Malware (Rising Threat)
There are many methods employed today to get malware installed on systems. One primary method is the exploitation of client-side software vulnerabilities, usually in third-party applications such as Adobe Acrobat, QuickTime, Flash, and even Microsoft Office. Client-side applications are patched far less frequently than operating systems. Browsers also remain a top target for the vulnerabilities criminals want to exploit.
Malware is most often installed when the user is lured, by any number of methods, to a malicious or compromised website that exploits one of these client-side vulnerabilities. Once the malicious software is installed, it acts as a Trojan horse, performing any number of malevolent functions: information-stealing keyloggers, fast-flux botnet nodes, relays, and remote-control agents.
The FBI reported that, for the first time ever, revenue from cybercrime had exceeded drug trafficking as the most lucrative illegal global business, estimated to take in more than $1 billion annually in profits.
Exploited Vulnerabilities (Steady Threat)
Vulnerability exploitation is at the heart of hacking and data breaches. Worms, viruses, malware, and a host of other attack types rely on exploiting vulnerabilities to infect, spread, and perform the actions cyber criminals want.
According to a Verizon study, the vast majority of data security breaches in which a vulnerability was exploited relied on vulnerabilities for which patches had been available for more than 6 months. There are several reasons this remains an issue. First, it only takes one unpatched system for your entire organization to be compromised; one system that is not up to date is all a hacker needs. Second, many applications are loaded onto each and every system, and many of them have weaknesses that can be exploited. Often these third-party applications are not patched: few application vendors update their software automatically, so patching is a manual process unless you use a commercial patch management package.
Careless and untrained employees will continue to be a very serious threat to organizations in 2010. Remember that insiders can be broken down into three categories: careless and untrained employees, employees who are duped or fall prey to social engineering attacks, and malicious employees. In a recent research report released by RSA, accidental disclosure of sensitive information occurs far more frequently than deliberate incidents.
Careless insiders can be devastating to an organization. What is worse, this category of threat is one of the most controllable. Policies, procedures, training and a little technology can make a world of difference in reducing an organization’s risk from careless insiders.
Mobile Devices (Rising Threat)
Mobile devices have become a plague for information security professionals. They are an easy way for a malicious employee to remove data from the corporate network. There are worms and other malware that specifically target these devices, such as the iPhone worm that stole banking data and enlisted infected devices in a botnet. There was also the iPhone game maker who designed his game to harvest user information.
USB thumb drives are also a problem. In the case of the Virginia Department of Education, an unencrypted flash drive containing personally identifiable information of more than 103,000 former students (including social security numbers) went missing. Many times it isn’t the data that leaves on these little devices that matters, but rather what they bring in. Consider, for example, the infected USB key that shut down a town council for four days: the drive was infected with Conficker, which spread to many systems inside the network, wreaking havoc and costing the council just under $1,000,000.
Mobile devices, especially laptops, are the main culprits. Tens of thousands of laptops are stolen each year. Often they hold sensitive data whose loss requires public disclosure as a data breach.
Social Networking (Rising Threat)
Social networking sites such as Facebook, MySpace, Twitter, and many others have literally changed the way many people communicate with one another. Due to many publicly disclosed breaches and compromises, we saw that these sites can be very real and serious threats to organizations. There are many Trojans, worms, phishing and other attacks targeted specifically at the users of these sites.
People who use these sites for entertainment, such as online games, are rewarded for accepting friend requests even from people they don’t know. This is very fertile ground for identity thieves. Some might say there isn’t enough information on their account to enable identity theft, but criminals are very resourceful. Just a little bit of information, correlated with other sources of information available on the Internet, can give someone all they need to steal your identity.
Social networking sites are breeding grounds for spam, scams, scareware, and a host of other attacks.
Social Engineering (Steady Threat)
Social engineering is always a popular tool used by cyber criminals. Often, the more difficult it is to exploit vulnerabilities natively, the more they rely on social engineering to make up the difference. Phishing in email is a social engineering threat, but is a phishing email on Facebook a social engineering threat? Or is it a social media threat?
A method that found a tremendous amount of success in 2009 is scareware. The two most effective variants were the “Blue Screen of Death” scareware and fake anti-virus scareware. In the blue screen of death case, users would see what looked like a Microsoft blue screen of death and then be prompted to fix the issue by downloading and installing software. The phony program was called SystemSecurity, and it collected money from the user to remove the “blue screen”. In an even more successful campaign, cyber thieves would have pop-up messages appear on the user’s desktop saying the machine was infected with a virus. Users would be prompted to buy, download and install a program to remove the infection. These programs were so insidious that they would actually disable the anti-virus software already loaded on the machine. Until resolved, the computer is nearly unusable. Cyber criminals are earning tens of thousands of dollars from these scams.
Zero-Day Exploits (Steady Threat)
A zero-day exploit is an attack in which the attacker compromises a system through a known vulnerability for which no patch or fix yet exists. Many of these zero-day flaws reside in browsers and popular third-party applications. The zero-day vulnerability may not even be in your own systems; it could be in your providers’. For example, web hosting provider Vaserv suffered an attack against 100,000 of its websites based on a zero-day exploit. The HyperVM software it used to run many virtual websites was compromised, and in this attack the perpetrators destroyed the sites. Some companies did not have backups of their website data and files.
Cloud Computing Security Threats (Rising Threat)
Cloud computing is a concept that is becoming very popular. While it still means a lot of things to a lot of people, using cloud-based (i.e. Internet-based) applications may not be as secure as you might hope. There were many stories in 2009 regarding cloud-based security. Many are calling for forced encryption when accessing these services. While it seems ludicrous that this isn’t done by default, you can’t simply assume cloud apps are secure.
Some cloud computing security threats come in the form of vulnerabilities, such as the October 2009 story in which attackers exploited a web application flaw to hijack Yahoo Mail accounts. This was a brute force attack in which the hackers used software to systematically guess passwords. Someone even went so far as to post the passwords, among which were many common ones such as “password” and “123456”. Poor password policies and software that doesn’t limit this type of attack will always lead to compromise.
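As an added example (not from the article), here is how a login back end can enforce the two controls the paragraph calls for: a password policy that rejects the common guesses quoted above, and a per-account throttle so that systematic guessing locks the account rather than eventually succeeding. The LoginService class, MAX_FAILURES and LOCKOUT_SECONDS are hypothetical names chosen here, and the denylist is constructed from the passwords the article mentions plus a few others.

```python
import hashlib
import hmac
import os
import time

# Constructed denylist: the common passwords quoted in the article plus a few more.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MAX_FAILURES = 5          # failed attempts allowed per account ...
LOCKOUT_SECONDS = 900     # ... before the account is locked for 15 minutes

def password_is_acceptable(password: str) -> bool:
    """Policy check: reject the dictionary words a brute forcer tries first."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS

class LoginService:
    """Hypothetical login back end with per-account failure throttling."""
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so lockout expiry can be tested
        self._users = {}         # username -> (salt, pbkdf2 hash)
        self._failures = {}      # username -> (failure count, time of first failure)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        if not password_is_acceptable(password):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def is_locked(self, username: str) -> bool:
        count, first = self._failures.get(username, (0, 0.0))
        if count and self._clock() - first >= LOCKOUT_SECONDS:
            del self._failures[username]   # window expired: start counting afresh
            return False
        return count >= MAX_FAILURES

    def login(self, username: str, password: str) -> bool:
        """True only for a correct password on an account that is not locked."""
        if self.is_locked(username):
            return False                   # refuse even a correct guess while locked
        salt, stored = self._users.get(username, (b"", b""))
        if stored and hmac.compare_digest(stored, self._hash(password, salt)):
            self._failures.pop(username, None)
            return True
        count, first = self._failures.get(username, (0, self._clock()))
        self._failures[username] = (count + 1, first)
        return False
```

The same counter should also be kept per source address, since the Yahoo Mail attackers spread guesses across many accounts; that variant is left out here for brevity.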