Anonymous, Hacktivism

Hacktivism increased dramatically in 2011, and for many people, cyber-attacks became an accepted form of political and social activism. While there had been distributed-denial-of-service attacks against controversial organizations in the past, there was more of a focus on getting voices heard by attacking and defacing Websites, disclosing personal information and generally causing mayhem.

While Google had previously talked about advanced persistent threats, RSA Security’s Art Coviello’s admission that the company had been compromised was the first time many organizations had even thought about APTs. Since then, APTs have become another thing for CEOs and company boards to worry about as their security teams struggle to secure their networks from unknown attackers who were sophisticated, silent and willing to lurk patiently for long periods of time.

For a while, it felt like there was a new data breach story every single week. Millions of people were potentially affected by the data breach at Epsilon, a company few had ever heard of, because its customers were big names, such as Chase. Sony’s PlayStation Network and Sony Online Entertainment were breached, and Sony became a poster-child for how not to act after a breach. But there were plenty of other incidents, such as the careless mistakes made by the Texas Comptroller’s office and lost hard drives and backup tapes containing health data.

After years of Apple faithful saying Mac users don’t need to worry about security and Apple’s refusal to discuss it, malware developers in 2011 showed how they could target Mac OS X, too. Mac Defender, a fake antivirus that infected unsuspecting users in May, forced Apple to add new basic, stripped-down antivirus features to OS X. Malware developers showed Mac users were no less vulnerable to social engineering than Windows users.

In December 2010, security pundits claimed 2011 would be the year of mobile malware. It felt like it as malicious apps flooded the Android Market that could intercept text messages, send SMS messages to prime-rate numbers and commandeer mobile devices to participate in the botnet army. The team behind the Zeus banking Trojan even came out with a mobile version, Zitmo, for major mobile operating systems that could intercept authentication credentials sent by financial institutions. It looks like 2012 will bring even more mobile threats.

Malware wasn’t the only thing to fear from mobile devices. These handy gizmos contained a ton of personal information, and it turned out much of it was not stored securely, allowing access to anyone interested in the information. Some legitimate apps were leaking data, and it turned out both Android and iOS devices were capable of tracking people’s geographic location. Reports of carriers using data collected by Carrier IQ’s software, which people didn’t even know was installed on their handsets, was just another item in a long list this year.

Every major security incident, whether it was an APT attack, security breach or a new malware family, seemed like it could be traced back to China. Dell Secureworks found evidence that the malware from the RSA breach came from China. McAfee was careful not to say the “C” word when it revealed Operation Shady Rat, a cyber-spying operation that may have affected more than 70 targets around the world over a five-year period, but everyone thought it, anyway. Japan’s Mitsubishi Heavy Industries cited a China link when it reported the malware attack that compromised its systems. Richard Clarke, the former cyber-security czar for President George W. Bush, has identified Chinas government and its industries as a major source of cyber-hacking and espionage targeting intellectual property and competitive information.

Spam and malware qualified for both the best news and worst news of the year. The Good: Law enforcement authorities around the world successfully shut down several command and control infrastructure controlling major spam and malware spewing botnets. The Bad: Criminals are developing much more targeted techniques to deliver malware that could compromise users, steal data and damage equipment. Social networking sites also became a very effective way to deliver malware.

Attacks against certificate authorities and critical infrastructure kept security professionals awake at night envisioning scary scenarios, but didn’t really spill over into mainstream consciousness that much in 2011. Even so, the attacks on Comodo and DigiNotar prompted the security industry to discuss ways to make the SSL and DNS infrastructure more secure so that users can surf the Internet without worrying about man-in-the-middle attacks or Website spoofing. The government is also scrambling to come up with rules to protect the country’s power grids and Internet infrastructure in case of a cyber-attack.

Congress was busy with cyber-legislation in 2011, introducing bills designed to protect critical infrastructure, create a federal data breach notification law, allow private industry to share cyber-threat intelligence with federal government agencies and define rules on the kind of data online services can collect about Internet users. The Stop Online Piracy Act has become a bitter battle, with major technology companies and civil liberties groups opposing the legislation that would give copyright holders broad powers to go after foreign-infringing Websites.

The popularity of mobile devices led to a surge of employees who want to use their personal devices to access work applications and check work email. The bring your own device, or BYOD trend, however, was scary for enterprises as IT departments realized the amount of corporate data that resided on devices over which they had no visibility or control. Some companies tried to restrict users from using their personal devices at work, while others tried to minimize risk with various mobile device management technologies, such as the ability to remotely lock lost devices or wipe all data if the device couldn’t be found.