Online threats to organizations have shifted to a higher level this year than ever before, says a senior executive of a software security firm.
“I think the overall theme is what people are saying everywhere; it’s getting serious,” Rod Rasmussen, president and chief technology officer of Internet Identity, said in an interview. “This is no longer fun and games or even stealing money, credit card information from someone to make a quick buck.”
It was one of top seven security trends Tacoma, Wash.-based Internet Identity (IID) spotted during the last 12 months.
IID named 2011 “The year of the data breach”. Everyone from Sony Corp.’s Playstation to RSA was targeted and mass amounts of client data was lost into the wilds of the Internet. “It’s not ginormous like the TJ Max leak a couple of years ago but people are leaking data all over the place,” Rasmussen said.
He attributes this gain to a new black market for data stealing software. “It’s the commoditization, the commercialization of crimeware,” he said. “Anyone can get a ZeuS kit or a SpyEye.”
Rasmussen said cybercrime has undergone a sophistication in the last couple of years. “There’s a couple of different guys in the Eastern block [of Europe] that have combined and shifted around who have what source code for what,” he said. “New versions of these tools are coming out, with plug-ins and all kinds of stuff.”
Another trend is the boom in mobile malware due to the proliferation of smartphones. “There will be far more mobile phones, or smartphones, than desktops and laptops in the near future,” he said. This has led to a shift in focus for malware makers since mobile devices don’t have the kind of deep security infrastructure that desktops have.
Police involvement in investigating cybercrime and the resulting increase in the number of arrests was another trend. “One of the things we talked about this year that we’ll be talking about next year is getting the bad guys arrested and what will happen to them,” he said. “We saw law enforcement actually get some long term gangs. Law enforcement and long term protection is getting better and better and better … They’re getting their act together.”
Rasmussen said that law enforcement are getting better about working with other involved governments, allowing them to prosecute and arrest criminals wherever they are. “Even if they’re attacking people in your country, they’re using resources overseas,” he said.
Attacks on domain registries have also become more common, IID noted. Attackers are being thwarted on front end sites, so have been forced to hack sites by going after the domain providers, or registrars. What is also concerning about this, Rasmussen said, is that those criminals have begun using social media in earnest. LulzSec and the hacking collective called Annonymous both took to social media sites to further their respective causes this year.
The last two trends IID listed were malware with a purpose and SSL certification flaws. Malware with a purpose is a trend that began before 2011 but grew in prevalence this year. Instead of targeting individuals with the sole purpose of extracting credit card information, criminals are aiming higher using malware. By attacking a specific employee, hackers have managed to use their access to pilfer whole company databases and resources.
The final trend is SSL certification, which, Rasmussen said, just plain needs updating. “(We’re) probably going to see stuff like Safe CAs and plug-ins like that to control the user experience instead of ‘we trust the browser guys’ or ‘the guys who build our apps’ to trust SSL,” he said.
The full list of IID’s 2011 Top Internet Security Trends is at www.internetidentity.com.