Top 9 security predictions for 2009

New year will see high demand for multi-function appliances, with adoption of 3G and Web 2.0 introducing new security vulnerabilities, says Fortinet.

Securing corporate networks will continue as a high priority in 2009, but companies will be looking for ways to economize and will make IT purchasing decisions on a need-to-have versus nice-to-have basis. But this doesn't mean they will want to sacrifice performance or features, especially in security.

With the growing number of applications to exploit, a plethora of online avenues and revenues to pilfer, and many more corporate networks to hack, cybercriminals will have no shortage of targets to pursue. The heightened interest and response from law enforcement worldwide in bringing cybercriminals to justice will force malicious hackers to be even more aggressive and creative in their efforts to sidestep the law.

With cybercriminals on the active prowl, companies cannot afford to let their guard down and IT departments must be even more proactive and expeditious in their defense.

Fortinet outlines the Top 9 security predictions for 2009 to help companies safeguard their networks by mounting a multi-layered, multi-vectored defense strategy.

1. More bang for the buck: Security consolidation and then some
Integrated security appliances will be deployed in greater numbers as IT departments are pressured in an economic downturn to trim costs and yet maintain network integrity--essentially, doing more with less.

In addition to integrating two or more security functionalities into a single device for capital and operational savings, companies can look for "superset" security offerings that encompass other network functionalities, such as WAN optimization and SSL (Secure Sockets Layer) inspection.

In a nutshell, efficiency will be the new technology must-have for 2009.

2. Information security lockdown
With high-profile data theft at TJX, among others, more companies are realizing that it is not enough to padlock the front door to their networks. They also have to put a watchdog on their databases to detect and prevent both internal and external breaches.

In addition, updates to PCI-DSS regulations include a mandatory application firewall as a measure to protect consumers' credit information. As a result, greater emphasis will be placed on database security and regulatory compliance, forcing companies to incorporate information security measures as part of their overall network security strategy.

3. Web 2.0 vulnerabilities multiply
The popularity of social networking sites and cloud computing, such as SaaS (software-as-a-service), means the definition of the "network" is now greatly expanded. Cybercriminals have many more chinks in the network armor to target, as employees traverse in and out of the network proper.

As a result, companies will find a greater need to employ Web application firewalls and data leakage prevention mechanisms, to keep employees from introducing tainted data into the corporate network and from inadvertently leaking proprietary information.

4. Bigger pipes, faster speed: Letting in the good, bad and ugly
10-Gigabit Ethernet (GigE) throughput is not a pipe dream but a welcome reality, with adoption expected to surge in 2009. But opening up the network spigot means there is also a lot more bad stuff getting in with the good.

Enabling 10-GigE security protocols that work at the speed of the network is crucial, and should be the next area of focus for maintaining the integrity of high-speed networks.

5. The next biggest threat to mobile security: 3G
Malicious activity on smart mobile devices, such as smartphones, has been low to date. However, the anticipated consumer adoption of 3G, as well as new business models the platform is expected to enable, opens up a new and enormous market for cybercriminal activity. For example, we are just seeing the tip of the iceberg with Google's recent Android OS vulnerability.

3G enables network operators to offer a wider range of advanced mobile services including real-time access to high-quality audio/video transmission, and greater network capacity. This all adds up to greater opportunity for virus infections and attacks, and requires a focused approach to securing the millions of handheld mobile devices in operation today.

6. More cash to flow in the digital underground
Organized cybercriminal operations have been building their base over the last couple of years, and will now look to extend trade with other operations.

More services will be offered, including botnets or harvested account networks such as social networking. Affiliate programs will increase as organizations seek to fuel their existing framework; if it works, they will offer more programs and incentives to "script kiddies".

A new generation of users is plugging into cyberspace. This generation will be more exposed to underground channels, and frameworks such as phishing and exploit kits. This will in turn tempt more from this generation into joining the "dark side".

7. Let the games begin
Online games have gained much momentum, particularly in Asia, over the past year. This will continue to grow with the next generation of users.

As a result, more interactivity will occur in these virtual worlds. We have seen a sharp increase in Trojans targeting account information, and this will be something to look out for in 2009 as this market grows.

8. Premeditated, targeted attacks on the rise
Throughout 2008, we saw a steady drop in monthly distributed malware--with the exception of the scareware attack, which drove much of the malware volume in the latter half of the year.

As we enter an age of information warfare, we'll see more targeted attacks using custom malware and more premeditated attacks targeting specific goals, with most of such attacks aimed toward enterprises and governments.

9. Law enforcement unite online
Law enforcement mounted an aggressive effort in 2008, bringing malware authors and criminal organizations to justice. We will no doubt see more of this welcome activity in 2009.

However, it will take more than just the one year of 2009 to fully catch up to the pace and infrastructure required to adequately deal with cyber crime. This will be a slow process, which will require an unprecedented effort between various bodies from law enforcement to effectively address issues in cyber security.

Derek Manky is security research engineer for Fortinet.