To round out our series of malware and cybercrime predictions here are some of my thoughts on what the next 12 months will bring. I expect more high profile arrests of cyber-criminals but no abatement in criminal activity that seeks to profit at the expense of data owners. Some of these arrests will occur in conjunction with the takedown of botnets, but the number of botnets being created will not drop. Some of these botnets will be used for political purposes and some will be based on mobile devices. In other words, the struggle--to prevent data theft and abuse that is fueled by malware which enables botnets and employs mobile devices--will continue.
My outlook for 2012 has been influenced by a variety of factors, including working with Securing Our eCity, talking to IT staff at organizations large and small, and collaborating with my colleagues in ESET's research facilities around the world. I also admit to being influenced by one of the first documents to present 2012 cybercrime predictions, the Emerging Cyber Threats Report 2012 delivered in October at the Georgia Tech Cyber Security Summit 2011. Here is the opening paragraph from that report:
Collaborative research, education and awareness are required to battle advanced and large-scale botnet attacks, mobile application exploits, and manipulation of online information.
The bold face and colored highlights are mine and I want to focus on the last of the three highlighted items: manipulation of online information. The Georgia Tech report further breaks this down into three areas: personalized content; search poisoning, and DNS/certificate abuse. The first of these items might strike you as out of place: personalized content. This is not so much a risk to the security of systems and data but a fear about the general health of our information-based society. If content and search results are increasingly tailored to individuals, at what point does this algorithmic narrowing of focus become a form of censorship? Definitely something to think about in 2012.
Of more immediate concern in the area of manipulation of online information is search poisoning. I have written about this several times in recent months and it is likely to be a popular attack vector in 2012, favored by those bad actors who seek to cheat consumers and harvest their personal data or infect their systems. How deep into 2012 SEO poisoning will remain an effective attack strategy depends a lot on Google, far and away the leading source of Search results. The fix does not strike me as that complex. Unfortunately, 2 out of the first 5 image results for "Taylor Swift" today still lead you to the same flaky survey site they fronted for a month ago. It is hard to fathom why sites like this are not being blacklisted by Google.
The third form of online information manipulation pointed to by Georgia Tech Information Security Center, abuse of the DNS system and stolen certificates, really goes to the heart of online trust. Hopefully the current debate raging over U.S. legislation that could affect how DNS operates will serve to focus efforts on making DNS more robust. However, as far as certificates are concerned, the outlook for 2012 is troubled. As my colleague Aryeh Goretsky points out, 2012 is likely to see increased interest in digitally signing malware using stolen code-signing digital certificates.
My penultimate prediction is that a lot of cyber-security awareness raising will take place in 2012, and not a moment too soon. The PricewaterhouseCoopers Global Economic Crime Survey of 2011 indicated that 2 in 5 respondents had not received any cyber security training. A quarter of respondents said there was no regular formal review of cybercrime threats by the CEO and the Board. A stunning 60% of respondents said they don’t have, or are not aware of having, in-house capability to investigate cybercrime, and 40% said they don’t have, or are not aware of having, the in-house capability to prevent and detect cybercrime.
Finally, I would say that we're guaranteed to get a bunch more cyber threat statistics thrown at us in 2012, so I leave you with a sampling of numbers I encountered during my research in recent weeks:
- The median annualized cost of cybercrime incurred by companies with over 700 employees in 2011: $5.9 million per year.
- Increase in median annualized cybercrime cost from 2010 study: 56 percent.
- Number of personal records exposed in largest security breach of 2011: 77 million.
- The going rate per record for credit card details on the black market today: $1 to $20.
- My guess-timate of the total number of records containing confidential personal information exposed worldwide by security breaches/lapses in 2011: 120 million.
- Average per person amount lost to fraud in cases of identity fraud in 2010: $4,567.
- The average take from a bank robbery in the U.S. in 2011: $7,806.
- Number of felons shot and killed by law enforcement officers or private citizens during commission of a felony in 2010: 617.
- Total number of cyber-criminals shot and killed in the history of cybercrime: 0.*
- Number of Americans who learned that they were victims of identity fraud in 2010: 8.1 million (we await the 2011 number).
- Amount lost in U.S. to identity fraud in 2010: $37 billion.
- Cost to an organization per compromised record, as reported in 2011 study: $214.
* If you happen to know of a cyber-criminal being shot and killed during commission of a felony, please let me know. While I would hate to find out that such a thing has ever happened, I do have a t-shirt to send to the first person who reports a verifiable incident (in the Comments section or by email to askeset@eset.com, one shirt per incident, awarded on a first-report-first-shirt basis).