The FRSecure Blog


FRSecure’s 2011 Predictions

Everybody makes predictions this time of year.  We aren’t above the hype, so we’ll take our stab at it too.  2011 will be an interesting year; of this we have no doubt.  In our last post, we looked back on 2010 and made note of the year’s most significant events.

First, let us share how we came up with our list.  We didn’t use a crystal ball this year; we actually used an informal methodology, if you will.  We used two primary indicators to derive our predictions this year:

– What are the bad guys thinking? The bad guys know the risk/reward ratio.  Where can they gain the greatest reward with the least amount of risk (of getting caught, or of being unsuccessful)?  Often the greatest return on a bad guy’s investment is realized from exploiting the human element of information security.  In general, the bad guys like to capitalize on the window of opportunity that exists between when the masses jump on a new “thing” and when the masses begin to protect themselves from the risks of using the new “thing”.  Think of iPhones, Facebook, online banking, etc.  All of these “things” were/are used without an understanding of the risks in using them.

– What do our experiences with our clients tell us? As you know (or maybe you don’t), most of our clients are small to medium-sized (SMB) organizations, ranging in size from 50 – 2,000 employees.  We have taken note of some interesting trends while working with our clients.

What information security stories do we expect in 2011?  Here are 11 predictions.

SMBs are targeted more than ever

This doesn’t seem like good news for the companies in the market we serve, does it?  Maybe not, but it is our prediction.  Why the increase in targeted SMBs?  We think of two primary factors:

– It’s easier. The information security programs in large companies have matured, and successful compromise of their controls is becoming more challenging.  On the other hand, the information security controls protecting sensitive information in many SMBs are either non-existent or severely lacking in effectiveness, generally speaking.

– It’s less risky. When attacking an SMB organization, the criminals know that the risk of getting caught is lower.  Skilled law enforcement investigators are overworked as it is, and they have to prioritize their work.  The reality is that law enforcement is more motivated to investigate large-scale attacks.  Small-scale attacks, although greatly significant to the SMB affected, may go unnoticed or will be poorly investigated.

More confusion in store for SMBs

The leaders of SMBs are confused, and we don’t expect the level of confusion to decrease this year.  It’s not that SMBs don’t want to do the right thing; it’s that SMBs are told to do many different right things from many different sources.  For SMBs, it’s like trying to shoot at multiple targets at the same time while they are all moving.  We have written about this before; see “Stop wasting money on information security!”

Understanding that it’s not feasible for most SMBs to hire full-time, skilled information security staff, where do you suppose they get their advice?

– The news. It’s important to stay up-to-date on current information security news and trends, but it can hardly be used as a sole source for advice.

– Regulations. The motivation for regulations is hardly in the SMB’s best interest, and they only cover a subset of the basic information security controls that should be used globally within an industry, geographic area, or jurisdiction.

– Auditors. Consider who the auditor works for and what they are measuring against.  Large companies send auditors to SMBs to measure how well the SMB is protecting the information shared by the large company, right?  No.  Large companies send auditors to SMBs to measure how well the SMBs are complying with the large company’s standards.  The problem is that the SMB is not the large company, so what sense is there in implementing the same information security program?

– Information security consultants. This could be a good thing, and this could be a bad thing.  There are good consultants, and there are bad ones.  How does the SMB know which is which?

SMBs need to partner with a good information security consultant.  An experienced and highly-skilled consultant that takes the time to educate is worth his/her weight in gold.

Rise in fly-by-night security companies

The economy will be better in 2011, and information security spending will increase in 2011.  These two factors present good opportunities for information security consulting companies, but unfortunately there are too many bad consulting companies.  Consider this.  You are a company that is interested in conducting an information security assessment, and you contact a few consulting companies for bids.  The bids come in at $7,500, $15,000, and $35,000.  Which one best fits the needs of the organization seeking the assessment?

We don’t know, do we?  The bad consulting companies know that you don’t know what you don’t know.

Do your research.  In 2011 there will be many consulting companies competing for business, and many of them are doing this industry (and you) a disservice.  Wasting $7,500 is not a better option than investing $15,000 or $35,000 for a return.  We are tired of hearing about information security consulting companies misrepresenting the facts, recommending solutions that don’t solve real problems, costing clients thousands of wasted dollars, and making it harder for us to re-educate business leaders.

For those of you who know us (FRSecure), we call a spade a spade.  Sometimes at the expense of being politically correct.

More regulation and government control

Legislators and their constituents are still not satisfied with the current state of information security, and as long as this holds true, we can expect more laws and regulations.

Consider the current legal/regulatory environment as it relates to certain organizations, depending upon where the organization operates and what the organization does.  At the state level:

  • 46 states have breach notification laws,
  • 29 states have data disposal laws, and
  • two states have data protection laws.

And others:

  • Sarbanes-Oxley Act (SOX),
  • Payment Card Industry Data Security Standard (PCI DSS),
  • Gramm-Leach-Bliley Act (GLBA),
  • Electronic Fund Transfer Act, Reg. E,
  • Customs-Trade Partnership Against Terrorism (C-TPAT),
  • Free and Secure Trade Program (FAST),
  • Children’s Online Privacy Protection Act (COPPA),
  • Fair and Accurate Credit Transaction Act (FACTA) and Red Flags Rule,
  • Federal Information Security Management Act (FISMA),
  • North American Electric Reliability Corp. standards (NERC),
  • Title 21 of the Code of Federal Regulations (21 CFR Part 11),
  • Health Insurance Portability and Accountability Act (HIPAA),
  • Health Information Technology for Economic and Clinical Health Act (HITECH), and
  • more.

In 2011, we expect the passage of a national breach notification law, and we expect more states to follow the example set by the State of Massachusetts in Massachusetts 201 CMR 17.

If you are an organization that has based your information security program on risk, you certainly have a leg up on legal/regulatory compliance.

ADDED:  The Obama Administration is directing the Commerce Department to develop “an Internet ID for Americans”.  What will this look like and what will the impact be?

Rise in application-level attacks, patching your operating system is not enough

We expect more successful application-level attacks in 2011.  Most organizations are doing an adequate job of patching their operating systems, but few are paying adequate attention to the applications running on those operating systems.  The bad guys know this too.

More mobile device threats and breaches

Androids, iPhones, iPads, and the like are exploding (or have exploded) in popularity.  Companies see how the use of these devices can make their employees more efficient, and many SMBs are allowing their employees to use these devices to create, access, store, and transmit sensitive information.  Unfortunately, the risks associated with using these devices have not been adequately quantified or controlled by these organizations.  As data gets more mobile, it gets harder to control.  Again, the bad guys know this.  We expect more attacks targeted at these devices in 2011, and we expect more breaches.

Increased frequency of and more impact from social networking attacks

According to Facebook, as noted from their Press Room:

  • There are more than 500,000,000 active users
  • 50% of these active users log in at least daily
  • Each user has an average of 130 friends
  • The average user is connected with 80 community pages, groups, and/or events
  • The average user creates 90 pieces of content each month
  • About 70% of Facebook users are outside of the U.S.
  • More than 2,500,000 developers and partners from more than 190 countries build applications with/for the Facebook platform
  • People of Facebook install 20,000,000 applications each day

On the surface, this looks like a criminal’s paradise!  Is it any wonder that there were so many Facebook scams in 2010, that we couldn’t count them all?  We expect an increase in 2011.  The risk is low for the bad guys, and the rewards can be very significant.  As long as this equation holds true, don’t expect anything to improve.

Facebook isn’t the only social networking site used for scams/attacks.  Expect more scams/attacks targeted at users of other social networking sites too.  Sites like Twitter, Bebo, Classmates.com, Flickr, Habbo, LinkedIn, and Myspace.

URL shorteners used for more gain by crooks

For those of you who are unfamiliar with URL shorteners: a URL shortener is a service that takes a long URL like http://www.nytimes.com/1991/10/28/sports/twins-win-win-world-series-with-1-0-victory-in-game-7.html and shortens it to http://goo.gl/ZZJHJ or http://nyti.ms/gSvDS7.  A URL shortener can be very useful for places where limiting the number of keystrokes is important.  URL shorteners really seemed to explode after the popularity of Twitter, where users are restricted to 140 characters per post.  The problem is this: we know from looking at the URL where www.nytimes.com will take us, but we don’t necessarily know where http://goo.gl/NR1ti takes us.  Do you see the increased risk of successful phishing attacks and other misdirections of user traffic?

URL shorteners are significantly more popular today than they were a couple of years ago, and we don’t expect any decrease anytime soon.  In fact, we expect an increase in their use.  This is another criminal’s paradise.  Expect an increase in attacks capitalizing on URL shortener use this year.
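A defender-side check against the misdirection risk described above, added here as an example (not FRSecure’s code): it resolves a shortened URL’s redirect chain with HEAD requests, refusing loops and overlong chains, so the destination can be inspected before anyone clicks. The shortener host list is assumed, and the sample chain is constructed from the post’s own example URLs so it runs without network access.

```python
# Added example for this post (not FRSecure's code): reveal where a shortened
# URL leads before anyone clicks it. Host list and sample chain are constructed.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

SHORTENER_HOSTS = {"goo.gl", "nyti.ms", "bit.ly", "t.co", "tinyurl.com"}  # assumed list
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # refuse to chase endless or looping redirect chains

def is_shortened(url):
    """True when the host is a known shortener, i.e. the real target is hidden."""
    return urlparse(url).hostname in SHORTENER_HOSTS

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def head_location(url):
    """HEAD the URL (body never fetched); return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:  # with redirects off, a 3xx raises here
        return e.code, e.headers.get("Location")

def expand(url, fetch=head_location):
    """Follow redirects hop by hop; return (final_url, chain). `fetch` is injectable."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain
        url = urljoin(url, location)  # Location may be relative
        if url in chain:
            raise ValueError("redirect loop: " + " -> ".join(chain + [url]))
        chain.append(url)
    raise ValueError("too many redirects: " + " -> ".join(chain))

# Constructed chain from the post's own example URLs (no network needed).
_SAMPLE = {
    "http://goo.gl/ZZJHJ": (301, "http://nyti.ms/gSvDS7"),
    "http://nyti.ms/gSvDS7": (302, "http://www.nytimes.com/1991/10/28/sports/twins-win-win-world-series-with-1-0-victory-in-game-7.html"),
}

def demo_expand(start="http://goo.gl/ZZJHJ"):
    """Resolve the constructed chain; the final page answers 200 with no Location."""
    return expand(start, fetch=lambda u: _SAMPLE.get(u, (200, None)))
```

Swap in `head_location` (the default `fetch`) to resolve a real link; only HEAD requests are sent, so the destination page body is never downloaded.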

2011 may be a banner year for hacktivism

Have you heard of the group “Anonymous”?  Did you catch wind of the “Operation Payback” or “Operation Avenge Assange” attacks?  The hacktivists made quite a statement in 2010.  Their motivation can be found in their material:

“YOU CALL IT PIRACY.  WE CALL IT FREEDOM” – Operation Payback flyer.

“Julian Assange deifies everything we hold dear. He despises and fights censorship constantly, is possibly the most successful international troll of all time, and doesn’t afraid of f***ing anything (not even the U.S. government).” – Operation Avenge Assange flyer

The group attacked dozens of high-profile sites in 2010, with varying levels of success.  We expect more hacktivist attacks this year from this group and others.

Expect at least one significant cloud computing breach

People are rushing to the cloud.  The bad guys know this.

More Mac Attacks

Have you ever talked to a Mac user about anti-virus software?  Or about patching?  Over the years, the general level of awareness has improved, but so has the popularity of Apple products.  Where the masses go, so does the target.  We could argue about which operating system is safer, Snow Leopard or Windows 7.  The fact of the matter is that both of these products were developed by human beings, and human beings make mistakes.  Generally, a mistake in software development is a vulnerability, and both operating systems are vulnerable to attack.

Simple equation.  More adoption = more attacks.  More Mac deployments means more attacks.  We know this is probably overly simplistic, but we expect more attempted and successful attacks against Macs in 2011.  Be prepared.

Conclusion

For years the state of the information security industry has been somewhat like the old Wild West.  2011 is like 1900, and we still have a long way to go.

About FRSecure

Formed in 2008, FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure helps clients understand, design, implement, and manage best-in-class information security solutions; thereby, achieving optimal value for every information security dollar spent.

Regulatory and industry compliance are built into all of our solutions.
