
Your iPhone as an attack vector and other coming attractions


Industrial espionage firms, professional criminals, disgruntled insiders and hacktivists are threatening consumers and corporations alike. As cyber threats and attacks grow more sophisticated, companies' networks are exposed to attacks from multiple vectors. The change will not only be in whom the bad guys target but in how and what they attack, hardware included. Here are the areas which deserve attention in 2014:

NSA intrusions will drive encryption efforts.
The extent to which the NSA has penetrated companies' networks has been staggering. The NSA and PRISM will be a driver for companies tightening up security and developing ways to keep their data from being decrypted by third parties. In the coming months, more companies will ask, ‘How can we prevent the NSA from looking at data on our employees and customers?'

We'll also see more companies trying to circumvent gag orders by openly stating what information they cannot disclose. Tech giants Apple, Google, Microsoft, Yahoo, Facebook and LinkedIn are already pushing back on the government, arguing they should be allowed to share data about NSA requests for confidential customer data. As a result, we will see a renewed distrust of the government and potentially legal battles.

Collaboration will suffer a setback. 
The government recently released the National Institute of Standards and Technology's (NIST) preliminary Cybersecurity Framework with the objective of reducing cyber risks to critical infrastructure. While this represents a good start, I feel that it does not focus enough on detecting anomalies from normal baselines and does not sufficiently focus on requiring and enabling collaboration. If relationships between companies and the government continue to be strained (as described above), collaborative efforts in the security industry may suffer setbacks as organizations attempt to shore up their defenses against government intrusion.

The entry point is a moving target. 
The security perimeter will become even more porous. We'll begin to see increasingly sophisticated attacks that come in through entry points which already exist on the network, such as mobile devices, USB drives and Bluetooth speakers. The number of ways in will keep increasing, making it difficult to keep track of all the possible entry points. Attackers will jump traditional boundaries and preventative safeguards to penetrate perimeter security. Cybercriminals will exploit the increasing consumerization of IT – BYOD, home networks and online sharing tools – to gain access to companies' networks.

Organizations must be on the lookout for anomalies. 
In order to combat the threats I've discussed, enterprises need to shift from reactive security to smart proactive security that safeguards the data itself rather than just the network. The key is to get ahead of the alerts by hunting for anomalies against a known baseline and discovering the footprint that an attack leaves behind as it moves through the system. We'll also begin to see an increase in use of solutions such as sandboxing to find, contain and evaluate threats – addressing security issues at the point of contact.
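As an added illustration of the baseline-then-hunt approach described above (this is example code written for this page, not a tool from the original article), the script below builds a per-workstation baseline of how many distinct hosts each one authenticates to, flags any workstation whose fan-out in a later window is far above that baseline, and then follows the successful logins outward from the flagged host to reconstruct the footprint it left behind. The log format, host names and thresholds are all constructed assumptions for the example.

```python
"""Baseline-driven hunting over authentication logs (constructed example)."""
from collections import defaultdict, deque
import statistics

# Constructed sample logs. Format (an assumption for this example):
#   <timestamp> auth src=<host> dst=<host> user=<name> result=<success|failure>
BASELINE_LOGS = [
    "2014-01-06T09:01:12 auth src=ws-01 dst=fileserver-1 user=alice result=success",
    "2014-01-06T09:02:40 auth src=ws-01 dst=mail-1 user=alice result=success",
    "2014-01-06T09:03:05 auth src=ws-02 dst=fileserver-1 user=bob result=success",
    "2014-01-06T09:04:11 auth src=ws-03 dst=fileserver-1 user=carol result=success",
    "2014-01-06T09:04:50 auth src=ws-03 dst=mail-1 user=carol result=success",
    "2014-01-06T09:05:30 auth src=ws-04 dst=mail-1 user=dave result=success",
    "2014-01-06T09:06:02 auth src=ws-05 dst=fileserver-1 user=erin result=success",
    "2014-01-06T09:06:44 auth src=ws-05 dst=mail-1 user=erin result=success",
]

OBSERVED_LOGS = [
    "2014-01-13T09:01:09 auth src=ws-01 dst=fileserver-1 user=alice result=success",
    "2014-01-13T09:02:31 auth src=ws-01 dst=mail-1 user=alice result=success",
    "2014-01-13T09:03:15 auth src=ws-02 dst=fileserver-1 user=bob result=success",
    # ws-17 suddenly touches six different hosts, including other workstations
    "2014-01-13T09:10:01 auth src=ws-17 dst=fileserver-1 user=frank result=success",
    "2014-01-13T09:10:05 auth src=ws-17 dst=mail-1 user=frank result=success",
    "2014-01-13T09:10:09 auth src=ws-17 dst=ws-03 user=frank result=success",
    "2014-01-13T09:10:13 auth src=ws-17 dst=ws-04 user=frank result=failure",
    "2014-01-13T09:10:17 auth src=ws-17 dst=db-1 user=frank result=failure",
    "2014-01-13T09:10:21 auth src=ws-17 dst=dc-1 user=frank result=failure",
    # a second hop from ws-03 that stays under the fan-out threshold on its own
    "2014-01-13T09:12:44 auth src=ws-03 dst=fileserver-1 user=carol result=success",
    "2014-01-13T09:13:02 auth src=ws-03 dst=backup-1 user=carol result=success",
]


def parse_line(line):
    """Split one log line into a dict of fields."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"], fields["event"] = ts, event
    return fields


def fan_out(lines):
    """Distinct destination hosts per source host, counting failures too."""
    dsts = defaultdict(set)
    for f in map(parse_line, lines):
        if f["event"] == "auth":
            dsts[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dsts.items()}


def build_baseline(lines):
    """Summarise the 'normal' window: mean, population stdev and max fan-out."""
    values = list(fan_out(lines).values())
    return {"mean": statistics.mean(values),
            "stdev": statistics.pstdev(values),
            "max": max(values)}


def hunt(lines, baseline, k=3.0):
    """Return (flagged hosts, threshold). A host is flagged when its fan-out
    exceeds mean + k*stdev of the baseline; the baseline max is a floor so a
    very quiet baseline (stdev 0) does not flag ordinary behaviour."""
    threshold = max(baseline["mean"] + k * baseline["stdev"], baseline["max"])
    flagged = {src: n for src, n in fan_out(lines).items() if n > threshold}
    return flagged, threshold


def trace_footprint(lines, start):
    """Hosts reachable from `start` by following successful logins, hop by hop.
    This is the attack's footprint: it picks up second-hop hosts whose own
    fan-out never crosses the threshold."""
    edges = defaultdict(set)
    for f in map(parse_line, lines):
        if f["event"] == "auth" and f["result"] == "success":
            edges[f["src"]].add(f["dst"])
    seen, queue = set(), deque([start])
    while queue:
        host = queue.popleft()
        for nxt in edges.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    flagged, threshold = hunt(OBSERVED_LOGS, base)
    for host, n in flagged.items():
        print(f"{host}: fan-out {n} > threshold {threshold:.2f}")
        print("  footprint:", sorted(trace_footprint(OBSERVED_LOGS, host)))
```

The fan-out statistic is deliberately coarse; in practice the baseline would be built per user, per hour of day, and over weeks rather than a single window, but the shape of the logic is the same: describe normal, measure deviation, then walk the trail outward from what deviates.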

Hardware will become a prime target.
In part due to the success of Stuxnet, we will see an increased volume of malware targeting the boot sector and hardware, with cybercriminals attacking beneath the operating system. These attacks may arrive via mobile devices, with cybercriminals using smart phones or USB devices to gain access to PCs over Wi-Fi in order to infect the network.

The human is the next big attack vector.
The layered security approach is still a necessity. Companies will always need to check the boxes for intrusion detection, firewalls and anti-virus systems. But more layers will not solve the problem. The human will be the attack vector of choice in 2014. We will see increasingly precise and sophisticated phishing attacks, which result in a single person unwittingly handing over the keys to the corporate data kingdom, with everything from intellectual property to customer data suddenly up for grabs.

The Internet of things.
Bring-your-own-device (BYOD) is increasingly the norm, particularly with Millennials in the workforce who are plugged in 24x7x365 and expect to be able to use their personal devices for work-related duties. We are increasingly dependent on downloading apps, using the Internet and socializing on the Web. That obsession can become a corporate security risk since the bad guys are targeting people's personal accounts with the intent of using them as ricochet points into corporate systems.

Androids, iPhones and malware, oh my.
Today, it is easier to build and release an app for Android, which makes planting malware-laden apps a straightforward process. Apple has more stringent policies about distributing apps and reviews them before making them public. Will Google do the same?

Security and mobile must play nice.
Enterprises are still trying to figure out how to incorporate cloud, BYOD and mobile technologies securely. Currently, mobile device management is all about access. Next year, we are going to force a shift one way or another. Either the enterprise will abandon those technologies and find other ways to gain efficiencies or force mobile device vendors to standardize and work better with security vendors. 

Education, education, education.
With humans as the perimeter and one of the main sources of security concerns, data privacy training is critical to helping employees protect their personal data and police their own actions. A company is only as secure as its weakest employee. Making people more aware of the potential risks of their actions on the Internet, in social media and on the network will fill that soft center and strengthen the perimeter. This may lead to greater collaboration between infosec teams and HR departments.
