Our panel of prognosticators
Craig Spiezle, executive director & president of Online Trust Alliance (OTA)
Randy Sanovic, owner of RNS Consulting; former general director, information security of General Motors
Spiezle (left): I expect to see continued targeting of the trusted supply chain, such as certificate authorities, content providers and the ad-supply chain and others. For example, Epsilon is just the tip of the iceberg. Email marketers are being attacked at increasing velocity. If they can compromise these trusted providers, it is game over downstream. I also expect a continued focus on the compromising of ad servers to serve malicious ads, which are unknowingly served by high trafficked websites (aka “malvertising”).
Sanovic: My first worry would be malicious hackers and bots. The environments that concern me most are mobile computing and social technology. For example, to somewhat secure Facebook could require at least 105 clicks, and most people, including the more technical-oriented, will not get it done. Because of the pervasiveness of mobile computing, and the fact that technological advances continue to outpace reasonable and prudent security fixes, I feel we will not be able to get “user friendly/capable” security solutions implemented in a timely fashion.
Mogull: What's prominent in terms of attacks? The same stuff as today: email and web phishing/social engineering. In the press releases? Whatever the vendors want to sell that you probably don't need: a lot of mobile device and cloud hype. I expect a lot of iOS headlines this year, and a lot of Mac hype. Not that Macs are immune, but the hype will far outweigh the number of people being compromised. And, while cloud security is important, most of what you'll see is “cloudwashing” of traditional security stuff. People will really have to keep hunting for the innovation (which is there, just not from your usual vendors).
Eschelbeck (left): The web is today's platform of choice for communication and interaction, and will undoubtedly continue to be the most prominent vector of attack. Cybercriminals tend to focus where the weak spots are, and use a technique until it becomes far less effective, as we saw with spam mail (which, while still present, is less popular with cybercriminals, as people have deployed highly effective gateways). The web remains the dominant source of distribution for malware – in particular malware using social engineering or targeting the browser and associated applications with exploits. Social media platforms and similar web applications have become hugely popular with the bad guys, a trend that is only set to continue over 2012.
Kennedy: Enterprises are concerned about trends associated with IT consumerization – personnel bringing in their own devices – and how to handle that in all of its manifestations (smartphones, laptops, etc.) while still protecting custodial and intellectual property data.
Craig Spiezle, executive director & president of Online Trust Alliance (OTA)
Randy Sanovic, owner of RNS Consulting; former general director, information security of General Motors
Rich Mogull, founder of Securosis
Gerhard Eschelbeck, CTO & SVP at Sophos
Daniel Kennedy, research director, TheInfoPro, a division of The 451 GroupQ
What threat vectors will be most prominent? Why?
Spiezle (left): I expect to see continued targeting of the trusted supply chain, such as certificate authorities, content providers and the ad-supply chain and others. For example, Epsilon is just the tip of the iceberg. Email marketers are being attacked at increasing velocity. If they can compromise these trusted providers, it is game over downstream. I also expect a continued focus on the compromising of ad servers to serve malicious ads, which are unknowingly served by high trafficked websites (aka “malvertising”). Sanovic: My first worry would be malicious hackers and bots. The environments that concern me most are mobile computing and social technology. For example, to somewhat secure Facebook could require at least 105 clicks, and most people, including the more technical-oriented, will not get it done. Because of the pervasiveness of mobile computing, and the fact that technological advances continue to outpace reasonable and prudent security fixes, I feel we will not be able to get “user friendly/capable” security solutions implemented in a timely fashion.
Mogull: What's prominent in terms of attacks? The same stuff as today: email and web phishing/social engineering. In the press releases? Whatever the vendors want to sell that you probably don't need: a lot of mobile device and cloud hype. I expect a lot of iOS headlines this year, and a lot of Mac hype. Not that Macs are immune, but the hype will far outweigh the number of people being compromised. And, while cloud security is important, most of what you'll see is “cloudwashing” of traditional security stuff. People will really have to keep hunting for the innovation (which is there, just not from your usual vendors).
Eschelbeck (left): The web is today's platform of choice for communication and interaction, and will undoubtedly continue to be the most prominent vector of attack. Cybercriminals tend to focus where the weak spots are, and use a technique until it becomes far less effective, as we saw with spam mail (which, while still present, is less popular with cybercriminals, as people have deployed highly effective gateways). The web remains the dominant source of distribution for malware – in particular malware using social engineering or targeting the browser and associated applications with exploits. Social media platforms and similar web applications have become hugely popular with the bad guys, a trend that is only set to continue over 2012. Kennedy: Enterprises are concerned about trends associated with IT consumerization – personnel bringing in their own devices – and how to handle that in all of its manifestations (smartphones, laptops, etc.) while still protecting custodial and intellectual property data.
