Malcolm Marshall, UK and Global Leader of KPMG’s Information Protection and Business Resilience team says there are clear trends emerging and the possibility of a few ‘black swans’ in 2014. On the emergence of cyber security standards, Marshall said:“As governments worry about the scale of the cyber security threat, we can expect to see more national standards emerge, and greater pressure for “voluntary” compliance. The US NIST cyber security framework and the UK government’s ‘kitemark’ are just two examples.”
“On the back of emerging standards we will see the cyber insurance market develop and begin to provide market incentives for compliance, whether that is a willingness to insure or reduce premiums. Non-compliance will also lead to a legal debate over liability for incidents.”
Cyber intelligence will also grow as a business, suggested Marshall: “The number of firms offering cyber intelligence and claiming to mine the dark corners of the internet for information on threats and vulnerabilities will grow. Security companies will begin to put more of the Advanced Persistent Threat jigsaw together – a euphemism for state-sponsored cyber espionage.”
“Key financial institutions will automate the exchange of intelligence in real-time, with other critical national infrastructure sectors on their coat tails. But vital questions remain – how useful is data in really understanding the threat landscape, and how can firms really harness it to make decisions on their security stance and the level of risk they are prepared to carry?”
Highlighting mobility as a cause for an increase in e-crime over the next 12 months, Marshall said: “Organised crime will always follow the money with a growing range of malicious apps targeting on-line transactions, sophisticated spyware, and attack techniques which exploit the link between the user’s mobile phone and their home computer. We can also expect more targeted attacks as criminals tailor their email campaigns and carefully choose their watering holes to lure in unsuspecting users.”
According to Marshall, the debate on the future of the Internet will continue: “Snowden’s revelations have triggered a privacy debate which will continue to rage in 2014. Expect more disclosures, more calls for greater transparency over government actions, and more efforts by the Internet giants to persuade customers that their data is secure.”
Marshall cautioned that organisations and individuals can’t take the internet for granted. He said: “The internet contributes more than 8 per cent of our GDP, and this figure is predicted to grow to 12pc by 2016. But do we really understand our dependency on the network? Denial of service attacks have been on the rise since 2012, growing in scale and sophistication. Network engineers do an amazing job of keep the Internet running, but many of the protocols at its heart remain insecure. Attacks on directory and routing services have grown in 2013, and we have seen denial of service attacks against banks and media sites often linked to international tensions elsewhere in the world. A major outage of a country’s internet service may be on the cards, but if not, we can expect numerous disruptive DDOS attacks against individual firms sometimes with extortion in mind.”
McAfee Labs released its annual 2014 Predictions Report, analysing 2013 trends through its McAfee Global Threat Intelligence (GTI) service. In 2014, the IT security firm expects to see ransomware proliferate on mobile devices, as virtual currencies such as Bitcoin fuel the growth of ransomware across all platforms. ify and bypass some sandboxing and other local security measures. Social platforms will be used more aggressively to target the finances and personal information of consumers, and the intellectual property and trade secrets of business people, the firm says.
Vincent Weafer, senior vice president of McAfee Labs, said: “With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014. The activity in mobile and social is representative of an increasing ‘black hat’ focus on the fastest growing and most digitally active consumer audiences, in which personal information is almost as attractive as banking passwords. The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover.”
McAfee Labs foresees the following trends in 2014:
1. Mobile malware will be the driver of growth in both technical innovation and the volume of attacks in the overall malware “market” in 2014. In the last two quarters reported, new PC malware growth was nearly flat, while appearances of new Android samples grew by 33%. With businesses and consumers continuing their shift to mobile, we expect to see ransomware aimed at mobile devices, attacks targeting near-field communications vulnerabilities, and attacks that corrupt valid apps to expropriate data without being detected.
2. Virtual currencies will fuel malicious ransomware attacks around the world. Although largely a positive development, virtual currencies provide cybercriminals the unregulated and anonymous payment infrastructure they need to collect money from their victims. Currencies such as Bitcoin will enable and accelerate new generations of ransomware such as the Cryptolocker threat of 2013.
3. In the spy vs. spy world of cybercrime and cyber warfare, criminal gangs and state actors will deploy new stealth attacks that will be harder than ever to identify and stop. There will be broad adoption of advanced evasion techniques, such as the use of sandbox-aware attacks that do not fully deploy unless they believe they are running directly on an unprotected device. Other attack technologies will include return-oriented programming attacks that cause legitimate applications to behave in malicious ways, self-deleting malware that covers its tracks after subverting a target, and advanced attacks on dedicated industrial control systems targeting public and private infrastructure.
4. “Social attacks” will be ubiquitous by the end of 2014. We expect to see more attacks that leverage social platform features to capture passwords or data about user contacts, location, or business activities. Such information can be used to target advertising or perpetrate virtual or real-world crimes. Either directly or through third parties, enterprises will increasingly use “reconnaissance attacks” to capture valuable user and organizational information to gain tactical and strategic advantages.
5. New PC and server attacks will target vulnerabilities above and below the operating system. In 2014, new PC attacks will exploit application vulnerabilities in HTML5, which allows websites to come alive with interaction, personalization, and rich capabilities for programmers. On the mobile platform, we expect to see attacks that will breach the browser’s “sandbox” and give attackers direct access to the device and its services. And cybercriminals will increasingly target vulnerabilities below the operating system in the storage stack and even the BIOS.
6. The evolving threat landscape will dictate adoption of big data security analytics to meet detection and performance requirements. In 2014, security vendors will continue to add new threat-reputation services and analytics tools that will enable them and their users to identify stealth and advanced persistent threats faster and more accurately than can be done today with basic “blacklisting” and “whitelisting” technologies.
7. Deployment of cloud-based corporate applications will create new attack surfaces that will be exploited by cybercriminals. Cybercriminals will look for more ways to exploit the ubiquitous hypervisors found in all data centers, the multitenant access and communications infrastructure implicit in cloud services, and management infrastructure used to provision and monitor large-scale cloud services. Because they lack sufficient leverage to demand security measures in line with their organizational needs, small businesses that purchase cloud-based services will continue to grapple with security risks unaddressed by cloud providers’ user agreements and operating procedures.
Meanwhile AppRiver has offered a list of IT security resolutions. The cloud-based email and Web security product firm suggests everyone must make 2014 the year they take control of their cyber security.
Troy Gill, AppRiver’s senior security analyst says: “A security breach is the digital equivalent of a wardrobe malfunction – except it can be very expensive in addition to a red face. With hackers and data thieves working desperately to steal confidential information, whether its company data or an individual’s personal information, 2014 must be the year we all take security to the next level.”
Passwords are an important security measure in an increasingly digital world – often the only lock to many areas of a person’s online life. It is this element that Troy advises individuals pay particular attention. He advises, “I recommend you change your passwords frequently. Think of it like changing the oil in your car. Sure, you might get some extra mileage out of the old stuff. But is it worth the cost if you’re wrong? As importantly, you need to make your passwords stronger. Making it hard to guess also makes it hard to remember but don’t write it down – instead become creative using a mix of upper and lower case letters, numbers and symbols that mean something to you but to others will appear completely random. And use different passwords for different accounts. This might strain the memory a little, but I’m pretty sure you’ve got some storage space left in your mental hard drive. Maybe skip the sudoku and use those brain cells to keep you safer online.”
Troy suggests organisations ‘Go hack yourself’ by periodically testing their security. He adds: “While we recommend having a professional firm conduct a security audit, there are less expensive measures you can employ For example, take a walk around your office and see who has their latest password on a sticky note by their desk. Check around outside and see if anyone has a clear view of your computer monitors. If you’re feeling really ambitious, look through your wastebaskets to get a preview of what a dumpster diver might find. Have systems in place to make sure people are who they say they are. For example, if someone shows up to fix your copier, make sure you know who called them, check their credentials and limit their access only to areas where they are working – and perhaps the bathroom.”
If a repeat of 2013’s breaches is to be avoided, every organisation needs to not only have a security plan — but follow it, he argues. Troy adds: “To paraphrase an old saying, the best time to develop an IT security plan was 10 years ago. The second best time is now. If you have a plan in place, great – just make sure that it’s being followed and updated frequently.”
About AppRiver
AppRiver is a Software-as-a-Service (SaaS) provider. For more information, please visit www.appriver.com.
And Kaspersky Lab is warning that after new smartphones were exchanged as gifts, from the iPhone 5S to the Google Nexus 5, yet more people will be walking the streets holding expensive devices, and crooks will be on the look-out for easy targets. Users need to be careful.
The IT security firm says mobile malware threat is getting ever more concerning. In the second quarter of this year, Kaspersky Lab reports that it found 29,695 new mobile malware modifications – malicious code samples that cyber criminals use to infect legitimate mobile applications. Given the amount of Christmas-themed apps out there, and how exploitative crooks are, expect some to contain malicious code.
The firm offers some tips for smartphones, new or old:
Get mobile AV software: The virus problem on PCs was not taken seriously until it became a major problem. When it comes to smartphones and tablets, users should take precautions to prevent data thieves getting a head start. Mobile protection solutions are imitating their larger-scale PC counterparts. Real-time protection, on-demand and scheduled antivirus scans, automatic updates and blocking of dangerous network connections, as well as firewalls to protect against hacker attacks, are now standard.
Invest in enhanced theft protection: Users can have certain features of their smartphones blocked, their memory cards wiped, their phones located via GPS and the phone numbers of any new SIM cards transmitted to them. Once their smartphones have been blocked, users can automatically have instructions for honest finders displayed on the screens.
Encrypt your mobile: Using fully encrypted data will also prevent private photos and videos from falling into the wrong hands. Or, security programs like Kaspersky Internet Security for Android can provide targeted protection for personal information. Addresses and phone numbers marked as “private” are removed from call and contact lists. This contact information also remains hidden when SMS messages or calls are received from these numbers.
Backup: Whether travelling this Christmas or not, backup your phone data. The software you will need to do this is either included with your mobile or available from the manufacturer’s website.
Keep an eye on your phone: It seems like simple advice, but many appear to be flouting it. According to the UK’s Office for National Statistics in 2011/12, the most common type of offence involving mobile phone theft happened when the phone was not in the owner’s possession at the time it was stolen. When on holiday, don’t leave it out on the restaurant table, in your hotel room, or in your car.
PIN protection: Keep your mobile’s PIN protection activated. If your phone is stolen, this function will prevent the thief from making calls at your expense – at least immediately. Owners of Android phones must enable their phone’s lock function, while iPhone owners should activate the PIN code.
Careful what you download: Adware and malware have found their way into major app stores, especially Google Play. Check reviews before you download and check the permissions of the application, just in case the app has the ability to reach into your contacts book or make off with other data you’d rather not share.
Filing a police report: If your smartphone is stolen, file a police report as soon as possible. Take your mobile’s “passport” with you to the local police station. This should include a hotline number for your service provider, your customer number, your phone number, your SIM card number and your 15-digit IMEI (International Mobile Equipment Identity number; the “serial number” for your mobile) – a particularly important piece of evidence if the thief if later apprehended. Tip: You’ll find your phone’s IMEI on the original packaging or underneath your battery. On many phones it can also be displayed by entering *#06# on the keypad.
SIM locking: Locking a SIM can help in the event of a theft too. Call your phone provider’s hotline and have it locked immediately. You should also send written confirmation of your request to your mobile phone provider as soon as possible for good measure. Let the hotline know that you’d like written confirmation of the time and date the SIM card was locked. This will serve as evidence that any calls placed after the SIM card was locked were not made by you.
