The threats to enterprise networks continued to grow in 2012, but the tech grab bag is also getting more potent, reports Alan Earls.From a security standpoint, it seems like 2012 is destined to go out like the proverbial lion. It's been a lively ride and, according to experts, 2013 is poised to be just as interesting.
The “big buzz” in the view of Fred Touchette, senior security analyst at AppRiver, a Gulf Breeze, Fla.-based provider of email and web security solutions, will remain the influx of mobile devices in the workplace. “The biggest security implication of these devices is the same with any popular trend of the past,” he says. “These devices were built with only minor regards to their security.”
Indeed, handhelds have the same functionality as computers in the home, yet have none of the protection. “With all of the personal information kept on these devices, and the more sensitive transactions done on them, the more they become very big targets for criminals,” Touchette (left) says.
Furthermore, the emerging use of smartphones as “digital wallets” only compounds the risk, he says. “Allowing users to keep digital information – such as concert tickets, boarding passes and all of one's credit card information on a phone in order to make instant purchases simply by scanning them – is something that will look very enticing to cyber criminals,” he says.
Apps on mobile devices are another problem. David Nevin, vice president for marketing and corporate development at Taasera, an Erie, Pa.-based start-up focused on a trust-based approach for visibility and control over private and public cloud infrastructure, points out that users are often simply downloading apps from email links, which may turn out to be malware that is masquerading as an update to an existing application. The emerging solution, he says, is monitoring applications in real time as they run in bring-your-own-device (BYOD) models.
Of course, mobile is just one part of the threat spectrum that is emerging for 2013. In federal security, the growth in size, power, resources and capabilities of transnational and non-governmental organizations can create vulnerabilities, says Tim Larkins, a consultant with immixGroup, a Washington D.C. metro area firm that helps technology companies conduct business with government. “Think SPECTRE and SMERSH from the James Bond franchise – only this isn't a book or movie,” he says.
On the other hand, says Larkin, neither is it simply a matter of corrupt officials or poor regulations elsewhere. Inadequate budgets and lack of trained personnel to fight cyber crime are also factors that contribute to the power of these criminal organizations both here and abroad. The net result is that advanced persistent threats (APTs) will become increasingly threatening – and ubiquitous. “Look for ‘mini-cyber [Arma]geddons' as a result in the near future,” he says, referring to both the cumulative impact of the increasing number, scope and power of APTs and the vulnerability of the targets that are attacked. In particular, he says, “Critical infrastructure remains very vulnerable to cyber attacks.” The fact that private industry, which owns 90 percent of the U.S. critical infrastructure, has resisted any kind of government mandates for even minimal standards to mitigate threats leaves them even more vulnerable, he adds.
In a recent blog post, Jeff Carter, chief strategy officer of EyeLock – a New York-based provider of iris-centric identity authentication solutions, echoes the concerns expressed by Larkins. “These attacks are the very tip of the iceberg,” he says, referencing the massive distributed denial-of-service (DDoS) attacks during 2012 on financial institutions in the United States and elsewhere.
Rodney Joffe, CTO of Neustar, a Sterling, Va.-based provider of attack mitigation services, is concerned about these DDoS attacks and similarly scaled efforts, in particular the way in which they can be used to mask more targeted attacks. He sees growing sophistication in “botnets for hire” – sets of internet-connected computers whose defenses have been unknowingly breached and are now under control of a criminal. In addition, he predicts that the security community will be hard pressed to keep up with these ongoing developments. When the DDoS threat and the botnet menace are combined with malware already resident on the machines of thousands of customers, it paints a depressing picture for the security community – one that he says has cost banks, individually, from tens of thousands to millions of dollars both for defense measures and in terms of actual fraud losses.
“Smaller regional banks will be the victims of more exploits since their dependence on third parties for wire transfers usually results in a time lag, which criminals can exploit to pilfer accounts with less chance of detection,” Joffe says.
Carter agrees, noting that attackers are using the “fog of cyber war” to attempt to implement fraudulent transactions, penetrate networks and harvest customer account information. He warns that these attacks are the very tip of the iceberg, and predicts that attackers will be back for more, resulting in higher fees for consumers and potentially threatening the underpinnings of the economy.
Infrastructure operation and practices are also on the minds of others in the security field. For his part, Brian Gay, a director at Think First Consulting, an Arlington, Va.-based strategy firm, is concerned with the increasing adoption of cloud services, most of which are accessible over the public internet. Therefore, the provider must implement two-factor authentication using a PIN, he says.
Tom Cross (left), director of security research at Lancope, a Alpharetta, Ga.-based company focused on flow-based security and network performance monitoring, sees more risks buried in the infrastructure. For instance, he says, virtual-machine-to-virtual-machine communications inside a physical server cannot be monitored by traditional network and security devices, complicating problem identification and potentially erasing any cost savings associated with virtualization.
“This loss of visibility can be exacerbated in public cloud environments, where the enterprise has given up control over the infrastructure on which its applications are running.” Also, he says, the transition to IPv6 – the latest iteration of the internet protocol (IP), the coding on which the entire internet is built – is approaching, with the last few IPv4 addresses in the final stages of allocation. IPv6 connectivity can create a blind spot if all of one's network security tools and processes are focused on attack activity occurring over IPv4, Cross says. “As networks and systems become IPv6-capable, organizations need to ensure that they have visibility into IPv6 assets and addresses in their environments,” he says. “Attackers have been known to take advantage of those blind spots to stay under the radar, a trend we expect to increase as IPv6 adoption proceeds.”
Of course, the good-news part of the bad-news story is that the resources and talent being arrayed against cyber crime have arguably never been more formidable.
Jeff Snyder, vice president of cyber programs at Raytheon, a Waltham, Mass.-based defense contractor that helps safeguard systems against internal and external threats, says firms in 2013 need to start thinking about their cyber resiliency – a layered approach to defending infrastructure. “Companies will need the obvious perimeter layer, with things like firewalls and intrusion detection, a second layer to minimize exploitation and vulnerabilities, and a third layer that embeds security right at the processor level,” he says. A cultural shift is coming, he adds, so vendors and internal software engineers should focus on security from the time they start writing code.
“PKI has always been a bear to manage, but in the coming years, I believe the industry is just going to have to deal with that.”
– Bruce Snell, director of technical marketing, McAfee
Meanwhile, Shuman Ghosemajumder, vice president of strategy at Shape Security, a Mountain View, Calif.-based firm that offers technology to protect e-commerce and social networking websites, believes security professionals about to see the security industry evolve past detection and move toward deflection and minimization of attack as primary lines of defense. As a result, he says, the remaining detection, analysis and incident response activities can be made more efficient and impactful.
Considering future security trends from a slightly longer-term perspective, Bruce Snell, director of technical marketing at Santa Clara, Calif.-based security firm McAfee, says the focus will have to move to identity to make sure that people are who they say they are.
“As we move to more of a cloud-based infrastructure, the number one issue to address will be authentication,” says Snell. Multifactor identity vetting will be part of the cure, he says, along with the implementation of public key infrastructure. “PKI has always been a bear to manage, but in the coming years, I believe the industry is just going to have to deal with that,” he says. That is, if they are serious about mounting a truly strong cyber defense.
Surveying the scene
Seth Robinson, the director of technology analysis for CompTIA, has a crystal ball in the form of the work he is completing on the firm's “10th Annual Information Security Trends” survey, due out early in the new year. What Robinson sees is mostly disturbing.
“I am seeing three major areas, and two are evolving from things that were a focus this year,” he says. The first area is cloud security, where, he says, survey data shows that organizations are actually starting to trust cloud providers, implying that they “have pretty good security,” says Robinson. However, he adds, there may still be substantial “in transit” vulnerabilities that both users and cloud providers need to address.
The second major area highlighted by the survey is the growing and “disruptive” role of mobility. “With the cloud, the data may reside elsewhere, but the IT processes and safeguards are familiar,” he says. By contrast, mobility – especially BYOD – is opening up whole new challenges. “That whole topic is now spreading to include things like mobile enterprise application management,” he says.
The third area that has emerged in the CompTIA study is, by Robinson's admission, somewhat more amorphous. “It is not quite accurate to describe it as the social enterprise, but it does have to do with the extent to which employees now have very powerful technology at their disposal, so IT people are much more concerned with malware, hacking and viruses because the potential for breaches and data loss is now much greater at that individual level,” he says.
The CompTIA study is expected to be released in February 2013.