Two Bets on 2012

- December 12th, 2011

 

Yet another year has nearly come and gone, but information security remains as interesting, challenging and relevant as ever – if not more so, since organized crime and foreign states have eclipsed the traditional lone hacker.  Looking back, the endpoint continues to be the focus of criminal organizations.  Case in point: out of 86 Microsoft security bulletins so far in 2011, 67% were what I consider endpoint-centric – meaning that the attack vectors and prerequisites limit them to computers where interactive, end-user activities take place, like browsing the web, reading email and working with documents.  On the other hand, there was a significant drop in zero-day exploits with Microsoft products (5 this year compared to 9 in 2010 and 10 in 2009), which mirrors the shift bad guys have taken toward attacking other software products like Acrobat, Flash, iTunes and Java.

In my mind, 2011 is also the year that the term Advanced Persistent Threat gained wide usage and, soon thereafter, overuse.  Another term that we’re hearing more and more is almost scarier than APTs, and that’s BYOT – bring your own technology. BYOT can only mean less control over endpoints at a time when they are the weakest point in our armor and being heavily targeted by the enemy.

Looking ahead, I’ll make one safe prediction and one that is a little more adventurous but I don’t claim either is very imaginative. 

The safe bet: first, bad guys will continue to develop new ways to break into systems and steal information.  It’s just too profitable for them to stop.  The adventurous bet: second, 2012 may be the year for mobile device hacks that really hit some big name organizations hard.  There, I said it.  It has to happen some day, and I feel like mobile device usage is hitting some kind of critical mass which the bad guys will not, cannot ignore. 

The hacks may hit Android or they may hit iOS.  It seems technically easier to target Android, but a successful attack against iOS or the App Store infrastructure could potentially be much wider and more devastating. 

The threats, attackers and vulnerabilities may change, but the fundamental countermeasures don’t.  Unfortunately though, I see history repeating itself with each new wave of technology.  There’s a rush to adopt the new technology, and security is an afterthought.  Then there is the backlash.  It seems to cycle as surely as our seasonal journey around the sun, and we are watching it right now with virtualization and BYOT.  The jump to the cloud is the only recent technology trend that seems slowed down by security considerations, but not necessarily for the right reasons. 

But following best practice and taking a decisive, coordinated, strategic approach to security will limit risk.  Only organizations with high-level executive support for security will remain a step ahead of the bad guys.  Organizations that fail to bake security into their IT strategy and fail to embrace security as a business enabler instead of a hindrance will suffer.

About the Author

, is an internationally recognized expert on the security and control of Windows and Active Directory who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations.

Follow Randy Franklin on Twitter @randyfsmith




