Art Coviello, RSA Security: security predictions for 2009
December 2008, by RSA, The Security Division of EMC
2008 is drawing to a close and I have spent this quarter travelling around the world talking to customers, government officials, and analysts about what promises and challenges await us in the year ahead. It comes as no surprise that enterprises worldwide are taking a hard look at their budget allocations, and as critical as information security is, it will not escape scrutiny. Budgets will tighten, security infrastructures will be expected to do more with less, and executives will be looking for the maximum return on investment.
However, protecting against online fraud will continue to be a major spending priority for CIOs in the coming months and well into next year as the protection of a company’s intellectual property remains a top priority. This past year we saw a major ramp-up in online fraud activity, especially in the form of Trojan warfare with Neosploit, Asprox and – most recently – the discovery of the Sinowal Trojan. We also witnessed a shift in the underground fraud community, away from a crimeware business model (buying, hosting, installing Trojans) to a Software-as-a-Service model where fraudsters can inexpensively subscribe to a monthly service for hosted Trojans – making it much easier for a novice to get into the game. And while we’ve made major headway in shaking up cyber criminal operations, the task is ongoing. 2009 will bring online threats to a new level, in three specific ways:
Breadth of threats: Online fraud has always been a global industry. Fraudsters have typically targeted the consumer market – looking to trick the average user into divulging sensitive information – but as consumers have become more educated and security technologies more sophisticated, fraudsters have begun looking for new channels to exploit. We will see this come in the form of enterprise phishing in which attacks will be focused more on businesses rather than on “Joe Consumer”. Further, the rise of cloud and virtual ecosystems will introduce new breeding grounds for fraudsters if not protected properly.
Heightened motivation: The economy is affecting everyone, including the criminals. The financial data of an entire enterprise is worth much more than that of a single individual and as a result, is a much more appealing target. In addition to the normal brood of online criminals looking for credit card numbers to sell and bank accounts to empty, enterprises could also face intellectual property theft from both insiders and outsiders. As companies reduce their workforces, insider threats could become more probable than ever before. Similarly, competitors and other outsiders (even nation states) may be looking to steal product designs, formulae, and similar assets recognizing that they can steal innovation much faster than they can create it.
Threat sophistication: The security industry has been working hard to keep pace with the onslaught of threats, but as our level of sophistication grows so does that of the fraudster. We can expect a build-out of the fraudster supply chain (the fraud-as-a-service business model), automated attacks, and much more complex technologies. We need to meet threat escalation with layered security, defence-in-depth, and knowledge sharing.
Finally, as the fraud economy continues to be profitable it will become more attractive to a whole new generation of online criminals around the world. It will be up to the security community to continue to stay one step ahead of them; corporations to deploy security where necessary to mitigate these risks; and governments to continue to invest in legislation and in keeping cyber security on the agenda.
2009 will not be all doom and gloom, however. Economic, political and business leaders around the world are looking to innovation to lead us out of the economic crisis. And forward-thinking security organizations are focusing on programs that strongly align investments with business success and with mitigating business risk. More than ever, companies need to position themselves for the long term by moving away from a highly distributed, fragmented approach to security that has them spending wildly on new projects and technologies to beat down each new threat, and instead moving to a model in which established security frameworks enable them to adapt quickly to changes in the security environment. The best way to do that is to take a thoughtful and holistic approach to security: determine what data really needs to be protected, which areas are most vulnerable, and how likely it is that someone will be able to exploit those vulnerabilities. This approach will better position companies to protect their most valuable assets, adjust to a changing regulatory environment, and provide a solid foundation for business innovation projects — all while using fewer resources.
And there are other promising developments. Government leaders, especially in the United States, have made cyber security more of a focus than ever before. The current administration put the spotlight on cyber security and instituted a good framework, but it will be up to President-elect Obama’s administration to ensure that the right pieces (technology and technology experts, rather than politicians) are in place and that there is consistent follow-through on the plans that have been established. As I discussed in my keynote address at the 2008 RSA Conference, the onus is not only on security vendors and organizations to change how we think about security, but also on governments to implement policies that help enterprises achieve meaningful security rather than mere regulatory compliance. As we transition to a new U.S. administration, I am confident that we are moving closer to this call being fulfilled.