CICRA releases predictions on cyber security threats for 2012

Monday, 9 January 2012 00:00 -     - {{hitsCtrl.values.hits}}

CICRA, which specialises in cyber security threat prevention through education and penetration testing, has released its predictions on cyber security threats for 2012. Following are excerpts of an interview with Krishnan Rajagopal, Head of Consultants of CICRA on the cyber security predictions for 2012. A Malaysian national, Rajagopal is also a Consultant to Interpol and several Fortune 500 companies. He is also a highly acclaimed cyber security trainer for Certified Ethical Hacker (C|EH) programme offered by the EC-Council, USA

Q: 2011 was known for Distributed Denial of Service Attacks (DDOS attacks) in the cyber world. Will the year 2012 be any different?

A: Well, with all the crazy 2011 security breaches and exploits, notorious hacks... what can we expect from 2012? Well… nothing different actually! DDOS will still be there as a form of protest mechanism. It’s going to be a new style of protesting. But I would like to call 2012 the ‘year of mobile and social network attacks with a focus on identify theft’.

Q: Antivirus software always seems to be one step behind attacks of viruses, Trojans and malware. Why is this so? Is it because it’s like a chicken and egg situation?

A: Not really, see when a doctor wants to create a vaccine for a real world virus what happens is he usually starts by obtaining a live sample of the virus and then this live sample is studied and all attempts are made to understand how it replicates, he then tries to find its weakness and then builds a vaccine, so that we can prevent it from spreading.

This scene of operation also applies in the world of computer viruses as well. When a new virus is discovered in the wild, these antivirus coders must first get the copy of the actual virus and then what happens is, it is broken down and then the coders try to find out how it works and how to stop it – creating what we call as a signature.

I don’t know if you remember this story about a dumb guard and a criminal dressed in all yellow attire. Imagine I am a dumb guard and I am sitting down here and someone told me that a criminal would be coming and he would be wearing a yellow jacket, yellow pants and a yellow tie. When the criminal comes around, he removes his yellow jacket and changes it to a green jacket. Now as the guard, I take a look at him and see –yellow tie, yellow pants... Oh... green jacket, not a criminal at all!

The world of anti viruses still predominantly works on signatures and the hackers and criminals know how these things work. So they find ways to work around it... That is why we say that the anti viruses are always one step behind these hackers simply because of the fact that you need to be a proactive system rather than a reactive system in the current scene of anti viruses.

Q: You mentioned social media and mobile. Social media as we know is always a target. Will we see an improvement in security issues of Facebook and other social media sites?

A: Most definitely. Facebook sort of has taken the lead in this arena, it has spent massively on what we call Facebook Immune System (FIS) and it is a complex set of algorithms that monitors every photo that posted on the network, every status update, every click that is made by everyone of its 800 million users. This means 25 billion reads and writes or 650,000 actions a second.

Facebook is currently doing well at this. It is just that when this information is public, the hackers also know it. Herein lies the danger… Some recent threats have rendered the FIS unusable. We could expect more of these kinds of attacks unless these social networking sites keep their systems up-to-date and be ahead of the attackers rather than reactive.

Q: Cloud computing is going huge in 2012. Should we be worried about security issues in cloud computing?

A: I would say cloud computing at this point in time is synonymous with security risks. Any smart customers are going to ask tough questions and they need to consider getting a penetration test or a security assessment done by neutral party before committing to any vendor. The recent down time of Amazon’s cloud has led to lot of organisations thinking about security implications again and it is a serious issue that we need to think of.

Q: What are some of the threats that you foresee in cloud computing besides hacking, viruses and down time issues?

A: I would say lot of people overlook this privilege user access area. When your sensitive data is being processed outside the enterprise, that brings out a lot of risks, because you simply do not know the level of security controls that are present at your cloud vendor. That is one issue. So you need to ask your cloud providers to supply specific information on hiring processes on their privilege users and you need to have control over that.

Number two is the location of the data itself. Lots of people overlook that. When we use cloud computing, we probably won’t even know where our data stored. You might not even know which country your data is stored in. Try to stipulate this if it’s possible in your contractual agreement. So at least you know where it is. And then of course try to plan a site visit to see the physical sites.

Another area people overlook is segregation of data. In a typical cloud provider – data in the cloud typically in a shared environment. Your data is alongside data of other customers and obviously most vendors would use a common alibi of data encryption. That is not a cure-all. What you really need to do is find out what is exactly done to segregate data from the rest. What you have to find out is what measures will be taken if another customer that is using the same cloud gets attacked. Could it be possible that you are also a victim of the same attack? Then of course last two things that you probably need to think of are recovery and business continuity.

Q: Aren’t they serious issues too?

A: This is always a serious issue. And then of course the forensic investigation support. Most cloud vendors do not have proper logging systems. What happens is these cloud services become very difficult to investigate because the data spread out across many places and logs may not be there, more often than not.

When that happens, again if you cannot get a contractual commitment to support specific forms of investigation along with some sort of proof that the cloud vendor has done this before, then your best assumption is to say that investigation and discovery request will be impossible in the event of an incident.

Q: Mobiles could be the big thing in 2012. All smart phones these days have more information than some of our laptops. What are your security concerns for smart phones in 2012?

A: Having seen into my crystal ball... smart phone users and tablet users are at risk. Having said that again, let me take you back to the past. In the past of course cybercriminals were interested in credit cards. I think they have had enough of this. I think they probably have enough cards that they don’t know what to do with them anymore.

In 2012 what is going to happen is that your social media identity is the target, that’s more valuable for cyber criminals than your credit card itself. These bad guys are going to actively buy and sell social media credentials, in forums. The best method of doing this is by combining cloud computing and social network. We call this new form of attacks ‘blended attack method’. This is a new way.

What happens is, these attackers will now go through your social media friends as the first point of attack, and then of course this social media (easiest point of attack) access would be through your mobile device. We have seen that the Facebook app for example on your mobile device is less secure than a browser. We have seen that. So when they would get in to your mobile phones, they then get in to your Facebook… go through your list of friends and make use of the trust that friends have on you and then carry out the next form of attack. We have seen several attacks this year especially where they use compromised social networking accounts and they use the chat function in that account pretending to be the user itself to get to the right so-called victim in your list of friends and use that for their fraudulent activities or for cyber-attacks.

Q: Because obviously from Facebook and other social media sites you will know who is your relative, your brother, your sister, your mother, your father?

A: That’s for sure. People tend to post personal details on Facebook and it makes it easier for the criminal to predict. For example I could say, “I can’t wait to go to Japan next week”. Next week comes along the way and if I just log off the actual user (i.e. Britney Spears) from Facebook and the criminal uses Britney’s account pretending to be Britney Spears and says, “Hey look, you know John, I am stuck in Japan, I don’t know what to do… I have been robbed.” This is a common trend that we have observed in 2011. I think that is going to continue. Only thing is the first point of an attack could be the smart phone.

Q: So what can smart phone users do?

A: Thousands of mobile device attacks are coming in to smart phones in 2012. Some of the things to look out for are like London Olympics, US presidential election and Mayan calendar apocalyptic prophecy are going to be leading to a lot of opportunities for these cyber criminals. The reality of course is that it is no longer fiction.

In a nutshell, simple advice is:

  • Password-protect your phone, tablet or any other unit.
  • Do not open any e-mails if you do not know the sender.
  • Even if it is from a business you know, go to the browser and type their URL/website directly.
  • Don’t answer any text messages asking for personal information, be it a bank or anyone else. This is a new trend that we call SMiShing; Phishing over SMS.
  • Never ever, ever click on links.
  • Delete spam as much as you can. Don’t answer them ever. Even if Britney Spears is asking you for a date, don’t answer that.
  • Turn-off all Bluetooth devices, when you’re not using them/actively paired.
  • Every phone has got security guidelines by the vendor. Follow them.

Q: Antivirus software providers are all going to be updating their products very soon. If you don’t have the latest release of the antivirus software, is there a need to purchase the 2012 product, say I have a one purchased year ago?

A: If you have an active subscription, then you are fine. But if not, go out and get it. As long as you have a valid subscription, I think you don’t need to get another one.

Q: What are some of the basic steps that we users need to take in order to stay away from any sort of an attack, since we cannot stop telling people to be careful what you click? What are some of the basic steps that we can share?

A: I call them Britney’s Eight Steps for Cyber Security:

1. First of all use a firewall. Keep the threats out and keep the hackers out as well.

2. Then install antivirus software.

3. Keep it updated. Signatures have to be updated. Get the latest software updates, whether it is your operating system or your software. If someone is creating an update or a patch there is a reason for it. Most of the time it is security related. So the idea is to keep you tools sharp.

4. Then of course stop spyware. Have anti-spyware, especially if you are on Windows.

5. Make regular backups. You never know what is going to happen, so protect your data from disaster.

6. If you are on a wireless network, make sure that you understand that wireless networks are vulnerable; find the proper ways to get protected; they are all documented by the respective vendors; read them and follow the instructions. Use a complicated password. It doesn’t mean that when you are on WPA2 you could use the password “12345”.

7. Stop unwanted e-mails and try to have an empty spam box. Do not answer suspicious emails or spam. Delete spam directly.

8. Make sure you make efforts to browse the internet safely. Make your browser is safe by turning on the safe browsing feature. Avoid dodgy websites and of course if you are suspicious about any email address or any other thing, Google it to find out more about it before replying to an email or a message.

Q: What is your advice on data back-ups?

A: Most of us do not take back-ups seriously. You need to back-up your data at least once every week, whether you are using a laptop or a desktop. If you are using a cloud service, it is easier since it automatically syncs with your computer.

 

COMMENTS