Companies need to consider the warning signs of how IT security threats to their organisation are developing and what the weapons of choice are shaping up to be. At the top of my list are:
Mobile Phone Security
Traditional PC malware, such as Zeus, making the leap to smartphones is a growing area offering increased opportunities to criminals. While some may argue that malware is already targeting mobiles, a PC is still involved in the infection process. This is set to change.
This is because an individual’s mobile phone is increasingly being used as a means of verifying a user’s identity. The most obvious examples are among financial institutions. Banks will send an SMS to the registered mobile phone containing a code, which the individual then uses in an online verification process when completing transactions. However, malware on the PC intercepts the registration process and diverts subsequent SMS messages to a phone controlled by criminals who are then free to make ‘legitimate’ transactions.
Smartphone verification is set to increase, while mobile banking applications are becoming more widely available and adopted. At the same time, the various disparate mobile operating systems will begin to converge to a more open platform. These three developments will attract criminals’ interest, who will use the experience they have gained enhancing their PC malware to adapt it to directly infect smartphones in an effort to follow and intercept the money trail.
To overcome this threat, users will need to develop the same hygiene for their mobile phones as they do for their PCs. Links and attachments sent to their phones should be treated with caution, as many already do with PCs and emails. Organisations wishing to rely on mobile technology need to educate their stakeholders to the risks, laying out exactly how they will, and more importantly won’t, contact them and what they will and won’t ask them to do.
The Blurred Perimeter
While 10 years ago, the only device that would hook up to the enterprise would be corporate-owned, this is no longer true. Employees seeking a more flexible working environment use their own personal devices to link up, often utilising the corporate virtual private network (VPN). External partners are also granted access to the system to complete tasks and collaborate on projects. In fact, some organisations are considering opening up the virtual doors to allow customers to link directly into systems. All of this means the perimeter line of defence has become blurred as machines outside of the enterprise are embraced into the enterprise via the VPN.
Although this may have been happening for a number of years, usually individuals hacking into the system have initiated attacks. However, this threat is now evolving with malware that resides inside the browser that finds and modifies the traffic into the intranet. Zeus malware specifically designed to target enterprises by capturing the credentials from VPN gateways is also being developed. Criminal gangs can then use these credentials to unlock the gate and gain unrestricted access to all areas – customer relationship management (CRM) systems, financial accounts, and anything else they can translate into monetary gain.
To protect themselves, organisations need to view any user connecting through a VPN as a potential malware carrier. While restricting users’ access to more sensitive parts of the enterprise is one solution, it might not always be feasible. It’s a fine balancing act between granting users’ access and the risks this access poses.
While Zeus, and other similar malware, has existed before 2011, I believe a significant trend in the next 12 months is how it will continue to evolve and include more operating systems and browsers. Criminals have invested too much time and money in the malware – and it’s proved too resilient – for it to be replaced soon. Instead, its attack methods will become increasingly sophisticated, with tweaks made to the way it surgically injects into banks web pages. It is likely to be the leading platform for financial fraud in 2011.
While we continue to make improvements in the ability of organisations, such as banks, to detect Zeus on the server side, an area that needs to be improved is procedures within the bank to use the intelligence these solutions provide to identify, track and prevent fraud in real time.
No 2011 prediction would be complete without a look to the cloud. There is a degree of hype surrounding insecurities in the cloud based purely on speculation. It is arguably as secure as regular hardware applications. That said, I wouldn’t recommend moving every application you use to the cloud, but those that require scalability could certainly benefit. It just requires a degree of sensibility and a secure approach – and for staff not to take risks in the cloud that they wouldn’t take on their desktop.
Whereas consumers, at present, use a PC to connect and complete transactions online, platforms are diversifying rapidly. While it is true that the threat posed to the enterprise by any particular device may be trivial, the more you open up your services the more threats you face and it’s just going to get more complicated to prevent them all. While this diversity will not come to fruition immediately, organisations still need to start thinking ahead to prepare them for tomorrow.
Browser Threat to Main Frames
It’s true that this isn’t an issue for every organisation, but the scale of the problem and its potential effect on us all merits its inclusion in my list of security threats to watch.
Traditional organisations, such as banks, insurance companies and government organisations – particularly healthcare, have relied on ancient legacy mainframe systems and applications to store and manipulate their data records. ‘Green screens’ were used to communicate with the mainframe, display information and update records. However these entities have started to migrate their interface to web-based modern terminals. No longer hidden from view, browser infecting malware, such as Zeus and Spyl, have quickly discovered this and gained an insight into areas of the enterprise that they couldn’t hook into and target before, furthering fraudulent activity.
Organisations who either find themselves in this predicament, or are considering taking the leap to web-based services, need to focus their attention on securing the browser, which is where these attacks are occurring. Some banks have already heeded the warning and are becoming increasingly proficient at doing so – it is time for others to learn the lesson and lock down these databases before we all get hurt.
Finally, where would we be without a quick glance at the damage social networks pose. These networks are growing at an alarming rate and are almost impossible to mitigate against. Companies need to start thinking differently about how we tackle this growing phenomenon. Employees should be educated of the dangers displaying all of their personal lives on social network sites pose – both personally but also for the organisation.
For example, it may be possible that they become ‘befriended’ by someone who is purely interested in where they are employed. By monitoring what your employees are doing and saying, and even who they are ‘friends’ with, you can work together to limit the risk their online behaviour poses – you might even prevent them becoming victims to identity theft.
Companies need to intensify their fight against the malware controllers who, at the moment, have the upper hand in too many battles. Let’s work together to block them out and take them down.
Tim de Knegt, treasurer for the Port of Rotterdam, discusses how he is looking to bring more value to the Port's clients using blockchain.
Regulation technology is fast gaining currency by transforming how financial institutions can tackle compliance in a swift, comprehensive and less expensive manner.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.