In this article I have identified five influential security trends to watch in 2012. The results, identified by a team of highly experienced accredited security professionals and based upon extensive tests at client sites, suggest security threats are becoming more targeted and personal.
Hackers are sidestepping automated security technology and are using social engineering and data mining to orchestrate attacks against prominent individuals and their corporate networks.
This trend has been brought about through advances in network protection and tighter regulation both of which have conspired to make it more difficult for hackers to compromise systems and create widespread disruption.
Traditional techniques such as SQL injection, web app hijacking and unauthorised server access are now being bypassed in favour of more rewarding social engineering practices which yield the data necessary to carry out highly organised systematic attacks.
Five influential security trends to watch in 2012 are:
1. The human perimeter
Attackers are increasingly exploiting the weakest part of the LAN/WAN: the user. Social engineering is fast becoming the leading attack vector for Advanced Persistent Threats (APTs) as hackers harvest data direct from the user, coercing them into parting with information or persuading them to click on email attachments or web links.
Expectation: further examples of the socially engineered email attacks combined with zero day exploits as perpetrated against RSA and its client base, Operation Aurora and Google GMail.
Prevention: Frequent staff training and refresher courses are vital. Security processes may be perceived to be hampering working practices so ensure procedures are tailored to the business to prevent users circumventing them. Use a sender email framework to identify suspect email.
2. Media mining
Users are now hyperconnected, communicating over multiple touchpoints, from email to social media websites such as Facebook, LinkedIn and Twitter, to forums and interactive websites. The importance of these social media channels will increase due to the immediacy and collaborative working opportunities they afford. Contactless payments are also on the rise and vulnerabilities specific to radio communications could see the compromise of wireless technologies.
All of these communication channels are sources of ‘information leakage’ and can be mined for data to launch various attacks.
Expectation: social media and active media sites will increasingly be mined for information in order to crack passwords, perform identity theft or to socially engineer access to a network or building. Other avenues such as RFID and radio frequency channels could also provide valuable personal information by hacking voicemail or intercepting calls.
Prevention: The work/leisure divide no longer exists so be prepared to educate users on how to protect their anonymity and lock-down information on social media sites. Provide clear guidelines on acceptable use.
3. ‘Bring your own’ device issues
User-owned smartphones and tablets are now being accommodated in the workplace through ‘acceptable use’ policies which enable the enterprise to control problematic areas such as authentication and file transfer procedures. However, far more rudimentary problems, such as ‘shoulder surfing’ are seldom addressed. The highly visible screens make it relatively easy to shoulder surf in public locations and observe log-in details during the authentication process.
Expectation: opportunist theft will rise as hackers record log-in details or observe transactions and then replicate these.
Prevention: Revise network access restrictions via remote and wireless connections. Strengthen access control through regular password renewal, two-factor authentication over VPN, review role-based access privileges and carry out regular auditing and penetration testing.
4. USB jacking
USB ports are the Achilles heel of the PC. USB-specific vulnerabilities surfaced this year that include new payloads used to shortcut files and infect a fully-patched terminal running Windows 7. Microsoft swiftly took action but the incident attests the fact that new forms of USB malware are emerging.
I have detected a new threat in the form of specially engineered USB keys which can be used to hijack a client device. The USB payload is able to obtain access to the computer memory and take control of the device even when in dormant locked-down mode. Once the hacker has obtained control of the PC via the USB port, they can browse information held on the hard drive at leisure before attempting network access.
Expectation: The emergence of new malware payloads will see the USB become a greater threat to the PC and corporate networks.
Prevention: Ensure the security policy provides clear guidelines on USB and external device control: users often mistakenly believe that only previously used devices are vulnerable. Traditional USB malware can be detected by scanning removable devices and disabling the autorun feature. New breeds of malware will require more sophisticated monitoring techniques.
5. Cloud concerns
While security concerns over housing data in the cloud have thus far proved unfounded, 2011 did see attacks against DNS/SSL certificate authorities (CAs). The CAs use SSL certificates over web servers to authenticate to other computers, including browsers. Despite purporting to be ‘secure’, these certificates were easily compromised.
Next year could see the emergence of APTs targeting data held in virtual environments. The ramifications of a cloud-based attack on the virtualisation software used to separate customer data, for example, could prove catastrophic.
Issues also remain over the control and ownership of data in the cloud. Recent legislation such as The USA Patriot Act, which essentially grants the US government the right to access data in the cloud without the user’s permission, could also dampen enthusiasm for the technology.
Expectation: Cloud computing adoption among medium to large enterprises will slow due to legislative changes. APTs will seek to exploit cloud-based data. There will be a rationalisation of the cloud while businesses consider how to use it to greatest effect without compromising data integrity.
Prevention: Ensure only non-sensitive data is held in the cloud and provide guidelines on the use of cloud-based file sharing. Protect wireless and wired networks through the use of a DMZ, with sensitive information held offline or on a separate dedicated network.
Much like car theft, we’re now getting the point where security systems are deterring would-be thieves from directly targeting corporate systems. Instead we’re seeing a growth in direct data gathering; equivalent to the directness of carjacking. Social engineering and manipulative emails are being used to solicit information to carry out these targeted attacks.
The question should be not be will these attacks happen but am I prepared? It’s only through a combination of user awareness and regular penetration tests that the organisation can hope to counter these and other evolving threats.