
Emerging Threats

I was at a recent Information Systems Audit and Control Association event which discussed the future of threats to the individual and the enterprise, including concerns such as cyber attacks, advanced phishing, data governance and more.

Whilst working at Oracle as an EMEA consultant, I worked with many large organisations (> 30k employees) within the financial services and telecoms industries, focusing on their approach to identity management - working out who has access to what and why.  This is still a fundamental approach to basic information security management, but now we are seeing information being accessed in a variety of different ways, which in turn creates opportunities for information and data attacks in new and sophisticated ways.

  • Mobile - The increased use of mobile and handheld devices, whilst increasing the ability for remote working, also increases the risks to the individual, from the likes of rogue apps, identity threat and viruses.  Whilst many major app stores have some basic verification of the validity of the app's content, not all do, creating an opportunity for badly written or in fact rogue apps to proliferate quickly across mobile devices.  Also, as phones become more adept at handling complex data such as videos, PDFs and even terminal services sessions, what protection does your mobile provide for things like anti-virus detection, personal firewall, buffer overflow protection, kernel safety and the like?

  • Phishing - Whilst not a new concept, phishing has now moved into new areas.  Quick Response, or QR, codes allow smartphone users to scan what in essence is a 2D bar code.  This pictorial data representation is impossible to decipher with the naked eye.  Using a simple replace technique, sometimes using even a basic sticker, a QR code can be replaced with a malicious version that navigates the scanner to a rogue website or worse.

  • Third Party Content Management - Sounds like a convention of some sort, doesn't it?  Third party content is what I would interpret as data, often social media, that is associated with an organisation or individual, but that didn't derive from the organisation or individual in question.  A simple example could be a review of a hotel.  The review data actually originated from a visitor, but obviously references information about the hotel.  This content can proliferate virally across social networks such as Twitter, YouTube and Facebook if the information is sufficiently interesting or topical.  Why is this a threat?  Well, the information could be of malicious intent, such as slander or competitive FUD, right through to a fraudulent website attempting to resell products which it is not licensed to sell or review.  Due to the increasingly interconnected nature of the social graph, the rate at which this information can spread can become a serious threat to an organisation's brand or a user's identity.

  • Email Break - This is really more of a threat for the individual than an organisation.  Most people will have a personal email address.  This address will be asked for when signing up to any online service, store or social network.  The same will be true for online banking.  This puts the user's email address at the centre of their online identity - a bit like the keys to the castle.  Whilst a hacker would potentially need to know several passwords in order to access the user's many online sites and stores, knowing just their email password gives them access to everything in one easy place: reminder emails, password resets, receipts, not to mention the ability to send emails on the user's behalf.

  • Cyber Security Arms Race? - We're all pretty familiar with the cold-war arms race of nuclear subs, missiles and the rest.  But has this now evolved into something a lot less confrontational, and more online and subversive?  There have been several alleged online Denial of Service attacks at a country level in recent years, including the North and South Korea stand-off, which many claim included a cyber aspect.  The US recently created a cyber security special advisory team, with security veteran Howard Schmidt providing direct guidance to President Obama.  The threat of DoS attacks to bring down governmental, military and large corporate websites will only increase as more information is made available online.
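For the QR code replacement described under Phishing above, the defensive step is to inspect the decoded payload before opening it. The sketch below is an added example, not code from this post: the function name, the sample payloads and the `hotel.example` allowlist are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def vet_qr_payload(payload, expected_hosts):
    """Return reasons not to open a decoded QR payload (empty list = acceptable)."""
    reasons = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        parts.port  # raises ValueError if the port is malformed
    except ValueError:
        return ["payload is not a parseable URL"]
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    # "https://brand@other-host/" shows the brand but connects to other-host.
    if parts.username is not None or parts.password is not None:
        reasons.append("URL embeds credentials before '@', hiding the real host")
    if not host:
        reasons.append("no host in payload")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host contains a punycode (IDN) label")
    # Exact match or true subdomain only, so "nothotel.example" and
    # "hotel.example.evil.test" do not pass as "hotel.example".
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        reasons.append(f"host {host!r} is not on the expected list")
    return reasons

if __name__ == "__main__":
    expected = ["hotel.example"]  # constructed: hosts the legitimate poster uses
    samples = [                   # constructed payloads, as decoded from a QR image
        "https://menu.hotel.example/breakfast",
        "http://hotel.example/menu",
        "https://hotel.example@203.0.113.7/menu",
        "https://hotel.example.evil.test/menu",
        "https://xn--htel-vqa.example/",
    ]
    for s in samples:
        verdict = vet_qr_payload(s, expected)
        print("OPEN " if not verdict else "BLOCK", s, verdict)
```

A scanner app or mobile gateway that shows the decoded host and applies checks like these gives the user the visibility the printed code itself cannot.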

Whilst threats and attacks evolve constantly over time, the increased reliance on the internet will put increasing focus on the identification and prevention of online malicious activity.  Whilst once road, rail and food were the mainstays of an effective social grouping, the internet has now become the de facto way of not only accessing data and information, but also ordering services, food, entertainment content, news and more, either via personal computers or, more likely, via mobile devices not initially built with security in mind.

