As with most of technology, security goes through periodic changes, cycles and generations. Hardware, software, applications and methodologies all mature, become commoditised and standardised to the point of being invisible, and then are reinvented in a new evolved form. New platforms and new devices create new opportunities but are also subject to new evolved threats – something that remains true of security.
Cloud Computing: a brand new landscape for threats
IT security threats evolve and adapt to the new IT environment. As corporate and personal IT usage habits have changed, so too have the types of security threats present in the world. New IT practices like Cloud Computing give end-users great benefits in terms of mobility, flexibility and productivity, but they also give malicious third parties new routes to breaching security and increase risks. So while the Cloud has given users a whole new world of mobile computing, it has also created a whole new landscape for hackers and viruses to attack from.
The rise and rise of mobile usage and the Cloud have seen third party attackers change their approaches. Cloud services, social media websites and smartphone operating system devices have all become new targets, while traditional user data and website denial of service hacks remain popular.
Recent malicious examples have included the damaging losses of customer passwords by a number of corporates and office building control system hacked into. Similarly, it was revealed that key financial institutions have been compromised by a phishing attack. In the light of hacking attacks on various institutions, for governments and enterprises in general, cyber security should be among their top concerns. The risks posed by hackers and phishing attacks haven’t gone away, they’ve just evolved.
The ever-changing nature of the cyber security threat
Cyber security attacks and the ways in which they affect people and organizations are always in a state of transformation. As one IT specialist finds a solution to a particular problem or type of attack, so the creative hackers out there come up with something new and improved.
So as the Cloud has played out its role as both a disruptor and an enabler in the technology world, so too new threats have emerged from it. The leading threat to both organisations and individuals is data breaches. Companies fear sensitive corporate data falling into the hands of competitors; private citizens fear their bank details and credit card information being misappropriated and abused. This is of course not a new threat, but the Cloud enables new routes to the hack, with virtual machines and poorly-designed multitenant databases both offering different access points.
In addition to data breaches and data loss, there are the ever-present threats of account hijacking and denial of service, both of which can now be attempted differently thanks to the Cloud. API keys – the coding that Cloud applications use to identify each other – are another tool in the hacker’s armoury, allowing malicious parties to launch denial of service attacks or accumulate fees and charges on a victim’s account.
Security: a critical business issue
Advanced Persistent Threats (APTs) are becoming a key concern and are receiving a higher profile. They typically fit into the cybercrime category directed at business and political targets. Commercial & political cyber espionage is currently in the news and new disclosures are happening on a daily basis.
APTs are typically categorised by a high degree of stealth and longer term objectives directed by groups or organizations rather than individuals. They coordinate multi-vector email attacks against a specific business, educational, or government organisation. An APT might consist of a combination of socially engineered email with a URL attack, credential request, compromised websites and malware in order to steal information. APT attacks are difficult to identify. However the theft of data should never be completely invisible. Detecting anomalies in outbound data is one of the methods for identifying that a network has been the victim of an APT attack.
What this means is that it is time for companies to start thinking about security as a defined strategic issue. Data security threats and attacks are major factors in successfully achieving regulatory compliance, whatever industry a company might be in. Non-compliance through having inadequate protection of corporate and customer data is a terrifying thought for any company director, so cyber security now really needs to sit at the top of any senior executive’s ‘to do’ list.
The end-users’ challenge
At an individual level, the Cloud has helped to bring phishing into the mainstream of cyber security threats. Phishing was previously quite an insidious tactic, but today it has become incredibly brazen and up front, particularly in the mobile world. Because people now use their mobile devices by second nature, often inputting their password dozens of times a day, users are simply less vigilant.
It is estimated that mobile users look at their devices for one reason or another up to 150 times per day – this means entering that precious four-digit PIN code repeatedly – and how many end-users are really certain about what site they are distractedly tapping their password into?
Changing threats mean changing strategy
Read more: Gartner Security and Risk Summit Opens
To address this ever-changing security threat, a change of thinking is required. For many years, companies and governments acknowledged the need for IT security, were both aware of and concerned about the threats involved, but were still very reactive. So this change in thinking means no longer considering IT security as ‘just’ an IT issue. The focus must change to making cyberspace a strategic asset which requires as much security as physical borders and buildings do.
Governments are taking the proactive step of investing in cyber security, identifying the threat as a strategic one which affects not just ‘the Web’, but the country’s entire economy, infrastructure and the nation’s future prosperity.
Risk management is required at all three levels
The evolution of cyber security threats to the new environment means that the threat exists at three different levels
• the personal
• the organizational
• the nation state or community level
At each of these levels, the consequences can be dramatic and risk management is required at all three levels.
This article is brought to you by Enex TestLab, content directors for CSO Australia.