As the new year begins, CIOs and IT Managers need to prepare for the threats that they will face in the new year.
Convergence of data security and privacy regulation worldwide
Continuing data breaches force more and more governments - and even private industries - to consider more in-depth security regulations to protect citizens. But another interesting trend seems to be flying under the radar: as enterprises contend with additional data laws, a consolidation will take place across borders. Recently, for instance, the FTC reached out to the EU to begin the process of investigating where both sides of the Atlantic can unify data security laws. Companies will comply, but will find the task of complying with multiple mandates across borders very difficult. Governments will respond - in fact already are - to define a common framework to make life easier for themselves and for enterprises housing data.
Privacy vs. security in social networks
There are two key factors at stake: security and trust. While privacy concerns the ability to keep personal information hidden from other application users, security controls the way in which people use the information of others. Trust impacts our ability to make decisions based on the information we receive through social networks.
In today’s social networking platform, both security and trust are in danger. Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities are quickly translating into massive worm out brakes.
Next year, we expect social platforms to invest more resources in improving the security posture of the platform. These measures will provide improved protection against application layer attacks, stronger authentication and account control features, as well as better malware detection systems.
Nation-sponsored hacking and Internet traffic re-routing
Nation-sponsored hacking specifically-targeted cyber-attacks will incorporate concepts and techniques from the commercial hacker industry. These campaigns will contain a different malware payload than the traditional attacks conducted for monetary gain. However, these attacks will use similar techniques. These attacks will borrow techniques, such as automation and viral distribution, making them all the more powerful and potentially more successful. An example of such an attack is Stuxnet, which is not searching for data to monetize, rather it is focused on gaining control of crucial infrastructure.
For the enterprise as well as government, this means increasing monitoring of traffic and setting security controls across all organization layers.
The insider threat – it’s much more, much more, than you had imagined
Attention will grow as a consequence of an increased flow of incident reports where data theft and security breaches are tied to employees and other insiders. The cause of this trend will be the emphasis put on new regulations covering the act of notification and disclosure (rather on the actual protection of data).
To deter insider threats, organizations should therefore:
- Enforce access controls such that access is based only a business need-to-know level. This includes eliminating excessive privileges.
- Provide the proper access auditing tools to data centers. These auditing tools should monitor who accesses what data.
Sophisticated Man in the browser attacks will become more common
While avoiding infection by Proxy Trojans is presumably the responsibility of consumers, Man in the Browser (MitB) attacks are quickly becoming a concern of online service providers. The actual rate of infection and the proliferation of the many types of MitB malware suggest that providers must be able to serve (and protect) customers who might be infected with one type of malware or another. Just as the evolution of vehicle safety drove manufacturers to include device such as ABS, Air Bags and ESP, rather than rely on us to drive carefully, so will online service providers need to invest in mechanisms that allow them to conduct business with allegedly infected consumers. Among the technologies that we foresee as helpful are strong device identification, client profiling, fast security code evolution, session flow tracking and site-to-client authentication.
File security is center stage
With today’s available tools, controlling access and usage of these files can be an extremelydaunting task. Since each file is an autonomous entity, with respect to content ownership and access control (contrary to a database record), maintaining control of who can access a file is almost impossible as is keeping track of access to those files that contain sensitive information. The inability to maintain control may result in excessive access privileges and an inadequate audit trail of access to sensitive information.
Data security goes to the cloud
Taking together all the types of cloud forms (private and public, SaaS, PaaS and IaaS) Imperva can see a set of challenges for both providers and consumers. These can be summarized as following:
- Maintaining bulletproof partitions between datasets of different customers;
- Providing different levels of data security to applications sharing the same logical or physical platforms;
- Protecting customer data from the prying eyes of cloud administrators;
- Providing solutions that operate over a specialized infrastructure (VM, Amazon AMI); Managing application and data security for a large number of applications inside the cloud.
Mobile devices and data security
The past couple of years have witnessed a dramatic surge in the number of sophisticated mobile devices being used as access points to online services and enterprise networks. Add to the mix a growing variety of applications that are a gateway to enterprise systems, including CRM, ERP, and document management. While we are used to concerning ourselves with lost or stolen laptops, it turns out that missing mobile devices may be just as big of a pain point.
As mobile devices become main stream, online service providers will create a special version of the applications to match each device platform. We anticipate this process; will cause older vulnerabilities to surface once again. In particular, mistakes around identification and authentication. Thus, the applications will become vulnerable to mistakenly trusting attributes of the data stream that can be forged by an attacker.
Furthermore, some assumptions regarding ‘strong’ multifactor authentication schemes are becoming obsolete. Take, for example, applications that use a one-time password (OTP) for validation of sensitive transactions being defeated by a Trojan that is able to access the OTP delivered through SMS.
Mobile malware will proliferate as malicious code becomes available for these platforms (e.g. Zitmo) and the complex applications (not to mention the usual human flaws) make it easy, if not easier, to infect a mobile device with malware, as with any standard desktop platform.
Better funded hackers will take the lead
Smaller cyber-gangs will go out of business. Why? Security researchers will continue to look into the hacker operations and will unearth the smaller or less diligent criminals. In general, the hacker industry will react by investing more resources in their attack techniques and detection evasion. The hackers that cannot make this investment will go out of business. Other cyber-criminal organizations will “buy-out” other groups or merge their operations with other groups. This will lead to the second change. The current powerful cyber-crime organizations will consolidate their power and grow (after all, antitrust laws don’t apply to them).
Cyber security becomes a business process
Today, cyber security can't be separated from business operations. For this reason, how security teams must view and approach their roles has changed dramatically. For example, in the past, a CIO’s role was laptop distribution. Today, CIOs build supply chains. In the past, CISOs distributed anti-virus and set up firewalls. Today, they must know where data resides, where it moves and how to protect it, which requires a serious, comprehensive data security practice. This means security teams need to become business process experts to keep the bad guys disarmed while keeping the good guys productive.