Along with the explosion of new technologies, user habits, and social practices comes the inevitable wave of new security threats. Deb Shinder examines emerging vulnerabilities, from social networking to cloud computing to IP convergence.
We’re well into the new year now, and we’re beginning to see trends emerging on the security front. Some of the threats we’ll see this year will be similar to those in years past (after all, many of the basic con games now being perpetuated online were around long before the advent of computers and the Internet). However, attackers are becoming much more sophisticated in their methods to circumvent the increased levels of security built into operating systems and applications. Here are 10 security threats that are likely to become more prominent in 2009.
Note: This article is also available as a PDF download.
1: Social networking as an avenue of attack
Social networking has experienced a boom in popularity over the last few years. It’s now finding its way from the home into the workplace and up the generational ladder from the young folks into the mainstream. It’s a great way to stay in touch in a mobile society, and it can be a good tool for making business contacts and disseminating information to groups. However, popular social networking sites have been the target of attacks and scammers. Many people let their hair down when posting on these sites and share much more personal data (and even company data) than they should.
Think you’ll solve the problem just by blocking social networking sites on your company network? Not so fast. As Steve Riley pointed out in his recent talk on attack progressions at the 2009 MVP Summit, today’s young professionals are growing up with social networking, and they expect to have it available to them at work just as older employees expect to be able to use their office telephones for reasonable, limited personal calls. In addition, you lose the business benefits of social networking if you shut it down completely. After all, companies didn’t shut down e-mail because it could present a security threat. A better approach is to educate your workers about social networking practices and develop policies governing social media use. As an example, take a look at Intel’s Social Media Guidelines.
2: More attacks on the integrity of the data
Another point Steve made in his presentation is that “First they came for bandwidth; now they want to make a difference.” In the past, many attackers were looking for a free ride on your Internet connection (for example, by connecting to your wireless network and using it to access the Web, send e-mail, etc.). Then the nature of attacks progressed. Instead of the network being the target, it was the data. The next step was stealing data, but step after that is even more insidious: the malicious modification of data (making a difference).
This can result in catastrophic consequences: personal, financial, or even physical. If a hacker changed the information in a message to your spouse, it could harm your marriage. If the change were to a message to your boss, you might lose your job. Changing information on a reputable Web site regarding a company’s financial state could cause its stock prices to drop. A change to electronic medication orders on a hospital network could result in a patient’s death.
3: Attacks on mobile devices
Laptop computers have presented a known security risk for many years. Today, we are more mobile than ever, carrying important data around with us not just when we go on business trips but every day, everywhere we go, on smart phones that are really just small handheld computers. These devices have important business and personal e-mail, text messages, documents, contact information and personal information stored on them. Many of them have 8 or 16 GB of internal storage and you can add another 32 GB on a micro SD card. That’s much more storage space than the typical desktop computer had in the 1990s.
People lose their phones all the time, but many of these devices aren’t configured to require a password to start the system, the data on them isn’t encrypted, and very few protective measures have been taken. They are security disasters waiting to happen. Businesses should develop policies regarding the storage of company information on smartphones and require encryption of data on internal storage and on flash cards, strong passwords, use of phones that can be remotely wiped when lost, etc. Of course, you don’t have to lose the phone to have its data stolen. Attention should also be paid to the potential for attacks using Bluetooth and Wi-fi.
Virtualized environments are becoming commonplace in the business world. Server consolidation is a popular use of virtualization technologies. Desktop virtualization, application virtualization, presentation virtualization — all of these provide ways to save money, save space, and increase convenience for users and IT administrators alike. If it’s properly deployed, virtualization can even increase security — but that’s a big “if.” Virtualization makes security more complicated because it introduces another layer that must be secured. In essence, you now have to worry about two attack surfaces: the virtual machine and the physical machine on which it runs. And when you have multiple VMs running on a hypervisor, a compromise of the hypervisor could compromise all of those machines.
Another virtualization-related threat was demonstrated by the infamous Blue Pill VM rootkit. Hyperjacking is a form of attack by which the attacker installs a rogue hypervisor to take complete control of a server, and VM jumping/Guest hopping exploits hypervisor vulnerabilities to gain access to one host from another.
The easy portability of virtual images also presents a security issue. With modern virtualization technology, VMs can be easily cloned and installed to a different physical machine. The ability to go back to “snapshots” of past images can inadvertently wreak havoc with patch management.
5: Cloud computing
If virtualization was last year’s buzzword, this year it’s all about “the Cloud.” The uncertain economy and tight budgets have companies looking for ways to lower operating costs, and outsourcing e-mail, data storage, application delivery, and more to cloud providers can present some attractive potential savings. Microsoft, IBM, Google, Amazon, and other major companies are investing millions in cloud services.
Cloud advocates envision a day when we’ll all use inexpensive terminals to access our resources that are located someplace “out there.” But when your data is “out there,” how can you be sure that it’s protected from everyone else “out there?” In fact, the biggest obstacle to moving to the cloud, for many companies and individuals, is the security question. IDC recently surveyed 244 IT executives and CIOs about their attitudes toward cloud services, and 74.6% said security is the biggest challenge for the cloud computing model.
Google, a prominent player in the cloud space, is the subject of a recent complaint to the Federal Trade Commission (FTC) by the Electronic Privacy Information Center (EPIC), which seeks a suspension of Google’s cloud computing services until verifiable safeguards are established.
6: More targeted attacks on non-Windows operating systems
Although Windows still has 91% of the desktop OS market, there has been a big push in some quarters to deploy Linux or Macintosh as a supposedly more secure alternative. But are they really? One reason the non-Windows operating systems have enjoyed fewer attacks is the simple fact that the Windows installed base presents a much bigger target for attackers. Just as terrorists prefer to attack large gatherings of people where they can do the most damage, so do hackers prefer to write malware that will spread to the greatest number of computers — and that means Windows.
However, as other systems get more publicity and become more popular, they also become more attractive to the bad guys. Malware has been becoming less Windows-centric for the last few years; the 2007 Open Office worm, for example, infected Linux and Mac OS X systems as well as Windows. And Charlie Miller, a security researcher who won a recent hacking contest by breaking into a fully patched MacBook in a few seconds, said, “Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.”
Whatever the reality, the perception is that non-Windows operating systems are becoming more popular as Apple steps up its advertising campaign and vendors offer more netbooks preinstalled with Linux. As they become more high profile, look for hackers to spend more time and energy creating attacks that target non-Windows systems.
7: Third-party applications
Microsoft has put tremendous effort into securing the Windows operating system and its popular productivity applications, such as Microsoft Office. Linux and Mac receive regular security updates. As operating systems become more and more secure, attackers will focus less on OS exploits and more on application exploits. The major Web browsers are routinely updated to patch security vulnerabilities. But the vendors of many third-party applications are less security-aware. This is especially true of freeware applications written by independent developers. These programs, which may not have been written with security in mind to begin with and which do not automatically check for and download security updates, present an opportunity that we can expect attackers to take advantage of.
8: Side effects of green computing
Green computing is all the rage today, and saving energy is certainly a good thing — but as with beneficial medications, there can be unexpected and unwanted side effects. Recycling computer components, for instance, can expose sensitive data to strangers if you don’t ensure that hard drives have really been wiped cleaning. (Hint: Deleting files or even formatting disks doesn’t guarantee that the data is gone.)
On the other hand, such green initiatives as powering down systems that aren’t in use can actually enhance security, since a computer that’s turned off isn’t exposed to the network and isn’t accessible 24/7.
9: IP convergence
Convergence is the name of the game today, and we are seeing a melding of different technologies on the IP network. With our phones, cable TV boxes, Blu-ray players, game consoles, and even our washing machines connected to the network, we’re able to do things we never even imagined a decade ago. But all of those devices on an Internet-connected network present myriad “ways in” for an attacker that didn’t exist when only our computers used IP.
We can only hope that the manufacturers of all these devices put security at the forefront; otherwise, we may see a rash of new malware targeting vulnerabilities in our entertainment devices and household appliances.
Perhaps the greatest threat to the security of our networks, whether at work or at home, is overconfidence in our security solutions. Many home users believe that as long as they have a firewall and antivirus installed, they don’t have to worry about security. Businesses tend to put too much faith in the latest and greatest security solutions. For example, there is an assumption that biometric authentication is infallible and undefeatable — but it can be compromised in various ways, and when it is, the legitimate user it was meant to protect becomes the victim. If the system shows that your fingerprint was used to log on, you may be presumed guilty, and an investigation might not even be deemed necessary.
Another type of overconfidence is common among home users and in the business environment, especially with small companies. That’s the idea that “We don’t have anything worth hacking into so we don’t need to worry about security.” In today’s interconnected world, neglecting security doesn’t just put you at risk; it also puts others at risk. Your systems could be used as zombies to attack a whole different network.
End users on a business network often think of security as somebody else’s problem and operate on the assumption that the IT department is taking care of them, so they don’t have to do anything about security.
Overconfidence of any type is a dangerous security threat — but it’s one that you can most easily do something about because it doesn’t require expensive technology or sophisticated technical skills — just a change in attitude. We all have a responsibility to keep our own systems as secure as possible.
Finally: 10 Things… the newsletter!
Get the key facts on a wide range of technologies, techniques, strategies, and skills with the help of the concise need-to-know lists featured in TechRepublic’s 10 Things newsletter, delivered every Friday. Automatically sign up today.