The security threat landscape in 2009 looks set to keep UK enterprises on their toes. Organised crime groups are growing more sophisticated, and meanwhile, enterprises are extending their boundaries through the use of mobile and remote computing, allowing unwary workers to leave the door open to attacks.
The increased use of the internet for remote business applications, online data sharing and collaboration will present more opportunities for theft and data loss, according to Ovum analyst Gary Barnett.
"One of the biggest emerging security challenges in 2009 is the increased use of software as a service [SaaS]," he says, because it has the potential to offer attackers more routes into an enterprise's IT systems. "Security is bleeding across our traditional organisational boundaries," he says.
Laptop and PDA theft will also continue to provide a physical challenge, says Barnett. "We can carry much more data now, and people are storing customer information on iPods, or throwing data onto an 8GB memory stick. How hard would it be to encrypt it? And why do laptops not ship with data encryption as standard?"
Barnett predicts that 2009 will be the year that businesses start to implement some of the lessons of previous years' disasters.
However, he says, "I can confidently predict at least two big embarrassing lessons from public sector or finance. With mergers and acquisition activity, tonnes of data get transferred by disk or tape and there is much scope for data loss."
Mike Gillespie, managing director of security consultancy Advent IM, agrees that securing physical data - electronic, hard copy and in transit - will be a big issue for 2009.
As well as using measures such as firewalls and intrusion detection systems, Gillespie, a trusted consultant, says that following the principles of ISO27001 remains the best way to address and strengthen information security. This involves regular auditing within the organisation to gauge the risk from potential security threats to the business.
"Threat and risk assessments are key to ensure risks are mitigated within organisations. This also requires controls to be put in place, which need to be proportionate to the level of risk," he says.
Data leakage, in general, will continue to pose a problem for CSOs in 2009, says Charles Southey, chief information officer at Sophos.
"Many web threats are designed to steal data from compromised computers, and data leakage, either malicious or accidental, is likely to become an ever-larger concern, especially with the increasing use of mobile technologies," he says.
Southey believes companies will increasingly adopt data loss prevention systems this year, to control the movement of data, the use of devices such as USB drives, and to ensure that sensitive information is properly encrypted.
But experts believe the insider threat will rise this year, as more people merge their working and home lives.
Daniel Dresner from the National Computing Centre (NCC) says, "The thing that concerns me most is the idea that there is a magic door people go into when they go to work, and that you are a private person when you leave work."
The reality is that employees spend a lot of time sharing personal and business information on social networking sites with "a trusting innocence", says Dresner. This leaves themselves and the organisation open to phishing and spam attacks. "We need to keep an eye on risk," he says.
"Your human firewall is one of your most valuable assets. Companies think that they have a higher level of internal security than they actually have, and find it is not as effective as they believe," adds Dresner.
Paul Simmonds, a board member of The Jericho Forum, a global grouping of CSOs, says Jericho's focus for 2009 is on securing the wider enterprise to tackle issues that centre on insider threat.
The top three issues for 2009 are: securing cloud computing; building on deperimeterisation, as organisations are forced to allow more access through their borders; and collaboration oriented architectures (COA), which involve technology that allows enterprises to collaborate securely with partners, vendors and customers online.
"In particular, the Jericho Forum is looking at how to enable federation in a cloud model, and hereby reap one of the key benefits of going to a cloud model," says Simmonds. Federation is a concept that involves securely sharing personal identity information for collaboration and communication purposes.
David Porter, head of security at business and technology consultancy Detica, says that employees being lax with security is one thing, but a bigger issue for 2009 is "insider exploitation".
"As the credit crunch bites, we are certain to see an increase in criminal activities involving vulnerable organisational insiders who will be bribed or coerced into committing fraud or leaking confidential data in collusion with professional organised criminal gangs," he says.
IT director's view: Stuart Cochran, head of IT at Glasgow vehicle rental company Mitchells Hire Drive.
Cochran recently identified a number of IT threats associated with the firm's planned expansion, and put in place a new IT infrastructure and secure network based on BT Secure Services.
He says, "Without a doubt the biggest threats we face these days are those that exist on the internet. When looking to expand, we realised that we needed to make sure our data can be shared easily and securely between employees at different offices. Previously, we have taken a piecemeal approach to communications, for example, providing each office with its own protection. However, to expand, we now need something a lot more robust."
The Information Security Forum (ISF) is also warning of an increase in malicious threats, including attacks from organised crime and industrial espionage, as well as a rise in mobile malware and Web 2.0 vulnerabilities. ISF members include many of the world's largest business and public sector organisations.
ISF is already seeing a shift from indiscriminate events to highly targeted and planned attacks by organised crime groups that are developing more sophisticated "business" models for extorting the e-economy and money laundering.
A combination of social engineering and technical attacks is increasingly being used to steal identities and information to commit fraud.
"Criminal groups now see online crime as a lucrative and low-risk alternative to robbing a bank," says Andy Jones, a senior research consultant at the ISF.
"With the problems of protecting large volumes of sensitive information held in organisations electronically, businesses are also under increasing threat from targeted espionage and the loss of competitive advantage or intellectual property," he says.
David Litchfield, a security expert at NGSSoftware, says that organised and other forms of computer crime, coupled with the severe economic downturn, will be disastrous for UK businesses.
"There is a direct correlation between national falling prosperity and increasing crime rates, so as more people feel the bite, the more inclined they are to become involved in illegal activity. To help mitigate the effects of the downturn, IT directors should prioritise by placing data security, particularly database server security, at the top of the pile.
"Targeted electronic attacks, such as Office document-borne Trojans, or drive-by downloads by foreign nations such as China, will increase, or certainly not abate, over 2009. As these attacks often use zero-day vulnerabilities they can be quite difficult to mitigate."
However, Litchfield adds that resources such as the Centre for the Protection of National Infrastructure (CPNI) provide good guidance on helping to protect organisations.
IT director's view: Steve Turner, IT manager at Plymouth law firm Gill Akaster
The firm has six legal departments, all of which require different web browsing policies, and Turner implemented Websense Web Security and Email Security to monitor and manage web and e-mail.
He says, "Today, the biggest risk online is from hacking, viruses and spam. Even trusted websites are now littered with malware which threatens the security of our network.
"Web 2.0 is a whole area that we have had to deal with recently. Clearly, there is increased risk with sites that make use of dynamic content. Social networking sites are also potential diversions from work at hand."
UK high-tech crime is becoming more sophisticated and targeted, according to several experts.
Peter Yapp, head of forensics at consultancy Control Risks, says the credit crunch is already starting to produce more detected instances of fraud, and noticeably higher levels of both financial crime and cyber crime.
"The landscape is very different from 10 years ago. We have more technically-savvy unemployed workers, who will potentially generate more cyber crime, and there is more technology to attack than 10 years ago," says Yapp.
"I do not think we are geared up for this in terms of the law enforcement ability to protect businesses in the US or UK, and it is probably too late now to put measures in place," he says.
Yapp adds that cyber attacks are now much more targeted and well-planned, and go after specific companies and key individuals, including CSOs. "There has been a move from phishing to 'spear phishing'. The more high-profile the company - or executive - the more likely they are to face an attack," he says.
Security intelligence firm iDefense concurs that UK high-tech crime is becoming more sophisticated. Its 2009 Cyber Threats and Trends report predicts that this year, criminals will exploit the global financial crisis in a variety of ways.
The report says that technical code-based threats will continue to grow in sophistication, and cyber criminals have formed groups which will focus their combined efforts on building their own infrastructure and attacking internet infrastructure for profit.
Last year, iDefense said law enforcement had moderate success combating these kinds of criminals, with efforts such as the FBI's Operation Dark Market, in which law enforcement officials from various countries launched an elaborate sting to arrest several individuals.
Significantly for the UK, the Serious Organised Crime Agency (SOCA) had a hand in Dark Market.
SOCA now runs the activities of the former National Hi-Tech Crime Unit, which operated from 2001 to 2006, successfully prosecuting a number of hackers, virus writers and internet fraudsters.
- Feature sponsored by IBM
This was first published in January 2009