The threats to enterprise networks continued to grow in 2012, but the tech grab bag is also getting more potent, reports Alan Earls.From a security standpoint, it seems like 2012 is destined to go out like the proverbial lion. It's been a lively ride and, according to experts, 2013 is poised to be just as interesting.
The “big buzz” in the view of Fred Touchette, senior security analyst at AppRiver, a Gulf Breeze, Fla.-based provider of email and web security solutions, will remain the influx of mobile devices in the workplace. “The biggest security implication of these devices is the same with any popular trend of the past,” he says. “These devices were built with only minor regards to their security.”
Indeed, handhelds have the same functionality as computers in the home, yet have none of the protection. “With all of the personal information kept on these devices, and the more sensitive transactions done on them, the more they become very big targets for criminals,” Touchette (left) says.
Furthermore, the emerging use of smartphones as “digital wallets” only compounds the risk, he says. “Allowing users to keep digital information – such as concert tickets, boarding passes and all of one's credit card information on a phone in order to make instant purchases simply by scanning them – is something that will look very enticing to cyber criminals,” he says.
Apps on mobile devices are another problem. David Nevin, vice president for marketing and corporate development at Taasera, an Erie, Pa.-based start-up focused on a trust-based approach for visibility and control over private and public cloud infrastructure, points out that users are often simply downloading apps from email links, which may turn out to be malware that is masquerading as an update to an existing application. The emerging solution, he says, is monitoring applications in real time as they run in bring-your-own-device (BYOD) models.
Of course, mobile is just one part of the threat spectrum that is emerging for 2013. In federal security, the growth in size, power, resources and capabilities of transnational and non-governmental organizations can create vulnerabilities, says Tim Larkins, a consultant with immixGroup, a Washington D.C. metro area firm that helps technology companies conduct business with government. “Think SPECTRE and SMERSH from the James Bond franchise – only this isn't a book or movie,” he says.
On the other hand, says Larkin, neither is it simply a matter of corrupt officials or poor regulations elsewhere. Inadequate budgets and lack of trained personnel to fight cyber crime are also factors that contribute to the power of these criminal organizations both here and abroad. The net result is that advanced persistent threats (APTs) will become increasingly threatening – and ubiquitous. “Look for ‘mini-cyber [Arma]geddons' as a result in the near future,” he says, referring to both the cumulative impact of the increasing number, scope and power of APTs and the vulnerability of the targets that are attacked. In particular, he says, “Critical infrastructure remains very vulnerable to cyber attacks.” The fact that private industry, which owns 90 percent of the U.S. critical infrastructure, has resisted any kind of government mandates for even minimal standards to mitigate threats leaves them even more vulnerable, he adds.
In a recent blog post, Jeff Carter, chief strategy officer of EyeLock – a New York-based provider of iris-centric identity authentication solutions, echoes the concerns expressed by Larkins. “These attacks are the very tip of the iceberg,” he says, referencing the massive distributed denial-of-service (DDoS) attacks during 2012 on financial institutions in the United States and elsewhere.