• United States




2011 was the year of the cyber criminal

Jan 03, 20124 mins
CybercrimeData and Information Security

Cyber crooks raided networks, pillaged data, and wreaked havoc in 2011, thanks to our persistently shoddy IT security practices

In the world of IT security, 2011 was a great year — for cyber criminals. One exception would be a certain Russian cyber crime ring pushing spam for meds. But outside of that global aberration, it’s been a good year for the villainy of the Internet, in part thanks to end-users and organizations who have once again failed to take basic steps to protect themselves from attacks.

Few companies, if any, were patching in 2011, not even enough so to prevent the most common malware attacks. I’ve yet to visit a single company that has adequately patched Adobe Reader, Adobe Flash, or Java, all of show up on top 10 lists of the most exploited client-side software, month after month. Whenever people tell me they have high confidence in their great patching, I always check for those three products, and the customer is always — I repeat, always — unpatched. I’ve yet to find a client that had all their Internet-facing routers patched. Never. It’s been 20 years.

[ Also on Catch up on the major changes that took place in 2011 for cloud computing and the consumerization of IT. | Look ahead to the IT jobs landscape and developer trends for 2012. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

Luckily for most cyber criminals, end-users still readily use the same password among most of their websites. Attackers were eagerly compromising the weakest websites to swipe credentials for breaking in to into the more secure, more popular websites. That phenomenon has driven some site operators to reset all user passwords. We’re all sharing the same pool apparently.

Advanced persistent threats remained a huge problem in 2011. We had documented, coordinated, long-term, successful attacks against much of our critical infrastructure, including government and military targets, nuclear labs, the chemical sector, and energy and water utilities. (I apologize if I left your sector out.)

I don’t know a single security expert with hands-on APT experience who doesn’t think that every large company in the world is already thoroughly hacked. That’s a startling statement, and the best you’ll get out of critics is that maybe not all are hacked, just most. I’m not sure I can celebrate that potential silver lining.

In 2011, we started to see how incidences of hacks causing millions of dollars in reputational damage, such as the attacks on RSA and the Sony PlayStation Network. But it doesn’t even take that much damage to end your company completely. Multiple digital certification authorities are no more.

Truly weaponized worms emerged in 2011. There is no better example than Stuxnet. Stuxnet was discovered in June 2010, but it wasn’t until 2011, after heavy analysis, that we all understood just what it could do and how well. It was likely the world’s first known cyber warfare malware program meant to take out a Cold War hard asset. Cyber Cold War anyone? Well, thugs were paying attention, and now we have Duqu, which is sort of an automated APT attack. How wonderful — now we get the benefits of both worlds.

After nearly a decade of pundits declaring, “This year will be the year mobile malware takes off,” it finally happened in 2011. Android is powering great phones, and it’s even severely cut into Apple’s market share. Unfortunately, the malware crews have noticed and jumped at the chance to take advantage of Google’s more open ecosystem. Expect future mobile app stores to implement code checking before allowing apps to be published. Anything else would be uncivilized.

Some people may point to lower spam rates and phishing levels as a security victory in 2011. Some of that has to do with the Russian botnet takedowns, most of it has to do with the fact that hackers are embracing more targeted, successful attacks. It’s not like most of the Internet’s email traffic still isn’t malicious — it is. “But we have DNSSEC now,” critics may say. Yeah, let me know when your company has it fully implemented.

If there is anything to celebrate from 2011, it’s that the sorry state of IT insecurity has gotten so bad that we must be getting close to a fix. It’s like dealing with an addiction: The first step is admitting that we have a problem that will not go away without intervention. We even know how to fix everything. We just need to take that first step.

This story, “Mobile security fails the history lesson,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author