For security professionals, 2012 was a very exciting year. We saw some major changes in information security attack strategies, known as vectors, and an increase in their public visibility. Advanced persistent threats (APTs) became more common and mobile and wireless security came into the forefront of our threat indices. DDoS attacks became cloud-based, leveraging virtual servers to generate ultra-high bandwidth attacks.
We expect 2013 to be even more exciting based on the following top 10 security challenges identified by AT&T information security researchers and engineers. Let's review this list of challenges and evaluate how to reduce risks and protect the critical information that manages our business.
1. State-sponsored espionage: This challenge highlights the need to protect critical data from politically or financially motivated threats. Critical data includes the information needed to run network attached infrastructure as well as the intellectual property used to manage business and drive innovative solutions.
2. Distributed denial of service (DDoS) attacks: Security professionals in the financial services industry are likely to agree to our second challenge: DDoS attacks. We can expect to see a higher risk of business impacting threats with the shift from computer-based attacks, generating large number of lower bandwidth events, to virtual server or cloud-based attacks, generating ultra-high bandwidth events. With these new attack vectors it becomes even more beneficial to identify and mitigate large DDoS events while traffic is in the network cloud.
3. Cloud migration: 2013 is being promoted as the year companies will move critical systems into the cloud. This migration into virtual shared infrastructures changes how we address information security and risk management. The challenge is that cloud security processes and solutions are still being developed. Ultimately, with innovation and planning, cloud services could reduce business risks by providing greater flexibility, resiliency and security.
4. Password Management: Our challenge is putting in place and enforcing stronger user-controlled passwords that are less likely to be broken. This educational and administrative challenge requires creative solutions and enforced policies. Or, we can look at alternatives to traditional passwords, such as the use of a federated ID.
5. Sabotage: Sabotage of computer networks can affect critical infrastructure and ultimately impact corporate and backbone networks. This challenge is so potentially perverse because it combines social engineering with software based tools to provide a complex multi-vectored attack profile.
6. Botnets: Botnets are everywhere. The challenge is that many botnet owners design systems that are more adaptive and redundant than many corporate and government networks. Controlling this agile attack vector before it can be used as an advanced persistent threat (APT) and migrates into smart mobile devices is crucial.
7. Insider threat: A dissatisfied employee base provides a vector for insider security events, while the inadvertent injection of malware through removable media or web interconnections can make any employee the origination point for a network security violation.
8. Mobility: Management and security of mobile networks and smart mobile devices becomes even more challenging when employees want to use their own devices for business purposes. The bring-your-own-device trend exasperates this challenge when we look at protecting the critical information needed to manage the organization and the network without sacrificing the privacy of employee's personal information and activities.
9. Internet: One of the greatest challenges to security professionals is the perception that the internet, a best effort network, is a secure critical infrastructure. The internet is an open connection of diverse networks. The 2013 challenge is to start treating critical networks as if they are critical to our operations. We need to put into affect policies that distinguish platforms and security levels based on business criticality. Control networks need different security than general business communications. This includes using network embedded security controls to help reduce risks and to simplify security infrastructure.
10. Privacy laws: This final challenge is currently being legislated worldwide. We need to balance privacy with the need to gather information that can help address security breaches or fraud, while complying with associated legislation.
All of these challenges will affect how we treat risk and security this year and in the years ahead. By leveraging network embedded and end-point security solutions with innovative thinking, we can all be part of the solution that overcomes this year's security challenges.