Cross-platform infecting, but Windows based. In terms of Stuxnet, it carried within it malware to infect the Siemens industrial software and equipment. I expect we will see more of that. And I expect it will be exploit-driven. Someone will open a Flash file or a Word document and the file will drop on the system.
The malware itself won't change, we'll just see more of what we have now because the underlying platforms are still the same. They are just going to be using new vulnerabilities, blasting their way in and doing the damage they're designing it to do.
If you predict malware will be increasingly designed to sabotage companies or government infrastructure, who do you think the target might be? A person with a position of authority, or privileged access, within an organization?
Exactly. And if you want to launch a directed attack against some organization, you need a lot of information about them. You can't just throw a virus in an email and hope it works. You actually have to craft a special email that looks like it came from a person two floors down, talking about stuff that you should be possibly talking about and attaching a document or something you could be expecting to get from them and that someone might reasonably open. That's how it works. They call it advanced persistent threats; that's the buzz word. But really what it is is spearphishing.
If you want to spearphish someone, you have to know them. You have to understand them and know what they are interested in. One thing that alarms me is there are 800 million users on Facebook and most of them can't even spell security, let alone care about it. Facebook does their best and takes security seriously, but they've got a million people developing apps for them and I'm fairly confident that not all the million have security interests in mind.
And there are so many people building apps for smartphones. Very often, there is no clear way they are getting a dollar out of it. That's always alarming to me. To build a good app, it takes six months. So if someone is putting some time and effort in to it, you have to question: how they are getting their pay back? If there is a trial version that you eventually upgrade to a pay version, that's OK. Or if it's a brand building app, like the Weather Channel, obviously there is a pay-off there.
But if there is no obvious pay off, we should be concerned. We don't know whether it's adware or information gathering, but people are creating these apps for a reason.
Sign up for CIO Asia eNewsletters.