The latest types of security exploits target connected cars and airplanes. Attacks aiming the essential systems of these kind of machines take the idea of cyber warfare to a whole new level. Since firewalls cannot offer the needed degree of protection, security defense must take a dramatic turn in order to raise to the challenge.
The denomination to remember is “operational security”. It starts with the more realistic assumption that any perimeter security can be breached. The system must recognize the breach in progress and act to block the attack. The auto industry recently got the wakeup call from the demo hacking of a Chrysler Jeep’s UConnect head unit by two security experts. Immediately after, Chrysler recalled 1.4M vehicles.
This happened in July #2015. In May 2015 another security expert claimed it had hacked an airplane system and caused a slight sideways flight alteration. This led to a meeting in June where international high-level representatives from the aircraft industry gathered to discuss and establish a risk management strategy.
Let’s call this a short reality check for mid-2015.
Predicted 2015 security #trends
What were the predicted trends for this year in security?
In 2014, Steve Durbin, managing director of the Information Security Forum (ISF) was right when warning about expecting the unpredictable. He also spoke of the incumbent duties from privacy regulations – the organizations should watch very carefully how private data is handled. Otherwise, the costs may be high. Seven months later and we have the living proof of the OPM security breach and its consequences.
The IT security budgets are re-evaluated. Too late for the breaches that already took place, but their memory triggered a more scrutinizing attitude. Fewer resources increase risks, and many governmental and private organizations are not willing to take these risks anymore. #cybersecurity is expected to come up in the U.S. Senate this week. Meanwhile, in UK, a £1 million grant was specifically designed for SMEs.
A serious rise in funding is therefore to be expected as a reaction to the latest cyber-attacks.
Third party providers are to be more and more targeted by hackers. Since companies move to SaaS and public cloud, the attackers are following the storage data. All the new attack surfaces require extra securing. Virtualization efforts are being made, leaving hybrid environments behind and moving security controls to the cloud.
Attempted SQL injections (60% of all web application attacks), other web application attacks and DDoS incidents (e.g. towards financial institutions) are on the rise. Using vulnerable content management systems (CMS), the attackers upload their scripts to the high bandwidth servers – the vulnerable entry point method of attack, applied to wireless or network – connected systems.
Mobility is again the star. Since it has exponentially proliferated, it represents a challenge and an opportunity for cyber exploits. Numerous possible entry points are opening up for attackers and organizations still have to catch up on their defense mechanisms. Finding the weakest link in a connected chain of networks often leads to mobile devices. As they move away from the core organizations with strong IT security systems to their weaker partners, attackers also target peripheral devices (mobile devices) instead of the main computers.
IoT and BYOD raise the cyber #challenges. In many cases, the new devices are not even basically hack proofed. New tech calls for the real awareness of every employee regarding the responsible practices and security safe work habits. Many attacks that succeeded were not sophisticated and used known vulnerabilities, but were facilitated by human behavior. Underwriters Laboratories (UL), in partnership with the White House, explore a cybersecurity certification for devices.
As for BYOD, any company should establish its own plan and limit the number of employees accessing confidential data via mobile devices.
Cloud architecture is also important in what concerns using encryption properly. Syncing over the cloud replicates the same initial experience, making it even more important to secure one’s data to begin with. Using recommended server configuration tips and installing a SSL Certificate are two important moves for controlling your system and your encryption degree.
Other 2015 security threats
Amongst the #mid-year dominating trends in cybersecurity we also find ransomware, #social engineering, intentional insiders acting as points of entry, web based infections, browser based exploits, and cyber thefts.
CryptoWall is the main ransomware targeting small businesses. Eliminating backups’ redundancy might help. Responsible employee security practices – one more time an effective measure.
Social engineering translates into strategizing when launching an attack on a networked system. Knowing the target’s human profile allows hackers to launch the right bait. Employers’ predictability and routine offers exploitable patterns for the cyber attackers.
Potentially disgruntled employees surpass careless employees, and may act as an intentional inside entry point. Watching out for such cases or even hiring outside specialists to do so might be a good decision.
Various techniques can prevent cyber theft. Being PCI compliant is the basic in digital payment. As a merchandiser and/or a client, meeting the PCI standards means eliminating part of the risks.
So far, 2015 confronted the security specialists with the less predictable digital–to-physical situation of cars and airplanes hacking and with the insufficiently known risks of mobility and IoT.
The predicted trends have generally confirmed, as in types of attacks, new targets, budget needs or ransomware persistence.
A mid-year assessment might add some new priorities for the security professionals or rearrange the previous ones. Better safe than sorry – and the security events so far should provide enough clues to what staying cyber safe in 2015 means.
