC with 1GB of onboard memory per card; then link a few of those PCs together and you can become a supercomputing bad-ass for no more than a couple of thousand pounds. That’s peanuts to the real bad guys. Just to add to the wireless woes, earlier this year Japanese researchers managed to break WPA encryption in less than sixty seconds from start to finish. WPA2 remains a secure base level for WiFi encryption, but for how long is anyone’s guess…
6. The cloud will become clearer
I forecast that security issues surrounding, and in many cases holding back, the adoption of cloud computing will start to melt away as the benefits of doing business in the cloud will start to be matched by a better understanding of how to secure data within it. Private clouds will come to the fore, especially in security know-how, and 2011 could be the year that such private clouds start to gain acceptance within the health sector.
It has to be said, public clouds are quite another matter and I suspect we are still some way off from seeing NHS data floating around within a public cloud environment.
7. Blended threats will still work
It’s certainly not new for 2011, but the kind of blended threat that we saw being successfully implemented this year shows no sign of being diluted next year. A blended threat, as the name suggests, comprises many different attack vectors all blended into a single thrust. So you might get an attack which starts by email and then moves to the web via some link-clicking, or starts with a telephone call and then moves online. Expect more blending of social media and mobile platforms in 2011, to exploit the popularity and convergence of both.
8. Watch out for the Man in the Browser
MitB attacks, also known as Man in the Browser or Proxy Trojan attacks, will gather pace in 2011. We have already seen these put to good use by the likes of the hugely widespread Zeus Trojan, for example. A MitB attack most commonly sees additional fields injected into HTML forms, with requests and replies being intercepted. To the infected end-user, all appears to be normal; meanwhile the bad guys are scraping away all the personal information that is being entered.
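One server-side check that follows from the injected-fields behaviour described above, as an added example that is not part of the original article: compare the field names a form submission carries against the fields the server actually rendered. The field list, the function name `auditFormSubmission` and the sample request bodies are assumptions constructed for illustration.

```javascript
// Added example: server-side audit of a form POST for fields the server never rendered.
// EXPECTED_FIELDS and both sample bodies are constructed for illustration.
const EXPECTED_FIELDS = new Set(["username", "password", "csrf_token"]);

// Parse an application/x-www-form-urlencoded body and compare the submitted
// field names against the set of fields the genuine form contains.
function auditFormSubmission(rawBody, expected = EXPECTED_FIELDS) {
  const params = new URLSearchParams(rawBody);
  const seen = new Map(); // field name -> number of times it was submitted
  for (const [name] of params) {
    // Normalise case and whitespace so "PIN " and "pin" count as one name.
    const key = name.trim().toLowerCase();
    seen.set(key, (seen.get(key) || 0) + 1);
  }
  // Fields the browser sent that the server never put in the form.
  const unexpected = [...seen.keys()].filter((k) => !expected.has(k)).sort();
  // Fields the form contains that did not come back.
  const missing = [...expected].filter((k) => !seen.has(k)).sort();
  // Fields submitted more than once, e.g. a cloned input.
  const duplicated = [...seen].filter(([, n]) => n > 1).map(([k]) => k).sort();
  return {
    unexpected,
    missing,
    duplicated,
    suspicious: unexpected.length > 0 || duplicated.length > 0,
  };
}

// Constructed sample: what the genuine login form posts.
const cleanBody = "username=jsmith&password=s3cret&csrf_token=abc123";
// Constructed sample: the same form after extra fields were injected in the browser.
const injectedBody =
  "username=jsmith&password=s3cret&csrf_token=abc123" +
  "&card_pin=1234&mothers%20maiden%20name=Jones";

console.log(auditFormSubmission(cleanBody));
console.log(auditFormSubmission(injectedBody));
```

This only catches injected fields that reach the legitimate server; a trojan that sends the extra values elsewhere and strips them before submission leaves the request looking clean, so the check is one signal among several rather than a complete defence.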
That’s it for this year – which only leaves me to wish you a very happy Christmas and a safe and prosperous new year…