Top 10 Information Security Threats of 2010 - Page 4
2010 is upon us. I am amazed that it has been a decade since all the fear and speculation of Y2K. Take a moment to review your personal technological transformation in the last 10 years.
#8 - Zero-Day Exploits (Steady Threat)
A zero-day exploit lets an attacker compromise a system through a known vulnerability for which no patch or fix exists. Even a couple of years ago, zero-day exploits were pretty rare. They have become a very serious threat to information security. Many of these zero-day flaws reside in browsers and popular 3rd party applications. In November 2009 alone, Microsoft announced zero-day flaws in IE 6 and 7 and a Windows 7 zero-day vulnerability. Zero-day vulnerabilities are being discovered in traditionally very secure protocols such as SSL and TLS as well.
The zero-day vulnerability may not even be in your own systems; it could be in your provider's. For example, web hosting provider Vaserv had an attack against 100,000 of their websites based on a zero-day exploit. The HyperVM software they were using to run many virtual websites was compromised. In this attack, the perpetrators destroyed the sites. Some companies did not have backups of website data and files.
#9 - Cloud Computing Security Threats (Rising Threat)
Cloud computing is a concept that is becoming very popular. While it still means a lot of things to a lot of people, using cloud based (i.e. Internet based) applications may not be as secure as you might hope. There were many stories in 2009 regarding cloud based security. Many are calling for forced encryption to access many of these services. While it seems ludicrous that this isn't done by default, you can't simply assume cloud apps are secure.
Some cloud computing security threats come in the form of vulnerabilities such as the October 2009 story that attackers exploited a web application flaw to hijack Yahoo Mail accounts. This was a brute-force attack in which the hackers used software to systematically guess passwords. Someone even went so far as to post the passwords, which included many common ones such as "password" and "123456". Poor password policies and software that doesn't limit this type of attack will always lead to compromise.
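The two controls named above (limiting repeated guesses and refusing common passwords) can be sketched as follows. This is an added example, not code from the article or from any service it mentions; the class and function names, the thresholds and the `verify` callback are assumptions made for illustration.

```python
import time
from collections import deque

# Constructed denylist seeded with the two leaked passwords the article names.
COMMON_PASSWORDS = {"password", "123456"}

class LoginThrottle:
    """Sliding-window limit on failed logins, per account and per source."""

    def __init__(self, max_failures=5, window=300.0, clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self.failures = {}  # ("acct"|"src", value) -> deque of failure times

    def _recent(self, key):
        q = self.failures.get(key)
        if q is None:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:   # drop failures older than the window
            q.popleft()
        if not q:
            del self.failures[key]    # keep the table from growing forever
        return len(q)

    def allowed(self, account, source):
        # Per-account catches many sources guessing one mailbox;
        # per-source catches one client guessing across many mailboxes.
        return (self._recent(("acct", account)) < self.max_failures
                and self._recent(("src", source)) < self.max_failures)

    def record_failure(self, account, source):
        now = self.clock()
        for key in (("acct", account), ("src", source)):
            self.failures.setdefault(key, deque()).append(now)

def attempt_login(throttle, verify, account, source, password):
    """verify(account, password) -> bool is the site's real credential check."""
    if not throttle.allowed(account, source):
        return "blocked"              # guess is never tested against the secret
    if verify(account, password):
        return "ok"
    throttle.record_failure(account, source)
    return "denied"

def password_acceptable(candidate, min_length=10):
    """Policy check at password-set time: length plus denylist."""
    return len(candidate) >= min_length and candidate.lower() not in COMMON_PASSWORDS
```

A hard per-account block also lets an outsider lock a legitimate user out, so deployed systems often respond with a delay or an extra challenge instead of a flat refusal.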
As cloud computing becomes more popular in the next few years, we will see the issue of cloud security become a very big issue. There will be no shortage of cloud based security issues in 2010.
#10 - Cyber Espionage (Rising Threat)
A threat that we hear about more and more all the time is Cyber Espionage. There has been a flood of stories in 2009 on this subject. Most of them of course surround governments and therefore have not been a huge threat to most individual organizations. A few of the incidents include:
- According to the US-China Economic and Security Review Commission's annual report to Congress, US Defense Department computer systems have been the target of cyber incidents 43,785 times in the first half of 2009, which if it continues at that pace will be a 60% increase over 2008.
- For one-third of US government agencies, security incidents are a daily occurrence.
- A National Journal article talks about America's use of cyber terrorism tactics.
- 60 Minutes reported on US cyber security in November 2009. While there was quite a bit of sensationalism, the piece spoke about verified incidents of cyber espionage including those targeting and compromising the country's power grid, military computer systems, and much more.
- An attack on an alleged Syrian nuclear facility was aided by a compromised laptop.
- Evidence of North Korean involvement in July cyber attacks.
- The U.S. government opens a new cyber security operation center designed to help the government coordinate cyber attack responses.
- The US-China Economic and Security Review Commission released a report entitled "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploration." According to the report, domination of an adversary's information flow is critical to Chinese military strategy. The report also states that China will likely conduct "a long term, sophisticated computer network exploration campaign."
- There is an interesting article entitled "Cybercriminals have penetrated the U.S. electrical grid". It shows the use of malware to map the entire network and grid.
Over the years it has gotten more and more difficult to classify threats because so many of them are blended. For example, a social engineering technique will be used to get someone to click on a link that infects their system with malware that is based on a zero-day exploit. Very few attacks utilize a single method.
You could take the top 10 threats and look at them another way. The threats from insiders (for the most part) include malicious insiders, careless and untrained insiders, social engineering attacks, mobile devices and social networking. Vulnerability exploitation includes malware, exploited vulnerabilities, zero-day exploits and even some cloud computing and cyber espionage threats. But these broad-based threat categories don't help create mitigation strategies. Obviously you will have different tactics to deal with careless employees as opposed to malicious employees. The solutions you employ to deal with the threats from social networking will be different from those for social engineering.
Falling From the Top 10
This threat was certainly a major player in 2009. Due to the downturn in the economy, this jumped into the top 10 for the first time in 2009. While 71 percent of SMBs believe a data security breach could put them out of business, three quarters froze or cut security spending according to a McAfee survey. While this will likely continue to negatively affect organizations in 2010, it is not listed in the top 10. This is primarily due to so many other threats increasing so dramatically.
Remote workers still represent a threat to organizations; however, this threat used to focus on an infected laptop being connected to the network. Today the greatest threat is not just remote workers, but all the various forms of mobile media they use. So in reality, this threat has morphed into the "mobile media" threat listed above.
Unstable 3rd Party Providers
Again, due to the downturn in the economy that hit so hard in 2009, it was projected that many vendors would reduce service quality or go out of business. While this happened, there is only anecdotal evidence of reduced service quality. All in all, most companies fared better than expected.
This was a problem in 2009. For example, areas of the US government banned the use of peer-to-peer software which enables the download of software that could be infected with Trojans, spyware, or other malware. A bill was even introduced in the US House of Representatives that would prohibit the use of P2P file-sharing technology in government computers. This is in response to a flurry of problems with sensitive data being leaked via P2P as well as malicious downloads. While downloaded software still poses a threat to organizations, it simply cannot be put in the top 10 for 2010.
Macking (Media Hacking)
Macking is a term coined in the upcoming book "Security 2020", to be released second quarter 2010. The book illustrates how over the next several years there will be high value placed in manipulating the media in conjunction with computer information systems to commit fraud and other crimes. We have already begun to see this type of behavior. Take a few stories in 2009 as examples:
- An Internet based "pump and dump" stock scheme netted 2.7 million.
- Climate research documents were stolen and posted to the Internet just before the international climate summit. The documents supposedly show that researchers are not disclosing research that isn't in support of climate change.
- Several high profile celebrities passed away during 2009. Inevitably what followed were false media reports, compromised Twitter accounts sending false information, and Facebook and other social media outlets exploited over the news.
- Some celebrities didn't even have to pass away to become fodder for this type of behavior. Britney Spears, Jeff Goldblum and others were victims of Macking.
While this is still in its infancy stage, manipulating the media through online means will become an effective tool in criminal arsenals.
Information security is an ever evolving discipline that requires tremendous expertise, time, and money to effectively manage. Each of the top 10 threats for 2010 could be broken out into a separate whitepaper with mitigation strategies, tactics, and solutions. Every organization should take stock of what they are doing today, how well their current solutions mitigate the risk of the top 10 threats, and make adjustments where necessary. In some cases, new technology should be implemented. Other technology may be of little value and can be discarded. Other threats will only be able to be addressed through policies, procedures, training and enforcement. Proper information security is fluid and dynamic. Be sure your organization is properly preparing itself for what cyber criminals, thieves, spammers, phishers, hackers, and all manner of society's underbellies are planning to do to exploit you in 2010.