In January 2010, the Fortinet’s FortiGuard Labs threat researchers issued a report outlining their predictions for The Top 10 Security Trends for 2010. Now that we’re midway through the year, we thought it would be interesting to see how right (or wrong) we were and if anything completely unexpected has come up along the way. The following report spells out the trends the team predicted at the beginning of the year and concludes with comments on where each threat exists today.
1) Security, Virtually Speaking
**January 2010: **“Preventing infections from cross pollinating between virtual machines will be key in securing virtual movements of servers.”
**June 2010: **With the ongoing progression of virtualization, it indeed becomes important to treat each virtual machine as if it were a physical box. For example, a worm could easily hop inter-VM on the same machine to another machine that has a completely different set of access credentials, creating a more potent infection. Virtualization adds another level of complexity, further widening the security gap. We have seen some interesting developments this year, including a unique Flash crash (potentially exploitable) that only occurs in a virtualized environment.
2) Information, Protect Thyself
**January 2010: **“Information-centric security, rather than container-centric security, will be necessary in the next decade as access to data will continue to evolve outside the traditional network.”
**June 2010: **We are now knee-deep in digital storage. Information can be stored anywhere: digital cameras, printers, picture frames, thumb drives, laptops / netbooks, etc. The number of containers is growing, while the sensitive information remains relatively the same. This is precisely why enterprises and administrators need to think about policies and a security framework that police information as it comes into and out of the network, no matter what the container.
3) Get Your Head, Not Your Security, Out of the Cloud
**January 2010: **“Adopting cloud-based services opens organizations up to many risks and vulnerabilities as information travels to and from protected networks via a public pipe, creating many more opportunities for data infection or theft.”
**June 2010: **Information continues to flow through public pipes. For example, Facebook has now introduced social plug-ins. Information that is already available from one source is bound to be integrated to other public platforms, spreading potentially sensitive data though cyber space. Once information leaves your fingertips, it becomes very difficult−if not impossible−to control. Thus, it is extremely important to safeguard your information before it leaves your fingertips and ultimately your data store/network.
4) Don’t Throw the Apps Out with the Bath Water
**January 2010: **“Second-layer security will be adopted to help enterprises have better application control beyond just allow or not allow.”
**June 2010: **As a packet travels, it will be shaped frequently. Second-layer (“layered”) security can be thought of as a waterfall filtering process with each tier able to extract hazardous material before it makes it to the next step. An example scenario with application control would be legitimate application traffic making it through the “allow policy,” only to abuse the application as the traffic arrives at the client. Intrusion prevention would be a good second-layer security mechanism in this example. We continue to see more vulnerabilities discovered and exploited in legitimate applications, further driving the need for layered security.
5) Security and Network Services Aren’t Strange Bedfellows
**January 2010: **“A natural evolution with the trend in consolidating network devices is to integrate more network functionality into security devices.”
**June 2010: **Fortinet has been following this trend for years, and continues to do so after pioneering the drive towards true unified threat management (UTM). For example, Fortinet's FortiGate appliance allows both application control and intrusion prevention on one device. While they both have different goals, the underlying packet inspection technology allows enhancement on both sides. As the attack surface grows, appropriate security technology needs to be developed to counter-attack. Integration of these technologies and ease of management is critical for threat mitigation from an administrative standpoint. Without this approach, counter-attack simply becomes exhaustive and wastes otherwise valuable resources.
6) CaaS vs. SaaS
**January 2010: **“Cybercriminals will take a page from the new security-as-a-service (SaaS) business model to implement their own crime-as-a-service approach, a criminal “environment for hire,” so to speak.”
**June 2010: **Crime services have been openly available in 2010, most notably through the use of simplified botnets - loader software that downloads and executes malware. These botnets will then report statistics back for quality control, so that the operators selling services ("loads") can inform their customers when and where their malicious software was installed. We also continue to observe the Cutwail spam bot being distributed with different identification numbers. These are customer IDs, with each hired bot sending spam for the customers who bought them.
7) Scareware and Affiliates Find New Ground
**January 2010: **“With consumers becoming wise to scareware, cybercriminals are expected to up the stakes in 2010 by holding consumers’ digital assets hostage for ransom.”
**June 2010: **The rise of ransomware is no longer a myth, it's a reality. We have witnessed several variations of ransomware emerge in 2010, from SMS-based locks to ones that kill applications until the user has paid the recovery fee. Detection levels have grown stronger in 2010, with variations of ransomware making their way into our top ten threat listings. While volume increases, attack strategy and technology continues to grow increasingly sophisticated. Combine this with solid encryption algorithms, and there is no doubt that ransomware will continue to plague cyberspace as we move through the remainder of 2010 and beyond.
8) Money Mules Multiply
**January 2010: **FortiGuard said, “Unwitting consumers may find themselves accessories to a crime as cybercriminals find new “mules” to launder their ill-gotten gains.”
**June 2010: **We have observed numerous instances of this trend and highlighted several examples in our threat reports. These socially-engineered attacks dupe users into fraudulent jobs that may sound innocent by description. Typically, the recurring job descriptions we observed in 2010 were accounts receivable ones, which involved the candidate receiving and forwarding funds while taking commission. Be very cautious of such promises, as there are legal implications - if it sounds too good to be true, it generally is.
9) Multiple Platforms in the Crosshairs:
**January 2010: **“With a growing number of users on new platforms, cybercriminals will target their attacks beyond Microsoft Windows.”
**June 2010: **As predicted, we have seen an increase in mobile threat activity. Symbian OS still remains a favored attack platform - viruses like Yxes are becoming more increasingly sophisticated while others, such as Enoriv, are just starting to emerge. As other operating systems such as Android continue to gain momentum, they, too, could shortly pose similar threats.
10) Botnets Hide through Legit Means
**January 2010: ** “Botnets will no longer just obfuscate their binary codes to escape detection. Instead, they will piggyback on legitimate communications vehicles to propagate and cloak activities.”
**June 2010: **This year we have described several new botnets that have come into scope, each using common protocols such as HTTP to do their dirty work. On top of this, botnets, which existed before 2010, continue to remain strong and develop their protocols to obfuscate activity. This is big business and seemingly has become a primary focus for botnet developers.
A new development we discovered this year was Webwail, a Web-based scripting engine that can create accounts through the Web (such as Yahoo, Hotmail, GMail, etc) and then spam through them. In order to do this, CAPTCHAs are cracked dynamically (another example of demand for a CaaS market) by a third party, so that the Web bot may proceed as if it were human. While we have only observed Webwail to create and send spam, our analysis indicates it is much more capable. For example, it could easily spam through social networks. Other new developments include mobile threats and heavy use of document-based exploits through PDF and Flash. For more information on these, please refer to our FortiGuard Center and Blog which is regularly updated to feature such content.