Jan 22, 2011

Security threats no-brainers 2011

As usual, there's been a flood of security predictions to start the new year. I found most of the predictions to be no-brainers, uninteresting and too technology-driven. Almost like the security "fashion" we are expected to discuss this year. The worst predictions seem to be made for marketing purposes. To be fair, I've also seen some great insights into security trends/threats, but those are usually not labelled under the ongoing year.

It would be great to see some proper analysis done of these different threat predictions. While waiting, I browsed through several predictions to see what the consensus is.

I checked predictions from Symantec, Sophos, McAfee, Panda, WebSense, F-Secure, Zscaler, Bankinfo Security, SANS, CIO Insight, Stonesoft, Hakin9, Help Net Security, Imperva and IBM. There are probably a lot more, but this was enough to see the common ground.

The five most mentioned security problem areas were (not in any specific order):
  • Smartphones and tablets
  • Stuxnet-like advanced attacks against critical infrastructure
  • Social media
  • Mobile applications
  • Cloud
Let's see...

Smartphones and tablets

The number of smartphones is growing fast and is expected to exceed the number of computers in a few years. Smartphones are going to be the most common device for accessing the Internet and applications. It's a safe bet that they will be attacked. Because of Apple's popularity, many predictions expected attackers to focus more on Apple devices and applications.

Interestingly, the number of other devices connected to the Internet is growing even faster, and it's expected that in a few years smartphones and computers will be only a fraction of all IP-connected devices. Think about the security problems of smart meters, vehicles and fridges.

Stuxnet-like advanced attacks against critical infrastructure

Stuxnet was one of the biggest security topics last year. It shook some beliefs about what malware could do and who makes it. It's clear that different nations are thinking about how to use malware as a weapon. Weapons need to be tested, weapons want to be used.

Social media

Everyone is rushing to join different social media and geotagging services. Criminals don't need to be brainiacs to follow potential victims. This is just a case where the all-too-familiar spamming, phishing, social engineering and malware attacks move from email and websites to social media sites.

Mobile applications

The rise of smartphones means more amateur-made, easily downloadable, cheap/free applications. Businesses and individuals want to act fast and test the waters with different applications. Security won't be a priority. At the same time, users are taught to download and install a lot of apps. Checking security features, privacy options or terms of use is just too freakin' difficult.

Cloud

Nice, warm, fluffy cloud. We used to have an eggshell security model - tough shell outside, all soft inside. Cloud services should reverse that tough/soft model. Let's hope we don't get a scrambled-eggs security model instead. Anyway, the cloud is new, unknown and uncontrollable, hence scary.

Those were the top 5 security problem areas I found in the different predictions. Pretty easy guesses based on what's new, what has happened and what's obvious. Quite a few threat lists also expected more data loss cases, more hacktivism and the ever-popular insider attacks. Combining all the threats mentioned in the predictions, we would get 30+ different threats.

If I needed to pick one of those prediction papers, I would recommend the Hakin9 article Cybercrime and Cyberwar Predictions for 2011.

If you insist on reading even more predictions and trends, I would recommend some good longer-term analysis, like Europol's Threat Assessment of Internet Facilitated Organized Crime, ISSA-UK's Information Security The Next Decade or ISF Threat Horizon 2012.

I think my last year's security predictions are still pretty much valid too :-)

Smartphones, mobile apps, cloud services and social media are not a threat per se, but they are going to be popular, useful and must-have trends/tools/services. Sure, it's good to analyse risks and design controls to manage them. We need to be aware and enhance security measures accordingly. However, I think that instead of looking at the changes from a threat perspective, it would be more interesting to think about what security opportunities these changes would bring. More about that later.