Happy New Year! At least, I sincerely hope the new year will be a happy one. But – at least in the Identity and Access marketplace – I fear it will be more of the same with banner headlines touting security breaches, insider scams and worse. Without further ado, here’s what my crystal ball sees coming down the pike in 2012.
Phishing ramps up, especially spear-phishing Phishing is the hacker’s “art” of getting authentication and/or identity information through social engineering methods. Typically this is done via email (for example, telling you to click a link to keep your bank account credentials updated) but can also be done by means of social networking sites (such as Facebook or Twitter). Spear-phishing is typically a combination of the two, when company information is harvested from, say, Facebook or LinkedIn then people in that organization are targeted via email. This was the method used for the RSA breach which has now been attributed to persons acting on behalf of a nation-state (rumored to be China, but no “smoking gun” has been revealed).
Standard old-fashioned phishing, due to its “scatter-shot” nature, is fairly easy to combat with email security apps. Bayesian filters, originally developed to keep spam out of your inbox, can be equally effective with the phishing emails which are usually about bank accounts, on-line retail accounts or other sites where credentials and/or credit card numbers can be expected to be found. Typically, the email recipient is re-directed to a fraudulent web site made to look like the legitimate one, or given an attachment with the email described as a form to fill out (with loads of identity information requested) which must be submitted in order to “regain access” to the site in question.
More recently, the attachments have included a Trojan-like payload which is insinuated onto the recipient’s computer when the attachment is opened and this is the preferred method for spear-phishing attacks. For example, the RSA attack was an email with the subject “2011 Recruitment Plan.” Attached was a spreadsheet titled “2011 Recruitment plan.xls.” The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (since corrected by Adobe).
It’s extremely difficult, if not impossible, to automate a defense against spear-phishing. Draconian measures would be needed such as forbidding employees to put company information on social networking sites or quarantining all email with attachments. The only effective measure in combating these types of attacks is user education. It’s expensive, it’s time-consuming and it’s less than 100% effective. In the RSA case, the infected employee retrieved the spear-phishing email from their trash folder!
Your money is better spent in strengthening protection on your valuable assets. Data encryption, for example, could have saved quite a few companies embarrassment in 2011, such as security consultant STRATFOR. Vow right now to encrypt all valuable data and all identity data for your organization.
New buzz words and phrases A buzzword you may or may not hear, but that you will surely be a target of is “cloudwashing.” By this is meant the effort by vendors to associate all of their products with “the cloud” as in cloud-based computing. Whether or not the product has anything to do with cloud-based computing it will, nevertheless, be touted as somehow enabling or protecting cloud data, access, configuration, or what have you. Don’t take their word for it, ask them to demonstrate these cloud properties before you buy. While the cloud is evolutionary, not revolutionary, it still has some unique requirements in the areas of identity and security that need to be properly addressed by apps and services designed specifically for that use – not one’s which only had their marketing brochures reprinted.
We first heard about BYOD (Bring Your Own Device) in 2011 in regard to employees wishing to add connectivity to the corporate network for their iPhones and iPads. 2012 will also see them wanting to connect their Android devices (phones and tablets) so that they can do the organization’s business “their way.” While your first thought might be to resist this effort at all costs, that “cost” could be your job. Your boss, and his boss all the way up will want to use their own devices (which are probably more powerful than the company issued ones). Instead, start working now on how to safely allow them to attach to the network. Make it part of your provisioning process, so that you can quickly and easily de-provision them when the need arises - which it will, as devices become lost or stolen and employees come and go. The concept of BYOD isn’t new (I was first approached by a marketing VP with such a request back in 1987), but the emphasis is about to become dominant.
All new attack vectors, now with bright, shiny things Malware, and malware purveyors, continually evolve. 2012 won’t halt that trend. I mentioned above the spear-phishing attacks, such as the one against RSA, which delivered a malware payload as an attachment to email. That’s a trick used in more generalized phishing, also, but the more used method is to phish someone to click on a link to a website (which might be disguised as one trusted by the target user) where a payload is surreptitiously attached to the target’s computer. But these attacks require the target to either open an attachment or click on a link that, hopefully, an educated user would recognize as a phishing attempt. So the hackers and crackers are developing new attack vectors.
One of the more insidious is to attack advertisement servers (such as Google’s DoubleClick service), either through “traditional” hacking into the server or by spear-phishing people with access to the server. These sophisticated attacks (see one description here) are hard to track down because they can be delivered from any site which uses ads from that server while the malware isn’t delivered with every ad request. You might think you got infected at funnykatz.com, but if you go back there you’ll find no evidence of something bad downloading to your machine.
Good, up-to-date anti-malware services should be installed for all users, but better education of those who have access to the powerful machines in your domain is also required. It’s really best to lock the door before the horse has a chance to wander outside!
Finally, the good news It isn’t all gloom and doom for 2012, I feel. There will be decided improvements on the privacy front. Not a complete victory, by any means, but an improvement.
The concept of Privacy Enhancing Technology (PET) isn’t new. It was defined almost 10 years ago in “Handbook of Privacy and Privacy-Enhancing Technologies” as “...a system of ICT measures protecting informational privacy by eliminating or minimising personal data thereby preventing unnecessary or unwanted processing of personal data, without the loss of the functionality of the information system.” Microsoft’s recently acquired uProve technology is a current example. I think we’ll see more of technologies like this in coming software offerings because of another “overnight sensation” that was many years in the making.
Way back in the last century, Dr. Ann Cavoukian came up with the concept of “Privacy by Design.” Here’s how she described it:
“Back in the ’90s, it was clear to me that the time was upon us when legislation and regulation would no longer be sufficient to safeguard privacy. In my view, with the increasing complexity and interconnectedness of information technologies, nothing short of building privacy right into system design could suffice. So I developed the concept of Privacy by Design (PbD), to describe the philosophy of embedding privacy proactively into technology itself – making it the default.”In other words, privacy shouldn’t be the icing on the cake, put on after the cake cools. It should be a major ingredient baked right in from the start.
Consider Facebook. A typical week or month at the social networking site goes like this:
- Facebook rolls out a re-design or a new feature to “enhance the user experience” (in reality, to enhance the advertiser’s experience);
- Privacy advocates discover all sorts of hidden flaws;
- Facebook scrambles to make corrections;
- Repeat.
In order to “accentuate the positive,” I’ll be hosting a webinar on January 26 on the subject of Privacy by Design. Joining me will be Dr. Cavoukian to explain the concept, Michelle Dennedy (Chief Privacy Officer at McAfee) creator of the iDennedy Project and author of the “Privacy Matters” blog as well as a surprise guest from the vendor community. Please join us for this fascinating topic.