Earlier this week I attended a webinar by Websense on their 2014 Security Predictions Report. Websense, Inc. is a San Diego-based global leader in protecting organizations from the latest cyberattacks and data theft. I encourage you to get and read this report explaining their eight predictions and recommendations because it will help you plan your security strategy as we move into 2014.
Whether you own a business or not, there was one important point that Bob Hansmann, Websense Product Marketing Director, made in the live webinar that is not in the report. Last year I wrote about Your Smart House in the Cloud. Home security is also changing, with traditional home security services and traditional ISPs like Comcast or Verizon offering the ability to monitor and control your house from a smart phone. Want to see what your children are doing while you’re on a busy trip? No problem. Forget to set the thermostat? No problem. As Mr. Hansmann pointed out, whatever you can do through the Cloud, so can criminals or government agencies. The security of these remote monitoring capabilities is not very good. A criminal can unlock your door, disable your monitors, get whatever they want, and reset everything after they leave. Or, watch what you and your family are doing whenever they want. My advice: do not enable any remote monitoring or control facilities for your smart house until the vendors can supply appropriate levels of security.
Back to work. Websense expects that the flavor of attacks will change in important ways.
You may actually see fewer attacks. Yes, the “attack everyone and see who lets us in” attacks will continue, because the cyber criminals automated those processes and they don’t cost much to launch. However, expect to see much more targeted attacks. These attacks will be against a small set of your IT infrastructure or even a single server or workstation, with the goal of getting just one or a few paths into your environment. Security vendor FireEye points out that some of these attacks may be memory-resident malware, which is very difficult to prevent as nothing changes on the system’s disks. It is a lot harder for your IT security team to detect one or a few systems behaving strangely, and a single system with old protection software or an unpatched operating system can offer a quick path into your IT environment. For example, Java is the number one exploited platform. Yet a recent Websense survey showed over 50% of their customers are running Java platforms that are at least one year old.
Accompanying the much more focused attacks is an increasing trend towards attacking the weakest link in the chain. Cybercriminals are largely giving up on attacking the big boys like Chase, American Express, and the big credit card processors – their security is very good and they constantly monitor their networks. Instead, they attack the middleman, like the attack against a chain of gas stations in my local area. Hundreds of gas stations with weak or no security between the gas pump and the server inside the store were an easy target. Similarly, attacking the BYOD (“bring your own device”) systems of your employees, contractors, partners or even frequent visitors may provide easy access to your most sensitive data.
One of the newer trends is to hold your data hostage. The cybercriminals encrypt your data on your server, and then send you an email explaining how much to pay in order to buy the key to get your data back. In most cases, paying does not get your data back – you just threw some money away. The best defense is to make sure that you have your data backed up somewhere that the cybercriminals cannot get to, and to recover your data from that backup. Just pretend you lost the data for some reason and use your standard backup and recovery plan.
In spite of all the warnings, many companies are still not paying attention to the simplest user access controls, allowing employees, contractors and partners to have access to their servers long after they have no reason for any access at all. Especially as employees transition from full-time to “30-hour” employees, employees change to contractors, and contractors come and go, it is critical that your company have a strict process for quickly reacting to any personnel assignment changes and that this process is audited at least annually. If your security policy is either “access nothing” or “access everything” you really need to determine whether that is the right policy. In most companies, there are different classes of data with different user roles who should have access. Giving your payroll clerk access to your engineering documents is a bad idea, as is letting an engineer access your payroll information.
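To make the access audit described above concrete, here is an added example (not from the Websense report or the original post) that reconciles a personnel roster against server access grants and flags departed people, access outside a role's data class, and grants not reviewed since an assignment change. The roster, policy, account names and dates are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (hypothetical people, roles and dates).
# person -> (status, role, date of last assignment change)
ROSTER = {
    "alice": ("employee", "payroll", date(2013, 1, 10)),
    "bob": ("contractor", "engineering", date(2013, 9, 1)),  # was an employee
    "carol": ("departed", "engineering", date(2013, 6, 30)),
    "dave": ("employee", "engineering", date(2012, 3, 5)),
}
# Hypothetical policy: which data classes each role may reach.
ROLE_POLICY = {"payroll": {"payroll"}, "engineering": {"engineering"}}
# (account, data class, date the grant was made or last reviewed)
GRANTS = [
    ("alice", "payroll", date(2013, 1, 10)),
    ("alice", "engineering", date(2012, 5, 1)),
    ("bob", "engineering", date(2012, 2, 1)),
    ("carol", "engineering", date(2011, 8, 15)),
    ("dave", "engineering", date(2012, 3, 5)),
    ("erin", "payroll", date(2010, 4, 1)),
]

def review_access(roster, policy, grants):
    """Return (account, data class, reason) for every grant that needs action."""
    findings = []
    for account, data_class, reviewed in grants:
        person = roster.get(account)
        if person is None:
            # Account exists on the server but nobody on the roster owns it.
            findings.append((account, data_class, "no roster entry"))
            continue
        status, role, changed = person
        if status == "departed":
            findings.append((account, data_class, "departed"))
        elif data_class not in policy.get(role, set()):
            # e.g. a payroll clerk holding access to engineering documents
            findings.append((account, data_class, "outside role"))
        elif reviewed < changed:
            # Assignment changed (e.g. employee -> contractor) after last review.
            findings.append((account, data_class, "not reviewed since assignment change"))
    return findings

if __name__ == "__main__":
    for finding in review_access(ROSTER, ROLE_POLICY, GRANTS):
        print(*finding, sep=" | ")
```
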
The last word:
As I post this, yesterday was December 7, 2013, the 72nd anniversary of the Japanese attack on the US military at Pearl Harbor. The attack killed 2,402 Americans and wounded 1,282 more. Almost all of these casualties were military personnel. This attack had a huge impact on the people of the United States, and over the next four years on the entire world.
Cybercriminals, and governments, are currently experimenting at the beginning of Cyber War I. This war has the potential to kill or financially ruin more people than all of World War II did, and in the process profoundly change the way we do business and interact with other people. Do you remember all the predictions of the catastrophes Y2K would cause with power grid and dam failures, elevators and airplanes falling to the ground, crashing the stock markets and banking systems? None of these happened then, primarily because an army of people took preventive measures. Today, all of these bad events, and many more, are now possible. There are no uniforms in Cyber War I, but there are hundreds, probably thousands, of small and large groups participating: criminal, hacktivist, religious, and governmental. Criminals are in it for the money, hacktivists are after intellectual property or for the grief they can cause a company, while religious and government groups have “collateral damage” as the goal. Work hard to make sure your family and your business are not among the casualties.
As an aside, the attacks on our privacy by our own and other governments do not make us safer.
Keep your sense of humor.