Cyber security is an area of great interest and concern in the business community. It is that time of the year when numerous IT security firms and service providers set out to foresee and outline the potential threats and probable solutions for the new year to combat them. It is a constant quest to notify the netizens with adequate information to keep them safe and secure. Some of the upcoming threats to watch out for in 2014 might startle even the die-hard IT administrators and individuals using a wide array of personal devices. Read on to find out.
We will see one major data breach incident a month, cautions Trend Micro. Mobile banking will suffer from more cyberattacks; basic two-step verification will no longer be sufficient. Cybercriminals will increasingly use targeted-attack-type methodologies like open source research and highly customised spear phishing, along with multiple exploits. In the context of targeted attacks, we will see more click-jacking and watering hole attacks, new exploits of choice, and attacks via mobile devices. Pretty scary isn’t it, but staying cautious can go a long way in protecting your assets—but more on it later.
According to Dhanya Thakkar, managing director, India & SAARC, Trend Micro, “2013 played host to major mobile threats, a trend which is expected to continue in 2014. This year is all about mobile banking. Unfortunately, we can also expect mobile threats like man-in-the-middle (MitM) attacks to increase in 2014. Android will remain the most dominant OS in the market. But this dominance will continue to be exploited, as we predict the volume of malicious and high-risk Android apps to reach 3 million by the end of 2014.”
The “next big thing,” according to Thakkar, that cybercriminals are waiting for could come from the world of augmented reality (AR). Virtual reality headsets will become a disruptive technology. Not only will they change the gaming space, they will also be used for other purposes like attending conference calls and posting on social networks. These smart devices will become more desirable as the years progress.
“Expect isolated attacks to start in a couple of years,” says Thakkar. “These AR headsets will become the new favoured target to obtain personal information. Their built-in cameras will be used for privacy attacks, giving cybercriminals a bird’s eye view of users’ daily activities and a means to record details like bank PINs and other personal information.”
The continued worsening of the threats we are familiar with today will grow to the next level, says the Trend Micro India MD. Among the familiar threats, an increasing sophistication in attacks against mobile banking, mobile malware continuing to skyrocket and cross the three million mark for Android in 2014, and the expiration of support for Windows XP and Java 6 that together will create an unprecedented pool of vulnerable users for attackers.
From a business point of view, enterprises expect one single solution to address the overall BYOD challenge which is not practically feasible, says McAfee, a wholly-owned subsidiary of Intel. BYOD needs to be looked at from different dimensions like data loss prevention, network access control, authentication system, internal intrusion prevention systems, internal firewalls, securing Wi-Fi etc. This demands that companies re-look at the security architecture and rebuild it to fit BYOD needs.
Another major trend, the Internet of Things is permeating the marketplace, bringing physical objects together through remote accessibility across the internet without the need for human intervention, using the same wireless networks and internet protocol (IP) that connects your computer to the internet. According to Ericsson, there will be 50 billion IP-connected devices by 2020, up from 1 billion just a year ago. This phenomenon has exploded the threat scope for these devices with ATMs, point-of-sale (POS) terminals, kiosks, medical equipment, SCADA systems and other embedded devices being hacked in ever-increasing numbers.
As always, the goals with predictions aren’t to scare but instead to draw attention to possible developments based on current trends to foster discussion and also drive research forward to meet the emerging threats as quickly as possible. According to McAfee, in the wake of a sophisticated threat landscape and newly emerged business models, security cannot be seen as an instrument to stop bad things from occurring but instead as an enabler for more efficient, effective, and agile business. This realisation is steadily coming into effect with the paradigm of security moving from mere device safety to protection of assets with increased awareness of risk management and the reputational cost.
This year, there will be greater consciousness for security to be approached from a combination of endpoint, network, and data-centric controls for discovery, prevention, detection, response, and audit rather than each of these elements in a siloed manner. This interlocked approach, ensures better intelligence exchange arming companies with situational awareness and real time for quick and strategic action.
“Organisations should begin at the core,” says Thakkar. Protecting your core data or “crown jewels” is a priority, as this is a favoured threat actor target. “They will try to get inside corporate networks to steal data. Classify the data (blueprints and databases) in your core. It’s best to assume that someone is already inside your network. Make sure your organisation uses the proper tools and protocols to properly protect your network. Proper employee education will also help mitigate risks associated with data breaches.”
Also, protecting your digital life means protecting every device you own. Even with the rising popularity of mobile devices, don’t ignore your computers. Install and regularly patch security software to stay safe from attacks, especially those that rely on vulnerability exploitation. With so many internet-ready devices, you should also secure your home network. A secure network is the baseline for security, especially for devices that lack security features or options.
Sanjoy Sen, senior director, Deloitte Touche Tohmatsu India, says, “The weakest link in your cyber security isn’t your technology; it’s your people. Social engineering attacks that use targeted phishing emails or other techniques often hoodwink users into revealing confidential information or trick them into downloading malware. This makes it easier for cybercriminals to penetrate your network, without even resorting to more traditional hacking methods. Educate your employees to make sure they’re aware of these risks and threats.”
The new year is a perfect time to get your systems into shape, too.