SC Magazine Australia summarized Ed Skoudis and Johannes Ullrich's RSA presentation on the six most dangerous IT security threats of 2011 and what to expect in the year ahead. They are:
DNS as command-and-control
SSL slapped down
Mobile malware as a network infection vector
Hacktivism is back
SCADA at home
Cloud Security
Additional trends:
IPv6
Oldies
Social Networking
Malware
DNSSEC
The Malware item above refers to the point that blacklisting is a losing proposition and that organizations need to move to whitelisting. IMHO, this is especially true for establishing positive (default-deny) network control at the application level.
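To make the blacklisting-versus-whitelisting point concrete, here is an added example (my own illustration, not code from the presentation or the SC Magazine article) of application-level network control. It evaluates the same constructed set of outbound connection records against a denylist of known-bad program names and against a default-deny allowlist of (program, destination pattern, port) triples. The rule set, process names and destinations are hypothetical; the point is that a never-before-seen binary, or a trusted binary talking to an unexpected destination, slips past the denylist but not the allowlist.

```python
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    """One outbound connection attempt as an endpoint agent might report it."""
    process: str  # image name of the program opening the connection
    dest: str     # destination host name or IP
    port: int     # destination TCP port


# Constructed, hypothetical allowlist: (process, destination glob, port).
# Anything that does not match a rule is denied.
ALLOW_RULES: List[Tuple[str, str, int]] = [
    ("chrome.exe", "*", 443),
    ("outlook.exe", "mail.example.com", 993),
    ("svchost.exe", "*.windowsupdate.com", 443),
]

# Constructed, hypothetical denylist of program names already known to be bad.
DENY_LIST = {"known-bad.exe"}


def blacklist_decision(flow: Flow) -> str:
    """Blacklisting: allow everything except what we already know is bad."""
    return "deny" if flow.process.lower() in DENY_LIST else "allow"


def whitelist_decision(flow: Flow) -> str:
    """Whitelisting: deny everything except explicitly permitted triples."""
    dest = flow.dest.lower()
    for proc, host_pattern, port in ALLOW_RULES:
        if (flow.process.lower() == proc
                and fnmatchcase(dest, host_pattern.lower())
                and flow.port == port):
            return "allow"
    return "deny"


# Constructed sample flows. The last two are the interesting cases: an
# unknown binary, and a trusted binary reaching an unexpected destination.
SAMPLE_FLOWS = [
    Flow("chrome.exe", "www.example.org", 443),
    Flow("known-bad.exe", "203.0.113.7", 443),
    Flow("updater.exe", "203.0.113.7", 443),
    Flow("outlook.exe", "203.0.113.7", 443),
]


def compare(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (process, blacklist verdict, whitelist verdict) per flow."""
    return [(f.process, blacklist_decision(f), whitelist_decision(f)) for f in flows]


if __name__ == "__main__":
    for process, bl, wl in compare(SAMPLE_FLOWS):
        print(f"{process:<16} blacklist={bl:<5} whitelist={wl}")
```

Running it shows the denylist allowing both `updater.exe` and the misbehaving `outlook.exe` flow, while the allowlist denies them; the denylist only ever catches what someone has already named.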
The report divides risks into five categories: Economic, Environmental, Geopolitical, Societal, and Technological. What I also found interesting is that within the Technological category, cyber attacks score highest as a function of likelihood and impact. See the chart below:
The report further identifies “connectivity” as one of the “Three distinct constellations of risks that present a very serious threat to our future prosperity and security…” It then goes on to identify three types of objectives of cyber attacks, using physical-world “military strategy” and “intelligence analysis” analogies: sabotage, espionage, and subversion. Here are the examples they provide:
Sabotage
Users may not realize when data has been maliciously, surreptitiously modified and make decisions based on the altered data. In the case of advanced military control systems, effects could be catastrophic.
National critical infrastructures are increasingly connected to the Internet, often using bandwidth leased from private companies, outside of government protection and oversight.
Espionage
Sufficiently skilled hackers can steal vast quantities of information remotely, including highly sensitive corporate, political and military communications.
Subversion
The Internet can spread false information as easily as true. This can be achieved by hacking websites or by simply designing misinformation that spreads virally.
Denial-of-service attacks can prevent people from accessing data, most commonly by using “botnets” to drown the target in requests for data, which leaves no spare capacity to respond to legitimate users.
These do not map neatly onto our traditional way of categorizing threats as risks to the confidentiality, integrity, and availability of information, but they may still be useful, because what really matters is the focus on adversaries and the actions they take to threaten the confidentiality, integrity, and availability of our cyber assets.
Of course we still need to focus on assets, in the sense that we have to “harden” them to reduce the likelihood of a successful attack. But we cannot stop there, for the following reason.
The Connectivity case provides two axioms for the Cyber Age:
Any device with software-defined behaviour can be tricked into doing things its creators did not intend.
Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not been detected.
If these axioms hold, then we must go beyond hardening assets. We must also invest in technical controls that can detect both overtly malicious and anomalous behavior of those assets.
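As an added example of the kind of detective control this conclusion calls for (my own illustration, not code from the report or the presentation), the following ties it back to the first item on the Skoudis/Ullrich list, DNS as command-and-control. It runs simple anomaly logic over a constructed sample of DNS query log lines: for each client and registered domain it counts unique subdomains and their average Shannon entropy, flagging pairs where a client keeps asking for many distinct high-entropy labels under one domain, which is how data is smuggled through DNS. The log format, thresholds, and the "last two labels" approximation of a registered domain are assumptions for the example; a real deployment would use a public-suffix list and tune the thresholds against its own baseline.

```python
import math
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample log, hypothetical "timestamp client qname qtype" format.
# Client 10.0.0.9 is issuing base64-looking TXT lookups under c2.example.net.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com A
10:00:03 10.0.0.9 aGVsbG8gd29ybGQ.c2.example.net TXT
10:00:04 10.0.0.9 dGhpcyBpcyBhIHRlc3Q.c2.example.net TXT
10:00:05 10.0.0.9 ZXhmaWx0cmF0ZWQgZGF0YQ.c2.example.net TXT
10:00:06 10.0.0.9 bW9yZSBkYXRhIGhlcmU.c2.example.net TXT
10:00:07 10.0.0.9 YW5vdGhlciBjaHVuaw.c2.example.net TXT
10:00:08 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score far above words."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[Optional[str], Optional[str]]:
    """Split a query name into (registered domain, subdomain).

    Assumption for the example: the registered domain is the last two labels.
    Names with no subdomain part return (None, None).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, client, qname, qtype); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield parts[0], parts[1], parts[2], parts[3]


def find_dns_c2_candidates(log_text: str, min_unique: int = 3,
                           min_entropy: float = 3.0) -> List[dict]:
    """Flag (client, domain) pairs with many distinct, high-entropy subdomains."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "txt": 0})
    for _ts, client, qname, qtype in parse_log(log_text):
        domain, sub = split_name(qname)
        if domain is None:
            continue
        entry = stats[(client, domain)]
        entry["queries"] += 1
        entry["subs"].add(sub)
        if qtype == "TXT":
            entry["txt"] += 1

    findings = []
    for (client, domain), entry in stats.items():
        subs = entry["subs"]
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        # Both gates matter: a busy CDN has many subdomains but low entropy,
        # and one random-looking label is noise, not a channel.
        if len(subs) >= min_unique and mean_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": entry["queries"],
                "unique_subdomains": len(subs),
                "mean_entropy": round(mean_entropy, 2),
                "txt_fraction": round(entry["txt"] / entry["queries"], 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_dns_c2_candidates(SAMPLE_LOG):
        print(finding)
```

On the sample, 10.0.0.5 also hits three distinct subdomains of example.com, but their names (www, mail, cdn) have low entropy, so only the 10.0.0.9 / c2.example.net pair is reported. That is the general shape of a behavioral control: it does not need a signature for the malware, only a model of what normal use of the asset looks like.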