
Senetas on Deciphering Information Security Blog

Cyberspace in the 21st Century demands that organisations know where their information is, how secure it is and what measures are necessary, or sufficient, for effective data protection. The Senetas Leadership team comes together to share news and views related to information security and data protection in the face of new and emerging cyber threats. They comment on the latest trends and business strategies that minimise the risk to personal and corporate information. Your comments are welcome.


Cybercrime Targets Employees

Monday, January 24, 2011

By John DuBois

Issued in advance of the annual global security conference, RSA San Francisco, the RSA2011 cybercrime trends report makes chilling reading for business as the new threats target their employees.

Cybercrime shows no signs of diminishing; rather, the report says, increasingly sophisticated new threats that once targeted consumers now have enterprise employees in the cross-hairs.

The largest threat is to mobile data. Cybercriminals know how to follow the money. Analysts IDC expect nearly 25 billion mobile apps to be downloaded in 2011, up from just over 10 billion in 2010. So it is no surprise the new cyber-targets are smartphones and tablets with their potential to store and transmit gigabytes of corporate information: email contacts, customer data, business plans or personally identifiable information such as mobile banking or online payment authentication data.

In fact, the report suggests it is the very effort to secure mobile banking transactions by the use of SMS authentication that has led cybercriminals to target phones with the latest mobile malware. Denial of service attacks now hit mobiles, and the tools to conduct these scams are sold for as little as $25. Man-in-the-middle attacks that once targeted corporate networks now look for a bank’s one-time passcode sent by SMS to authenticate an individual’s mobile banking transaction, and the SMS is then forwarded directly to the cybercriminal’s phone.

Smishing, or SMS Phishing, is the new scam where an SMS is sent to a mobile customer, apparently from a nationwide bank, seeking personal information. SMS Bombing is a service offered by cybercriminals to bombard thousands of mobile users by SMS, even spoofing the sender ID so it looks legitimate. The RSA report suggests mobile users are three times more likely to enter their personal information in response to Smishing than desktop users.

We have heard the stories of attacks on Governments and their agencies, some of them State-sponsored. These coordinated attacks, described as “advanced persistent threats” (APTs), are now hitting enterprises. An example of an APT was Ghost Net which in 2008/09 infected high value computers in government ministries and embassies in Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados, Bhutan, India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan as well as the ASEAN Secretariat and Asian Development Bank. Now the APTs are a problem for businesses whose executives have mobile devices that link to the corporate network – a potential entry point for Trojans that can capture identity and authentication details to enable access to email, CRM, even HR records.

The RSA report found that 88 per cent of Fortune 500 companies “had botnet activity associated with their domains and 60% had email addresses compromised by malware”.

Keeping ahead of the increasingly sophisticated cybercriminals is a full-time job. And reports of a new variation of the Zeus Trojan, responsible for 90% of worldwide banking fraud, effectively a super Trojan, have cybercrime fighters concerned. Trojans like Stuxnet, which target systems that operate critical infrastructure, are a real concern as they could potentially cripple power or water supplies. And there’s evidence that industrial espionage might be the next focus, with new malware, Lamp Trojan, designed specifically to grab Microsoft Office documents, spreadsheets and presentation files.

There is no one single fix for the plethora of cybercriminal phishing, but our approach at Senetas is a simple one: if your corporate and personal data is properly encrypted at rest and in motion, we can show you that any data cybercrims capture is absolutely worthless.

John

 

