If you look outside your window this time of year you may be affected by two kinds of seasonal sadness: One is from plunging temperatures and grey skies. The other by representatives of security vendors who drop in with their annual predictions.
The latest is Jon Clay, core technology marketing manager at Trend Micro Inc., who came to the ITWorldCanada.com office Tuesday during a three-city trip across Canada this week. He’s talking to some of the firm’s 10,000 corporate customers here about its threat predictions for 2014.
Like predictions from all security vendors for the past 20 years, they’re pretty grim:
–There will be one major data breach incident revealed a month;
–Mobile banking will suffer from more man-in-the-middle attacks; basic two-step verification will no longer be sufficient;
–Cybercriminals will increasingly use targeted-attack-type methodologies like open source research and highly customized spear phishing, along with multiple exploits;
–Speaking of targeted attacks, there will be more clickjacking and watering
hole attacks, new exploits of choice, and attacks via mobile devices;
–Attacks leveraging vulnerabilities in widely used but unsupported software like Java 6 and Windows XP will intensify;
–Cyber-criminals have a place to hide: Called The Deep Web, it’s like an Internet within the Internet where search engines don’t search;
–Public distrust in the Internet will rise, especially after the exposure of state-sponsored monitoring activities (ie: the U.S. and – perhaps — Spain).
Given that Trend Micro advises organizations to start their defences by assuming their networks have already been penetrated, I asked Clay why shouldn’t we despair about the state of network security.
“There’s a lot more good happening on the Internet than bad,” he said, pointing to the use of the Web for communications and education.
Still, he admitted that there’s a lot of work do be done to secure the Internet and organizations.
“We have to evolve, continually modify the tools and techniques to identify criminal behaviour.”
One solution he is cool on is the idea floated by NSS Labs last month of a multi-million dollar program – perhaps supported by governments – of paying people to find software bugs.
“Bug bounties are good for the legitimate people, the white hackers of the world. But most criminals aren’t going to subscribe to a bug bounty program because they can make more money with the exploit.
“Responsible disclosure would be nice,” he added – meaning people would freely send in vulnerabilities they find.
Meanwhile here’s what Trend Micro advises organizations to do:
Begin at the core. Protecting your core data or “crown jewels” is a priority, as this is a favored threat actor target. They will try to get inside corporate networks to steal data.
Classify the data (e.g., blueprints and databases) in your core. This will help you assess which requires additional protection and identify the steps you should take.
It’s best to assume that someone is already inside your network. Make sure your organization use the proper tools and protocols to properly protect your network. Proper employee education will also help mitigate risks associated with data breaches.
Adopting consumerization means considering the creation and implementation of a comprehensive set of security guidelines for all kinds of devices. Note that attackers can and will use any device to get in to target networks.
The bot threat
Some of the most serious threats networks face today are "bots," remotely controlled robotic programs that strike in many different ways and deliver destructive payloads, self propagating to infect more and more systems and eventually forming a "botnet."