Fortune Cookies

2013 Security Predictions

It’s late fall, and time for vendors around the world to start guessing at what threats the coming year will bring.

First up, Symantec’s 5 Security Predictions for 2013:

  • Cyber conflict becomes the norm
  • Ransomware is the new scareware
  • Madware adds to the insanity
  • Monetization of social networks introduces new dangers
  • As users shift to mobile and cloud, so will attackers

Imperva’s 2013 Cyber Security Predictions:

  • Government Malware Goes Commercial
  • Black Clouds on the Horizon
  • APT Targets the Little Guy
  • Security in Numbers
  • Hacktivism Gets Process Driven

Verizon RISK Team’s 2013 predictions:

  • Authentication related failures [stolen/weak passwords]
  • Web application exploits
  • Social engineering attacks
  • Targeted espionage & hacktivism attacks
  • Lost or stolen devices are the primary mobile threat

Zscaler’s 2013 Security Predictions:

[note: the Zscaler post doesn’t lend itself to simple bullets, but I will try to summarize]

Also, Zscaler has represented the predictions with a likelihood [note: I think this sets them apart from the other predictors]: Mild – unlikely, Medium – may happen, Bold – likely to happen (my words, not theirs)

  • Mild – Mobile device management application providers will see consolidation
  • Mild – Traditional security tool vendors will get on the “big data” bus and figure out how to leverage the large amounts of security data being collected
  • Medium – Organizations will begin spending more money on detective security controls and less on preventive security controls
  • Medium – Increased scrutiny of mobile application providers’ use of private information
  • Medium – Embedded devices (thermostats, security systems, garage door openers, etc.) become a significant target for attackers
  • Bold – Microsoft gets into the bug bounty game
  • Bold – Privatized malware specifically tuned to target an attacker’s victim

WatchGuard’s 2013 Security Predictions:

  • Malware Enters the Matrix through a Virtual Door
  • It’s Your Browser – Not Your System – that Malware Is After
  • Strike Back Gets a Lot of Lip Service, but Does Little Good
  • We’ll Pay for Our Lack of IPv6 Expertise
  • An Exploit Sold on the “Vulnerability Market” Becomes the Next APT
  • Finally! Important Cyber Security-related Legislation Becomes Law
  • A Cyber Attack Results in a Human Death

RSA’s 8 Computer Security Predictions For 2013:

  • The hackers will likely get even more sophisticated.
  • Our attack surfaces will continue to expand and any remaining semblance of a perimeter will continue to wither away.
  • These changes will occur whether security teams are ready or not.
  • And, national governments will continue to diddle or, should I say, fiddle (while Rome burns), failing to legislate on rules of evidence, information sharing and the reforming of privacy laws.
  • It is highly likely that a rogue nation state, hacktivists or even terrorists will move beyond intrusion and espionage to attempt meaningful disruption and, eventually, even destruction of critical infrastructure.
  • Responsible people in organizations from all verticals, industries and governments will move to that newer intelligence-based security model and pressure governments to act on our collective behalf.
  • I also predict a significant uptake in investment for cloud-oriented security services to mitigate the effects of that serious shortage in cyber security skills.
  • Big Data analytics will be used to enable an intelligence-based security model.

Lancope’s 5 Key Computer Network Security Challenges For 2013:

  • State-sponsored espionage and sabotage of computer networks
  • Monster DDoS attacks
  • The loss of visibility and control created by IT consumerization and the cloud
  • The password debacle
  • Insider threats

F-Secure’s Seven Predictions for 2013:

  • The end of the Internet as we know it? (The ITU is working on a new regulations treaty for the Internet)
  • Leaks will reveal more government-sponsored espionage tools
  • Commoditization of mobile malware will increase
  • Another malware outbreak will hit Macs
  • Smart TVs will become a hacker target
  • Mobile spy software will go mainstream
  • Free tablets will be offered to prime content customers

Next, Websense’s 7 Predictions:

  • Mobile devices will be the new target for cross-platform threats.
  • Cybercriminals will use bypass methods to avoid traditional sandbox detection.
  • Legitimate mobile app stores will host more malware in 2013.
  • Government-sponsored attacks will increase as new players enter.
  • Expect hacktivists to move to the next level as simplistic opportunities dwindle.
  • Malicious emails are making a comeback.
  • Cybercriminals will follow the crowds to legitimate content management systems and web platforms.

Microsoft’s Top 5 Threat Predictions for 2013

  • Criminals will benefit from unintended consequences of espionage
  • Attackers will increasingly use apps, movies and music to install malware
  • Drive-by attacks and cross-site scripting attacks will be attacker favorites
  • Software updating gets easier and exploiting vulnerabilities gets harder
  • Rootkits will evolve in 2013

Fortinet’s FortiGuard Labs 2013 Threat Predictions

  • APTs Target Individuals through Mobile Platforms
  • Two Factor Authentication Replaces Single Password Sign on Security Model
  • Exploits to Target Machine-to-Machine (M2M) Communications
  • Exploits Circumvent the Sandbox
  • Cross Platform Botnets
  • Mobile Malware Growth Closes in on Laptop and Desktop PCs

Georgia Institute of Technology’s “Emerging Cyber Threats Report 2013”

  • Information Manipulation
    • Information manipulation gives attackers the ability to
      influence what a victim sees on the Web in a way that
      survives cleaning the client machine.
    • The act of personalizing search results and news
      feeds leads to a narrowing of viewpoints, a form of
      automated censorship.
    • Attempts to increase the uptake of a given viewpoint
      can be detected based on certain characteristics.
  • Insecurity of the Supply Chain
    • Supply chain insecurity is both hard to detect and
      expensive to defend against.
    • Detecting firmware changes will continue to remain
    • On an international policy level, supply chain issues
      will continue to be an intractable problem.
  • Mobile Security Reanalyzed
    • Malicious and privacy-undermining applications for
      Android will continue to grow quickly, as cybercriminals
      use toll fraud and other mechanisms to turn compromised
      devices into cash sources.
    • Well-vetted app stores will continue to be a good first
      defense against malware and have kept infection
      rates in the U.S. low.
    • Infrequent patching by carriers and manufacturers
      continues to leave mobile devices vulnerable.
    • Mobile wallets will face further scrutiny and slow
      adoption until their security is proven.
  • Cloud Security Enters Its Teenage Years
    • The accretion of data in the cloud will provide
      better-than-average information security, while at the same
      time offering attackers more attractive targets.
    • Authorization will continue to be the weakest point for
      cloud data stores.
    • The responsibilities and liabilities of cloud service
      providers will be resolved in the near future.
    • Companies will need stronger guarantees of security
      to more widely move their data and business processes
      to the cloud.

Trend Micro’s Predictions for 2013 and Beyond

  • The volume of malicious and high-risk Android apps will hit 1 million in 2013.
  • Consumers will use multiple computing platforms and devices. Securing these will be complex and difficult.
  • Conventional malware threats will only gradually evolve, with few, if any, new threats. Attacks will become more sophisticated in terms of deployment.
  • Africa will become a new safe harbor for cybercriminals.

Booz Allen Hamilton’s 10 Financial Services Cyber Security Trends for 2013

  • Business/Information Risk Protection is not Just a Technology Issue: Spending on new technology alone is not enough to protect a firm’s information and business.
  • Data Disruption Attacks May Become Data Destruction Attacks: The potential of threat actors actually destroying data is a major concern among risk and security professionals.
  • Nation States and Threat Actors Are Becoming More Sophisticated: We now have to face more sophisticated threat actors such as smaller nation states and terrorist elements obtaining similar capabilities.
  • Legislation Could Push Industry Standards Around Cyber Risks: Banks already share information, but they will need to do more in light of possible legislation to set standards for cyber protection.
  • Predictive Threat Intelligence Analytics Will Create a More Effective Risk Management Capability: Financial services firms must begin to employ a more predictive threat intelligence capability to determine who might be trying to attack them and how.
  • Vendor Risk Management Is Becoming an Increasingly Important Concern Among Firms: Most firms buy much of their information technology and services from suppliers.
  • Cyber Risk Continues to be a Board-Level Issue: Information, legal documents, communications with clients and employees are all becoming more and more electronic every day to include an even greater usage of mobile technologies and social media.
  • Firms Must Continue to Embrace and Adapt to the New “Boundless Network”: Cloud, social and mobile technologies, including “Bring Your Own Device” (BYOD), are simply too cost efficient and effective for institutions to ignore them.
  • Identity and Access Management Is Becoming a Key Security Control Area: The days of focusing solely on perimeter defense have long since passed.
  • The Financial Services Industry Will Rely More Heavily on Cyber Benchmarking: The FS industry is investing more and more in protecting its information assets, and wisely spending these scarce dollars is becoming increasingly important, not only from an effectiveness standpoint, but also to be able to articulate to business leaders the value of such an investment.
