A group of prominent security professionals forecast the most significant industry shifts in 2013. Greg Masters compiles the responses.
Q: What threat vectors will be most prominent?
Winn Schwartau: Mobile. Without question, mobile.
Jarno Limnéll: The world will experience more intentionally caused cyber attacks, and international debate on using cyber space for different purposes will increase. The development of highly sophisticated malware by state-sponsored organizations has the potential to radically affect the speed at which the wider threat landscape evolves. Cyber threats will be more unpredictable than ever before. Nation-states are taking cyber espionage more seriously, and accusations between countries will rise to more severe levels.
Our panel of prognosticators
Nick Cavalancia is SpectorSoft's VP of marketing.
George Bilbrey is co-founder and president of Return Path.
Steve Durbin is global executive vice president of the Information Security Forum.
Jeff Hudson is CEO of Venafi.
Ryan Hurst is the chief technology officer at GlobalSign.
Daniel Kennedy is a former Wall Street CISO and current research director of information security at 451 Research.
Rob Kraus is director of research, Solutionary Security Engineering Research Team (SERT).
Jarno Limnéll is director of cyber security at Stonesoft.
Winn Schwartau has appeared before Congress as an authority on cyber security, and has been a regular speaker at industry events, including SC Congress and DefCon.
Suzanna Schmeelk is a network security research scientist at LGS Innovations - Bell Labs in New Jersey.
Tatu Ylonen is CEO of SSH Communications Security and the inventor of SSH.
Steve Durbin: Today, we're seeing that C-level executives are increasingly being tasked with managing a widening range of company security risks. Most IT business decision-makers are not necessarily dealing with daily catastrophes, but are dealing with the challenge of creating a stable environment to reduce risk and the associated costs of doing so. But when things do go wrong, security challenges do occur. A thorough understanding of what happened and why is necessary to properly understand and respond not just to the incident, but also to the underlying risks associated with that incident.
George Bilbrey: The social engineering of email is a prominent threat vector. Email is becoming more attractive due to mobile – all of the education around how to identify phishing and spoofing messages only applies to a message seen on a desktop or in webmail. On mobile devices, all bets are off. Additionally, mobile consumption tends to be quick – users aren't taking the time to check email over closely to tell if it's phishing, increasing its effectiveness. And phishers are optimizing for mobile. In fact, it's actually easier for spammers and phishers to make an email message look legitimate on a mobile device.
Daniel Kennedy: Mobile is a chief concern for most of the security managers I speak with, and there's little doubt why, with the flood of employee-owned devices coming into their firms' systems environment. It speaks, in a larger sense, to the evolution of what will be the endpoint of the future, as what are now separate mobile device management and mobile application management and mobile security applications will converge as mobile devices potentially meet or overtake PCs as the primary business computing device.
Rob Kraus: We anticipate continued evolution of exploit kits and deployment of malware through targeted attacks, as well as an increase in the visibility to malware distributed via mobile platforms. Several significant advancements have been noted to the advanced exploitation capabilities and deployment of BlackHole Exploit kit, as well as other similar platforms.
Ryan Hurst: This year we saw a trend develop where foundational technologies on the internet that have been treated as largely solved problems became attack vectors. As we look at these issues, in every case we see that they could have been easily prevented by following industry best practices for use of the associated technologies. In several of these cases, the vulnerabilities that were being attacked were known for nearly a decade, and mitigations existed, yet they were still ignored. Recent examples include Flame.
I believe we will see this trend continue in 2013 because I have not seen the industry put in place the processes, procedures and toolsets that are necessary to address these risks.
Nick Cavalancia: By far, the greatest threat to security and compliance is BYOD. With no control over personal devices that have access to company data, applications and critical systems, organizations that are adopting BYOD are creating the greatest gap in their security model.
With BYOD, it will be easier than ever before for data to leave the organization, whether it be maliciously via a forwarded email, for example, or accidentally via lost or stolen tablet devices. These are just two examples – there are (and will prove to be) many more in 2013.
Suzanna Schmeelk: I think the rise of cloud computing will see an increase in novel threat vectors, particularly related to data leakage and denial-of-service, because attackers usually want information or want to deny other people service.
Tatu Ylonen: Engineered cyber warfare viruses. The Pandora's box has been opened, and “everyone” is scrambling to do their own.
Jeff Hudson: Attackers will escalate their assault where they find weak encryption keys and mismanaged certificates. Every enterprise relies on hundreds and even thousands of certificates and encryption keys, but few know where each one is and how they're used. Criminals know this and have only just begun their attacks. The techniques used by Stuxnet, Flame, and Duqu are now in the hands of common criminals and will be used for intellectual property theft and inflicting serious harm on enterprise systems.