Top Nine cyber security trends for 2012? They are too few, aren’t they?

Pierluigi Paganini December 09, 2011

In this article I intend to read with you an interesting document, distributed by Imperva, in which they emphasized the main threats that could cause significant problems in the coming year.

Please read the entire article carefully: first we discuss the nine threats that worry Imperva, then I will introduce the most dangerous threats from my point of view.

Not a day goes by without hearing of cyber threats, risks and the defense strategies being implemented. Governments, but also private companies, are beginning to take this type of threat seriously, allocating large amounts of money to ensure an adequate level of protection. But what are the main targets of these threats? There is something for everyone: from critical infrastructure to private companies, no one can be considered safe, and the direct and indirect impact on society is considerable.

 

What I want to do with your help is to analyze the published list, completing it and identifying which threats are of particular concern.

  • Trend #9:  SSL Gets Hit in the Crossfire
  • Trend #8:  HTML 5 Goes Live
  • Trend #7:  DDoS Moves Up the Stack
  • Trend #6:  Internal Collaboration Meets Its Evil Twin
  • Trend #5:  NoSQL = No Security?
  • Trend #4: The Kimono Comes Off of Consumerized IT
  • Trend #3:  Anti-Social Media
  • Trend #2:  The Rise of the Middle Man
  • Trend #1: Security (Finally) Trumps Compliance

Let’s analyze each point in detail:

Trend #9: SSL gets hit in the crossfire – Attackers are exploiting vulnerabilities in the various implementations of the SSL protocol. It is possible that during the next year we will see a rise in attacks which target the worldwide infrastructure that supports SSL. Imperva expects that these attacks will reach a tipping point in 2012. According to their forecast it will be the year of the “break point”, inducing serious discussion about real alternatives for secure web communications. My point of view is quite different. From my perspective SSL is a fine session encryption protocol that is inappropriate for securing Internet-based transaction systems, because it was not designed for this purpose and it is dated. Several criticisms can be leveled at the model, for example the incredible number of Certification Authorities and the way they protect their “trust chain”. The Comodo case is the worst case we have observed during the last year. Which could be valid alternatives … well, the “Convergence” model launched by Marlinspike is a good one, a secure replacement for the certificate authority system with excellent performance.

Trend #8: HTML 5 goes live –

The main problem is that HTML5 is not scheduled for official approval by the World Wide Web Consortium (W3C) until 2014. Developers, meanwhile, want to run the latest technology now. So they will either use proprietary plug-ins such as Flash or adopt protocols, treating them as a standard.

During the last few years, vulnerabilities in browsers’ add-ons (third party components such as Adobe’s Flash Player or Oracle’s Java) were the significant cause of “zero-day” exploits. Consider that the HTML 5 standard was created to enable browsers to support a richer end user experience in a standardized way. While the new features are attractive to web developers, they are also very beneficial for hackers. I totally agree on this point; the events that occurred during the last couple of months of 2011 demonstrate it.

Trend #7: DDoS moves up the stack – For many reasons this will be one of the main threats of the new year. The year 2011 was a terrible year regarding the number of attacks perpetrated using this technique. Attacks of this type are widely used for expression of dissent and hacktivism … and dissent is unfortunately destined to grow. I’m concerned about the conjunction of DDoS with other dangerous attacks like spear phishing, because similar techniques used at the same time could create a very powerful offensive action.

Trend #6: Internal collaboration meets its evil twin – I disagree and do not perceive the criticality as proposed.

Trend #5: NoSQL = No Security? – I share the concern. I believe that inadequate security mechanisms of distributed data sources will create several problems, as happened during the current year.

Trend #4: The kimono comes off of consumerized IT –

Frankly, I have not understood the magnitude of the threat or how it will materialize in the coming year. What would make this threat so terrifying next year? Frankly I did not understand … and you?

Trend #3: Anti-social media – As many more organizations are making their way into the social media space, we expect to see a growing impact to the integrity and confidentiality of the enterprise’s information. Moreover, we expect hackers will continue to automate social media attacks, exacerbating the problem.

The openness to new forms of communication brings undoubted benefits but surely increases the attack surface of each company. This exposure is expected to increase considerably in 2012 … it is hoped that the security mechanisms needed to counter the countless threats related to such exposure will increase along with it.

Trend #2: The Rise of the middle man – I share the prediction on the rise of the cyber broker. This individual matches the buyers of stolen data or compromised machines (aka “bots”) with the sellers of the data (or bot renters).  In the same way stocks and investors gave rise to stock markets, hackers need a middleman. That is an interesting scenario!

Trend #1: Security trumps compliance – In the past, security decisions were usually driven by compliance. However, in 2012 we expect to see security decisions driven by security. Considering the rising cost of a breach, industrialized hacking impacting many organizations and the need to protect intellectual property, this means that we will probably see more companies making cyber security decisions based on security.

Although I consider the Imperva experts’ analysis really interesting, I believe the list is incomplete: it misses some of the threats which I consider among the most worrisome.
Which ones? Here is my supplementary list:

My Supplementary Trend: #1 – The spread of the cloud paradigm will bring with it a series of problems that are far from negligible. Today’s cloud platforms are the product of aggressive marketing and immature security models. What if cloud platforms were used as a strike force against a predetermined target? It would be a catastrophe, an offensive before which any system would be helpless.

My Supplementary Trend: #2 – Social media diffusion will be really high. It is becoming a weapon and a battlefield. Governments and private companies have understood the criticality of new media platforms like social networks. Through social networks you can collect information and perform complex data mining research, but you can also spread malware and influence common sentiment and the perception of events … that is really a big threat.

My Supplementary Trend: #3 – Improved Social Engineering Attacks. Attackers will increasingly make use of social-engineering tactics to bypass technological security controls, fine-tuning their techniques to exploit natural human predispositions. We’ve already seen such approaches succeed at influencing victims into clicking on questionable links, opening exploit-laden attachments, and installing malicious software. 

My Supplementary Trend: #4 – Large diffusion of custom malware developed to attack specific targets; the Stuxnet virus and the Duqu malware are good examples. How will they evolve?

My Supplementary Trend: #5 – Will 2012 be the year of IPv6 consolidation? Well, consider that its implementation today has too many obscure issues.

My Supplementary Trend: #6 – Significant growth in firmware and hardware hacks.

My Supplementary Trend: #7 – Mobile security issues. Mobile devices are increasingly sophisticated, and there is a low perception of the threats that can compromise their integrity and security.

Some examples are “ransomware” (an infection that holds a device “hostage” until a “ransom” payment is delivered) taking mobile devices hostage, and worms on the Android platform that are able to quickly propagate from one device to another.

As you can see, the threats that I have listed and that are not on Imperva’s initial list are far from negligible; in fact they are likely to soon become the nightmares of those responsible for security in the coming months.
Do you agree?

Pierluigi Paganini

References

http://www.imperva.com/docs/HI_Security_Trends_2012.pdf

http://www.sans.edu/research/security-laboratory/article/security-predict2011

http://www.reuters.com/article/2011/12/06/idUS96123+06-Dec-2011+HUG20111206

http://blogs.wsj.com/tech-europe/2011/07/28/html5-poses-threat-to-flash-and-the-app-store/

http://www.gartner.com/technology/research/predicts/
