Zero-day attacks, outdated vendor patches, malware toolkits spewing out new variants in their thousands, new threat vectors from unprotected and unmanaged mobile devices.
For any IT security manager, these and other hacker-exploited perils remain constant reminders that the price of IT freedom is eternal vigilance. Yet as 2013 revs up, the spectre of 2012’s fast-growing security threats looms large and – if industry predictions are to be believed – a broad range of threats look set to continue their rampage throughout the rest of the year.
AVG Technologies’ Q4 Community Threat Report found that not only did 2012 see the debut of numerous new forms of attacks, but also they are set to continue and intensify through 2013. Exploit toolkits, for example, mare likely to continue their full-frontal assault on the Internet, with a new release of the insidious Blackhole toolkit, and new releases like Cool, fl ooding websites
with malicious code.
AVG fi gures suggested that 60 per cent of attacks in 2012 were based on toolkits, and Cool and Blackhole are expected to continue dominating the malware market in 2013.
“We expect to see an exploitation of this technology and new toolkits through 2013,” says AVG security advisor Michael McKinnon. “The best way to mitigate these is to make sure browsers are always fully up to date.”
Looking forward to 2013, AVG predicted continuing attacks on mobile users, particularly those running
Google’s Android operating system. “We have seen an explosion of malware on the Android platform,” McKinnon explains, “including the ability to side-load apps from an untrusted source. If you install it and accept permissions, it could do almost anything. You only need to use your imagination to work out what could happen.”
Slow telco-driven updates often contribute to the problem. “It often stems from the lack of updates on the Android platform, especially if you’ve purchased the phone from a telco that has a special build and have to wait for the update to come from them. Android phones should be updated as often as they can – but for many people they really don’t do that.”
Cloud security is guaranteed to be a hotspot, particularly as 2013 sees continuing growth in cloud investment by companies seeking to tap into the benefits of hosted information and, increasingly, big data sets. AVG anticipates increasing DDoS attacks against cloud-hosted systems like DropBox, Microsoft SkyDrive, Amazon’s Cloud Drive and Google Drive.
Cloud isn’t the only new trend causing security hiccups: virtually all of the key ICT investment drivers for 2013 present their own security-related threats. IDC’s top 10 strategy predictions for the year, for example, refl ect a broad range of trends that involve the centralisation of data and the shifting of security perimeters: omni-channel retailing, business analytics, automation and virtualisation,
converged on-premises systems, mobile growth, unified communications and social networks, and machine-to-machine (M2M) communications all involve new roles and responsibilities around the curation of data.
This last topic could become a security bugbear, particularly in the wake of increasing M2M rollouts on the back of services (new M2M services) like those recently announced by Optus. Those M2M services – offered through a partnership with Jasper Wireless – will support mobile health, vehicle telematics, smart metering, asset tracking, mobile commerce and more. Each of these carries its own security profi le, which will need to be addressed by organisations taking advantage of the services.
Interestingly, IDC has forecast the end of mobile device management (MDM) as IT managers re-evaluate security strategies and move away from perimeter-based security. Where security perimeters were once an adequate line of defence, they’re fast becoming a liability if companies maintain them while adopting bring your own device (BYOD) strategies: with persistent gaps between corporate security policies and the network-access rights being granted to unmanaged devices, BYOD will be one of the most signifi cant disruptive security issues this year.
A separate IDC survey of 250 Australian businesses recently quantified the threat, noting that while most businesses are coming to accept BYOD practices, fully 55 per cent of them have no formal BYOD policies for smartphones and 49 per cent have none for tablets. This represents untold security issues as the growing functionality of such devices means they can represent an imminent threat to the integrity of corporate networks and data.
Ian Yip, security and governance product manager with security fi rm NetIQ, sees BYOD at the intersection of lifestyle and technology decisions. “If you talk with organisations about how they deal with BYOD, they’ve gone through the fi ve stages of grief,” he explains.
“IT starts with denial, then moves to anger as users ask to use their iPads – until the CEO calls up and even though it wasn’t in the policy, IT makes an exception. They move on to bargaining – where they allow BYOD in the policy but only to a certain extent – then depression, and acceptance. But if you deal in exceptions, the harder it is to do security.”
Without adequate controls, the fl ood of new technologies runs the risk of washing over
corporate security frameworks. “IT needs to understand that since threats are changing, if you’re using materials and defences that are based on plans from four years ago, you’re behind the times and unprotected,” says Bob Hansmann, senior product marketing manager with Websense, who nominates BYOD, cloud and the changing regulatory environment as the three biggest challenges facing organisations in 2013.
Noting Websense statistics that suggest businesses are seeing an average of 1719 attacks per 1000 users, per week, Hansmann expects things to only get worse in2013: “The bad guys are looking at us and saying, ‘These guys have advanced and did a lot of new stuff in 2012,’”
he says. “So we’re expecting them to get smarter and to specifi cally target ways to evade security.”
Indeed, regulatory change presents challenges, particularly around the management of personal data that is increasingly being collected, analysed and used by private organisations. With interactive technologies more powerful than ever, one of the biggest threats in 2013 will come from the inevitable breaches of privacy. Changes to Australian law will update and standardise protections for consumer data next year, but they have little sway on a global scale and AVG expects to see online and mobile fi rms aggressively monetising the information they have – or the information they can find.
Security specialists at Sophos are of similar thinking, noting in the company’s Security Threat Report 2013 that the increased availability of malware-testing platforms will help malware authors slip past corporate defences. They will be assisted by ongoing issues such as basic Web server mistakes, attack toolkits with premium features, a rise in social-engineering attacks, and a rise in ‘irreversible’ malware that will refocus efforts on the need for behavioural protections. There will also be new opportunities for hackers from new platforms: AVG, for one, particularly pointed out the growth of Windows 8 during 2013 and the inevitable risks of unknown vulnerabilities.
Verizon, which offers a range of security consulting and management services through its RISK (Research Intelligence Solutions Knowledge) Team, has a slightly different outlook on the threats for this year. By delving into empirical evidence from its RISK Team’s activities, Verizon has concluded that a much more likely data- security threat revolves around authentication attacks and failures, continued
espionage and ‘hacktivisim’ attacks, Web application exploits and social engineering.
Not only did that company name its predicted top threats during 2013, but it’s put odds on them
– and they’re not encouraging. Authentication failures are involved in 90 per cent of intrusions, Verizon fi gures suggest, while there’s a 75 per cent chance of Web application exploits – particularly in organisations that don’t have secure application development and assessment practices nailed down.
Social engineering, a security-intrusions bellwether, remained high on the list. Also named were targeted attacks motivated by espionage and hacktivism – a phenomenon that used to be largely anecdotal until security fi rm Mandiant recently released a report fi ngering the Chinese government
for its involvement with a Chinese hacking group.
Growing prevalence of targeted attacks will push IT managers to develop formal incident response plans in 2013, security fi rm McAfee predicted in its look at the coming year. That firm also expects a growing number of ransomware attacks, increasing use of falsifi ed digital-certifi cate credentials to make malware look legitimate, and a growing investment by IT managers in security process automation.
Whether or not your organisation is targeted by nameless, faceless foreign hackers, you should approach your information security like it defi nitely will be. For many companies, that’s going to see a change in 2013 from monolithic security suites to best-of-breed solutions, driving process automation in areas such as identity and access management (IAM). Better IAM will be a key requirement through 2013, many predict, for knitting together the many hosted, cloud and mobile-accessed services that
employees now access.
“What we’re seeing now is a disassembly of those big suites, and organisations are starting to look at niche, best of breed solutions that are going to meet a particular requirement,” says John Havers, CEO of IAM vendor First Point Global.
“If you’ve got an organisation with a lot of history, movement and change, a system that merely provisions accounts is inadequate. Only 10-20 per cent of Australian organisations have a broad IAM infrastructure in place – and somebody at the board level has got to take responsibility for passing that through as an important thing.”
Anticipating a growing requirement for IAM, some vendors are already choosing dance partners as they target the release of new capabilities in 2013. Symantec, for example, joined with mobile-security vendor Giesecke & Devrient to combine its solutions with G&D’s Trusted Execution Environment, a secure application framework that will debut later this year as a secure version of Symantec Validation and ID Protection Service two-factor authentication.
IAM vendor Centrify has taken its own shot at the IAM pie, using a partnership with mobile giant Samsung set to deliver user authentication and access control to Samsung mobile devices running Samsung’s new KNOX enterprise-security platform. Expect similar initiatives as growing use
of new online and mobile services in 2013 mandates tighter user access controls.
No matter how much new technology the year sees, however, the importance of the human element must still be considered, warns AVG’s McMillan.
“Everything seems to be on the increase because the Internet is growing,” he explains. “We’re creating more and more data than ever before. Inevitably, that means more and more crime goes online. Ultimately, humans are the weakest link anyway. That’s not to say we shouldn’t be creating as many technical controls as we possibly can –but it’s an ongoing challenge to create technology that is user proof, and training users to be technology proof.”