The past year has seen its share of newly emerging or persistent threats that security and IT executives need to be aware of and in many cases defend against.
We asked security executives and industry analysts to weigh in on what they think were the biggest threats in 2013, and why organizations should care about these possible intrusions. Here are some of the threats they cited.
More Sophisticated DDoS
Attacks continue to become more sophisticated, and that includes advancements in increasing the bandwidth of distributed denial-of-service (DDoS) attacks. The trend has accelerated in recent months, says John South, CSO at Heartland Payment Systems, a large payments processor.
"Prior DDoS attacks leveraged the many thousands of personal computers that a typical botnet herd might utilize for the their attack engine," South says. "However, the huge multiplier in the newer efforts were botnets that consisted of compromised server-class equipment with much more capacity and horsepower."
Where a typical DDoS attack in 2012 might range into 3 or 4 Gbps, South says, the new attacks have bursts of more than 100 Gbps. "Many security professionals designed their DDoS strategies around the lower numbers, thinking that would be sufficient to stem a DDoS threat," he says. "Many institutions have had to rearchitect their network security strategies under the bandwidths that the newer threats pose."
This year saw the continued rise of DoS as a cyber weapon, says Mark Lobel, principal in PricewaterhouseCoopers' advisory practice focusing on security. "The bad actors don't necessarily have to steal your product or service," Lobel says. "They just have to make sure you can't deliver that product or service to your customers, which is a much lower bar than getting in, finding the data and getting away cleanly."
Attack of the Botnets
Associated with DDoS attacks is the "lethality" of the botnets that have been spreading through systems, South says.
"Using phishing techniques that have gained a much higher level of sophistication, they have been able to drop malware onto large numbers of personal and server-class equipment," South says.
Whereas the phishing attempts several years ago might have been replete with spelling and grammar errors, "the phishermen today have upped their social engineering skills and coupled these with much more credible messaging," South says. "Their success in compromising computer systems, and in turn accessing personal identity, credit card and bank account data, is illustrated in the increasing number of account takeovers that were seen in 2013."
Although phishing attacks have been around for years, they remain "a persistent, annoying but too-often effective approach [for] gaining a foothold into organizations," says Richard Greenberg, information security officer at Los Angeles County Public Health.
"Security awareness training programs can make a dent into this problem, but people who are not security practitioners cannot really be expected to be the defenders of the kingdom," Greenberg says.
Companies can try for modest gains in awareness, "but we are kidding ourselves if we think every employee will never click on a link or attachment in their email," Greenberg says. "It only takes one successful click to inject a rootkit, keylogger [or] trojan, allowing a hacker illegal entry into your environment. Clearly this is a problem to keep in our sites."
Ignored Insider Threats
Attacks from within organizations are nothing new. But the number of threats from these seemingly trusted parties is on the rise, says Michael Cox, president of SoCal Privacy Consultants.
"Many Web-facing organizations are strictly focused on external threats, which include espionage agents, saboteurs, and cyber criminals," Cox says. "However, businesses are constantly being surprised by breaches caused by workforce members and third-party services providers."
Since these trusted parties have the greatest access to sensitive information, the average cost of breaches caused by trusted parties is greater than those caused by external threats, Cox says. "The false sense of security organizations have with trusted parties has allowed breaches by these actors to grow more rapidly than those by external threats."
For employees, the primary causes of breaches are inadequate awareness and training programs, roles-based access controls and activity monitoring, Cox says. For third-party service providers, inadequate due diligence and monitoring programs are the primary causes.
Another threat that was prevalent in 2013 and will be in 2014 is the production and distribution of insecure applications.
"The proliferation of e-commerce and mobile applications has enabled many companies to have greater connectivity with their clients," South says. But we have yet to solve the resulting problems that have been present for well over the past 10 years: injection and cross-site scripting threats."
Security professionals continue to produce code that's easily compromised, South says, given the level of sophistication of the attackers. "With the emergence of NOSql databases and their associated injection attacks, the ability to compromise Internet-facing applications may well continue to increase rather than decrease," he says.
Concerns about network security "have rightfully been overtaken by concerns about the applications and services running thereon," says Jason Taule, chief security and privacy officer of FEi Systems, a healthcare technology integrator. "Both internal development teams as well as the commercial software market are paying increased attention to the demand for secure code."
The security of an application and the credentials one uses to gain access are only as strong as the process by which a user's identity was vetted to begin with, Taule says. "Requiring that a user insert a PIV card into a reader, offer up a biometric, and enter a password does nothing if these credentials weren't provided to the correct individual," he says.
The increasing sensitivity of information and the growing importance of application functionality "require that we give as much thought to identity proofing as subsequent access control," Taule says.
Data Supply Chain Threats
Data supply chain breaches are an emerging threat, says Timothy Ryan, managing director of Kroll Advisory Solutions' Cyber Investigations practice and former supervisory special agent with the Federal Bureau of Investigation.
"What we've seen this past year is that many companies are not fully aware of all the different parties that are handling or processing their data," Ryan says. "Some companies have outsourced some portion of data processing to a subcontractor, only to find out that the vendor did not have adequate security measures in place, or that they did not know how to handle an incident, or that the company did not notify them right away when there was an issue."
In multi-tenant environments, system administrators can sometimes cut corners, says Wendy Nather, research director, security at 451 Research.
"They may use the same privileged account passwords for each of their tenants, and they may insist on broad network access that an enterprise wouldn't normally allow to anyone else on the Internet," Nather says. "In this way, the third party becomes a jumping-off point for an attacker who wants to get to a particular enterprise."
Unauthorized Access by Former Employees
Unauthorized network access, especially by former employees, continues to be a security issue for many companies, Ryan says.
"What we're finding is that some companies do not fully sever all the access that former employees were provided," Ryan says. His firm is often called in prior to the termination of an employee to make sure the company effectively terminates access for that individual.
"There have also been incidents where we are called in to investigate an employee whose access was not terminated properly and help assess what has been stolen and how to remediate the issue," Ryan says.
The reason why these employees might be accessing this information varies, Ryan notes. At times, it could be to steal intellectual property–such as a source code–that the individual might be interested in selling or using personally. "Or they may be accessing a network to try and secure information about pending litigation," he says. "They may be the subject of a lawsuit and trying to gather information about their termination or related issues."
Embedded Systems Vulnerabilities
Many non-traditional devices are increasingly on networks these days, Taule says, including Internet-enabled cameras, digital video recorders, badge readers and other non-PC devices with an IP address.
"And for those of you who think the Internet of Things–or 'Internet of Vulnerabilities' as I recently heard a colleague quip–is still years off, just ask a peer who works in a hospital and has to deal with untold numbers of network enabled/connected medical devices," Taule says.
"We are fooling ourselves if we think we have our risk exposure well in hand simply by managing the threats to traditional network devices," Taule says. "We must expand our situation awareness capabilities to provide full coverage for everything connected to the network."
The Growth of Bitcoin
Bitcoin, the open source electronic money and payment network that uses cryptography to secure transactions, comes with its own set of security risks, says Ariel Silverstone, an independent consulting CISO.
Bitcoin is the harbinger of a more digital economy, Silverstone says, but it's vulnerabilities–from the hacking of hosting sites to pure crypto attacks–are just being discovered.
"The fact that multiple attacks on Bitcoin have been so successful, I suspect will lead to renewed attempts at attacking money- and transaction- transferring mechanisms," Silverstone says. "These, such as PayPal, Swift, and also business and bank-initiated environments, transfer trillions of dollars per day. Many of them rely on little security [and are] susceptible to attacks."