Brian Pennington

A blog about Cyber Security & Compliance


Kaspersky Lab

6 Experts predict the IT security and compliance issues and trends for 2013

Everyone has an opinion on what could be around the corner, some are based on extensive research and market trends, and some are based on customer expectations and experience.

Rather than bore you with my predictions I thought I would extract the predictions of several vendors and a distributor and put them into one single post so it is easier to see trends and when we get to the end of the year we can see if they were right.

The 6 specialist predictors this year are from the following organisations:

  1. Wick Hill
  2. Websense
  3. WatchGuard
  4. Kaspersky
  5. Fortinet
  6. Sophos

Wick Hill Group’s Ian Kilpatrick delivers his top five trends for 2013

  1. BYOD. “BYOD was arguably the biggest buzz word of 2012 and is now an unstoppable, user-driven wave which will continue to make a major impact on the IT world in 2013 and beyond. Smartphones, tablets and laptops all come under this category, as well as desktop PCs used remotely from home. BYOD is a transformative technology and 2013 will see companies trying to integrate it into their networks. While tactical needs will drive integration, strategic requirements will become increasingly important.
  2. Mobile Device Management. The very rapid growth of mobile devices such as smartphones, tablets and laptops, but particularly smartphones, led to concerns about their management and security in 2012. With employees using their smartphones for both business and personal use, the security and management issues became blurred. Mobile Device Management solutions were a strong growth area in 2012, which will accelerate in 2013.
  3. High density wireless. Wireless requirements have been significantly incrementing over the last year and this trend will continue in 2013. BYOD has changed both the data transfer and performance expectations of users.
  4. Data back-up and recovery. While large organisations have always been at the forefront of back-up and recovery, data centres and big data have put significant demands on them during 2012. Alongside that, smaller organisations have been under immense pressures from ever increasing data volumes, archiving and compliance requirements.
  5. Data leakage protection. With growing volumes of data and with regulatory bodies increasingly prepared to levy fines for various non-compliance issues, data leakage protection will continue to be a major cause for concern during 2013. Companies will be looking closely at how to secure and manage their data as their network boundaries spread even wider, with increased use of social networking and BYOD, increased remote access, the rapid growth of wireless, increased virtualisation and the move towards convergence.

Websense’s 2013 Security Predictions (the link also contains a video clip explaining the predictions).

  1. Cross-Platform Threats. Mobile devices will be the new target for cross-platform threats.
  2. Malware in App Stores. Legitimate mobile app stores will host more malware in 2013
  3. Government-sponsored attacks. Government-sponsored attacks will increase as new players enter.
  4. Bypass of Sandbox Detection. Cybercriminals will use bypass methods to avoid traditional sandbox detection
  5. Next Level Hacktivists. Expect Hacktivists to move to the next level as simplistic opportunities dwindle
  6. Malicious Emails. Malicious emails are making a comeback.
  7. CMS Attacks. Cybercriminals will follow the crowds to legitimate content management systems and web platforms.

WatchGuard Technologies reveals its annual security predictions for 2013

  1. A Cyber Attack Results in a Human Death
  2. Malware Enters the Matrix through a Virtual Door
  3. It’s Your Browser – Not Your System – that Malware Is After
  4. Strike Back Gets a Lot of Lip Service, but Does Little Good
  5. We’ll pay for Our Lack of IPv6 Expertise
  6. Android Pick Pockets Try to Empty Mobile Wallets

Additionally WatchGuard believes:

  1. An Exploit Sold on the “Vulnerability Market” Becomes the Next APT
  2. Important Cyber Security-Related Legislation Finally Becomes Law

“2012 was an eye-opening year in cyber security as we saw the number of new and more sophisticated vulnerabilities rise, impacting individuals, businesses and governments,” said WatchGuard Director of Security Strategy Corey Nachreiner, a Certified Information Systems Security Professional (CISSP). “This is a year where the security stakes reach new heights, attacks become more frequent and unfortunately more damaging as many organizations suffer attacks before taking measures to protect themselves from the bad guys.”

Kaspersky Lab’s Key Security Predictions for 2013

The most notable predictions for the next year include the continued rise of targeted attacks, cyber-espionage and nation-state cyber-attacks, the evolving role of hacktivism, the development of controversial “legal” surveillance tools and the increase in cybercriminal attacks targeting cloud-based services

  1. Targeted attacks on businesses have only become a prevalent threat within the last two years. Kaspersky Lab expects the amount of targeted attacks, with the purpose of cyber-espionage, to continue in 2013 and beyond, becoming the most significant threat for businesses. Another trend that will likely impact companies and governments is the continued rise of “hacktivism” and its concomitant politically-motivated cyber-attacks.
  2. State-sponsored cyber warfare will undoubtedly continue in 2013. These attacks will affect not only government institutions, but also businesses and critical infrastructure facilities.
  3. In 2012 an on-going debate took place on whether or not governments should develop and use specific surveillance software to monitor suspects in criminal investigations. Kaspersky Lab predicts that 2013 will build on this issue as governments create or purchase additional monitoring tools to enhance the surveillance of individuals, which will extend beyond wiretapping phones to enabling secret access to targeted mobile devices. Government-backed surveillance tools in the cyber environment will most likely continue to evolve, as law-enforcement agencies try to stay one step ahead of cybercriminals. At the same time, controversial issues about civil liberties and consumer privacy associated with the tools will also continue to be raised.
  4. Development of social networks, and, unfortunately, new threats that affect both consumers and businesses have drastically changed the perception of online privacy and trust. As consumers understand that a significant portion of their personal data is handed over to online services, the question is whether or not they trust them. Such confidence has already been shaken following the wake of major password leaks from some of the most popular web services such as Dropbox and LinkedIn. The value of personal data – for both cybercriminals and legitimate businesses – is destined to grow significantly in the near future.
  5. 2012 has been the year of the explosive growth of mobile malware, with cybercriminals’ primary focus being the Android platform, as it was the most popular and widely used. In 2013 we are likely to see a new alarming trend – the use of vulnerabilities to extend “drive-by download” attacks on mobile devices. This means that personal and corporate data stored on smartphones and tablets will be targeted as frequently as it is targeted on traditional computers. For the same reasons (rising popularity), new sophisticated attacks will be performed against owners of Apple devices as well.
  6. As vulnerabilities in mobile devices become an increasing threat for users, computer application and program vulnerabilities will continue to be exploited on PCs. Kaspersky Lab named 2012 the year of Java vulnerabilities, and in 2013 Java will continue to be exploited by cybercriminals on a massive scale. However, although Java will continue to be a target for exploits, the importance of Adobe Flash and Adobe Reader as malware gateways will decrease as the latest versions include automated update systems for patching security vulnerabilities.

Costin Raiu, Director of Global Research & Analysis Team Kaspersky Lab said, “In our previous reports we categorised 2011 as the year of explosive growth of new cyber threats. The most notable incidents of 2012 have been revealing and shaping the future of cyber security. We expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure. The most notable trends of 2013 will be new example of cyber warfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.”

Fortinet’s FortiGuard Labs Reveals 2013 Top 6 Threat Predictions

  1. APTs Target Individuals through Mobile Platforms. APTs also known as Advanced Persistent Threats are defined by their ability to use sophisticated technology and multiple methods and vectors to reach specific targets to obtain sensitive or classified information. The most recent examples include Stuxnet, Flame and Gauss. In 2013 we predict we’ll see APTs targeted at the civilian population, which includes CEOs, celebrities and political figures. Verifying this prediction will be difficult, however, because after attackers get the information they’re looking for, they can quietly remove the malware from a target device before the victim realizes that an attack has even occurred. What’s more, individuals who do discover they have been victims of an APT will likely not report the attack to the media. Because these attacks will first affect individuals and not directly critical infrastructure, governments or public companies, some types of information being targeted will be different. Attackers will look for information they can leverage for criminal activities such as blackmail; threatening to leak information unless payment is received.
  2. Two Factor Authentication Replaces Single Password Sign on Security Model. The password-only security model is dead. Easily downloadable tools today can crack a simple four or five character password in only a few minutes. Using new cloud-based password cracking tools, attackers can attempt 300 million different passwords in only 20 minutes at a cost of less than $20 USD. Criminals can now easily compromise even a strong alpha-numeric password with special characters during a typical lunch hour. Stored credentials encrypted in databases (often breached through Web portals and SQL injection), along with wireless security (WPA2) will be popular cracking targets using such cloud services. We predict next year we’ll see an increase in businesses implementing some form of two-factor authentication for their employees and customers. This will consist of a Web-based login that will require a user password along with a secondary password that will either arrive through a user’s mobile device or a standalone security token. While it’s true that we’ve seen the botnet Zitmo recently crack two-factor authentication on Android devices and RSA’s SecurID security token (hacked in 2011), this type of one-two punch is still the most effective method for securing online activities.
  3. Exploits to Target Machine-to-Machine (M2M) Communications. Machine-to-machine (M2M) communication refers to technologies that allow both wireless and wired systems to communicate with other devices of the same ability. It could be a refrigerator that communicates with a home server to notify a resident that it’s time to buy milk and eggs, it could be an airport camera that takes a photo of a person’s face and cross references the image with a database of known terrorists, or it could be a medical device that regulates oxygen to an accident victim and then alerts hospital staff when that person’s heart rate drops below a certain threshold. While the practical technological possibilities of M2M are inspiring as it has the potential to remove human error from so many situations, there are still too many questions surrounding how to best secure it. We predict next year we will see the first instance of M2M hacking that has not been exploited historically, most likely in a platform related to national security such as a weapons development facility. This will likely happen by poisoning information streams that transverse the M2M channel — making one machine mishandle the poisoned information, creating a vulnerability and thus allowing an attacker access at this vulnerable point.
  4. Exploits Circumvent the Sandbox. Sandboxing is a practice often employed by security technology to separate running programs and applications so that malicious code cannot transfer from one process (i.e. a document reader) to another (i.e. the operating system). Several vendors including Adobe and Apple have taken this approach and more are likely to follow. As this technology gets put in place, attackers are naturally going to try to circumvent it. FortiGuard Labs has already seen a few exploits that can break out of virtual machine (VM) and sandboxed environments, such as the Adobe Reader X vulnerability. The most recent sandboxing exploits have either remained in stealth mode (suggesting that the malware code is still currently under development and test) or have actively attempted to circumvent both technologies. Next year we expect to see innovative exploit code that is designed to circumvent sandbox environments specifically used by security appliances and mobile devices.
  5. Cross Platform Botnets In 2012. FortiGuard Labs analyzed mobile botnets such as Zitmo and found they have many of the same features and functionality of traditional PC botnets. In 2013, the team predicts that thanks to this feature parity between platforms, we’ll begin to see new forms of Direct Denial of Service (DDoS) attacks that will leverage both PC and mobile devices simultaneously. For example, an infected mobile device and PC will share the same command and control (C&C) server and attack protocol, and act on command at the same time, thus enhancing a botnet empire. What would once be two separate botnets running on the PC and a mobile operating system such as Android will now become one monolithic botnet operating over multiple types of endpoints.
  6. Mobile Malware Growth Closes in on Laptop and Desktop PCs. Malware is being written today for both mobile devices and notebook/laptop PCs. Historically, however, the majority of development efforts have been directed at PCs simply for the fact that there are so many of them in circulation, and PCs have been around a much longer time. For perspective, FortiGuard Labs researchers currently monitor approximately 50,000 mobile malware samples, as opposed to the millions they are monitoring for the PC. The researchers have already observed a significant increase in mobile malware volume and believe that this skewing is about to change even more dramatically starting next year. This is due to the fact that there are currently more mobile phones on the market than laptop or desktop PCs, and users are abandoning these traditional platforms in favor of newer, smaller tablet devices. While FortiGuard Labs researchers believe it will still take several more years before the number of malware samples equals what they see on PCs, the team believes we are going to see accelerated malware growth on mobile devices because malware creators know that securing mobile devices today is currently more complicated than securing traditional PCs.

Sophos think the following five trends will factor into the IT security landscape in 2013

  1. Basic web server mistakes. In 2012 we saw an increase in SQL injection hacks of web servers and databases to steal large volumes of user names and passwords. Targets have ranged from small to large enterprises with motives both political and financial. With the uptick in these kinds of credential-based extractions, IT professionals will need to pay equal attention to protecting both their computers as well as their web server environment
  2. More “irreversible” malware. In 2012 we saw a surge in popularity and quality of ransomware malware, which encrypts your data and holds it for ransom. The availability of public key cryptography and clever command and control mechanisms has made it exceptionally hard, if not impossible to reverse the damage. Over the coming year we expect to see more attacks which, for IT professionals, will place a greater focus on behavioral protection mechanisms as well as system hardening and backup/restore procedures
  3. Attack toolkits with premium features. Over the past 12 months we have observed significant investment by cybercriminals in toolkits like the Blackhole exploit kit. They’ve built in features such as scriptable web services, APIs, malware quality assurance platforms, anti-forensics, slick reporting interfaces, and self protection mechanisms. In the coming year we will likely see a continued evolution in the maturation of these kits replete with premium features that appear to make access to high quality malicious code even simpler and comprehensive
  4. Better exploit mitigation. Even as the number of vulnerabilities appeared to increase in 2012—including every Java plugin released for the past eight years—exploiting them became more difficult as operating systems modernized and hardened. The ready availability of DEP, ASLR, sandboxing, more restricted mobile platforms and new trusted boot mechanisms (among others) made exploitation more challenging. While we’re not expecting exploits to simply disappear, we could see this decrease in vulnerability exploits offset by a sharp rise in social engineering attacks across a wide array of platforms
  5. Integration, privacy and security challenges. In the past year mobile devices and applications like social media became more integrated. New technologies—like near field communication (NFC) being integrated in to these platforms—and increasingly creative use of GPS to connect our digital and physical lives means that there are new opportunities for cybercriminals to compromise our security or privacy. This trend is identifiable not just for mobile devices, but computing in general. In the coming year watch for new examples of attacks built on these technologies.

Sophos “The last word, Security really is about more than Microsoft. The PC remains the biggest target for malicious code today, yet criminals have created effective fake antivirus attacks for the Mac. Malware creators are also targeting mobile devices as we experience a whole new set of operating systems with different security models and attack vectors. Our efforts must focus on protecting and empowering end users—no matter what platform, device, or operating system they choose”

For a retrospective view why not ready my post from last year “7 experts predict the IT security and compliance issues and trends of 2012


Advance malware threats are growing at an alarming rate

FireEye have published their Advanced Threat Report for the first half of 2012. The results are based on their knowledge of Advanced Persistent Threats and the rest of the malware market.

Their key findings are:

  • Organizations are seeing a massive increase in advanced malware that is bypassing their traditional security defenses.
  • The patterns of attack volumes vary substantially among different industries, with organizations in healthcare and energy/utilities seeing particularly high growth rates.
  • The dangers posed by email-based attacks are growing ever more severe, with both link and attachment-based malware presenting significant risks.
  • In their efforts to evade traditional security defenses, cybercriminals are increasingly employing limited-use domains in their spear phishing emails.
  • The variety of malicious email attachments is growing more diverse, with an increasing range of files evading traditional security defenses.

Finding 1: Explosion in Advanced Malware Bypassing Traditional Signature-Based Defenses

The malicious advanced malware organizations have to contend with has grown dramatically, not just in terms of volume, but in its effectiveness in bypassing traditional signature-based security mechanisms. On average, organizations are experiencing a staggering 643 Web-based malicious events each week, incidents that effectively penetrate the traditional security infrastructure of organizations and infect targeted systems.

This figure includes file-based threats that are delivered over the web and email. File-based threats can be malicious executables, or files that contain exploit s targeting vulnerabilities in applications. They are downloaded directly by users, via an exploit, or links in emails. The statistic of 643 infections per week does not include callback activities, which largely happen over the Web.

Compared to the second half of 2011, the number of infections per company rose by 225% in the first half of 2012. If you compare the first six months of 2011 with the first six months of 2012, the increase seen is even larger at 392%.

These figures are not the total found in the so-called “wild”, but are the number of Web-based infections that successfully evaded organizations’ existing security defenses, such as next-generation firewalls and AV.

  • Users remain very susceptible to clicking on malicious links, especially when those links exploit social engineering tactics.
  • Embedding malicious code within Hypertext Transfer Protocol (HTTP) traffic is proving effective at bypassing traditional security mechanisms.
  • As a result of these two dynamics, cybercriminals see that their tactics are working, so the number of attacks they launch continues to grow

Explosive Growth in Advanced Malware Infections

  • Growth from 2H 2011 to 1H 2012: 225%
  • Growth from 1H 2011 to 1H 2012: 392%

Finding 2: Patterns of Attacks Vary Substantially by Industry—Attacks on Healthcare up 100%, 60% in Energy/Utilities

When assessing the average number of incidents that evade traditional security defenses, patterns and trends vary substantially across industries. For the most part, each industry experiences peaks in attack volumes at different times.

A couple of industries that are prone to high incidents were excluded from this report. Education was excluded since little, if any, control can be had over student systems and in general students are surfing more and visiting more risky sites. Also government was excluded since it is common for government agencies to receive data from FireEye but not send information back to FireEye.

The figures below illustrate the monthly incidents, including inbound attacks as well as outbound exfiltration and communication attempts. These incidents were identified by the FireEye MPS appliances deployed globally within the networks of customers and technology partners.


Between January 2012 and June 2012, the number of events detected at healthcare organizations has almost doubled. Compared to other industries, however, there has been a more consistent pattern of malicious activity, indicating a persistent and steady threat confronting these organizations.

As healthcare organizations move toward the adoption of electronic health record systems and digitally store and manage Personally Identifiable Information (PII), these sensitive assets seem to be coming under increasing attack by cybercriminals.

Financial Services

Between the second half of 2011 and the first half of 2012, the financial services industry has seen a massive increase in terms of the average number of events per customer for that industry. In May 2012 the industry saw more events than the entire second half of 2011. Compared to healthcare, there have been more dramatic fluctuations in this market. The most dramatic shift discovered was a huge spike in May 2012, followed by a drop-off in June, which was a pattern also seen in May and June of 2011.


Companies in the technology sector continue to be the most targeted organizations. While total numbers have remained relatively stable on a month-to-month basis, overall numbers remain high compared to other industries.


In the energy/utilities sector, there have also been some significant fluctuations in incidents, however the overall trend indicates a huge increase. In the past six months, energy and utility organizations have seen a 60% increase in incidents.

As the Night Dragon attack dramatically illustrated, critical infrastructures of energy and utility companies are under attack. In this case, criminals went after intellectual property, information on ongoing exploration, and records associated with bids on oil and gas reserves. Due to current geopolitical dynamics, data surrounding the sources of fossil fuel-based energy in particular are some of the most targeted assets.

Finding 3: The Intensified Dangers of Email-Based Attacks, Both Via Links and Attachments

While the APT attacks that have been reported on in recent years have exhibited a range of different tactics, it is clear that there is one very common characteristic: email is the primary channel through which the attacks are initiated. Operation Aurora, GhostNet, Night Dragon, the RSA breach, and the majority of the other APTs that have been publicly documented have been initiated at least in part through targeted spear phishing emails. The bottom line is that organizations looking to stop APTs absolutely have to have capabilities for detecting and guarding against these kinds of attacks.

To gain entry into an organization’s network, cybercriminals are launching their attacks through spear phishing emails. These emails either use attachments that exploit zero-day vulnerabilities or malicious and dynamic URLs. Between 1Q 2012 and 2Q 2012, there was a 56% increase in the amount of email-based attacks that successfully penetrated organizations’ traditional security mechanisms.

During the course of 2012, there has been significant fluctuation in the amount of malware delivered via attachments versus links. In January 2012, the number of malicious links represented about 15% of the volume of malicious emails. By May and June however, the volume of malicious links outnumbered malicious attachments.

Moving forward, we expect to see continued fluctuation in the relative numbers of these categories on a monthly basis, but don’t expect that either one will dramatically or permanently overtake the other in the long term. The critical takeaway is that both of these types of threats exist in significant numbers, and that organizations need to guard against both of these threat vectors to effectively strengthen their security posture.

As zero-day application vulnerabilities are patched, file attachments used in attacks wane and cybercriminals return to Web-based vectors. However, as we have seen in the past, a new crop of zero-day application vulnerabilities is always just around the corner, leading cybercriminals to return to file attachment-based attacks.

Finding 4: Increased Prevalence of Limited-Use Domains in Spear Phishing Attacks

In their efforts to bypass organizations’ security mechanisms, cybercriminals have continued to employ increasingly dynamic tactics. The continued explosion of malicious domains used in spear phishing attacks illustrates the unsolvable problem facing technologies that rely on backward-facing signatures, domain reputation analysis, and URL blacklists.

Criminals are increasingly employing malicious URLs for only a brief period of time before they move on to using others. “Throw-away” domains are malicious domain names used only a handful of times, say in 10 or fewer spear phishing emails. These domains are so infrequently used that they fly under the radar of URL blacklists and reputation analysis and remain largely ignored and unknown. As the chart on the next page illustrates, the number of throw-away domains identified increased substantially in the first half of 2012.

Through social engineering, cybercriminals are personalizing emails and then using throw-away domains to bypass the signature and reputation based mechanisms that organizations rely on to filter out malicious emails. It is important to note that these URLs are sometimes randomly generated, and sometimes tailored to a specific tactic. In the second half of 2011, domains that were seen just once comprised 38% of total malicious domains used for spear phishing.

In the first half of 2012, that figure grew to 46%. The graph below shows that the overall volume of spear phishing emails is increasing and our domain analysis also shows the ratio of emails that use limited-use domains is also on the rise.

Finding 5: Increased Dynamism of Email Attachments

As outlined earlier, email-based attacks are used to initiate the bulk of the APT s reported, and guarding against both malicious attachments and URLs distributed via email is a critical mandate for organizations. Email-based attacks are the first tactic cybercriminals employ in order to get through the target’s perimeter defenses and gain a foothold in the network. As security teams seek to guard against malicious email attachments, however, they are encountering a fundamentally evolving dynamic in the makeup of these files. Just like URLs, the use of malicious attachments is growing increasingly dynamic.

Over the past twelve months, the diversity of attachments that led to infections has expanded dramatically. In the second half of 2011, the top 20 malicious attachments accounted for 45% of attachments that evaded organizations’ perimeter defenses. In the first half of 2012, the variety of malicious attachments increased so that the top 20 malicious attachments only accounted f or 26%, nearly half of the figure in the second half of 2011. These numbers make clear that cybercriminals are changing their malware more quickly, employing a longer list of file names, and reproducing malware and morphing it in an automated fashion. In this way, the task of creating signature based defenses to thwart these malicious files grows increasingly difficult.

Between the second half of 2011 and the first half of 2012, the average number of times a given malicious attachment was sent in an email dropped from 2.44 to 1.87.

FireEye’s conclusions on its report

As this report amply illustrates, organizations are under persistent attack, and the attacks being waged continue to grow more dynamic, effective, and damaging. For organizations that continue to rely solely on firewalls, IPS, AV, and other signature, reputation, and basic behavior-based technologies, it is abundantly clear that compromises and infections will continue to grow. To effectively combat these attacks, it is imperative that organizations augment their traditional security defenses with technologies that can detect and thwart today’s advanced, dynamic attacks. This requires capabilities for guarding against attacks being waged on the Web, and those being perpetrated through email, including spear phishing emails that use malicious attachments and URLs.


Blog at

Up ↑

%d bloggers like this: