According to a new report released on December 16, 2008, by security vendor VeriSign, 2008 was designated the year in which cyber security threats and malicious activity reached a tipping point. The report entitled “2009 Cyber Threats and Trends” saw an increase in both the frequency and severity of cyber crimes and attacks in 2008 due to new exploits and organizations to perpetrate them. The report also predicted that in 2009, critical infrastructure systems and the global financial crisis would become major targets for a variety of malicious cyber attacks.

Critical infrastructure systems, most notably the Supervisory Control and Data acquisition systems (SCADA) that are used to deliver such services as electrical power transmission, oil and gas pipelines, and large communications systems are vulnerable in many countries around the world because these systems were not developed with a high degree of security in mind. The lack of security increases the potential for increasingly technology savvy terrorist or criminal organizations to launch a successful attack on these systems.

•An estimated 85 to 90 percent of the United State’s critical infrastructure systems are owned by private companies who in the current global economic downturn have little financial incentive to increase the security of these systems.

In the interest of national and economic security, political leaders may have little choice but to provide the mandatory guidelines and financial incentives to companies who own and operate critical infrastructures systems in the US.

Emerging Threats and Trends

As the world struggles to emerge from the global economic crisis in 2009, cyber-criminals will be developing new fraudulent schemes and strategies to entice victims into providing them with the credentials needed to access financial assets of unsuspecting victims. Internet users could also be lured into turning their computers into a participant of a SPAMing botnet ring – a collection of software robots, or bots, that run autonomously and automatically – that can make the SPAM operator large sums of money. The Internet not only affords cyber-criminals a certain level of anonymity, it also gives them access to a vast network of peer knowledge, how-to information sharing and crimeware – a class of malware designed specifically to automate financial crime – that can be purchased as a service.

Security experts warn that in 2009, Internet users will become increasingly vulnerable when browsing legitimate websites as hackers, who have successfully compromise web servers, place malicious code on popular, trusted sites where users expect to be safe. Placing better attack tools on trusted websites is giving attackers a sizeable advantage over past computer infection methods such as malware propagating itself via e-mail attachments, which has decreased by 50 percent in the past two years.

In 2009, we anticipate the following areas will be most vulnerable to cyber threats:

•Corporate and governmental espionage from countries like China and Russia.
•Pre-war cyber attacks like those perpetrated on Georgia before Russia’s invasion of the country in August 2008.
•An increased use of technology to plan and coordinate terrorist attacks similar to those seen in the November 2009 terrorist attacks in Mumbai, India.
•Increased use of botnets to send unsolicited commercial bulk e-mail (SPAM) for financial gain or for coordinated denial of service (DoS) attacks against businesses or governmental organizations.
•New exploits in mobile phones as more users purchase devices capable of accessing Internet based content.
•Web application security exploits that will allow a hacker to place malicious code on reputable websites that may be downloaded and installed onto a user’s computer.

More Services Moving to the Internet

Over the course of the next year, as more commercial and governmental organizations move more of their services to an Internet based service model to help cut costs as nations struggle to emerge from the global economic downturn, we predict these organizations will come under increased targeting and attack by cyber-criminals and hackers. We believe these hackers will seek data that is sellable in the underground cyber economy to foreign governments looking to increase their intelligence advantage.

It will therefore be important for leaders in these organizations to recognize the need for increasing the financial and operational resources of their IT security departments in order to ensure that a severe and widespread cyber hacking attack does not create a national security threat or negate the financial and operational gains brought by an increased use of technology.

Upcoming International Conference on Cyber Security

IT security experts and developers along with law enforcement agencies worldwide are at the forefront of defending the expanding landscape of the Internet. To coordinate and plan for the defense of global IT systems and networks, the Federal Bureau of Investigation (FBI) along with Fordham University’s Department of Computer and Information Sciences has announced the launch of the first International Conference on Cyber Security (ICCS 2009) in January 2009 in an effort to bring together global leaders in emerging cyber threat analysis and enforcement.

The conference, which will take place at Fordham University in New York City, will host more than 300 international cyber security experts who will discuss and develop strategies for combating cyber threats across the globe in the coming year. The shared expertise and insight into a multitude of cyber security trends, tools and techniques will allow conference attendees to help shape the policies and procedures needed to combat cyber threats in their respective countries and around the world.

The launch of an international conference focusing on cyber threats worldwide indicates that politicians, leaders of commercial enterprises and heads of governmental agencies have recognized the need for strong international cooperation and coordination among IT security professionals and law enforcement agencies worldwide to combat cyber-crime and cyber-terrorism.

We believe this conference is an important new development in the efforts of IT security professional and law enforcement personnel to discuss current problems related to cyber security and to propose new industry measures and law enforcement strategies to combat cyber threats in 2009 and beyond. By hosting an International Cyber Security event at the beginning of 2009, attendees have the opportunity to explore ways to address cyber security concerns in a pro-active manner versus reacting to incidents as they occur. The result could potentially save businesses and government agencies many man-hours and millions of dollars recovering from cyber-attacks and cyber-terrorism.

The conference will offer IT security professional and software developers an opportunity to discuss ways to make computer security software more reliable and automated. Improvements to security software would help stem the spike in computer systems falling victim to botnets and help prevent end users from becoming victims of sophisticated phishing schemes and virus infections. For a majority of Internet users, computer security is often an afterthought which underscores the need for security software to be pre-installed or built into operating systems and designed to maintain itself and actively defends against cyber threats with little or no involvement from the user.

The conference also offers law enforcement personnel the opportunity to discuss ways to combat online criminal gangs who are using the Internet’s ability to offer them greater anonymity and a larger underground marketplace to buy and sell illegal and stolen items online. Discussion of emerging trends like the selling of crimeware within a ‘Software as a Service’ (SaaS) model that allows criminals with little or no technical expertise to launch new types of illegal enterprises online would help law enforcement agencies worldwide coordinate their fight against criminal enterprises dispersed throughout the world.

We believe the conference will be an important forum for sharing current and emerging cyber threats facing commercial and governmental organizations and will enable these organizations to develop effective plans to combat an evolving set of new and modified cyber security threats posed by an increasing number of sophisticated hackers and cyber-criminals. However, without successful information sharing, coordination and planning, these organizations, which have limited staff and budgets, will be unable to keep up with the growing plight of cyber-crime and increasing threats of cyber-terrorism.