Top 10 Information Security Threats of 2010 - Page 2
2010 is upon us. I am amazed that it has been a decade since all the fear and speculation of Y2K. Take a moment to review your personal technological transformation in the last 10 years.
#3 - Exploited Vulnerabilities (Steady Threat)
Some might wonder why exploited vulnerabilities are listed in the malware section but also have a section of their own. Malware often relies on exploited vulnerabilities to get installed, although user behavior, through social engineering techniques, can install it as well. Vulnerability exploitation is at the heart of hacking and data breaches. Worms, viruses, malware, and a host of other attack types often rely on it to infect, spread, and perform the actions cyber criminals want. According to a Microsoft Security Intelligence Report, Conficker was the top threat to enterprise computers during the first half of 2009. Worm infections doubled between the second half of 2008 and the first half of 2009.
With organizations still not doing what they need to for patch management, vulnerability exploitation remains a major problem. According to a Verizon study, the vast majority of data security breaches that involved a vulnerability exploit relied on vulnerabilities for which patches had been available for more than 6 months. There are several reasons this remains an issue. First, it only takes one unpatched system for your entire organization to be compromised. One system not up-to-date is all a hacker needs. Second, there are many applications loaded onto each and every system, many of which have weaknesses that can be exploited. Often these third-party applications are not patched. Few application vendors automatically update their software, so this is a manual process if you don't use a commercial patch management package. For many enterprises, SMBs, and especially home users, this simply doesn't happen.
Last year I listed this vulnerability as a decreasing threat. In fact, that is still true for operating system vulnerabilities. But hackers have moved up the stack and are more often exploiting client-side vulnerabilities and other vulnerabilities associated with third-party applications. As a result, this threat is being changed to "steady", which means we will likely see many more vulnerability exploits in 2010.
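The patch-age problem described above can be checked against a software inventory. The following is an added example, not part of the original article: host names, product names, versions and dates are all constructed, and the 180-day threshold is an assumption standing in for the "more than 6 months" figure.

```python
from datetime import date

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "ws-014": {"example-os": "6.1.2", "example-pdf-reader": "9.1.0",
               "example-plugin": "10.0.22"},
    "ws-022": {"example-os": "6.1.2", "example-pdf-reader": "9.3.0",
               "example-plugin": "10.0.42"},
    "srv-db1": {"example-os": "6.0.9", "example-pdf-reader": "9.3.0"},
}

# Constructed patch feed: product -> (fixed version, release date, category)
PATCHES = {
    "example-os": ("6.1.2", date(2009, 10, 13), "os"),
    "example-pdf-reader": ("9.3.0", date(2009, 5, 12), "third-party"),
    "example-plugin": ("10.0.42", date(2009, 12, 8), "third-party"),
}

def parse_version(text):
    """Turn '9.3.0' into (9, 3, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def missing_patches(inventory, patches, today, max_age_days=180):
    """List every host/product pair running a version older than the fix."""
    findings = []
    for host, software in sorted(inventory.items()):
        for product, installed in sorted(software.items()):
            if product not in patches:
                continue  # no known fix tracked for this product
            fixed, released, category = patches[product]
            if parse_version(installed) >= parse_version(fixed):
                continue  # already patched
            age = (today - released).days
            findings.append({"host": host, "product": product,
                             "category": category, "patch_age_days": age,
                             "overdue": age > max_age_days})
    return findings

def exposed_hosts(findings):
    """Hosts with at least one patch outstanding past the threshold.
    A single entry here is enough to put the organization at risk."""
    return sorted({f["host"] for f in findings if f["overdue"]})

if __name__ == "__main__":
    results = missing_patches(INVENTORY, PATCHES, today=date(2010, 1, 15))
    for f in results:
        print(f)
    print("Overdue hosts:", exposed_hosts(results))
```

In this constructed data the operating system is current on the workstation, and the one patch that is more than six months overdue belongs to a third-party application.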
#4 - Careless Employees (Steady Threat)
Careless and untrained employees will continue to be a very serious threat to organizations in 2010. Remember that insiders can be broken down into 3 categories: careless & untrained employees, employees that are duped or fall prey to social engineering type attacks, and malicious employees. The reason I think it is important to understand these categories of insiders is that protecting your network and critical/sensitive data is done very differently for each type. According to a recent research report released by RSA, accidental disclosure of sensitive information occurs far more frequently than deliberate incidents.
In the annual Perimeter E-Security data breach study released last year, it is noted that for data breaches between 2000 and 2008, more incidents were caused by careless and untrained employees than by any other type of insider incident. Careless insiders can be devastating to an organization. What is worse, this category of threat is one of the most controllable. Policies, procedures, training and a little technology can make a world of difference in reducing an organization's risk from careless insiders.
Take the employee of Rocky Mountain Bank for example. The employee was asked to send a loan statement to a customer. Not only did the employee send the information to the wrong email account, a file was attached that contained confidential information on 1,325 individual and business customers including their names, addresses, tax identification or social security numbers and loan information. The bank then sued Google to identify the recipient. Google refused. Google was then ordered to deactivate the recipient's account. Google determined that the email had never been opened and they deleted it. This is a case where the bank knew what devastating consequences disclosing the data breach would bring and went to great extremes to avoid that path.
Sometimes simply allowing employees to access their personal email can cause major problems. Scott Graham from Ohio sent his girlfriend (who he thought was cheating on him) an email laced with spyware. He was hoping the spyware would be installed on her home system, but she accessed the email from Akron Children's Hospital where she worked and it infected her computer. The spyware captured and sent a lot of sensitive information which constituted a data breach.