December 27th, 2006
Top Ten Threats for 2007
I had some time last week to think ahead a bit. I was on a twelve hour round trip flight to Maui just to get frequent flier points with Northwest. I know it sounds like a horrible waste but you do crazy things when you are facing a year of commuting from Detroit to California in coach class. One miserable evening will help me avoid a year of shooting pains in my knees..
So, thinking ahead to next year I created my predictions for the Top Ten Threats of 2007.
1. 100% growth in revenue for cyber crime. There are lots of estimates for just how big the cyber crime economy is. I peg it at over $1 bllion and under $10 billion. Whatever it is today I predict that the quest for financial gain will spur cyber criminals to a banner year, at least doubling their overall take.
Most of my predictions are in support of this first one.
First up are the possible uses of massive denial of service attacks. DDoS is the brute force of network based attacks. Defending against them are expensive and sometimes not even possible.
2. DDoS in support of phishing attacks. A combined effort between the phishers and the DDoSers: an attack against a banking or ecommerce site along with a barrage of emails that claim the site is “down for maintenance, please log in here to access your account”, or some such social engineering attempt.
3. Successful DDoS attack against a financial services firm. While I believe this is already going on, these types of organizations are not to quick to admit when they have had to pay extortion fees. 2007 will be the year of the first high profile attack against a large US or UK bank or trading desk.
4. Attacks against DNS are the threat of the year. DNS servers are part of the critical infrastructure of the Internet. They are also an easy target for DDoS attacks. Unfortunately the collateral damage could be devastating if an attack took our one of the root domain name servers.
5. No abatement in identity theft. As long as banks continue to essentially pay off cyber criminals, by covering their customers losses as a primary means of defense, identity theft will remain a threat. Markets are developing that make it easier to monetize stolen identities thus increasing the value of stolen IDs while decreasing the cost of “moving” them.
6. More attacks against wireless networks. 2006 saw the birth of new attacks against cell phones. These include a text message urging you to call a particular premium phone number (vishing), and malware that infects phones, particularly Symbian phones, and spreads via Bluetooth and even by MMS. And finally, MMS messages that generate calls to premium numbers; a short lived but lucrative exploit.
7. MySpace grows up and gets secure. MySpace is riddled with opportunities for the entrepreneurial criminal. In 2007 the number of attacks from predators, criminals and hackers will get to the point that MySpace will tighten up its controls and monitoring. That will make it less appealing to its teenage audience will grow up and move on.
8. YouTube abuse threatens site. Like network news, email, and IM before it, the new popular service, video sharing, will succumb to spammers who post ads, ad backed videos, and stealth marketing exploits, ruining the experience for everybody.
9. Network infrastructure shows signs of overloading. The backbone providers have been resting on the excess bandwidth they invested in during the dot com bubble. But now that voice and video are really here their infrastructure is showing signs of weakness. That will manifest itself in outages, slowdowns, and a mad scramble to lay more fiber in 2007.
10. Spread of Windows Vista will have zero impact on the overall threatscape. It is too late. The cat is out of the bag. Pandora’s box is open. Adding basic security to Windows is not enough to mitigate the rising tide of cybercrime. It may be several years before Vista represents more than 50% of all machines but by then the attackers will have matured and refined their tools to the point were Microsoft cannot keep up. Reportedly you can already purchase Vista zero day exploits on the web.
This is a sad list. I will have to think of some more upbeat predictions as well. Where should I fly next?
.
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
