The Ever-Changing Cyber-Security Threat
Data used to live in a safe and tidy world. Sensitive information was locked up in a physical building, unreachable by undesirables. Of course, it was also virtually unreachable by those who could leverage it to advance the company's goals, and that was a big missed opportunity.
Enter the Digital Age, with personal computers, laptops, the Internet, cloud computing, and mobile devices. Suddenly a company's data is flowing everywhere, being put to work, and at the same time it is being put at risk.
Today, the cyber threats are unprecedented in their sophistication, reach, frequency, and ability to attack our systems, steal our data, and harm our critical infrastructure.
A report published in the fall of 2011 by the Georgia Tech Information Security Center specifically identified several growing threats. [1] A significant one is mobile devices.
With the expansion of bandwidth, and the flood of mobile applications, it is expected that mobile Internet usage will eclipse desktop Internet usage by 2014. Already, most phones, even less-expensive ones, include some form of a Web browser, which is vulnerable to existing and emerging Web-based threats.
One of the difficulties in eliminating mobile Web browser security flaws is that there is a trade-off between usability and security. There are, for example, constraints due to the small size of the devices, including small screens, which offer an opportunity for attackers.
Usability is increased by making the address bar disappear above the screen so more content is visible. As a result, many of the visual cues that enable users to confirm the safety of a site on a desktop screen are not available, making it easier for an attack to be disguised.
Another vulnerability of mobile browsers is their display security, which is not as advanced as that for desktop browsers. Just touching the display can launch an attack. Perfectly legitimate-looking images can hide a malicious link underneath that, when touched, can offer an attacker the ability to spy on the user or redirect the user to a site where malicious content is uploaded to the phone.
Dan Kuykendall, co-CEO and Chief Technology Officer for NT OBJECTives, sees two other significant issues with mobile devices. He states, "One of the biggest problems with mobile browsers is that they never get updated. For most users, their operating system and mobile browser is the same as it was on the phone's manufacture date. That gives the attacker a big advantage."
Kuykendall's second concern is that mobile applications are being developed too quickly, which does not allow developers to validate data as aggressively as they should. He believes attacks from other phones are not being taken seriously, even though they are already happening, and the vulnerabilities found in the back end of all the mobile applications are not being recognized by developers.
The primary goal of these emerging attacks on mobile devices is data theft. They represent the new on-ramp for planting malware on more secure devices that can then be used to harvest information.
Mobile devices are also increasingly becoming a means for launching attacks on networks and critical enterprise systems. These devices are basically storage devices that can be exploited by an attacker who can use wireless connectivity technology to plant malware on a mobile phone.
When that phone is then connected to a targeted system, even if it's as innocuous as plugging the phone in to be charged, it can install a dangerous payload as soon as it connects. This possibility poses a threat to systems that have no direct connection with their corporate network. A thought-provoking example is a nuclear power plant.
Another serious and growing threat comes from botnets. Although they have been an issue for some time, the seriousness of the threat is evolving along with the tactics, techniques, and procedures for botnet command and control. Until recently, these tools were used primarily to steal e-mail and password credentials, which spammers found useful.
But now, operators are leveraging botnets to create massive information profiles that they sell to the highest bidder. These profiles are robust, including name, address, age, sex, financial worth, relationships, and where they visit online: information that is a marketer's dream.
After the botnet operator sells the information, it can change hands several times, ultimately being purchased for lead-generation purposes by a legitimate business that has no idea the information has been stolen.
Search poisoning and index poisoning are other techniques being used to launch malware. The scenario works like this: A person enters a term into a search engine and clicks on one of the results, which is actually a bogus result.
After multiple redirects, the user eventually lands on a page that has nothing to do with the original search, but the site is used to deliver malware to the unsuspecting person's computer.
The factor that is making this technique more prevalent and dangerous is the attackers' use of Search Engine Optimization, or SEO, to improve the rankings of their phony sites in the search results, increasing the likelihood of them being chosen.
Yet another growing phenomenon in the world of cyber threats is the use of Advanced Persistent Threats (APT). As opposed to other threats that tend to look for random victims of opportunity, an APT targets a specific entity, quite often with tenacity.
When defensive measures are employed, new techniques are used to penetrate the defense. Targets can include computer systems, corporations, critical infrastructure, and governments, which are important targets for espionage and intelligence gathering.
In many instances, "hacktivists" use organized cyber activity with the goal of disrupting a company, an industry, or a government. They will attempt to overwhelm and cripple an organization's operations with denial-of-service campaigns, or they will post compromised sensitive data that can publicly embarrass an organization. Such attacks are relentless and their campaigns can last for years.
In the face of these growing threats, Mustaque Ahamad, director of the Georgia Tech Information Security Center, concludes that a coordinated effort will be required to properly address the complex issue of cyber-security.
As he puts it, "If we are going to prevent motivated adversaries from attacking our systems, stealing our data, and harming our critical infrastructure, the broader community of security researchers, including academia, the private sector, and government, must work together to understand emerging threats and to develop proactive security solutions to safeguard the Internet and physical infrastructure that relies on it."
UK's National Center for Secure Information Technologies echoes this need for a collective strategy for next-generation research. [2] The Center's September 2011 report offers the three top research priorities:
1. Developing self-learning, self-aware cyber security technologies that learn from cyber attacks
2. Protecting smart utility grids
3. Enhancing the security of mobile networks
The National Institute of Standards and Technology has taken a positive step toward protecting "smart grid" cyber technology. [3] It issued a guideline that identifies the standards necessary for converting our aging electrical grid into an advanced, digital infrastructure.
The guideline includes high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and information useful in designing ways to protect power grids from attacks. The NIST is advocating a layered approach to security that has identified 137 interfaces that are points of data exchange within different smart grid systems.
To combat threats to mobile phones, scientists at The University of Manchester are in the process of developing greatly improved facial-recognition technology that could replace passwords and PIN numbers for phones. [4]
Running in real time, this software tracks a number of facial landmarks, making it more accurate than existing trackers that merely approximate the position and scale of the face. This type of verification is already in use on laptops and webcams, but this represents its first move to mobile devices.
In another effort to help protect against cyber attacks on mobile devices, many companies are using an approach called encapsulation. This multilevel defense encapsulates and encrypts the corporate portion of an employee's smartphone, which not only protects it, but enables problems to be addressed remotely if the phone is compromised.
Another area that is getting serious attention for safeguards against cyber attacks is cloud computing. Increasingly, businesses, individuals, and governments are relying on the cloud which, in turn, has become a prime target.
A team of scientists at the Vienna Center for Quantum Science and Technology believes it has the answer for secure cloud computing; it uses the principles of quantum mechanics. [5]
This approach takes advantage of a strange characteristic of quantum computers: they can receive encrypted input, process the data, and output results, all without decrypting the data, something that is impossible with classical computing.
This technology has the potential to provide perfectly secure cloud computing where a non-quantum computer taps into a quantum computer in the cloud for processing.
In light of this trend, we offer the following forecasts for your consideration:
First, if fraud and identity theft are not satisfactorily addressed, e-commerce and banking will soon begin to suffer.
As attacks multiply and the negative results are publicized, consumers will be reluctant to trust online processes. Desktop computers will continue to be viewed as secure but, increasingly, mobile Internet access will not be trusted, and for good reason. Right now, most users are oblivious to the risks mobile devices face from online threats. As these risks become more widely known, and as Internet usage from mobile devices becomes greater than from desktop computers, there will be a large step backwards in e-commerce if effective security measures are not put in place.
Second, despite all of the online saber-rattling, we won't see an all-out cyber war develop.
Although many experts within the defense establishment believe this to be a significant possibility, and although threats are increasing, it is highly unlikely that an attack on a massive scale will ever take place. Fueling this concern about an all-out war is the expanded use of iPhones, e-mail, and social media on virtually every point on the globe. To many, cyber war is the logical, and inevitable, next step. What will happen, however, is the continuation of skirmishes where weaknesses are exploited and holes are patched. Certain companies and government agencies will feel as if they are in a war when they come under prolonged cyber attack. But these will be isolated events, and defenses will continue to play catch-up with attacks.
Third, the beneficiaries of the increased demand for cyber security will be the innovators who can provide reliable, affordable solutions.
As both the risks and the recognition of those risks continue to multiply, users will see the benefit of paying for increasingly sophisticated security systems and apps that keep their data secure. Many freeware versions of these solutions will also be available, and a winning business model might be based on giving users access to premium services in exchange for opting in to location-based ads on their mobile devices or "liking" certain brands on social media sites.
References List:
1. To access the complete "2012 Cyber Threat Report," visit the Georgia Tech Security Summit website at: http://gtsecuritysummit.com
2. To access the cyber security report from the National Center for Secure Information Technologies, visit their website at: http://www.csit.qub.ac.uk
3. For access to the National Institute of Standards and Technology's "Smart Grid Security Guidelines," visit their website at: http://www.nist.gov
4. For more information about mobile face trackers, visit the University of Manchester website at: http://www.manchester.ac.uk
5. Science, January 20, 2012, "Demonstration of Blind Quantum Computing," by Stefanie Barz, et al. © Copyright 2012 by the American Association for the Advancement of Science. All rights reserved. http://www.sciencemag.org