mailing list archives
Cyber Security: Get real about risk
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Jan 2014 19:22:34 -0700
Cyber security is an area of great interest and concern in the business
community. It is that time of the year when numerous IT security firms and
service providers set out to foresee and outline the potential threats and
probable solutions for the new year to combat them. It is a constant quest
to notify the netizens with adequate information to keep them safe and
secure. Some of the upcoming threats to watch out for in 2014 might startle
even the die-hard IT administrators and individuals using a wide array of
personal devices. Read on to find out.
We will see one major data breach incident a month, cautions Trend Micro.
Mobile banking will suffer from more cyberattacks; basic two-step
verification will no longer be sufficient. Cybercriminals will increasingly
use targeted-attack-type methodologies like open source research and highly
customised spear phishing, along with multiple exploits. In the context of
targeted attacks, we will see more click-jacking and watering hole attacks,
new exploits of choice, and attacks via mobile devices. Pretty scary isn’t
it, but staying cautious can go a long way in protecting your assets—but
more on it later.
According to Dhanya Thakkar, managing director, India & SAARC, Trend Micro,
“2013 played host to major mobile threats, a trend which is expected to
continue in 2014. This year is all about mobile banking. Unfortunately, we
can also expect mobile threats like man-in-the-middle (MitM) attacks to
increase in 2014. Android will remain the most dominant OS in the market.
But this dominance will continue to be exploited, as we predict the volume
of malicious and high-risk Android apps to reach 3 million by the end of
The “next big thing,” according to Thakkar, that cybercriminals are waiting
for could come from the world of augmented reality (AR). Virtual reality
headsets will become a disruptive technology. Not only will they change the
gaming space, they will also be used for other purposes like attending
conference calls and posting on social networks. These smart devices will
become more desirable as the years progress.
“Expect isolated attacks to start in a couple of years,” says Thakkar.
“These AR headsets will become the new favoured target to obtain personal
information. Their built-in cameras will be used for privacy attacks,
giving cybercriminals a bird’s eye view of users’ daily activities and a
means to record details like bank PINs and other personal information.”
The continued worsening of the threats we are familiar with today will grow
to the next level, says the Trend Micro India MD. Among the familiar
threats, an increasing sophistication in attacks against mobile banking,
mobile malware continuing to skyrocket and cross the three million mark for
Android in 2014, and the expiration of support for Windows XP and Java 6
that together will create an unprecedented pool of vulnerable users for
From a business point of view, enterprises expect one single solution to
address the overall BYOD challenge which is not practically feasible, says
McAfee, a wholly-owned subsidiary of Intel. BYOD needs to be looked at from
different dimensions like data loss prevention, network access control,
authentication system, internal intrusion prevention systems, internal
firewalls, securing Wi-Fi etc. This demands that companies re-look at the
security architecture and rebuild it to fit BYOD needs.
Another major trend, the Internet of Things is permeating the marketplace,
bringing physical objects together through remote accessibility across the
internet without the need for human intervention, using the same wireless
networks and internet protocol (IP) that connects your computer to the
internet. According to Ericsson, there will be 50 billion IP-connected
devices by 2020, up from 1 billion just a year ago. This phenomenon has
exploded the threat scope for these devices with ATMs, point-of-sale (POS)
terminals, kiosks, medical equipment, SCADA systems and other embedded
devices being hacked in ever-increasing numbers.
As always, the goals with predictions aren’t to scare but instead to draw
attention to possible developments based on current trends to foster
discussion and also drive research forward to meet the emerging threats as
quickly as possible. According to McAfee, in the wake of a sophisticated
threat landscape and newly emerged business models, security cannot be seen
as an instrument to stop bad things from occurring but instead as an
enabler for more efficient, effective, and agile business. This realisation
is steadily coming into effect with the paradigm of security moving from
mere device safety to protection of assets with increased awareness of risk
management and the reputational cost.
This year, there will be greater consciousness for security to be
approached from a combination of endpoint, network, and data-centric
controls for discovery, prevention, detection, response, and audit rather
than each of these elements in a siloed manner. This interlocked approach,
ensures better intelligence exchange arming companies with situational
awareness and real time for quick and strategic action.
“Organisations should begin at the core,” says Thakkar. Protecting your
core data or “crown jewels” is a priority, as this is a favoured threat
actor target. “They will try to get inside corporate networks to steal
data. Classify the data (blueprints and databases) in your core. It’s best
to assume that someone is already inside your network. Make sure your
organisation uses the proper tools and protocols to properly protect your
network. Proper employee education will also help mitigate risks associated
with data breaches.”
Also, protecting your digital life means protecting every device you own.
Even with the rising popularity of mobile devices, don’t ignore your
computers. Install and regularly patch security software to stay safe from
attacks, especially those that rely on vulnerability exploitation. With so
many internet-ready devices, you should also secure your home network. A
secure network is the baseline for security, especially for devices that
lack security features or options.
Sanjoy Sen, senior director, Deloitte Touche Tohmatsu India, says, “The
weakest link in your cyber security isn’t your technology; it’s your
people. Social engineering attacks that use targeted phishing emails or
other techniques often hoodwink users into revealing confidential
information or trick them into downloading malware. This makes it easier
for cybercriminals to penetrate your network, without even resorting to
more traditional hacking methods. Educate your employees to make sure
they’re aware of these risks and threats.”
The new year is a perfect time to get your systems into shape, too.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
- Cyber Security: Get real about risk Audrey McNeil (Jan 09)