With the McAfee Labs’ 2012 predictions report as a guide, we started off this month’s #SecChat by crowdsourcing the question to our participants: what did the security community believe would be the most influential threats of 2012? We received a wide variety of speculations and well thought-out arguments, and we’ve collected what we hope is an accurate representation of the most buzzed-about topics of the hour:
1. Mobile & BYOD
Similar to what we reported in the McAfee whitepaper, many of you predicted that mobile threats would remain one of the most prominent vectors through 2012. But while nearly all of our 2011 sightings were concentrated on the Android platform, @rpermeh, @msarrel and others predicted that we are also due to see an increase in malware for iOS devices. These increasing mobile threats present a challenge for enterprises that have embraced BYOD policies. @hrbrmstr noted that organizations will struggle with increased demand for BYOD, but will continue to lack effective means to control and monitor the practice. @ChetWisniewski predicted that the mobile market would start to specialize, as did the market for desktop exploitations. While today’s attacks are for the most part opportunistic and interested in a quick monetary payoff, exploits will continue to evolve throughout 2012 to a focus on data theft.
2. Hacktivism
The threat of hacktivism is a particularly interesting case, because while most of our followers agreed that hacktivism would continue through 2012, many did not think that it would necessarily increase in real-world influence. @jenatsafenet noted that “hackers love free publicity,” citing that hacktivist exploits often get much more buzz if they are timely (around holidays, elections, etc.), influencing the time and type of attacks. @KPHaley in particular believes that the hacktivist threat will increase around this year’s election. Still, @FSLabsAdvisor predicts that some of the “fame-seeking” segments of hacktivist groups will burn out in 2012, causing a subsequent drop in media coverage which could affect how the world views them as a threat.
3. Social Engineering
As @chort0 pointed out, “social engineering is the only true multi-platform tool in the tech world”. As a result, no matter what #SecChat topic we choose, social engineering always seems to make an appearance by the end. Many of our participants voiced some of the best practices advice we discussed during our December chat on security awareness. @ChetWisniewski noted that we must partner with users, provide tools and education with practical advice, and remember that IT only becomes ‘the enemy’ when we act like dictators. @chort0 advised showing employees examples of real-world attacks, to encourage them to modify behavior.
4. Critical Infrastructure
As our conversation moved on, critical infrastructure stepped into the spotlight, a threat that McAfee Labs also predicted would be influential in the coming year. While @sam0910 agreed that critical infrastructure is more at risk than ever before, @ChetWisniewski asserted that those systems are no more vulnerable than anything else – the attacks just get more press, because there is a larger real-world impact when facilities are breached. @chort0 believed that most hacktivists lack the skill and motivation for kinetic damage, and @Shpantzer added that nation-states could be influenced by the deterrent of MAD. Nevertheless, @KPHaley believes that infrastructure providers should be looking at exploits like Stuxnet and Duqu as a warning, and take steps that will allow them to mitigate the threat of attack. @rpermeh agreed, saying that these are particularly good targets for nation-state actors and hacktivists, as they provide a bridge from the cyber to the real world.
5. Cloud
We’ve heard time and time again that for many organizations, 2012 is set to become the “year of the cloud”. @KPHaley and @ChetWisniewski addressed the security implications of this New Year’s resolution, predicting that many companies will migrate to the cloud and only afterwards worry about data security. @ChetWisniewski in particular noted that very few organizations have a “cloud data” policy, and awareness is very low among end-users. There is a great need to provide contextual warnings, as well as an easy and secure means to share files and data. Many of our participants mentioned the problem organizations are now facing with systems like Dropbox, and the need to create something that will work well in place of it.
6. Showing how security is material to the business
To wrap up with a thought we think is important to bring home, one of the most poignant topics in our discussion was the importance of effective communication between IT/security and the business. As @securelexicon pointed out, the inability of information security professionals to communicate risk in business terms could be one of the biggest threats of all. It’s time to form alliances with executives beyond the IT bubble, work to understand their culture, and learn how to explain to a board how a more secure company is a more profitable company. @msarrel gave a particularly interesting tidbit of advice – he likes to show C-level executives material evidence showing how news of a data breach can directly correlate to a drop in stock price. Whatever method you choose, it is crucial that security advocates learn to speak the language of business if any of the above threats are going to be fully addressed going into 2012.
Thanks again to everyone who contributed to this month’s discussion. We are always so impressed by the breadth of knowledge shared, and the many professionals who take time out each month to share their experience with our community. For those of you who haven’t yet joined a #SecChat discussion, look out for our next topic announcement here in the blog and on Twitter at @IntelSec_Biz. We always enjoy welcoming new faces and opinions to the table, as well as suggestions for future discussion topics.