Topping Symantec’s list of 2007 security trends is data breaches. It’s not hard to understand why: According to a 2006 study by the Ponemon Institute, data breaches cost an average of $4.7 million per incident and are predicted to cost even more in the future. That’s not the sort of outlay any IT pro wants to own. “Data breaches are indicative of an underlying trend: a movement away from hobbyist attacks… to targeted financially motivated attacks,” said Amrit Williams, CTO of enterprise security company BigFix and a former IT security analyst for Gartner. “When you have a motivation that’s driven by financial gain, the goal is to be quiet. You don’t want to be seen. What the attackers are after is not to bring systems down. They’re after the information itself.”
Symantec’s number two security trend for 2007 is Windows Vista, which has seen 16 security patches since its introduction. Both Symantec and McAfee foresee more attention being paid to Vista by malware writers as Vista adoption continues.
Third on Symantec’s list is spam, which reached record levels in 2007, according to the company. That may seem improbable given the vast sea of spam in which we’ve been swimming for the past few years, but spammers’ fortunes are buoyed by their ever-rising tide of unwanted messages. Thus, we now have to contend with spam in new bulky flavors — image spam, PDF spam, MP3 spam, and greeting card spam — that strains server resources even further.
A tasty irony: Offline, the mafia has long been involved with garbage collection; online, the cyber mafia is in the business of garbage generation and it’s the security industry that makes a killing cleaning up.
And, as Williams and others have said, it is a business. Symantec claims that a member of the Fujacks cybercrime gang once boasted, “This is a better money-making industry than real estate.”
To sustain that business and improve margins, cybercriminals are creating professional attack kits. That’s the fourth-ranked trend on Symantec’s list. “Forty-two percent of phishing Web sites observed in the first half of the year were associated with three phishing toolkits,” according to Symantec. Kits like WebAttacker and MPack make malicious expertise available globally in an instant, with the only requirements being a download, some IT savvy, and contempt for the law. Keeping with the professionalization of cybercrime are the fifth-, sixth-, and seventh-ranked security trends of 2007: phishing, exploitation of trusted brands, and bots, respectively. Phishing sites rose 18% in the first half of the year, according to Symantec, and the bots conquered Estonia in May, albeit briefly.
The eighth-ranked trend of 2007, as Symantec sees it, is Web plug-in vulnerabilities.
Number nine gets back to the professionalization of cybercrime: The creation of a market for security vulnerabilities. WabiSabiLabi aspires to be an informational eBay for legitimate buyers to obtain information about security flaws that isn’t yet public knowledge. If the market works, and it appears to be doing so, companies may discover that the cost of security is more than they expected.
Finally, the last item on Symantec’s list is virtual machine security. Virtualization is all the rage, because of perceived benefits in terms of cost and flexibility of management. Security is in there too, but there’s some debate about whether virtualization creates security problems, too. Symantec expects malware writers will give the skeptics some ammunition as they find ways into virtualized systems.
Looking ahead, Symantec sees storm clouds, which proves convenient for a company that sells umbrellas, so to speak. It expects election season social engineering to victimize computer users in 2008. It foresees increasingly sophisticated bots that can host phishing sites on the compromised computers of unwitting consumers — have fun explaining that to the FBI when they seize your PC.
As mobile phones, particularly smartphones with complex operating systems, continue to become more popular, Symantec sees hacker interest following. What luck that security companies are already offering mobile security software.
And like McAfee, Symantec expects attacks on virtual worlds to rise. There’s already a thriving market for virtual goods and it’s probably a safe bet that the FBI won’t send agents to recover your stolen gold or Axe of the Gronn Lords.
Such threats won’t be fixed by products, Williams insisted. He expects that the IT security story of 2008 will be the convergence of security and systems management. “It’s too costly, difficult, and challenging to maintain separate infrastructures,” he said.