Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

CyTRAP Labs’ IT security predictions and trends for 2007: Top ten threats and exploits

December 31st, 2006 · No Comments ·

Joining in the crystal ball gazing fun, here are our predictions or Prognosen (in German) for 2007. There are still a few hours left in 2006 but here they are, read on.

1) Hasty la vista

Early Microsoft Vista users will have to deal with a number of zero-day vulnerabilities, worms, catch a bunch of viruses and their PCs may end up as Zombies. As a result, it is wise to put off updating to Windows Vista until Microsoft can demonstrate that it has created a master-patch.

2) Patch this Microsoft

The big patch to fix many security as well as usability-related issues will be ready for download sometime during 2008 (remember SP2 – the huge patch we downloaded for Windows XP?), effectively delaying the rollout of Vista for another year.

3) Social networks become the threat on the net

The use of bots, computer programs that perform automated tasks will result in the first huge denial-of-service (DoS) attack from one of the better known social networking or Web 2.0 type sites such as MySpace and YouTube.

Just imagine, establishing a huge botnet with all the users and thereafter, using the latter to distribute and raise havoc with a zero-day vulnerability – a disaster just waiting to happen.

4) Be aware and take care against ransomware

Home users and enterprises will become victims of ‘ransomware’ which locks up data with, for instance, a cryptovirus, until they pay to have it released.

Be prepared for 2007 sign-up now, to be the first to know what matters most to security and risk experts like yourself:

5) Triple play the malware way

Malware authors will be creating a phishing tool in the form of a browser toolbar presented as an effective add-on to fight off spyware and phishing attacks.

6) Welcome Cross Site Request Forgergy (CSFR) exploits

CSRF is where XSS was five years ago but exploited for financial gain black hats are not far away. Expect the first web worm take advantage of this opportunity.

7) Pan European effort to establish recognized security rating – ‘security readiness’

Ever greater dependence upon security metrics will begin to weigh in on decision processes. Discussions regarding the regulatory framework will be launched by the European Commission to develop a ‘security readiness’ directive.

In the U.S., the National Vulnerability Database folks (under NIST – people who publish CVE numbers) have been calculating an interesting number for a while now, which is the ‘Workload Index‘ for security professionals whose duties include the handling of vulnerabilities. It’s a single number, which is good. Neither is its calculation a secret so watch this index.

The ‘security readiness’ directive should become the basis for an index or scoring system for organizations. In turn, it will help citizens in making a better informed decision which organizations to trust and which ones to avoid for doing e-commerce with. This represents the beginning of an unified metric that organizations will be required to report against.

8ball - predicing IT threats and exploits for 2007

8ball – predicting IT threats and exploits for 2007

8) Patch Tuesday goes cross-vendor

To simplify things software makers will begin pushing out patches coordinated with Microsoft Patch Tuesday by having Microsoft publishing links to recent patches for third-party Windows applications. In fact, some patches will be bundled with the Microsoft ones and delivered directly via Windows Update or other mechanisms once revenue, legal, testing and support issues will have been resolved between Microsoft and the software vendor(s).

9) Unsichere Heim-PCs – insecure home PCs and zero-day exploits

Home users are ever more likely to have a broadband connection and staying online longer. In turn, they are ever more vulnerable to attacks and exploits against Windows, Windows Vista and Microsoft Office application software pre-installed on most (90% or more) new PCs across the European Union.

CyTRAP Labs zero-day vulnerability list and looking at our risk exposure index (TRI) as well as the worrisome exploit index (WEI) BOTH indicate that threat exposure for Small and Medium-Sized Enterprises (SMEs) is getting worse. Beware and take care is required to minimize the risks but, more importantly, we believe that things will be such that the higher level threat will trigger a larger number of exploits by criminals hurting citizens and SMEs during 2007 than was the case in 2006.

10) Usability will continue to win over security

New applications will continue using defaults that promote usability over security

Unfortunately, it will take about nine months worth of Microsoft marketing clout to create the notion that Vista and IE7 are user friendliy as well as secure.


The above 10 predictions are food for thought. We will see December 2007 how well or bad we did. In the meantime, happy and secure surfing for 2007. And PLEASE let us know what you think about our predictions, we appreciate your constructive feedback.


→ No CommentsTags: csfr · forgergy · locks · myspace · ransomware · triple · youtube