Five threats to watch out for in 2014
Leading pen tester reveals his main security concerns for the next 12 months
Peter Wood First Base
According to Peter Wood, CEO of pen-testing specialist First Base Technologies, 2014 will give CSOs and CISOs several challenges - most of which are being driven by the ingenuity and lateral thinking approach of the cybercriminals and hackers behind these types of attacks.
The first attack vector will, he predicts, involve on-premises attacks, such as the ones that have been used against Santander and Barclays.
The problem that these attacks highlight, he says, is that physical security is every bit as important as its electronic equivalent, even though many organisations focus on the latter to the detriment of the former.
"This shows that we [as an industry] need to develop clear and well-defined security strategies to deal with this type of issue. It's clear to me that better staff vigilance, improved visitor control and better kit on the desk is needed," he explained.
The second attack vector to be concerned about in 2014, he says, will be the increasing use of cloud technology to launch an attack against an organisation.
There are two sub-aspects here, he adds, the first of which is the fact that more organisations have a large volume of data in the cloud with no assurance that the data is encrypted [by the cloud provider]. To deal with this, he explained, companies will need to develop a much improved governance strategy.
The second sub-aspect, he went on to say, is the use of powerful cloud attack resources to launch a brute force password attack on an organisation's local systems.
"I was doing some research recently and found that, even when using a 10 character passphrase, this can be cracked using a brute force attack in around six days. This time shortens to just two hours where a simple alphanumeric password is used. Coupled with social engineering, it is clear that even the most complex single passphrase can be cracked using a cloud-based resource," he said.
Because of this, Wood advises that users should employ a unique pass-sentence known only to them, and which is around 25, 30 or more characters long, making it all but uncrackable, even using the most powerful cloud technology.
The third attack hacker modus operandi to be watched out for in 2014, he told SCMagazineUK.com, involves the use of mobile devices on public access WiFi services, owing to fact that it is all too easy to intercept data flowing to or form the smartphone using this approach.
"The biggest problem here is getting people to recognise that there is a real problem. We need to talk to employees and people generally about the grave risks of using public access WiFi services without encryption or a VPN of some type," he explained.
The fourth attack vector to be aware of in 2014, he says, is the emergence of genuine APTs - Advanced Persistent Attacks - where he adds there is very real evidence of these in the marketplace.
"The problem with real APTs is that there is very little security technology around at the moment that counter this type of attack, which can be hybrid in nature, making it difficulty to counter using conventional security systems," he said.
The fifth - and arguably the most important - security threat to watch out for in 2014, says the First Base CEO, is the rising threat posed by the Internet of Everything, where machine-to-machine and device-to-device communications are commonplace. And because of a lack of human intervention, he adds, this means that the security of these devices is wholly automated - with all the potential loopholes spotted by hackers going undetected.
"This actually creates an insecure Internet of things, which is something you do not hear anyone talking about. My own belief is that today's Internet is not secure enough, so that does not auger well for the future Internet of Everything," he explained.