Sophos have created this timeline of mobile threats going back to 2004. It’s by no means comprehensive, but it gives you a good idea of how threats have evolved in a short period of time.
A very interesting piece of research by the Ponemon Institute on behalf of the security vendor Sophos. A summary of the study is below.
Cyber security is often not a priority
- 58% of respondents say that management does not see cyber-attacks as a significant risk
- 44% say a strong security posture is not a priority.
- Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
- While an organization’s IT leaders often depend upon the need to comply with regulations and compliance to make their case for IT security funding, 51% of respondents say it does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.
Senior management rarely makes decisions about IT security
Who is responsible for determining IT Security Priorities?
- CIO 32%
- 31% no one
Lack of in-house expertise hinders the achievement of a strong security posture
- Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.
Security threats and attacks experienced
“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months
- 42% of respondents say they were
- 33% are unsure
- 1/3 of respondents say they are unsure if an attack has occurred in the past 12 months
- Of the 42% who say an attack occurred, most likely it was likely the result of phishing and social engineering, denial of service and botnets and advanced malware/zero day attacks.
Data breach incidents are known with greater certainty
More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months although 16% say they are unsure.
More than half of respondents say their organization has had a data breach
- 51% Cited is a third-party mistake or negligent employee or contractor
- 44% cannot identify the root cause.
Most organizations say cyber-attacks are increasing or there is no change
- 76% of respondents say their organizations face more cyber-attacks or at least the same
- 18% are unable to determine
Most organizations see cyber-attacks as becoming more sophisticated
- 56% say cyber-attacks are more sophisticated
- 45% say they are becoming more severe
- 28% of respondents are uncertain if their organizations are being targeted
- 25% are unsure if the attacks are more sophisticated
- 23% do not know if these attacks are becoming more severe.
The research reveals there is often confusion as to what best describes advanced persistent threats (APT). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent low profile targeted attacks but the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to what dedicated technologies are necessary for preventing them.
Disruptive technology trends
The cloud is important to business operations
- 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
- 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
- 39% of their organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services
The use of cloud applications and IT infrastructure is not believed to reduce security
- 45% of respondents say the cloud is not considered to have an affect on security posture
- 12% say it would actually diminish security posture
- 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected
The use of mobile devices to access business-critical applications will increase
- 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
- 69% of respondents expect this usage to increase over the next 12 months.
While respondents do not seem to be worried about cloud security, mobile device security is a concern.
- 50% of respondents say such use diminishes an organization’s security posture
- 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.
BYOD also affects the security posture
- 26% of mobile devices owned by employees are used to access business-critical applications.
- 70% of respondents either expect their use to increase or stay the same
- 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD
BYOD is a concern for respondents
- 32% say there is no affect on security posture
- 45% of respondents believe BYOD diminishes an organization’s security effectiveness.
Effectiveness of security technologies
The majority of respondents have faith in their security technologies
- 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber attacks
- 23% are unsure
Big data analytics and web application firewalls are technologies growing in demand
Today, the top three technologies in use are:
- client firewalls
- endpoint management
They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These technologies are followed by: endpoint management (19% increase), anti-virus and next generation firewalls (both15% increase) and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say the use of IDS and SIEM technologies decreases slightly (6%) over the next three years.
The cost impact of disruptions and damages to IT assets and infrastructure
Damage or theft to IT assets and infrastructure are costly
- 1 the cost of damage or theft to IT assets and infrastructure
- 2 the cost of disruption to normal operations
The estimated cost of disruption exceeds the cost of damages or theft of IT assets and infrastructure.
Using an extrapolation, we compute an average cost of $670,914 relating to incidents to their IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197
The uncertainty security index
The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:
- Did their organization have a cyber-attack during the past year?
- Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
- Are the root causes of these data breaches known?
- Are the cyber-attacks against their organization increasing or decreasing?
- Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
- Do they understand the nature of advanced persistent threats (APTs)?
- Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
- Is the use of cloud applications and/or IT infrastructure services increasing and does it affect the security posture
Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).
U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.
Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.
An organization’s leadership team has the most uncertainty. This finding indicates why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position the more removed the individual could be in understanding the organization’s risk and strategy.
Retailing, education & research and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.
In Sophos’s 2013 Security Threat Report they provided 3 tips on how to be more secure when using the cloud.
The tips are simple but straight to the point so I thought I would share them.
- Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits.
- Use application controls to block or allow particular applications, either for the entire company or for specific groups.
- Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronized, you have full control of the safety of your data. You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else. Should your web key go missing for some reason, maybe the user simply forgot the password, the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.
Everyone has an opinion on what could be around the corner, some are based on extensive research and market trends, and some are based on customer expectations and experience.
Rather than bore you with my predictions I thought I would extract the predictions of several vendors and a distributor and put them into one single post so it is easier to see trends and when we get to the end of the year we can see if they were right.
The 6 specialist predictors this year are from the following organisations:
Wick Hill Group’s Ian Kilpatrick delivers his top five trends for 2013
- BYOD. “BYOD was arguably the biggest buzz word of 2012 and is now an unstoppable, user-driven wave which will continue to make a major impact on the IT world in 2013 and beyond. Smartphones, tablets and laptops all come under this category, as well as desktop PCs used remotely from home. BYOD is a transformative technology and 2013 will see companies trying to integrate it into their networks. While tactical needs will drive integration, strategic requirements will become increasingly important.
- Mobile Device Management. The very rapid growth of mobile devices such as smartphones, tablets and laptops, but particularly smartphones, led to concerns about their management and security in 2012. With employees using their smartphones for both business and personal use, the security and management issues became blurred. Mobile Device Management solutions were a strong growth area in 2012, which will accelerate in 2013.
- High density wireless. Wireless requirements have been significantly incrementing over the last year and this trend will continue in 2013. BYOD has changed both the data transfer and performance expectations of users.
- Data back-up and recovery. While large organisations have always been at the forefront of back-up and recovery, data centres and big data have put significant demands on them during 2012. Alongside that, smaller organisations have been under immense pressures from ever increasing data volumes, archiving and compliance requirements.
- Data leakage protection. With growing volumes of data and with regulatory bodies increasingly prepared to levy fines for various non-compliance issues, data leakage protection will continue to be a major cause for concern during 2013. Companies will be looking closely at how to secure and manage their data as their network boundaries spread even wider, with increased use of social networking and BYOD, increased remote access, the rapid growth of wireless, increased virtualisation and the move towards convergence.
Websense’s 2013 Security Predictions (the link also contains a video clip explaining the predictions).
- Cross-Platform Threats. Mobile devices will be the new target for cross-platform threats.
- Malware in App Stores. Legitimate mobile app stores will host more malware in 2013
- Government-sponsored attacks. Government-sponsored attacks will increase as new players enter.
- Bypass of Sandbox Detection. Cybercriminals will use bypass methods to avoid traditional sandbox detection
- Next Level Hacktivists. Expect Hacktivists to move to the next level as simplistic opportunities dwindle
- Malicious Emails. Malicious emails are making a comeback.
- CMS Attacks. Cybercriminals will follow the crowds to legitimate content management systems and web platforms.
WatchGuard Technologies reveals its annual security predictions for 2013
- A Cyber Attack Results in a Human Death
- Malware Enters the Matrix through a Virtual Door
- It’s Your Browser – Not Your System – that Malware Is After
- Strike Back Gets a Lot of Lip Service, but Does Little Good
- We’ll pay for Our Lack of IPv6 Expertise
- Android Pick Pockets Try to Empty Mobile Wallets
Additionally WatchGuard believes:
- An Exploit Sold on the “Vulnerability Market” Becomes the Next APT
- Important Cyber Security-Related Legislation Finally Becomes Law
“2012 was an eye-opening year in cyber security as we saw the number of new and more sophisticated vulnerabilities rise, impacting individuals, businesses and governments,” said WatchGuard Director of Security Strategy Corey Nachreiner, a Certified Information Systems Security Professional (CISSP). “This is a year where the security stakes reach new heights, attacks become more frequent and unfortunately more damaging as many organizations suffer attacks before taking measures to protect themselves from the bad guys.”
Kaspersky Lab’s Key Security Predictions for 2013
The most notable predictions for the next year include the continued rise of targeted attacks, cyber-espionage and nation-state cyber-attacks, the evolving role of hacktivism, the development of controversial “legal” surveillance tools and the increase in cybercriminal attacks targeting cloud-based services
- Targeted attacks on businesses have only become a prevalent threat within the last two years. Kaspersky Lab expects the amount of targeted attacks, with the purpose of cyber-espionage, to continue in 2013 and beyond, becoming the most significant threat for businesses. Another trend that will likely impact companies and governments is the continued rise of “hacktivism” and its concomitant politically-motivated cyber-attacks.
- State-sponsored cyber warfare will undoubtedly continue in 2013. These attacks will affect not only government institutions, but also businesses and critical infrastructure facilities.
- In 2012 an on-going debate took place on whether or not governments should develop and use specific surveillance software to monitor suspects in criminal investigations. Kaspersky Lab predicts that 2013 will build on this issue as governments create or purchase additional monitoring tools to enhance the surveillance of individuals, which will extend beyond wiretapping phones to enabling secret access to targeted mobile devices. Government-backed surveillance tools in the cyber environment will most likely continue to evolve, as law-enforcement agencies try to stay one step ahead of cybercriminals. At the same time, controversial issues about civil liberties and consumer privacy associated with the tools will also continue to be raised.
- Development of social networks, and, unfortunately, new threats that affect both consumers and businesses have drastically changed the perception of online privacy and trust. As consumers understand that a significant portion of their personal data is handed over to online services, the question is whether or not they trust them. Such confidence has already been shaken following the wake of major password leaks from some of the most popular web services such as Dropbox and LinkedIn. The value of personal data – for both cybercriminals and legitimate businesses – is destined to grow significantly in the near future.
- 2012 has been the year of the explosive growth of mobile malware, with cybercriminals’ primary focus being the Android platform, as it was the most popular and widely used. In 2013 we are likely to see a new alarming trend – the use of vulnerabilities to extend “drive-by download” attacks on mobile devices. This means that personal and corporate data stored on smartphones and tablets will be targeted as frequently as it is targeted on traditional computers. For the same reasons (rising popularity), new sophisticated attacks will be performed against owners of Apple devices as well.
- As vulnerabilities in mobile devices become an increasing threat for users, computer application and program vulnerabilities will continue to be exploited on PCs. Kaspersky Lab named 2012 the year of Java vulnerabilities, and in 2013 Java will continue to be exploited by cybercriminals on a massive scale. However, although Java will continue to be a target for exploits, the importance of Adobe Flash and Adobe Reader as malware gateways will decrease as the latest versions include automated update systems for patching security vulnerabilities.
Costin Raiu, Director of Global Research & Analysis Team Kaspersky Lab said, “In our previous reports we categorised 2011 as the year of explosive growth of new cyber threats. The most notable incidents of 2012 have been revealing and shaping the future of cyber security. We expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure. The most notable trends of 2013 will be new example of cyber warfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.”
Fortinet’s FortiGuard Labs Reveals 2013 Top 6 Threat Predictions
- APTs Target Individuals through Mobile Platforms. APTs also known as Advanced Persistent Threats are defined by their ability to use sophisticated technology and multiple methods and vectors to reach specific targets to obtain sensitive or classified information. The most recent examples include Stuxnet, Flame and Gauss. In 2013 we predict we’ll see APTs targeted at the civilian population, which includes CEOs, celebrities and political figures. Verifying this prediction will be difficult, however, because after attackers get the information they’re looking for, they can quietly remove the malware from a target device before the victim realizes that an attack has even occurred. What’s more, individuals who do discover they have been victims of an APT will likely not report the attack to the media. Because these attacks will first affect individuals and not directly critical infrastructure, governments or public companies, some types of information being targeted will be different. Attackers will look for information they can leverage for criminal activities such as blackmail; threatening to leak information unless payment is received.
- Two Factor Authentication Replaces Single Password Sign on Security Model. The password-only security model is dead. Easily downloadable tools today can crack a simple four or five character password in only a few minutes. Using new cloud-based password cracking tools, attackers can attempt 300 million different passwords in only 20 minutes at a cost of less than $20 USD. Criminals can now easily compromise even a strong alpha-numeric password with special characters during a typical lunch hour. Stored credentials encrypted in databases (often breached through Web portals and SQL injection), along with wireless security (WPA2) will be popular cracking targets using such cloud services. We predict next year we’ll see an increase in businesses implementing some form of two-factor authentication for their employees and customers. This will consist of a Web-based login that will require a user password along with a secondary password that will either arrive through a user’s mobile device or a standalone security token. While it’s true that we’ve seen the botnet Zitmo recently crack two-factor authentication on Android devices and RSA’s SecurID security token (hacked in 2011), this type of one-two punch is still the most effective method for securing online activities.
- Exploits to Target Machine-to-Machine (M2M) Communications. Machine-to-machine (M2M) communication refers to technologies that allow both wireless and wired systems to communicate with other devices of the same ability. It could be a refrigerator that communicates with a home server to notify a resident that it’s time to buy milk and eggs, it could be an airport camera that takes a photo of a person’s face and cross references the image with a database of known terrorists, or it could be a medical device that regulates oxygen to an accident victim and then alerts hospital staff when that person’s heart rate drops below a certain threshold. While the practical technological possibilities of M2M are inspiring as it has the potential to remove human error from so many situations, there are still too many questions surrounding how to best secure it. We predict next year we will see the first instance of M2M hacking that has not been exploited historically, most likely in a platform related to national security such as a weapons development facility. This will likely happen by poisoning information streams that transverse the M2M channel — making one machine mishandle the poisoned information, creating a vulnerability and thus allowing an attacker access at this vulnerable point.
- Exploits Circumvent the Sandbox. Sandboxing is a practice often employed by security technology to separate running programs and applications so that malicious code cannot transfer from one process (i.e. a document reader) to another (i.e. the operating system). Several vendors including Adobe and Apple have taken this approach and more are likely to follow. As this technology gets put in place, attackers are naturally going to try to circumvent it. FortiGuard Labs has already seen a few exploits that can break out of virtual machine (VM) and sandboxed environments, such as the Adobe Reader X vulnerability. The most recent sandboxing exploits have either remained in stealth mode (suggesting that the malware code is still currently under development and test) or have actively attempted to circumvent both technologies. Next year we expect to see innovative exploit code that is designed to circumvent sandbox environments specifically used by security appliances and mobile devices.
- Cross Platform Botnets In 2012. FortiGuard Labs analyzed mobile botnets such as Zitmo and found they have many of the same features and functionality of traditional PC botnets. In 2013, the team predicts that thanks to this feature parity between platforms, we’ll begin to see new forms of Direct Denial of Service (DDoS) attacks that will leverage both PC and mobile devices simultaneously. For example, an infected mobile device and PC will share the same command and control (C&C) server and attack protocol, and act on command at the same time, thus enhancing a botnet empire. What would once be two separate botnets running on the PC and a mobile operating system such as Android will now become one monolithic botnet operating over multiple types of endpoints.
- Mobile Malware Growth Closes in on Laptop and Desktop PCs. Malware is being written today for both mobile devices and notebook/laptop PCs. Historically, however, the majority of development efforts have been directed at PCs simply for the fact that there are so many of them in circulation, and PCs have been around a much longer time. For perspective, FortiGuard Labs researchers currently monitor approximately 50,000 mobile malware samples, as opposed to the millions they are monitoring for the PC. The researchers have already observed a significant increase in mobile malware volume and believe that this skewing is about to change even more dramatically starting next year. This is due to the fact that there are currently more mobile phones on the market than laptop or desktop PCs, and users are abandoning these traditional platforms in favor of newer, smaller tablet devices. While FortiGuard Labs researchers believe it will still take several more years before the number of malware samples equals what they see on PCs, the team believes we are going to see accelerated malware growth on mobile devices because malware creators know that securing mobile devices today is currently more complicated than securing traditional PCs.
Sophos think the following five trends will factor into the IT security landscape in 2013
- Basic web server mistakes. In 2012 we saw an increase in SQL injection hacks of web servers and databases to steal large volumes of user names and passwords. Targets have ranged from small to large enterprises with motives both political and financial. With the uptick in these kinds of credential-based extractions, IT professionals will need to pay equal attention to protecting both their computers as well as their web server environment
- More “irreversible” malware. In 2012 we saw a surge in popularity and quality of ransomware malware, which encrypts your data and holds it for ransom. The availability of public key cryptography and clever command and control mechanisms has made it exceptionally hard, if not impossible to reverse the damage. Over the coming year we expect to see more attacks which, for IT professionals, will place a greater focus on behavioral protection mechanisms as well as system hardening and backup/restore procedures
- Attack toolkits with premium features. Over the past 12 months we have observed significant investment by cybercriminals in toolkits like the Blackhole exploit kit. They’ve built in features such as scriptable web services, APIs, malware quality assurance platforms, anti-forensics, slick reporting interfaces, and self protection mechanisms. In the coming year we will likely see a continued evolution in the maturation of these kits replete with premium features that appear to make access to high quality malicious code even simpler and comprehensive
- Better exploit mitigation. Even as the number of vulnerabilities appeared to increase in 2012—including every Java plugin released for the past eight years—exploiting them became more difficult as operating systems modernized and hardened. The ready availability of DEP, ASLR, sandboxing, more restricted mobile platforms and new trusted boot mechanisms (among others) made exploitation more challenging. While we’re not expecting exploits to simply disappear, we could see this decrease in vulnerability exploits offset by a sharp rise in social engineering attacks across a wide array of platforms
- Integration, privacy and security challenges. In the past year mobile devices and applications like social media became more integrated. New technologies—like near field communication (NFC) being integrated in to these platforms—and increasingly creative use of GPS to connect our digital and physical lives means that there are new opportunities for cybercriminals to compromise our security or privacy. This trend is identifiable not just for mobile devices, but computing in general. In the coming year watch for new examples of attacks built on these technologies.
Sophos “The last word, Security really is about more than Microsoft. The PC remains the biggest target for malicious code today, yet criminals have created effective fake antivirus attacks for the Mac. Malware creators are also targeting mobile devices as we experience a whole new set of operating systems with different security models and attack vectors. Our efforts must focus on protecting and empowering end users—no matter what platform, device, or operating system they choose”
For a retrospective view why not ready my post from last year “7 experts predict the IT security and compliance issues and trends of 2012”
Three years on and Conficker (also known as Downup, Downadup and Kido) is still the most common virus threat.
Since November 2008 it’s infected computers across the globe, consuming network traffic and opening a back door to other malware attacks.
Conficker exploits unprotected computers and weak passwords. Today it’s often spread through infected USB storage devices.
To prevent infection, Sophos recommends:
- Apply the MS08-67 patch
- Disable file and print sharing
- Strengthen your password
- Turn off autorun for USB devices
- Apply a device control policy
Sophos have released a FREE Conflicker detection and removal tool. Dowload it HERE, registration required.
Sophos White Paper.
The UK Information Commissioner’s Office can levy fines of up to £500,000 for data breaches, which proves data security is essential. And while it’s not illegal in the UK to lose data – regulators understand there is no 100% in security – you do need to demonstrate you’re managing information risks responsibly. Read this paper to get the key items you should cover to avoid the ICO’s wrath in 2011.
Download the White Paper here – registration is required.
Sophos has published its first report focused on data security, “The State of Data Security”.
The report is excellent read with 25 pages packed full of information and advice.
The report provides advice and guidance to businesses interested in protecting their data, including “Today’s IT and business managers must take a hard look at the risks and costs of potential data loss. Creating a proactive data security plan arms you with the knowledge you need to manage the risk and helps you to stay compliant with data protection rules and regulations.”
Some statistics and quotes from the report:-
- The U.S. had the highest cost per compromised record at $204, followed by Germany at $177, France at $119, Australia at $114 and the U.K.at $98
- CSO magazine’s 2011 CyberSecurity Watch Survey found that 81% of respondents’ organizations experienced a security event during the past 12 months, compared with 60% in 2010.Twenty-eight percent of respondents saw an increase in the number of security events as compared with the prior 12 months
- In a survey of 1,000 people in the U.K., 94% ranked “protecting personal information” as their top concern, equal to their concerns about crime, according to The Telegraph.
- according to security expert Rebecca Herold, you’ll cover roughly 85 to 90% of compliance regulations if you practice effective data protection
- About 85% of all U.S. companies have experienced one or more data breaches, according to the Ponemon Institute
- In 2010, malicious attacks were the root cause of 31% of the data breaches studied, according to the Ponemon Institute – up from 24% in 2009 and 12% in 2008
- According to the Identity Theft Resource Center, at least 662 data breaches in the U.S. occurred in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit card or debit card data
- With over 500 million U.S. records of data breaches and loss since 2005, it’s no surprise that these data loss stories are headline news.
The report can be downloaded here.