Predicting the future of cybercrime and security

Alan Paller, SANS Institute

Twenty respected leaders in cyber security have predicted the future of cybercrime focusing on the top 10 security developments for 2007. Alan Paller, director of research at the SANS Institute, reports on their discussions.

Twenty leaders in cyber security, including representatives from the SANS Institute, directors from the Internet Storm Center and US state chief information security officers (all listed at the end of the article) worked together to reach consensus on the top 10 security developments for 2007.

They narrowed 40 probable computer security developments down to 10 that have the highest probability of happening and will, if they happen, have substantial impact on large numbers of people.

These developments are coming about in an environment of rapidly skyrocketing financial cybercrime (more than 400 per cent year over year growth in most large banks), deep penetration of government and other sensitive sites, increasing numbers of people around the world that are engaged in cybercrime full-time and accelerating sophistication of attack tool and methods.

We have divided them into five groups:

  • those involving mobile devices;
  • attack targets;
  • attack techniques;
  • government action;
  • defensive strategies.

Mobile devices

1. Laptop encryption

Laptop encryption will be made mandatory at many government agencies and other organizations that store customer/patient data and will be pre-installed on new equipment. Senior executives, concerned about potential public ridicule, will demand that sensitive mobile data be protected. This development provides a reasonable safety blanket to protect against an epidemic of laptop and PDA theft.

Whether the data on the stolen (or lost) laptops is ever read, the mere theft makes the company and its executives subject to security breach disclosure laws and public ridicule. If the data is encrypted, in most cases, the loss does not have to be disclosed.

2. PDA smart phones

Theft of PDA smart phones will grow significantly. Both the value of the devices for resale and their content will draw large numbers of thieves.

Attack targets

3.Targeted cyber attacks

Targeted attacks will be more prevalent, in particular against government agencies. Targeted cyber attacks by nation states against US government systems over the past three years have been enormously successful, demonstrating the failure of federal cyber security activities. Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks. Targeted attacks on commercial organizations will focus on military contractors and businesses with valuable customer information.

The most common technique used in targeted attacks against military sites is spear phishing. Spear phishing uses fake emails sent to the employees of a target organization. The email seems to come from a key manager of the target and orders each recipient to load a piece of spyware or to provide log-in information that the attackers use to break in and steal important data.

4. Cell phone worms

Cell phone worms will infect at least 100,000 phones, jumping from phone to phone over wireless data networks. Cell phones are becoming more powerful with full-featured operating systems and readily available software development environments. That makes them fertile territory for attackers fuelled by cell phone adware profitability.

5. Voice over IP (VoIP) systems

Voice over IP (VoIP) systems will be the target of cyber attacks. VoIP is an immature technology that is often deployed hastily in organizations that do not understand the security challenges they will face.

A new type of phishing attack is also using VoIP technology to get bank credentials to steal money. The attacker sends an email to a potential victim saying that a bank doesn't want the victim to use the internet but needs some data verified and gives a phone number to call that seems to be in the correct (local) area code (VoIP technology allows people anywhere in the world to appear to have a local phone number in any location they choose). The victim calls the number and is asked to key in or say their account number and password. The criminals use the data to empty the victim's bank account.

Attack techniques

6. Spyware

Spyware will continue to be a huge and growing issue. The spyware developers can make money so many ways that development and distribution centres will be established throughout the world.

One of the more lucrative (for the criminals) types of spyware is keystroke loggers that wait for the victim to sign on to a bank and capture the keystrokes for the user name and password. Banks tried to fight this with graphical point and click password entry, but sophisticated keystroke loggers now also capture the images on which the victim clicks.

7. Security vulnerabilities

Zero-day vulnerabilities will result in major outbreaks resulting in many thousands of PCs being infected worldwide. Security vulnerability researchers often exploit the holes they discover before they sell them to vendors or vulnerability buyers like 'TippingPoint'.

The ranks of security researchers is growing rapidly, in part because they can sell what they find to Verisign's iDefense or 3Com's TippingPoint. Sadly by the time the researchers sell their discoveries, most have already been used by someone as zero-day attacks breaking into high-value sites.

8. Rootkits

The majority of bots will be bundled with rootkits. The rootkits will change the operating system to hide the attack's presence and make uninstalling the malware almost impossible without reinstalling a clean operating system.

Rootkit sophistication is soaring. Ed Skoudis, SANS Hacker Exploits course director, tells of a tool called the Blue Pill that uses new virtualization features of recent AMD processors to create a practically undetectable rootkit as a virtual machine hypervisor, subverting a system at an extremely deep level, far below the operating system itself.

Government action

9. Legislation governing the protection of customer information

Congress and state governments will pass more legislation governing the protection of customer information. If Congress, as expected, reduces the state-imposed data breach notification requirements significantly, state attorney generals and state legislatures will find ways to enact harsh penalties for organizations that lose sensitive personal information.

Data breach notification laws do make a difference. Executives become very focused on computer security when they fear being shamed on the front page of the local paper. Sadly the business lobbyists have used their political clout to persuade congressional leaders that state disclosure laws are overly burdensome. Committee chairmen in the US House of Representatives have drafted federal laws that eliminate much of the responsibility of business to disclose losses. The result will be a significant decline in management concern about security.

Defensive strategies

10. Network access control (NAC)

Network access control (NAC) will become common and will grow in sophistication. As defending laptops becomes increasingly difficult, large organizations will try to protect their internal networks and users by testing each computer's attempts to connect to the internal network. Tests will grow from today's simple configuration checks and virus signature validation to deeper analysis searching for traces of malicious code.

NAC controls introduce their own security problems. For example they set up quarantine zones where all systems must wait until they are brought up to the current standard. Sophisticated attackers will penetrate the quarantine zones and infect other systems with hard-to-detect rootkits. When the infected systems get their patches updated and are allowed into the sensitive network, the rootkit will still be present, ready to inflict damage or steal information.

Summary

If you have read this far, you will have seen that attacker sophistication seems to be ahead of defensive tools. That is the nature of the war between hackers and defenders: the attackers are always a step ahead. But by making the attackers' job harder and harder and by increasing the length of gaol sentences for cybercrime and improving international police co-operation and skill levels, we can continue to keep up with the attackers and, over time, begin to turn the tide.

Experts involved with the project include:

  • Stephen Northcutt, president of the SANS Technology Institute
  • Johannes Ullrich, CTO of the Internet Storm Center
  • Marc Sachs, director of the SANS Internet Storm Center
  • Ed Skoudis, co-founder of Intelguardians and SANS Hacker Exploits course director
  • Eric Cole, department chair, SANS Technology Institute and SANS CISSP preparation course director
  • Jason Fossen, SANS course director for Windows Security
  • Chris Brenton, SANS course director for Firewalls and Perimeter Protection
  • David Rice, SANS course director for Microsoft .Net Security
  • Fred Kerby, CISO of the Naval Surface Warfare Center, Dahlgren Division
  • Howard Schmidt, former White House cybersecurity advisor
  • Rohit Dhamankar, editor of the SANS Top 20 Internet Security Vulnerabilities and @RISK
  • Marcus Ranum, security products designer
  • Mark Weatherford, CISO of Colorado
  • Clint Kreitner, CEO of the Centre for Internet Security
  • Eugene Schultz, CTO of High Tower Software
  • Koon Yaw Tan, security expert with the Singapore government
  • Brian Honan, Irish security consultant
  • Roland Grefer, security consultant and editorial board of SANS NewsBites
  • Alan Paller, director of research at the SANS Institute