From prediction to prophecy: The 2010 threat landscape

In January 2010, Fortinet issued a report outlining our predictions for The Top 10 Security Trends for 2010. Now that we’re midway through the year, I’ve decided to look back at those prognostications and compare and contrast them with what we have been seeing today.

Guest editorial by Derek Manky


1) Security, Virtually Speaking

January 2010: “Preventing infections from cross pollinating between virtual machines will be key in securing virtual movements of servers.”

June 2010: With the ongoing progression of virtualization, it becomes important to treat each virtual machine as if it were a physical box. For example, a worm could easily hop from one VM to another on the same physical host, reaching a guest that has a completely different set of access credentials and creating a more potent infection. Virtualization adds another level of complexity, further widening the security gap. We have seen some interesting developments this year, including a unique Flash crash (potentially exploitable) that only occurs in a virtualized environment.

2) Information, Protect Thyself

January 2010: “Information-centric security, rather than container-centric security, will be necessary in the next decade as access to data will continue to evolve outside the traditional network.”

June 2010: Today, information can be stored anywhere: digital cameras, printers, picture frames, thumb drives, laptops/netbooks, etc. The number of containers is growing, while the sensitive information remains relatively the same. This is why enterprises and administrators need to think about policies and a security framework that police information as it comes into and out of the network, no matter what the container.

3) Get Your Head, Not Your Security, Out of the Cloud

January 2010: “Adopting cloud-based services opens organizations up to many risks and vulnerabilities as information travels to and from protected networks via a public pipe, creating many more opportunities for data infection or theft.”

June 2010: Information continues to flow through public pipes. For example, Facebook has now introduced social plug-ins. Information that is already available from one source is bound to be integrated into other public platforms, spreading potentially sensitive data through cyberspace. Once information leaves your fingertips, it becomes very difficult to control. Thus, it is extremely important to safeguard your information before it leaves your fingertips and ultimately your data store/network.

4) Don’t Throw the Apps Out with the Bath Water

January 2010: “Second-layer security will be adopted to help enterprises have better application control beyond just allow or not allow.”

June 2010: As a packet travels through the network, it will be inspected and shaped frequently. Second-layer ("layered") security is like a waterfall filtering process, with each tier able to extract hazardous material before it reaches the next step. An example scenario with application control would be legitimate application traffic making it through the "allow policy," only for that traffic to abuse the application once it arrives at the client. Intrusion prevention would be a good second-layer security mechanism in this example.

5) Security and Network Services Aren’t Strange Bedfellows

January 2010: “A natural evolution with the trend in consolidating network devices is to integrate more network functionality into security devices.”

June 2010: This is the foundation for today's unified threat management (UTM) solutions. Devices such as Fortinet's FortiGate product line allow both application control and intrusion prevention on one device. While the two have different goals, the underlying packet inspection technology allows enhancement on both sides. As the attack surface grows, appropriate security technology needs to be developed to counter it. Integration of these technologies and ease of management are critical for threat mitigation from an administrative standpoint.

6) CaaS vs. SaaS

January 2010: “Cybercriminals will take a page from the new security-as-a-service (SaaS) business model to implement their own crime-as-a-service approach, a criminal ‘environment for hire,’ so to speak.”

June 2010: Crime services have been openly available in 2010, most notably through the use of simplified botnets. These botnets report statistics back for quality control, so that the operators selling services ("loads") can inform their customers when and where their malicious software was installed. We also continue to observe the Cutwail spam bot being distributed with different identification numbers. These are customer IDs, with each hired bot sending spam for the customers who bought them.

7) Scareware and Affiliates Find New Ground

January 2010: “With consumers becoming wise to scareware, cybercriminals are expected to up the stakes in 2010 by holding consumers’ digital assets hostage for ransom.”

June 2010: The rise of ransomware is no longer a myth; it's a reality. We have witnessed several variations of ransomware emerge in 2010, from SMS-based locks to ones that kill applications until the user has paid the recovery fee. Detection levels have grown stronger in 2010, with variations of ransomware making their way into our top ten threat listings. While volume increases, attack strategy and technology continue to grow increasingly sophisticated. Combine this with solid encryption algorithms, and there is no doubt that ransomware will continue to plague cyberspace through the remainder of 2010 and beyond.

8) Money Mules Multiply

January 2010: “Unwitting consumers may find themselves accessories to a crime as cybercriminals find new ‘mules’ to launder their ill-gotten gains.”

June 2010: We have observed numerous instances of this trend and highlighted several examples in our threat reports. These socially-engineered attacks dupe users into fraudulent jobs that may sound innocent by description. Typically, the recurring job descriptions we observed in 2010 were accounts receivable ones, which involved the candidate receiving and forwarding funds while taking commission. Be very cautious of such promises, as there are legal implications.

9) Multiple Platforms in the Crosshairs

January 2010: “With a growing number of users on new platforms, cybercriminals will target their attacks beyond Microsoft Windows.”

June 2010: We have seen an increase in mobile threat activity. Symbian OS remains a favored attack platform: viruses like Yxes are becoming increasingly sophisticated while others, such as Enoriv, are just starting to emerge. As other operating systems such as Android continue to gain momentum, they, too, could shortly pose similar threats.

10) Botnets Hide through Legit Means

January 2010: “Botnets will no longer just obfuscate their binary codes to escape detection. Instead, they will piggyback on legitimate communications vehicles to propagate and cloak activities.”

June 2010: This year several new botnets have come into scope, each using common protocols such as HTTP to do their dirty work. Botnets that existed before 2010 continue to remain strong and develop their protocols to obfuscate activity. This year we discovered Webwail, a Web-based scripting engine that can create accounts through the Web (at services such as Yahoo, Hotmail, Gmail, etc.) and then spam through them. To do this, CAPTCHAs are cracked dynamically by a third party, so that the Web bot may proceed as if it were human. While we have only observed Webwail creating accounts and sending spam, our analysis indicates it is much more capable.

* Derek Manky is the project manager for cyber security and threat research at Fortinet, a network security appliance company. As lead author of Fortinet's Threat Landscape Report, Manky blogs and regularly writes on breaking security developments. He designed the company’s responsible disclosure policies, which have been used for years to report and disclose critical, zero-day vulnerabilities.