One of the great unintended consequences of my job, having covered the IT security space for nearly four years, is my great inability to accurately gauge the awareness that mainstream America has for cyber-risks.
I am so immersed in the topic, covering stories on a daily basis, writing about the vast array of vulnerabilities and breaches, legislation and lawsuits, phishing and spam, arrests and prosecutions, that I often forget infosec is not your typical cocktail party material.
But while I am certain that most of my friends and family aren't aware of even a small percentage of the digital threats out there today, I do believe that they are catching on to the problem, bit by bit.
The tipping point is still not here -- just last night, for example, I was borrowing a friend's laptop and noticed it didn't have active AV protection. She didn't seem too pressed to fix the problem.
Part of the blame for this apathy could be sheer risk/reward. Why accept security advice when the rational economic move is to ignore it, as a Microsoft researcher recently wrote about? Not to mention, attacks are more targeted these days (meaning nobody notices the threats out there), and banks are pretty good at reimbursing you if you do happen to fall victim to financial fraud.
Still, each year, cognizance grows.
So, with that said, here is SC Magazine's token summation of 2010 threat predictions, compiled through the dozens of emails we received from the Nostradamuses of the IT security community.
- Social networking threats: Experts seem to be in across-the-board agreement that cybercrooks are going to increasingly target these new media platforms to push their wares. Also, organizations will have to worry that their end-users will leak sensitive information. I mean, this makes sense. And it's been happening already. After all, where else can you find 350 million people chilling out on a website?
- Windows 7: Well, that whole Vista thing didn't go over so well, but all signs seem to be pointing to much higher adoption of the next iteration of the Microsoft OS. So that means cybercrooks will begin targeting this platform.
- New platforms: No surprises here. Take your pick. Mobile devices, though, seem the likeliest candidate -- yet some experts seem unconvinced. Still, one has to believe that once people are actively using these smartphones to make transactions, the bad guys will be riding right along.
- Apple: I'll believe that the Mac OS has become a viable target when the PR folks in Cupertino start returning my phone calls. Next...
- Peer-to-peer malware/data leakage: This seems more plausible, and we saw some examples of it this year. But, with increased organizational awareness of the dangers of file-sharing networks, and a focus around this on Capitol Hill, one is foolish to expect an epidemic.
- HTML5/IPv6: Updated web language and increased address space have some believing that these new technologies are going to be abused. But adoption may not come in 2010. I'm sure this will be on the list next year, as well.
Other mentions: Continued targeted attacks via socially engineered malware, such as banking trojan Zeus (Zbot); search engine poisoning; cloud computing risks; and botnet infrastructure innovations.
The news, though, is not all doom-and-gloom. One interesting prediction from McAfee suggests that the threat of rogue anti-virus will actually drop now that "the fake anti-virus market has...been saturated and the profits for cybercriminals have fallen."
With all this said, I wish you all a Happy New Year, and look forward to talking about cybercrime over a cocktail with you in 2010. Or 2011.