The Top Ten Cybersecurity Threats for 2009 – Draft for Comments

Posted on 01/05/09 18 Comments

Here is my draft list of the Top Ten Cybersecurity Threats for 2009.  Your comments are greatly appreciated.  I will publish the final list later this month, based on comments received.

— Constant negative news reporting and adverse analysis undermining public and business confidence in leadership, business management and economic recovery efforts.

— Criminal manipulation, fraud and subversion of financial markets by opportunists and competitors.

— Identity masquerading to abuse, attack, blackmail, bully, extort, terrorize or molest others.

— Criminal fraud by password and identity theft via phishing, pharming, spyware, malware and theft of hardware.

— Criminal use of botnets and botnet-like technologies, for example email (marketing and rumor) spam and denial-of-service attacks.

— Criminal exploitation of social networks.

— Criminal use of cloud computing and software-as-a-service infrastructures for cyberattacks and spam.

— Spying and theft of data by governments, industry, terrorists and other criminals.

— Sabotage, theft and other attacks by disgruntled employees and insiders.

— Natural disasters, accidents, errors and unintended consequences without malicious intent.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks

18 Comments

  1. Maureen Fleming says:
    Monday, January 5, 2009 at 10:55pm

    I am confused about your first point. What does coverage of negative news have to do with cybersecurity?

    Are you saying everyone should bury their heads in the sand so it isn’t so scary to go to sleep at night — or are you saying these reports are a threat because they are inaccurate and we can’t trust them?

  2. Stephen Craig Evans says:
    Tuesday, January 6, 2009 at 1:28am

    Hi Maureen,

    My take on it is that cybersecurity is weakened when continuous negative news undermines peoples’ confidence in their leaders. It can be dangerous if in time of crisis people do not act and do not rally around their leaders.

    To give an extreme case but a good one, in Singapore the media is positive almost to a fault. At first, it seems that they go overboard to be positive; it took awhile for me to get used to it. But, as the scifi author William Gibson once said about Singaporeans, “there’s a little bit of police in everybody”. The positivity rubs off in a good way and Singaporeans take fierce pride in their country as a whole. Which I think is a good thing.

    Just my 2 cents worth,
    Stephen

  3. Tim Bass says:
    Tuesday, January 6, 2009 at 7:57am

    Hello Maureen and Stephen,

    Thanks for stopping by and commenting. In 2008 I did a full blog post on each topic before publishing the draft, so I can easily understand the confusion. In addition, item that you are discussing above is particularly difficult to find the exact right wording and “sound bite” for, so that adds to the confusion.

    Basically, the theme of this item is “Perception is Reality”, which falls in line with Stephen’s comment. In a world of immediate communications, from publisher to consumer, globally, where everyone has an opinion, right or wrong, good or bad, every analyst and news report has immediate global reach. This creates “Perception” based on the attitude, or general perception, in cyberspace.

    The threat is similar to yelling “Fire” in a crowded move theater, however, the difference is that there might be 1000 instances of “doom and gloom” versus the one instance of “we will be OK”, the very nature of most news reporting and analyst reports. It is very difficult to shift from a flood of “doom and gloom” especially when there are factions that seek to undermine leadership, for example, for political reasons.

    Hence, the threat is not from a single person, or single criminal, the threat is from the collective, self-organizing, complex system we call “cyberspace” and all the people who pump information into it. It is also correct to say “these reports are a threat because they are inaccurate and we can’t trust them?”, as Maureen wrote, because we certainly can’t trust them. However, it is not only a matter of trust, and matter of accuracy, it is a matter of how humans react to perception and how perception is created in a world where cyberspace is “the big third eye” or “a large part of our global consciousness” (for a lack of a better metaphor), with an amazing influence over all of us.

    There are numerous, unexplored unintended consequences of this large complex system we have created and are all a part of, and this system poses (or can pose) a threat to economic, social political and similar systems and institutions.

    The question, for another day, is “how vulnerable are we to this threat?”, because risk is the intersection of threat, vulnerability and criticality. Each of these three components of risk exist independent of the other. The threat list is also independent of the other components.

    From my seat, it is easy to see that the growing capability of instance global communications, cyberspace, creates a threat based on the consequences of this complex system.

    Perception is Reality. If the airwaves are constantly full of “doom and gloom” then we will have “doom and gloom” and if our collective minds are fully of “the sky is falling” that becomes reality, when in fact, we cannot be certain how much the news and analyst reports are contributing to the overall situation, leading or following.

    The answer, in my opinion, is both; and that is the looming danger of cyberspace and the unintended consequence of instant, mass global communications in times of serious economic disaster (as we have been told we are facing today).

    I hope my attempt to explain the complex phenomena has been helpful.

    Yours sincerely, Tim

  4. Jeff Wells says:
    Tuesday, January 6, 2009 at 3:45pm

    Hi Tim,

    In your number one threat- I think that you have a point about the economic downturn affecting the psychology of security but it could easily be argued that people become more conservative and vigilant, so I wouldn’t include it in this sense in the top ten. Or maybe you need to rephrase.

    Perhaps your ninth threat should go higher up the batting order. If more people are laid off or worried about their security then they might feel justified in taking advantage of corporations.

    Another question related to economic malaise- what happens to computer records when firms go out of business? That would presumably be a much bigger threat today than last year.

    Regards

  5. Tim Bass says:
    Tuesday, January 6, 2009 at 4:59pm

    Hello Jeff,

    Great to see you here. Thanks for commenting. I will certainly keep your comments in mind as other comments come in. Speaking of comments, here is a comment just in from Glenn D. Watt, CISSP, CISM:

    ————— begin comment ————–
    Looks very good. We have actually experienced some of these in 2008 and we are very interested in Cloud Computing #7 on your list. You’ve hit the mark!

    Glenn

    Glenn D. Watt, CISSP, CISM
    Corporate Security & Privacy Officer
    Vice President, Global Information Security and Privacy
    Regulatory Compliance Department
    Medidata Solutions, Inc.
    79 Fifth Avenue, Eighth Floor,
    New York, NY 10003
    ————— end comment ————–

    I greatly appreciate all comments and perspectives. Keep those comments coming in!

    PS: Jeff, I agree that we/I need to find the right way to reword the item you mention in your reply. This concept is difficult to explain in a one-liner!

    Thank you.

    Yours faithfully, Tim

  6. Richard says:
    Tuesday, January 6, 2009 at 8:58pm

    Your number six (social networks) is very worthy of inclusion however just saying ‘criminal exploitation of social networks’ is too broad to be useful.

    I’d like to see you take more of a punt on just how the bad guys will be exploiting social networks. Will it be through identity theft, spamming, harassment, malware – all of which already take place on social network sites. Or do you foresee some new threat?

    I’m new to your lists so forgive me if this next comment is redundant already. Wha I’d like to see alongside the final list is a set of measures that can be taken to mitigate each of the risks, both by organisations and individuals where appropriate. This would make the list useful as well as being just another set of predictions.

  7. Daniel Clemens says:
    Tuesday, January 6, 2009 at 9:25pm

    I didn’t see ‘hacking’ or specifics on what what type of exploitation or espionage like activity would take place. I may not be the target audience for this type of prediction.

    -Daniel

  8. Tim Bass says:
    Wednesday, January 7, 2009 at 2:32am

    Dear Richard and Daniel,

    Thank you for your comments and for visiting. As a reminder, and I hope the reminder is not duplicating your knowledge, I would like to remind you of this 2007 blog post from last years preface:

    The Top Ten Security Threats for 2008 (Part 1) – Threats Are Not Vulnerabilities

    http://www.thecepblog.com/2007/11/09/the-top-ten-security-threats-for-2008-part-1-threats-are-not-vulnerabilities/

    In that post, I reminded readers of some basic IT security foundations,

    Vulnerability: A characteristic of the system (e.g. a flaw, bug or feature) that provides a means of exploitation.

    Threat: The possible existence of an entity – person or process – that could exploit the vulnerability.

    Generally, IT professionals do not mitigate threats, we mitigate risk, which is the intersection of threat, vulnerability and impact. So, to be precise, IT security professional do not suggest how to mitigate threats, we suggest how to mitigate risks. In all fairness, there are, of course, IT professionals who suggest mitigation against exploits (vulnerabilities) without the context of threat or impact, and in many circumstances, this is perfectly OK. Generally speaking, however, risk is discussed in context of all three necessary elements, threat, vulnerability and impact.

    For the purposes of a top ten threat list, kindly understand (discussed in 2007) that threats exist without the context of vulnerability and criticality. Hence, just because a threat exists, does not mean the threat has a channel (the means, a vulnerability or weakness to exploit).

    For more information, please see this (and related) post(s):

    http://www.thecepblog.com/2007/11/09/the-top-ten-security-threats-for-2008-part-1-threats-are-not-vulnerabilities/

    Yours faithfully, Tim

  9. Doug Davidson says:
    Wednesday, January 7, 2009 at 12:35pm

    Tim,
    An interesting list.

    I suggest that one key area of threat which we need to be cognisant of is the increasing threat of targeted and aggressive social engineering against our own staff.

    Although several people have commented on disaffected staff and you have mentioned Identity masquerading I can’t see that the increasing threat of targeted social engineering has been addressed.

    As we build ever more complex assurance barriers and controls around our information (assets) then the risk weighting for an internal compromise moves significantly towards those who have authorised access.

    Although undoubtedly the majority of this threat is through disaffected workers, there is an increasing threat that external elements will target and even pressure staff to gain knowledge or access to assets.

    This has obvious connotations in high value business activities and has been pushed up my own threat perspective given the UK focus on “treating data as if it were money” – This statements perspective has not been lost on the criminal fraternity…

    Regards,

    Doug Davidson

  10. Tim Bass says:
    Wednesday, January 7, 2009 at 2:19pm

    Hi Doug,

    Thank you for your comments. I agree with your assessment. My thoughts are that social engineering is a technique, used by many threat agents, including these:

    — Spying and theft of data by governments, industry, terrorists and other criminals.

    The rationale for my observation is that criminals use social engineering techniques to steal data, generally, in line with you comment to the effect that “data is money”. There are many ways to steal data, and social engineering is one way.

    Do you have the same opinion?

    Yours sincerely, Tim

  11. Doug Davidson says:
    Thursday, January 8, 2009 at 2:32pm

    Tim,

    Thanks for your prompt response.

    I obviously agree that criminals and other threat agents use social engineering as a tool to steal data.
    I also agree that the high level statement does address theft of data. However, I think in its current form, the statement doesn’t convey the essence of the revised threat.

    My original comment was to highlight the risk that threat agents would adopt a revised threat form (attack vector) that others perhaps need to be aware of.

    Classic social engineering techniques previously employed are either opportunistic single events or are targeted scenarios which require significant time and effort to cultivate an individual (potential threat actor) to gain the highest value from endeavour.

    I think we are (unfortunately) about to see the start of a revised version of this threat based on short term targeted brute force duress and intimidation of staff – this is especially likely given the enhanced security I previously mentioned, the likely rewards to be gained and the (current) relatively low impacts metered out through the courts should the protagonist be caught.

    The impact of this threat has already been seen over the last year in incidents of aggravated car theft, etc, where the security controls have been significantly increased to the point where it is easier to target the owner directly.

    I suggest that it is only a matter of time before this threat becomes manifest within Information Security.

    Although this threat seems extreme, it is unfortunately a logical reaction to increased assurance that we must be aware of.

    While I see that the risk that I am highlighting can fold under the topic of “Spying and theft of data by governments, industry, terrorists and other criminals” I think that the actual threat would be subsumed (ie. hidden) when I think we need to actually highlight new variants of the high level threats listed.

    This is obviously true of many other threats in realtion to the top ten statements.

    As a suggestion;
    Perhaps it would be useful to collate the agreed top ten high level threats and provide a brief overview of current and emergent threats addressed within the topic. i appreciate that this invariably moves into greater work and more detail, but I think this would provide greater insight and value to others viewing the output.

    Regards,

    Doug

  12. Tim Bass says:
    Thursday, January 8, 2009 at 7:09pm

    Hi Doug,

    Thanks for your “spot on” comments. I agree.

    Last year I did discuss each item in the list in detail. This year, I was a bit lazy and published the revised list without providing the words for each bullet item, mainly because I was busy toward the end of 2008 and did not have time to write a prelude (or an update) for each item.

    If you want to suggest how to incorporate your comments into the list, please feel free to do so. Would you add something to an item? Change some wording? Create a new item and remove another?

    I can’t promise I will do as you suggest, but I can promise that I will give your suggestion a lot of serious consideration. Last year I made a number of changes based on comments, so I am hoping this years list will also get better via an open and transparent process of review.

    Yours sincerely, Tim

  13. Doug Davidson says:
    Friday, January 9, 2009 at 4:09pm

    Tim,

    Having given your list another review, I think there is one item that i would suggest is replaced by a far more pressing threat;

    While I agree that “Constant negative news reporting and adverse analysis undermining public and business confidence in leadership, business management and economic recovery efforts” is indeed a potential issue,

    I can’t reconcile this as a cyber security threat.in its own right. I suggest that other threats articulated elsewhere (again at the high level) would certainly address the attack vectors I would expect as threat agents take advantage of any imbalance in the financial or business systems.

    In place of this, I suggest a far larger threat for 2009 is the fact that there are relatively low numbers of trained and experienced InfoSec Strategists, Consultants, and operational support staff currently available to support the assurance requirements of both the Public and Private sector.

    The secondary threat then becomes poorly trained/unknowledgeable resources introducing new vulnerabilities, etc

    We are all increasingly reliant upon complex physical, technical and administrative controls, all of which require specialist skills to correctly design, implement and operate.

    On this basis, I suggest that the lack of available staff, both now and in the near future is a significant threat to our InfoSec assurance within 2009.

    As always, I welcome wider discussion on the validity of this being added to the list.

    Regards,

    Doug

  14. Tim Bass says:
    Friday, January 9, 2009 at 4:45pm

    Hi Doug,

    Thanks for your reply.

    I disagee with your assertion that lack of resources, training, money, time, education, etc are “threats”, per se. These are simply facts of life and business contraints, not threats, by definition. Threats are people, processes, systems, entities that can exploit vulnerabilities.

    Thanks for your discussion. However, I can fairlywell assure without further debate that I will not be adding resource constraints to this threat list, as it does not fit the criteria of a threat. That is a different area of cybersecurity.

    Thank you for your comments, much appreciated!

    Yours sincerely, Tim

  15. Bill Donahue says:
    Monday, January 12, 2009 at 1:58pm

    I agree with the whole list; however, after reflection on the first point I wonder if there are not two other points that should be made — making this the dirty dozen list.
    #11: Mission and business leaders not yet recognizing that Cyber Threats but their missions and businesses at substantial risk.
    #12: Governments not yet realizing that operations in the cyber domain are as real as operations in land, sea, air and space and Cyber Operations can put “National Sovereignty” is at risk.

  16. Tim Bass says:
    Monday, January 12, 2009 at 2:03pm

    Hi Bill!

    Happy New Year! You should come to Thailand and play some golf with me, eat seafood and drink beer in the warm sunshine!!

    It is great to see one of the heavy hitters of cyberspace operations commenting, thanks for stopping by and visiting!

    Yours sincerely, Tim

  17. Geraldo Fonseca says:
    Thursday, January 15, 2009 at 2:19pm

    Hi Tim,

    Still on the first threat of your list, and as an addition to Mr. Donahue #11 entry, I would say that another potential side effect is the banalization of the issue among leaders, decision makers and governments.

    This could lead to us hearing the dreaded “It seems that, no matter how much we effort and money we invest, we are still getting incrementally insecure everyday” a lot more often…

    Best regards, Geraldo

  18. Raul Passow says:
    Friday, November 12, 2010 at 10:51am

    Hi there! Is it alright that I go a bit off topic? I’m trying to read your domain on my new iPad but it doesn’t display properly, do you have any suggestions? You can always email me at osada@gmail.com Thank you for the help I hope! Bradley