
More to fear in 2012


Johannesburg, 01 Feb 2012

Advanced persistent threats, or military-grade attacks on commercial targets, will continue in 2012, alongside a few underlying trends.

So says Uri Rivner, head of New Technologies for Identity Protection at RSA, discussing what the ICT security landscape can expect in 2012. “We'll see the emergence of new state players interested in penetrating civilian corporations for the purpose of industrial espionage and theft of innovation as a field-levelling tool between Western states and developing countries.”

He adds that the segments most likely to be targeted for this purpose are pharmaceuticals, mining and energy, and consumer electronics.

According to him, cloud and mobility are the new enterprise frontier. “As such, we should expect an elevated interest by state players to infiltrate cloud service providers as well as smartphone and mobile OS makers.”

In addition, financially motivated cyber crime will continue to evolve, with the first attempts to create general-purpose data stealing Trojan kits for smartphones and tablets.

Hacktivism

Rivner says hacktivism has escalated to new levels, and the industry should expect a surge in high-profile hacktivism attacks. However, he says these attackers will select their targets more creatively and dynamically, following global news closely and attempting to cater for 'mainstream' public opinion about entities that 'deserve' to be targeted.

He adds that splinter groups following less 'mainstream' causes will also emerge this year. “In addition, there will be more focus on exposing sensitive data, which requires a deeper level of penetration, and less on denial of service/defacing of low-security Web sites, which requires lesser hacking talent. Denial of service will be mainly used to mask more covert penetration attempts.

“We will also see the first [hacking] attacks on mobile apps, especially in the Android market, instead of 'traditional' Web servers.”

He says the industry should also expect a high degree of disinformation in terms of attribution: hacktivism will be used to mask criminal or state-sponsored attacks.

In a similar fashion to hacktivism, but not as devastating as cyber terrorism, 2012 will see cyber skirmishes between nations, religious groups and other interest groups. “We will see a new class of cyber attacks motivated by patriotism or group affiliation. Unlike historic incidents (Estonia in 2007, Georgia in 2008) the attackers will claim responsibility and trigger retaliation by opposing hackers.”

Targeted attacks

Speaking of cyber attacks, Rivner says employees are now in the front line, as it is far easier to penetrate a network by hijacking a PC belonging to an employee than by staging a direct attack on a company's perimeter security. “In 2012, we'll see even more targeted 'spear phishing' attacks on specific employees within the enterprise, with advanced social engineering ploys to trick them into downloading malware.”

Rivner says that, over the last few years, Trojan and botnet operators have created highly specialised, extremely targeted tools that focus on new criminal use cases. He cites examples such as Qakbot, which infects PCs like a Trojan but then spreads inside the corporate network, looking for users connected to corporate online banking accounts; and Nimkey, a Trojan that singled out individual traders in CO2 emission permits, reaching its prey through publicly available reports in the national European registries and draining over EUR40 million from their carbon credit accounts.

“These sorts of specialised attacks are likely to continue, given the fact it is now more difficult to find 'low hanging fruit' that can be exploited by general purpose tools.”

On the topic of cyber terrorism, he says: “Attacks on critical infrastructure that have devastating, life-threatening physical ramifications, or cause widespread fear, are difficult to execute, but with the introduction of 'smart grid' utilities and remote-controlled transportation systems, they become high-profile targets.”

Defences

Rivner says traditional perimeter defences fail to prevent advanced threat intrusions, and traditional “security textbook principles” are difficult to maintain in a climate of IT consumerisation, greater mobility and rapidly expanding perimeters.

The industry is therefore developing a new defence doctrine that tries to confront the adversary inside the network. “The assumption is that the intruder is already in, and the focus shifts to using better inside-the-network detection systems that amplify weak signals and traces of malicious activity; creating more resilient networks that segregate data using virtualisation, slowing the attacker down; and establishing cyber intelligence capabilities in order to gain advanced knowledge on the actors likely to target the organisation.

“Encryption also continues to evolve and offers stronger protection against specific attack vectors such as brute force attacks against data at rest, which might include personally identifiable information, intellectual property or copyright-protected content,” says Rivner.

“Using end-to-end encryption is a requirement in any security environment. We're likely to see more use of 'tokenisation' of data, which means having a database of information that went through some level of transformation and cannot be used when stolen.”
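The tokenisation Rivner describes, where the stored database holds transformed values that are useless if stolen, is easiest to see in code. The following is an added example, not code from RSA or from the article; the vault class, the `tok_` prefix, the card numbers and the customer records are all constructed for illustration. It also shows the failure mode his earlier point about brute force against data at rest warns of: a deterministic, unsalted hash of a low-entropy value such as a card number is not a token, because an attacker who knows the issuer prefix can enumerate the remaining digits and reverse it.

```python
"""Vault-based tokenisation versus a brute-forceable hash 'token'.

Constructed example: the tokens, card numbers and records are made up.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TokenVault:
    """Maps random tokens to the original sensitive values.

    The vault is the only place the mapping exists, so it must be stored
    and access-controlled separately from the application database that
    holds the tokens. A stolen copy of that database reveals nothing.
    """
    _to_value: dict = field(default_factory=dict)
    _to_token: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        # Reuse an existing token so the same value always maps to one
        # token; the application can join or dedupe on it without ever
        # seeing the underlying value.
        if value in self._to_token:
            return self._to_token[value]
        while True:
            # 128 bits from the OS CSPRNG: the token has no mathematical
            # relationship to the value, so it cannot be reversed or
            # brute-forced without the vault itself.
            token = "tok_" + secrets.token_hex(16)
            if token not in self._to_value:
                break
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look the value back up; only vault-authorised code may call this."""
        return self._to_value[token]


def tokenize_record(vault: TokenVault, record: dict, fields: tuple) -> dict:
    """Return a copy of record with the named fields replaced by tokens."""
    out = dict(record)
    for name in fields:
        out[name] = vault.tokenize(record[name])
    return out


def naive_hash_token(value: str) -> str:
    """What NOT to do: an unsalted, deterministic hash is not a token."""
    return hashlib.sha256(value.encode()).hexdigest()


def brute_force_hash_token(digest: str, known_prefix: str,
                           unknown_digits: int) -> Optional[str]:
    """Recover a card number from its SHA-256 'token' given a known prefix.

    An attacker who knows the issuer prefix (public information) only has
    to enumerate the remaining digits; 10**unknown_digits hashes is
    trivial work, which is the brute-force-at-rest risk in practice.
    """
    for n in range(10 ** unknown_digits):
        candidate = known_prefix + str(n).zfill(unknown_digits)
        if naive_hash_token(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    customers = [  # constructed sample data
        {"name": "A. Example", "pan": "4111111111111111", "city": "Johannesburg"},
        {"name": "B. Example", "pan": "5500000000000004", "city": "Cape Town"},
    ]
    stored = [tokenize_record(vault, c, ("pan",)) for c in customers]
    print(stored)  # tokens only: a stolen copy contains no card numbers
    print(vault.detokenize(stored[0]["pan"]))
    # The naive hash approach is reversible in well under a second:
    digest = naive_hash_token("4111111111111111")
    print(brute_force_hash_token(digest, "411111111111", 4))
```

The design point is the separation: the application database keeps only `tok_...` strings, and the vault holding the mapping sits behind its own access controls and audit trail, so the attacker who "is already in" must compromise two systems rather than one. Deterministic hashing looks similar on the surface but collapses under exactly the brute-force attack the article mentions whenever the input space is small.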
