This trend was caused by advances in network protection and stricter regulation, both of which have made it harder for hackers to compromise systems and cause widespread disruption.
Traditional techniques such as SQL injection, web application diversion and unauthorized access to the server are now being bypassed in favor of more rewarding social engineering practices, which provide the information needed to carry out systematic, highly organized attacks.
The most influential security trends to watch in 2012 are:
1. The human perimeter
Attackers are increasingly exploiting the weakest part of the LAN/WAN: the users. Social engineering is becoming the leading attack vector for Advanced Persistent Threats (APTs), because hackers harvest data directly from users, coaxing them into giving up information or persuading them to click on attachments or web links.
Expectation: more social engineering attacks combined with e-mail and zero-day exploits, along the lines of those perpetrated against RSA and its customers, Operation Aurora and Google Gmail.
Prevention: staff training and refresher courses are essential. Security processes can be seen as hindering work practices, so make sure the procedures are appropriate for the company, to prevent users from circumventing them. Use the sender portion of an e-mail to identify suspicious messages.
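One way to act on the sender check above, as an added example that is not from the original article: the script inspects the From (and optional Reply-To) header for a display name that claims a different address, a trusted brand name on a free-mail account, a look-alike domain, or a Reply-To pointing elsewhere. The trusted domain and free-mail list are assumptions, and the headers used to exercise it are constructed.

```python
import re
from email.utils import parseaddr

# Assumed organisation domain and common free-mail providers (not from the article).
TRUSTED_DOMAINS = {"example.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def sender_checks(from_header, reply_to=None):
    """Return the reasons the sender part of a message looks suspicious ([] if none)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable From address"]
    domain = addr.rsplit("@", 1)[1].lower()
    reasons = []
    # 1. An address written into the display name that differs from the real address
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != domain:
        reasons.append("display name claims %s but address is %s" % (m.group(1).lower(), domain))
    if not is_trusted(domain):
        first = domain.split(".")[0]
        for t in TRUSTED_DOMAINS:
            label = t.split(".")[0]
            # 2. Trusted brand name on a free-mail account
            if domain in FREEMAIL and label in name.lower():
                reasons.append("trusted name %r on free-mail address %s" % (label, domain))
            # 3. Look-alike domain: brand embedded in the domain, or one edit away from it
            elif label in domain or edit_distance(first, label) == 1:
                reasons.append("look-alike domain %s" % domain)
    # 4. Reply-To steering replies to a different domain than the one shown in From
    if reply_to:
        rdomain = parseaddr(reply_to)[1].rsplit("@", 1)[-1].lower()
        if rdomain != domain:
            reasons.append("Reply-To domain %s differs from From domain %s" % (rdomain, domain))
    return reasons
```

A message that trips none of the four checks is not necessarily safe; the list is meant to feed a mail gateway rule or a user-facing warning, not to replace it.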
2. Media mining
Users are now hyperconnected, communicating across multiple points of contact: e-mail, social media sites such as Facebook, LinkedIn and Twitter, forums and interactive websites. The importance of these social media channels will grow because of the immediacy and collaborative opportunities they offer. Contactless payments are also on the rise, and vulnerabilities specific to radio communications could lead to the compromise of wireless technologies.
All of these communication channels are sources of “information leakage”, and the data can be extracted for use in various attacks.
Expectation: social media and media sites will be actively mined for information used to break passwords, commit identity theft, or socially engineer access to a network or a building. Other routes such as RFID and radio-frequency channels can also yield valuable personal information, as can voicemail hacking or call interception.
Prevention: the work/leisure divide no longer exists, so be prepared to educate users on how to protect their anonymity and lock down their information on social media sites. Provide clear guidelines on acceptable use.
3. ‘Bring your own’ device issues
User-owned smartphones and tablets are now brought into the workplace under “acceptable use” policies that let the company monitor problem areas such as authentication and file transfer procedures. However, much more basic problems, such as “shoulder surfing”, are rarely discussed. Highly visible screens make it relatively easy to watch someone in a public place and observe their log-in details during the authentication process.
Expectation: opportunistic theft will increase as hackers record log-in details or monitor transaction details and then replicate them.
Prevention: revise restrictions on network access via remote and wireless connections. Strengthen access control by rotating passwords regularly, requiring two-factor authentication for VPN access, reviewing access privileges based on roles, and conducting regular audits and penetration testing.
4. USB jacking
USB ports are the Achilles heel of a computer. USB vulnerabilities emerged this year, including new shortcut-based payloads used to infect files and a terminal running fully patched Windows 7. Microsoft took quick action, but the incident demonstrates that new forms of USB malware are emerging.
I detected a new threat in the form of specially designed USB drives that can be used to hack a client device. The USB payload is able to access the computer's memory and take control of the device itself, even when it is locked in sleep mode. Once the attacker has gained control of the PC via the USB port, they can browse the information stored on the hard drive before attempting to access the network.
Expectation: the emergence of new malware will make USB a greater threat to PCs and enterprise networks.
Prevention: ensure the security policy gives clear guidance on controlling USB and other external devices; users often mistakenly believe that only devices used earlier are vulnerable. Traditional USB malware can be detected by scanning removable devices and disabling the autorun feature. New breeds of malware will require more sophisticated monitoring techniques.
5. Cloud concerns
While security concerns about housing data in the cloud have so far proved unfounded, in 2011 we saw attacks against DNS/SSL certificate authorities (CAs). CAs issue the SSL certificates that web servers use to authenticate themselves to other computers, including browsers. Despite claiming to be “safe”, such certificates are easily compromised.
Next year we could see the emergence of APTs targeting data in virtual environments. The ramifications of an attack on cloud-based virtualization software used to keep customer data separate, for example, could be catastrophic.
Problems also remain around the control and ownership of data in the cloud. Recent legislation such as the U.S. Patriot Act, which essentially gives the U.S. government the right to access data in the cloud without the user's authorization, may also curb enthusiasm for the technology.
Expectation: adoption of cloud computing among medium and large businesses will slow due to legislative changes. APTs will seek to exploit data in the cloud. There will be a streamlining of cloud use as companies consider how to use it to greater effect without compromising data integrity.
Prevention: ensure that only non-sensitive data is kept in the cloud, and provide guidance on the use of cloud-based file sharing. Protect wired and wireless networks with a DMZ, with sensitive information held off-line or on a separate network.
Much like car theft, we are now reaching the point where security systems deter would-be thieves from directly targeting corporate systems. Instead we are witnessing growth in the direct collection of data, the equivalent of carjacking. Social engineering and e-mail are used to solicit the information needed for these targeted attacks.
The question should not be whether these attacks will occur, but: am I ready? Only through a combination of user education and regular penetration testing can an organization hope to combat these and other evolving threats.