In 2011, enterprise IT departments will face the added challenge of safeguarding all those employee smart phones and the corporate data they carry as hackers will make smart devices a prime target, warns one security expert.
Patrick Runald, senior manager of security research at San Diego, Calif.-based security technology vendor Websense Inc., in explaining the first of five of his company’s security predictions for 2011, said the problem is enterprises fail to treat smart phones as if they were laptops by using secure connections such as VPN.
“You wouldn’t allow a company-owned laptop to just connect anywhere without any type of security, which typically happens with these smart phone devices,” said Runald. “Well why not use the same on iPads and iPhones and Androids?”
It doesn’t help that it is next to impossible to deploy a security technology on a smart device given the development kit is often closed, said Runald. So, 2011 will be the year when IT departments must implement smart device usage policies, such as not allowing employees to store a customer database on their devices. Runald suggests storing that data securely behind the firewall or with a cloud storage vendor.
Here are the remaining four security predictions by Websense for 2011:
Prediction #2: Expect one or two Stuxnet-type attacks in 2011 now that hackers have proven it can be done and it works. Such attacks are highly complex in design so they will not emerge frequently.
“We believe it’s the first of more to come,” said Runald. “It opened up the avenue for other groups or states that are thinking about doing these types of attacks.”
But while Stuxnet-type attacks are highly targeted at national infrastructure systems, Runald said enterprises can’t afford to ignore them. The lesson for any enterprise is in the success that Stuxnet had by infiltrating the target through the well-known channel that is the USB key.
Prediction #3: In 2011, blended threats—which use multiple vectors such as e-mail, Web, social media sites and data leaks—will evolve and spread through social media. Such threats will be script-based or embedded in rich media instead of the traditional binary files. Runald said 2010 saw an increase in well-designed blended threats that were “probably the best we’ve ever seen” and a precursor of things to come in 2011.
Prediction #4: Hackers will manipulate search algorithms in popular social media sites to expose visitors to malware. With enterprises increasingly using social media sites for corporate initiatives, policies should be put in place to avoid accidental posting of confidential information or other potentially damaging behaviour, said Runald.
“Now with enterprises feeling pressure to open up access to Facebook, Twitter and LinkedIn … it opens up a brand new avenue for not only attacks but also for potential data breaches as well,” said Runald.
It’s proven, he added, that Facebook has been successfully used by hackers to bypass security tools.
Prediction #5: Data loss prevention (DLP) strategies and technologies will be ever more important in 2011 as more zero-day vulnerabilities will be discovered.
Past incidents in 2010 of data leaks already point to more of the same in 2011. While attacks like Stuxnet are tricky to protect against, Runald said the attack is only really successful if data is allowed to leave the target enterprise.
DLP tools must be an addition to an enterprise’s security posture, said Runald. “We believe DLP is the missing piece that enterprise haven’t implemented,” he said.
Follow Kathleen Lau on Twitter: @KathleenLau
