Top 10 Information Security Threats of 2010 - Page 3
2010 is upon us. I am amazed that it has been a decade since all the fear and speculation of Y2K. Take a moment to review your personal technological transformation in the last 10 years.
#5 - Mobile Devices (Rising Threat)
Mobile devices have become a plague for information security professionals. They are an easy way for a malicious employee to remove data from the corporate network. There are worms and other malware that specifically target these devices, such as the iPhone worm that would steal banking data and enlist these devices in a botnet. There was also the iPhone game maker that designed his game to harvest user information.
USB thumb drives are also a problem. In the case of the Virginia Department of Education, an unencrypted flash drive containing personally identifiable information of more than 103,000 former students (including social security numbers) went missing. Many times it isn't the data that leaves on these little devices, but rather what they bring in. For example, the infected USB key that shut down a town council for four days. The USB drive was infected with Conficker and spread to many systems inside the network, wreaking havoc and costing them just under $1,000,000.
Theft is still a major cause of data breaches. Mobile devices, especially laptops, are the main culprits. Tens of thousands of laptops are stolen each year. Often these contain sensitive data, so the loss must be publicly disclosed as a data breach. Blue Cross Blue Shield is being investigated after a laptop computer containing 800,000 healthcare providers' personally identifiable information was stolen in Chicago. In this case, the attorney general Richard Blumenthal said that one year of credit monitoring for the victims is "inadequate and unacceptable," while the cost of that alone would be tens of millions of dollars. We could have chosen any of the hundreds of stories like this from 2009.
#6 - Social Networking (Rising Threat)
Social networking sites such as Facebook, MySpace, Twitter, and many others have literally changed the way many people communicate with one another. Due to many publicly disclosed breaches and compromises, we saw that these sites can be very real and serious threats to organizations. There are many Trojans, worms, phishing campaigns and other attacks targeted specifically at the users of these sites. One main problem is the inherent trust component these sites carry, much like email did many years ago. Furthermore, people who use these sites for entertainment purposes, such as online games, are rewarded for accepting friend requests even from people they don't know. This is very fertile ground for identity thieves. Some might say that there isn't enough information on their account to do any identity theft, but criminals are very resourceful. Just a little bit of information correlated with other sources of available information on the Internet can give someone all they need to steal your identity.
There is a personal safety issue here as well. Social networking sites are a stalker's dream come true. With some people posting multiple times each day, you can know exactly what someone is doing all of the time. In a well-publicized article, the wife of the Chief of the UK International Spy Agency had information released on social network sites including the location of their home, where their children went to school and played, etc. Imagine the manipulation tactics, blackmail, kidnapping, and other things that could result from knowing this information, especially for influential people. Even friends and family can cause problems. Posts like "see you when you get back from vacation" can give others the vital information they need to commit crimes.
Employers are using these sites for a variety of reasons as well. They can use them to filter through applicants. One employee lost her long-term sick leave benefits when the company she worked for found her "having fun" in pictures on Facebook.
Social networking sites are breeding grounds for SPAM, scams, scareware, and a host of other attacks. In June a scareware scam was spreading on Twitter with a message that simply read "Best Video" and contained a link to malware with a similar outcome to what was mentioned above. Social networking threats will undoubtedly continue to increase into 2010.
#7 - Social Engineering (Steady Threat)
Social engineering is always a popular tool used by cyber criminals. Often, the more difficult it is to exploit vulnerabilities natively, the more they rely on social engineering to make up the difference. I mean really, why would you go to all the effort to exploit a vulnerability when a user will simply give you their username and password? Phishing is still a popular method for doing just that. But this is where the classifications blur a bit. Phishing in email is a social engineering threat, but is a phishing email on Facebook a social engineering threat? Or is it a social media threat?
Whatever medium these tactics rely upon, tricking users into performing actions they wouldn't normally perform will remain very popular into 2010. In fact, these new venues make social engineering even more effective. For example, people are very skeptical when they get a phishing email, but are far less skeptical when they get a message on Facebook, MySpace, LinkedIn, Twitter, instant messaging and so forth. Most people are ten times more likely to click on a link or follow instructions from social networking messages than from regular email.
A method that found a tremendous amount of success in 2009 is scareware. The two most effective methods I saw were the "Blue Screen of Death" scareware and Fake Anti-Virus scareware. In the blue screen of death case, users would see what looks like a Microsoft blue screen of death and then be prompted to fix the issue by downloading and installing software. The phony program was called SystemSecurity and collected money from the user to remove the "blue screen". In an even more successful campaign, cyber thieves would have pop-up messages appear on the user's desktop telling them they were infected with a virus. They would be prompted to buy, download and install a program to remove the infection. These programs were so insidious that they would actually disable the anti-virus software you already had loaded. Until resolved, the computer is nearly unusable. Cyber criminals are earning tens of thousands of dollars from these scams.
According to a report by IBM, phishing attacks are on the decline. This is measured by taking the percentage of SPAM messages that are phishing emails and comparing 2008 to 2009. There was either a significant drop in phishing or a radical increase in SPAM. I believe one of the reasons for this is the myriad of ways criminals can send phishing messages outside of traditional SMTP email, like social networking mediums.
While generic phishing attacks seem to be declining, targeted phishing attacks are still an effective method for cyber criminals. Take the Aetna data breach this past year as an example. Hackers were able to extract the information of 65,000 current and former employees as well as 450,000 individuals who had applied to Aetna over the years. The criminal sent a targeted email that asked the individuals to go to a website (link provided) to fill out some more specific information to continue the process of their employment application. The information was then used to commit fraud. At Downeast Energy and Building Supply, in Maine, an employee received a spear phishing message that appeared to come from the company's bank. After clicking on the provided link, the employee entered the company's account access credentials, which the attackers then used to steal $150,000.
2010 will have an added measure of complexity when it comes to social engineering attacks. Beginning sometime mid-2010, domain names will be expanded to include Japanese, Arabic, Hindi and even Greek characters. For years, people have analyzed the domain name to determine the legitimacy of a site. With all these characters available for domain names, looking at a domain will no longer help you determine whether it is legitimate or not.
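As an added illustration of why eyeballing a domain stops working once non-ASCII characters are allowed (this is example code written for this page, not from the original article), the check below decodes punycode (xn--) labels back to Unicode and flags hostnames whose letters come from more than one script. The sample URLs are constructed; the "script" test uses the Unicode character-name prefix (LATIN, CYRILLIC, ...) as an approximation rather than a full script database.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs (not from the article). The third one begins with
# Cyrillic small letter ie (U+0435), which renders identically to Latin 'e'.
SAMPLE_URLS = [
    "https://example.com/login",
    "https://xn--exmple-cua.com/login",     # punycode for "ex\u00e4mple.com"
    "https://\u0435xample.com/login",
]


def hostname_labels(url):
    """Split the URL's hostname into its dot-separated labels."""
    host = urlsplit(url).hostname or ""
    return host.split(".")


def decode_label(label):
    """Decode a punycode (xn--) label to Unicode; other labels are returned as-is."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def scripts_in(label):
    """Approximate the set of scripts used by the letters of a label via the
    first word of each character's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def assess_url(url):
    """Return 'ascii', 'idn' (non-ASCII but single-script labels) or
    'mixed-script' (one label mixes letters from several scripts)."""
    verdict = "ascii"
    for label in hostname_labels(url):
        decoded = decode_label(label)
        if decoded.isascii():
            continue
        verdict = "idn"
        if len(scripts_in(decoded)) > 1:
            return "mixed-script"
    return verdict


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{assess_url(u):13s} {u}")
```

A mail or web gateway can use the decoded form to display the real hostname next to the link text, which is what a user would need in order to keep judging legitimacy by the domain.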