As the end of the year closes in on us, it's time to think about the profile of the enterprise threat surface for the coming 12 months. Davey Winder has been asking the IT Security industry to do some crystal ball gazing...
Almost half (47 per cent) of enterprises predict a larger IT security spend in 2013, according to a 451 Research report. Although the average increase is likely to be in the up to 10 per cent region, some 11 per cent of those increasing budgets were looking at a jump of between 11 per cent and 24 per cent over last year’s budgets. Simply throwing money to react to IT security problems is not a solution, however, and in order to best protect the enterprise you need to be proactive.
Any intelligence that allows you to predict the kind of threats that may impact upon your business will help in tweaking your security policy, and spending, accordingly. With this in mind, IT Pro has been asking those at the coal face of the fight against insecurity to look into their crystal balls. Here are our top 13 enterprise security threats for 2013.
1. Cloud attacks
As cloud computing continues to grow in popularity, so too will the number of security threats targeting the cloud. If a service provider becomes compromised the data of every one of its customers could become compromised – making the cloud a lucrative target for cybercriminals. It’s important that companies realise that whilst they may outsource the handling and storage of their data, they can’t out-source responsibility for the data itself. If their provider’s systems are breached, and data is exposed, they are responsible.
Therefore, any risks need to be assessed in the same way as they would if they were holding the data internally. Other issues organisations should consider include: where will the data be stored, what happens to any data if organisations switch providers, and what steps are being taken to secure the data on their provider’s systems, including how they prevent other customers from accessing it.
David Emm, senior security researcher at Kaspersky Lab
2. BYOD
You might think that enough has been said about BYOD, its data leakage potential, and the increased exposure to targeted threats from user-owned devices that aren’t sufficiently protected by device-specific countermeasures (security software, pass code/pass phrase protection, internal segmentation of the network so that a mobile device doesn’t have unnecessary access to sensitive content). But you’d be wrong. One significant countermeasure is what my colleague Righard Zwienenberg calls CYOD (Choose Your Own Device – i.e. limit the range of allowed BYOD devices to those that you know can be adequately protected, and insist on configuring them accordingly before they’re allowed access to internal services).
However, some of our research data suggest a particularly worrying trend: most organisations that are going down the BYOD route don’t seem to be implementing appropriate training for end users. In fact, our data indicates that BYOD-adopting organisations are no likelier to implement security awareness training than organisations in general, where you’d think that they would at least attempt to implement BYOD-specific training.
David Harley, senior research fellow at ESET.
3. Failure to hire sufficient security specialists
A very real threat in the coming year is the reduction in non-critical IT staff, and hence the lack of urgency in hiring IT personnel skilled in creating and maintaining secure environments. It becomes increasingly difficult for lower tier managers to 'sell' the need for additional staff when the company is deemed 'secure' by upper management. In tandem with reduced staff is the move to full network integration, more common multi-site network integration, the rise of mobile devices and tight integration with cloud services. In other words, our systems and data have never been more exposed, yet the recruitment of security specialists has never been more lacking.
Management need to become aware of the tremendous importance that securing company data has to the future of their business.
Aside from the nightmare of legal lawsuits that might arise should data belonging to the public be lost, attacks on mission critical systems may also bring the company to its knees should breaches occur. There should be more emphasis than ever before on hiring staff with a background in the complex art form that is enterprise security.
Kevin Curran, Member, IEEE and a reader in Computer Science at the University of Ulster.
4. Opportunistic attacks
Over the past few years, there has been a noticeable growth in the proportion of cybercrime recorded in the Data Breach Investigations Report that is attributable to opportunistic attackers: those hackers who don’t select their victims deliberately, but pick on them because they exhibit a weakness that they can exploit. Of the 855 data breaches recorded in this year’s report, 79 per cent of all attacks were classified as opportunistic, so this is clearly a problem that must be taken seriously. For companies to avoid falling victim to opportunistic attacks, there are simple safeguards that can be put in place that do not have to involve heavy investment.
These hackers are the virtual world’s equivalent of a thief walking through a car park testing the doors. If they find a password they can guess, on an open port, then they will take advantage. So make sure your passwords are long and include a mixture of letters, numbers and symbols, so that they are more difficult to crack. These attackers are lazy; they will try the door and move on. Companies should look to keep unnecessary services off the internet and put in place simple policies and procedures relating to data security. Many of the existing solutions offer built-in security features that if enabled, will prevent many of the methods that these attackers are employing. The problem is more a lack of awareness amongst some organisations, rather than a lack of resources that is leaving them vulnerable to these attackers. As with many cyber-threats, awareness is the first and best line of defence.
Jay Jacobs, principal, Verizon RISK team.
5. Multi-Vector DDoS Attacks
Everyone has heard of Distributed Denial of Service (DDoS) attacks over the past few years given the mainstream press coverage of the attacks from Anonymous and so on. DDoS attacks pose a significant threat to the availability of our internet services, and as we have become more reliant on these services for our business continuity the risk of an attack having a major business impact has increased.
Not all DDoS attacks are created equal, though; there are actually three main categories of attack: Volumetric attacks, which are all about exhausting link or forwarding capacity either within or between networks; TCP State Exhaustion attacks, which are all about exhausting the state tables in our firewalls, load-balancers and servers; and Application Layer attacks, which are the stealthy, more sophisticated attacks, aimed at exhausting application layer resources. Attackers have learned that if they utilise multiple attack vectors at the same time their chances of taking sites and services down, and keeping them down, are increased. The recent spate of attacks against the US financial sector were multi-vector in nature.
In 2013 we will see more of these attacks, where multiple vectors are used and attack vectors are modified quickly to counteract mitigation strategies as they are put in place. We can defend ourselves from DDoS attack by using services and solutions based around Intelligent DDoS Mitigation Systems (IDMS), which are specifically designed to deal with the DDoS threat. If we put the most appropriate services, solutions, people and processes in place then we can make sure 2013 is not an unlucky year for our businesses.
Darren Anstee, solutions architect team lead at Arbor Networks, in Europe, the Middle East and Africa (EMEA).
6. Blind trust
One of the major threats is the fact that CIOs or IT managers rely on their vendor’s security strategy. They install the vendor protection system and trust it all works without verifying it. Sometimes they verify once, but as more applications are added to the system more threats are introduced, and the protection is not sufficient anymore. This factor can be limited by regular security assessment with an independent test tool.
Marc Meulensteen, security consultant, Spirent Communications.
7. Incident Response
In 2013, organisations will need to ensure that they have adequate preventative and detective security controls in place. With the perimeters of most organisations collapsing (due largely to BYOD and Cloud services), and the ever increasing number of threats against a tremendous number of vulnerabilities, it simply is not realistic to believe that all attacks can be stopped.
Enterprises will be attacked, and some attacks will succeed in obtaining access to internal systems. The goal for enterprises in 2013 should be to ensure they have strong detective controls in place and an established incident response process that can quickly contain and remediate successful intrusions to minimise the loss of confidentiality for information assets.
Andrew Wild, CSO at Qualys.
8. The telephone
Telephone payments are still a high-risk area in security terms; if card details are spoken out loud and then entered into the infrastructure of a contact centre, the opportunities for fraud are numerous. Next year may well be crunch time for many organisations; many businesses, particularly in the retail sector, have simply opted not to worry about meeting Payment Card Industry standards for voice payments as the cost of a breach is seen to be less than the cost of compliance. The result is that contact centres are likely to be targeted increasingly by fraudsters, as security on online payments has tightened.
An impending change in EU law will soon force businesses to report any losses of customer data, so there will be an urgent need to address this issue. Fixing the problem once card details enter the infrastructure of a contact centre, is costly and time-consuming, involving constant checks and controls on IT and telephony systems, as well as fierce controls on staff. The only effective solution is to remove card data from the contact centre completely.
Technology now exists to allow customers to enter card data into a telephone keypad, sending it directly to the bank. In this way, staff never see or hear the data, and details never enter the IT infrastructure of the organisation.
Tim Critchley, CEO of Semafone.
9. Big Data deployments
While Big Data offers significant business benefits, the potential for compromising large volumes of sensitive data looms large. Big data platforms like Hadoop, MongoDB, Cassandra and CouchDB lack native security controls and risk having big data turn into big data breach.
When the Big Data deployment includes sensitive data, organisations now face the challenge of understanding where sensitive data resides and then how to secure it – an issue compounded by the fact that conventional defences are no longer sufficient to protect these elastic repositories.
Organisations looking to capitalise on functionality of big data endeavours in 2013 need to deploy extensible security solutions that avoid solution silos, control access to data and extend to structured and unstructured data wherever it resides. A layered defence in depth approach that secures sensitive data with encryption, coupled with monitored access to that data, is the most robust way for enterprises to mitigate the risk of unauthorised disclosure or triggering the regulatory consequences of data compromise.
Paul Ayers, vice president of Europe, the Middle East and Africa (EMEA) at Vormetric.
10. Critical national infrastructure attacks
Over the past year, the focus of cyber attacks has seen a worrying shift from information and financial theft, to compromising critical systems in order to cause real world damage. As the cyber threat becomes ever more frequent and sophisticated, and as our world becomes increasingly reliant on technology – for example, with the internet controlling most aspects of daily life from traffic systems to cash machines to smart meters and other infrastructure – the year ahead will see such vulnerabilities increase. With much of existing national infrastructure developed prior to the rise of the internet, the focus of control system security is often limited to physical assets. As such, organisations must look to security intelligence platforms that have the capabilities to combine continuous event correlation for early threat detection, deep forensic search to understand the scope of impact and attack origin, and to ensure that even the smallest intrusion or anomaly can be detected before it becomes a bigger problem – after all, you can only defend against that which you can see. Only then can rapid and intelligent response to remediate any potential damage in real time be ensured.
Ross Brewer, managing director, LogRhythm.
11. Android malware
Android malware has exploded in the last 18 months. Some 90 per cent of mobile malware now targets Android devices and the attention surrounding this platform is only going to intensify in 2013. To date, most malware has been designed to get access to the device, but we are likely to see the use of vulnerabilities that target the operating system and the development of ‘drive-by downloads’. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store.
We’re also likely to see more mobile botnets, of the sort created using the RootSmart backdoor in Q1 2012. In order to prevent falling victim to mobile malware, businesses should install anti-malware protection on their Android devices, secure the data held on them and make sure that this can be wiped remotely if the device is lost or stolen. Businesses should also develop a policy for staff on how to reduce the risks from mobile devices. This should include not rooting the device, avoiding public Wi-Fi networks for confidential transactions, not relying solely on a simple PIN and only installing apps from trusted sources.
David Emm, senior security researcher at Kaspersky Lab.
12. Cyber espionage
You only have to consider this year’s high profile breaches to see that cyber criminals have certainly upped their game in the quest to steal data. There has been a notable shift from relatively low level attacks in an attempt to obtain credit card details etc. to social engineering, spear phishing and other large-scale enterprise assaults with the aim of acquiring sensitive data for much greater monetary rewards.
Falling victim to a cyber espionage attack is a potential double blow for enterprises, as in addition to the ill effects of a hack (such as financial losses and reputational damage), the consequences of undisclosed secrets falling into the hands of competitors can prove disastrous. During the first half of 2012 we noted an intensified danger of email-based attacks – with cybercriminals becoming more dynamic in their use of malicious URLs and attachments. Indeed FireEye’s Advanced Threat Report – 1H 2012 revealed a 56 per cent growth in email based attacks in Q2 2012 compared with Q1. The same report also found that the use of advanced malware that is capable of evading signature-based detection has risen by 400 per cent since 2011.
These worrying statistics show that the threat is escalating and is likely to worsen over time. In short, perimeter security tools have outstayed their welcome as a standalone defence. Instead, a multi-layered approach is advisable, which ensures that data defences are in place to catch the day-to-day known attacks as well as more advanced, targeted and crucially unknown malware.
Paul Davis, director, FireEye.
13. Closed-source enterprise applications
Closed source enterprise applications, such as Oracle and SAP. There have been a lot of vulnerabilities in these systems, yet the vendors lack a MAPP-like information sharing process with the IT security industry, making these systems difficult to protect. Yet SAP/Oracle systems contain business critical data and are highly valuable targets for intruders. Apple’s attitude towards security compared to its market share reminds us of Microsoft 10 years ago.
Olli-Pekka Niemi, head of the vulnerability analysis group at Stonesoft.
Why prediction has a place in security strategy
While it is impossible to predict the future with complete accuracy, there is value in making an attempt: it forms the basis of a proactive approach to risk management. As the future is uncertain, organisations must prepare for the unpredictable so they have the resilience to withstand unforeseen, high impact events. Such a forward looking stance increases organisational agility and resilience.
To do this effectively, the ISF recommends thinking about threats in the context of the most valuable assets in your organisation; consider which threats are more likely to create risk and which could have considerable impact. Finally, share these threats and resilience based approaches to mitigating risk with senior management and other functions such as risk management, risk committees and business continuity planning teams.
Steve Durbin, global vice president of the Information Security Forum (ISF).