iQ Q6


1 Combined Attacks

Combined attacks – those that rely on a convergence of different attack methods – will be a major threat in 2009, according to Robin Hollington, director of Comsec Consulting. Combinations of malicious code, phishing, spam and other online attacks are on the rise, and will soon be “running rampant”.

Spam already accounts for a record 89% of email messages; Trojans comprise nearly 80% of malware; and hundreds of thousands of zombies and malicious websites now appear on a daily basis – and it’s still on the up.

2 Deperimeterisation


(we’re not sure but we think that’s pronounced, er, dee-perrim-itt-er-eye-zay-shun)

Both threat and necessity, deperimeterisation can be loosely described as the breaking down and blurring of the boundaries between traditional technology perimeters such as networks, applications, and physical security.

With traditional IT boundaries shifting and becoming increasingly business-driven, determined by strategic decisions, network perimeters need to be permeable and flexible but also secure. This will demand the adoption of multiple layers of security – a logistical and financial burden that, for some, will be a threat in itself.


3 Phishing – the net widens

Techniques for the fraudulent acquisition of sensitive data like usernames, passwords and credit card information via online ‘impersonation’ will continue to rise in both sophistication and prevalence. For Phishing 2009, see ‘Spearphishing’ and ‘Whaling’ – new methods which typically target particular companies, organisations, groups, or government agencies (and sometimes groups of high-level executives within such organisations or multiple organisations). Comsec describes such attacks as “the driving force behind combined attacks” (see 1.) 

4 Malware

From the nasty little applets that pop up gambling websites when you open your web browser to clever key-loggers, malware has become incredibly sophisticated in recent years and will continue to be developed as long as users transact over the Internet, says Steve Smith, UK MD of risk management service provider Pentura. Moreover, the threat is sure to increase with the rise and spread of the dreaded botnet (groups of self-perpetuating and replicating malware-infected clients).

5 VoIP (Vulnerability over IP)

Voice over IP carries with it a number of natural vulnerabilities and risks such as registration hijacking, server impersonation, and message body exploitation, along with IP phone hijacking, accounting data modification, phone-based DDoS, identity theft, session hijacking, insertion of content (e.g. .wav files), and others. On a positive note, as VoIP technology has become more mainstream and widely adopted, so too has the knowledge and practice of information security for VoIP platforms.

6 Black market values

Stolen credit cards, identities, online payment and bank account details are now among the commodities most frequently offered for sale on underground economy servers. And email passwords now sell for almost as much as bank accounts.
Along with the rise in botnet, DoS (Denial of Service), identity theft, and DNS Dynamic attacks, this creates a whole new playing field in information security.

7 Wireless networks

Despite continuing publicity about the threat of unguarded wireless networks and data theft, people still don’t seem to get it, says Pentura’s Steve Smith. “Until positive action is taken it is still a real security risk, and burying your head in the sand and saying ‘We don’t have wireless here’ won’t make the problem go away.”


8 JavaScript attacks

“Since JavaScript is the most-used scripting language for communication with web browsers, third-party applications such as Flash player, PDF readers and other multimedia applications now support JavaScript”, comments Yuval Ben-Itzhak, CTO of Finjan.

“This offers crimeware authors the opportunity to inject malicious code into the rich-content files used by online ads and user-generated content on Web 2.0 websites – which are becoming more popular in directing users to malware-infected content files.” In Finjan’s H1/2008 Web Security Survey, 46% of respondents stated that their organisations didn’t have Web 2.0 security policies in place.
 

9 Web application security

The Web application threat is no longer limited simply to online shopping menaces and now goes way beyond such issues, says Smith. All manner of applications are now accessed via web browsers – from social networking and rich content sites to online mail and CRM solutions – and as more and more sensitive information is held and accessed in this way, hackers are certain to see gains in crafting attacks to steal or corrupt it.

10 Improper IT disposal and data wiping

Data-laden hard drives, full memory sticks, old routers with valid VPN credentials – all these and more have ended up in the wrong hands, warns Aaron Day, operations director with IT disposal specialists TransIT. “Proper IT disposal is now essential from a legal standpoint, but it’s vital to consider security too.

“With careless data practice being exposed in the media on virtually a weekly basis now, the targeted acquisition of old kit could soon become a mainstream tactic among the e-criminal fraternity.”

11 The unexpected vector

Contractors and trusted third parties will likely have access to some or all of a business’s data, while managed service providers will probably be able to connect to certain critical systems for support purposes. While such connections may well be unavoidable, having knowledge of them and understanding what your risks are is something that very few organisations truly have, says Pentura’s Steve Smith. “You might think you have, but you probably haven’t.”

12  Users
