We’ve done a pleasant end-of-year recap, so now it’s time for one that will motivate you for next year through fear. As another year winds down it’s time for the annual roundup of the worst security issues to spring up in the past 12 months.
This year’s list comes to us from CSO, who spoke to security executives and industry analysts and came up with this list that highlights eight risks you should be extra careful to guard against next year. Some of these are constant but growing threats, some should be common sense and some might take you by surprise.
More Sophisticated DDoS
“Prior DDoS attacks leveraged the many thousands of personal computers that a typical botnet herd might utilize for their attack engine,” [John South, CSO at Heartland Payment Systems] says. “However, the huge multiplier in the newer efforts were botnets that consisted of compromised server-class equipment with much more capacity and horsepower.”
Where a typical DDoS attack in 2012 might range into 3 or 4 Gbps, South says, the new attacks have bursts of more than 100 Gbps.
Attack of the Botnets
Whereas the phishing attempts several years ago might have been replete with spelling and grammar errors, “the phishermen today have upped their social engineering skills and coupled these with much more credible messaging,” South says. “Their success in compromising computer systems, and in turn accessing personal identity, credit card and bank account data, is illustrated in the increasing number of account takeovers that were seen in 2013.”
Ignored Insider Threats
“Many Web-facing organizations are strictly focused on external threats, which include espionage agents, saboteurs, and cyber criminals,” [Michael Cox, president of SoCal Privacy Consultants] says. “However, businesses are constantly being surprised by breaches caused by workforce members and third-party services providers.”
Since these trusted parties have the greatest access to sensitive information, the average cost of breaches caused by trusted parties is greater than those caused by external threats, Cox says. “The false sense of security organizations have with trusted parties has allowed breaches by these actors to grow more rapidly than those by external threats.”
Another threat that was prevalent in 2013 and will be in 2014 is the production and distribution of insecure applications. …
Security professionals continue to produce code that’s easily compromised, South says, given the level of sophistication of the attackers. “With the emergence of NoSQL databases and their associated injection attacks, the ability to compromise Internet-facing applications may well continue to increase rather than decrease,” he says.
Data Supply Chain Threats
“What we’ve seen this past year is that many companies are not fully aware of all the different parties that are handling or processing their data,” [says Timothy Ryan, managing director of Kroll Advisory Solutions' Cyber Investigations practice and former supervisory special agent with the Federal Bureau of Investigation]. “Some companies have outsourced some portion of data processing to a subcontractor, only to find out that the vendor did not have adequate security measures in place, or that they did not know how to handle an incident, or that the company did not notify them right away when there was an issue.”
Unauthorized Access by Former Employees
The reason why these employees might be accessing this information varies, Ryan notes. At times, it could be to steal intellectual property–such as source code–that the individual might be interested in selling or using personally. “Or they may be accessing a network to try and secure information about pending litigation,” he says. “They may be the subject of a lawsuit and trying to gather information about their termination or related issues.”
Embedded Systems Vulnerabilities
Many non-traditional devices are increasingly on networks these days, Taule says, including Internet-enabled cameras, digital video recorders, badge readers and other non-PC devices with an IP address.
“And for those of you who think the Internet of Things–or ‘Internet of Vulnerabilities’ as I recently heard a colleague quip–is still years off, just ask a peer who works in a hospital and has to deal with untold numbers of network enabled/connected medical devices,” Taule says.
“We are fooling ourselves if we think we have our risk exposure well in hand simply by managing the threats to traditional network devices,” Taule says. “We must expand our situation awareness capabilities to provide full coverage for everything connected to the network.”
The Growth of Bitcoin
Bitcoin is the harbinger of a more digital economy, Silverstone says, but its vulnerabilities–from the hacking of hosting sites to pure crypto attacks–are just being discovered.
“The fact that multiple attacks on Bitcoin have been so successful, I suspect will lead to renewed attempts at attacking money- and transaction-transferring mechanisms,” [Ariel Silverstone, an independent consulting CISO] says. “These, such as PayPal, Swift, and also business and bank-initiated environments, transfer trillions of dollars per day. Many of them rely on little security [and are] susceptible to attacks.”
So have a nice, relaxing holiday season, but once the first of the year rolls around be sure you know the security risks and how to protect yourself, your company and your users!