2010: The year of the cyberspy
Dan Kaplan, executive editor, SC Magazine
Truth be told, the IT security news cycle was slow to get cranking in 2010. Among the major headlines of the new year's first week: Microsoft's plans to release a single patch as part of its January security update.
But the slumber quickly lifted. On what was supposed to be an otherwise easy-going Patch Tuesday, arguably the biggest story of the year broke that same day when Google disclosed that its corporate systems – and those belonging to some 30 other well-known American brands – were compromised by Chinese hackers out to steal intellectual property. The cyber mercenaries leveraged a zero-day Internet Explorer vulnerability as part of an operation dubbed Aurora.
Immediately, it became quite clear that 2010 would be defined not by the highly publicized credit card breaches of past years, such as incidents at Heartland and TJX that were masterminded by Eastern European crime groups, but instead by espionage that could threaten the nation's security and economic welfare.
Cyberwar, meanwhile, moved from hypothetical to theoretical with the discovery of Stuxnet, considered by some to be the most sophisticated piece of malware ever created. What made the threat so worrisome was that it specifically targeted critical infrastructure systems that control facilities like power plants and oil refineries.
Crimeware remained in vogue, too. The Zeus trojan, despite a series of internationally coordinated police busts to cripple the operation, continued to siphon millions from small- and mid-sized organizations. These entities were left to foot the bill because banks – as of now – don't reimburse corporate accounts for unauthorized wire transfers.
2010 also brought infighting within the security community, sparked by a zero-day Microsoft bug publicly revealed by Google researcher Tavis Ormandy, who reignited the age-old debate on the best way that vulnerabilities should be disclosed to keep both vendors and researchers happy.
Cybercrime bills, as is typical, remained largely stalled in the face of legislation deemed more important. Compliance mandates, such as a new version of PCI DSS, continued to drive security. Several botnets were knocked offline, though spam continued. Concerns over social networking and, more generally, cloud security rose to new levels as more businesses embraced such platforms. And, despite a still-dull economy, consolidation was fierce, punctuated by Intel's $7.6 billion purchase of McAfee.
Busy year, after all.