In the past year, malware has evolved in five major areas: bots, rogue security software, generic spyware, targeted malware and attacks on mobile phones and smartphones. These threats have, in turn, allowed criminals to find new ways to monetize the unauthorized access they have been able to gain. In the last year, malware has incorporated better techniques for hiding and staying resident on new hosts, improving their communications and increasing users' concerns about identity theft and related fraud.
Most security attacks get incrementally more dangerous over time, and some attacks will make major advancements in 2010. Malware, for example, will only get worse over the next year, even from its current state of sophisticated botnets. Malicious code will get easier to use, and criminals will have the ability to configure full-management applications, improved toolkits and update mechanisms to incorporate zero-day attacks and customizations. It may seem bleak, and enterprise security pros should certainly find it daunting. However, tools and techniques will also evolve over the next year to better protect corporate networks and data.
Predictions: Future security threats, defenses for 2010
There are few constants in information security, but the continued evolution of (and danger from) malware is one of them. Organizations can combat evolving malware and botnets through a combination of best practices like security awareness training, policies and procedures, and two emerging technologies: whitelisting and cloud-based antimalware. Let's discuss both of those technologies briefly:
Whitelisting will evolve in enterprises as organizations evaluate new products, their functionality and how they can be used to more effectively protect their environment. Whitelisting defines the executables that can run on a system and then stops all others when software isn't on a defined list of acceptable behavior.
Whitelisting has evolved in the last couple years. Initially, the technology was a complex system where enterprises needed to define every single executable. Now whitelisting products come with preconfigured templates, improved capabilities to approve new executables, and full management systems. Enterprises will realize that relying on antivirus software alone will not be tenable, and a new defense must be used. More enterprises in 2010 will use and set up their own whitelists and blacklists to supplement or replace their existing antimalware protections and then configure policy to determine what action to take for software that's not on either list.
Cloud-based antimalware will also evolve in enterprises to supplement the unknown software issues in whitelisting. Cloud-based antimalware allows checks to be made against centralized databases, identifying if the unknown software is malware. Because the signatures are based on research from software providers and other customers, this centralized database will have more signatures and can be updated faster than traditional antivirus signatures. Real-time checks, however, will require network access to the database and will need to be optimized to perform reasonably. This central location could also be used to track the spread of malicious files, but would need to protect the privacy of the users. Similar protections for PCs will continue to mature on mobile phones and smartphones.
- Another rapidly evolving attack vector worth mentioning is threats against mobile and wireless devices. Smartphone attacks and malware have exploited Bluetooth and IP connections on mobile devices, but so far, they have rarely been malicious. Attacks on mobile phones and smartphones will continue to make headlines, but because of the complexities and heterogeneous nature of these devices, widespread attacks on multiple platforms will be unlikely. There will be advancements in attacks, like the recent iPhone SSH default password worm, or the recent malicious Android application that stole bank login details. These threats will evolve to be more than just low-level risks. As more commerce is conducted on smartphones, the devices will be attacked more frequently, especially as development is opened to anyone developing and installing applications. Antimalware applications, like those on personal computers, will protect smartphones, but it is also important to use stronger controls on application distribution methods, such as only allowing signed applications to run and placing strong controls on the ability to sign them.
Common weaknesses in malware detection and protection will continue in 2010. Users and enterprises will start to accelerate their replacement of older, more vulnerable operating systems, which will help reduce their risks. Threats will continue to take advantage of these older systems while criminals find new ways to attack new systems that close the holes they had been exploiting. Security trends in malware and other information security threats will only continue to get worse as there is significant money to be made by criminals.
Enterprise infosec pros should not only seek to mitigate all of these potential threats with their current resources and the technologies and strategies mentioned above, but also continue to monitor these threat areas closely as the year progresses. Even small advances by attackers in any one of these areas could give those with malicious intentions a significant advantage in exploiting enterprise defenses.
About the author
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.