2009 IN REVIEW
Some big predictions were made last year. Let's start by seeing how we did. The volume and severity of attacks from international sources did increase substantially. Many of these attacks were targeted towards the government and military. There were many stories and articles on this topic in 2009 that confirm the predictions made last year. We also saw a strong increase in targeted attacks towards utilities and other critical infrastructure systems. It wasn’t just the U.S. either; this was widespread across many nations.
As predicted, botnets did not pose a significant threat, especially to small and medium-sized businesses. While botnets such as those based on “Conficker” were feared, and there were even some days when some in the industry braced for something big, nothing much happened that caused a large-scale impact.
Another prediction was an increase in the exploitation of buffer overflows. Some have reported that close to 90% of exploits in 2009 targeted Microsoft buffer overflow vulnerabilities (see Microsoft Security Bulletin MS08-067).
One big shift last year was predictions tied to the downturn in the economy and the impact that has on information security. Malicious insiders were listed as the #1 threat for 2009 and were listed as a rising threat. According to a survey released in October of 2009 by Actimize and reported by DarkReading, nearly 80% of financial institutions worldwide say the insider threat problem has increased in the wake of the economic downturn. 70% of financial institutions reported incidents of insider fraud in the last 10 months. Nearly half of the banks in the Actimize survey say they are losing 1 to 4 percent of their total revenues to insider fraud.
2010
Now we look into the future. What do we have to worry about in 2010 from an information security perspective?
#1 - Malware (Rising Threat)
In 2009, malware was listed as a “steady threat” and the 2nd highest ranked threat to organizations. I underestimated the dramatic increase in malware in 2009. Due to that increase and the number of organizations that are affected each day by malware, I have elevated it to the #1 position. This is a bit controversial since most security experts would list insiders as the top threat, but I believe in 2010 more organizations will be negatively affected by malware than by malicious insiders.
Many methods are employed today to get malware installed on systems. One primary method is the exploitation of client-side software vulnerabilities, usually in third-party applications such as Adobe Acrobat, QuickTime, Flash, and even Microsoft Office. Client-side applications are not patched nearly as frequently as operating systems. Browsers also remain a top target for criminals looking for vulnerabilities to exploit. Browser flaws and subsequent patches were common news in 2009 and will likely be in 2010.
Malware most often gets installed when the user is lured, through any number of methods, to a malicious or compromised website that can exploit one of these client-side vulnerabilities. Once installed, the malicious software acts as a Trojan horse, performing any number of malevolent acts; examples include information-stealing keyloggers, fast-flux botnets, relays, and remote control agents. In 2009, the Zeus Trojan began spreading via drive-by downloads (malware sites that automatically infect systems that simply browse the webpage) and was capable of spreading, capturing financial data, and a variety of other things.
IBM reported that during the first half of 2009, malicious links on websites increased by 508%. Much of the malware distribution is performed by organized cybercrime networks. In 2009, the FBI reported that for the first time ever, revenue from cybercrime had exceeded drug trafficking as the most lucrative illegal global business, estimated at taking in more than $1 billion annually in profits. Individual hackers and groups loosely tie themselves together into an organized criminal hierarchy where common goals are achieved through a reward system.
Malware is used in all the major cases you hear about in the news. Heartland, TJMaxx, Hannaford, and many other companies have seen the effects of malware installed on their systems. Many organizations go months and sometimes years before the malware is discovered. According to a study released by the Verizon Business Risk Management group, malware contributes to about one third of data breaches.
#2 - Malicious Insiders (Rising Threat)
Malicious insiders were listed as the top threat for 2009 but have fallen to the #2 spot for 2010. With the downturn in the economy, it was no surprise that many desperate and disgruntled employees attempted to exploit the companies they currently work for or previously worked for. Here are just a few of the 2009 stories: