In part one of this two-part podcast, special guest Andrew Jaquith of Perimeter E-Security joins the SearchSecurity editorial team in exploring the highs and lows of 2011 for the security industry.
Mobile device platforms were built with security in mind, but in 2011 cybercriminals have had some success in bypassing security features on the Android platform, and Apple’s lack of transparency makes the security of the iPhone a mystery.
In this wide-ranging discussion, SearchSecurity editors and special guest Andrew Jaquith of Perimeter eSecurity explore whether 2011 was a good year for the security industry or if the latest security incidents highlight many of the industry’s faults.
Smartphones and other mobile devices gained the most attention in 2011. Android malware, SMS text messaging scams and rogue applications shined a light on some of the weaknesses of mobile platforms. Several high-profile data breaches also cast a shadow on any gains organizations have made to defend against attacks. Epsilon, RSA SecurID and Sony experienced major data security breaches. Meanwhile, hacktivist groups, namely Anonymous and LulzSec, wreaked havoc on the Internet, attacking websites and crippling them with denial-of-service attacks.
In part 1 of this podcast:
WIN — The RSA SecurID breach: While the immediate details left security experts asking a lot of questions, RSA clearly had a response plan in place for a serious breach. The company briefed its largest customers and kept close contact with government contractors that ultimately were targeted by attacks as a result of the breach. While two-factor authentication competitors attempted to gain new customers as a result of the SecurID breach, RSA appears to have maintained its strong customer base. Meanwhile, the Sony breach response was the antithesis of RSA’s. Sony seemed to have no breach response in place, resulting in a network outage for nearly a month. The company has since rebounded, hiring Philip Reitinger, a former Department of Homeland Security official, to lead its security efforts as its CISO.
WIN-FAIL — Mobile platform security: Google Android and Apple iOS have been built from the ground up with security in mind, but it takes experienced software coders to take advantage of the security features offered by both Android and Apple. Unfortunately, a glut of new software coders has resulted in poorly coded applications or mobile apps designed to tap into too many of the device’s features (SMS, GPS), causing privacy and security concerns. In 2011, the security industry has seen an explosion in Android Trojans, and rogue applications had to be removed from Google’s marketplace. While malware hasn’t really targeted Apple devices, iPhone security vulnerabilities and Apple’s lack of transparency into its security processes have raised some doubts about iPhone security. Security experts say that over time the mobile platforms will mature and new developers will become better coders. Until then, look out for rogue applications and application vulnerabilities that leak data.
Look for a movement to weed out malicious mobile applications through mobile application scoring systems, according to Verizon’s ICSA Labs, which issued a list of security predictions for 2012.
By Robert Westervelt, News Director
Mobile malware and mobile application threats could pose major security and privacy challenges to enterprises in 2012, according to Roger Thompson, chief emerging threats researcher at Verizon Business’ ICSA Labs. Cybercriminals could use malicious mobile applications to steal sensitive data from smartphone users, including account credentials. Stolen credentials could be used to obtain access to corporate networks, Thompson said.
Smartphones, tablets and other mobile devices have helped fuel the use of social networks. Employees are sharing more information about themselves than ever before on Facebook, Twitter and other networks via mobile applications. That freely available data could be all that is necessary for an attacker to design a targeted and convincing social engineering attack against an employee, Thompson said.
“It may be no more than just completing the profile on people so they know what kind of goods to sell you; it might not even be overtly criminal,” he said.
Thompson, who was hired by ICSA Labs in November, helped draft the security device testing and certification organization’s security predictions for 2012. In addition to rising mobile malware and malicious applications, ICSA Labs predicts the industry will take action, providing users with application scoring systems so users download valid applications onto their devices. Scoring systems could reduce the risk of more malicious mobile applications and check highly used apps for serious mobile application vulnerabilities, Thompson said. Although it’s unclear what entity would create the mobile application scoring systems, Thompson said both Google and Apple control the marketplace for mobile apps and could very likely take the lead.
“If you install some new version of an application, even if it’s not overtly malicious, you have no idea what opportunities it may be opening up,” Thompson said. “An application might not be sending SMS messages, but it could be built into the game in case it’s needed in the future and that kind of unnecessary functionality could be leveraged by an attacker.”
ICSA also predicts health care organizations will have to gain a better understanding of the risks posed by digitalized health care data stored on mobile devices and how to better secure embedded medical devices from tampering and other cyberattacks. In addition, state public utility commissions will continue to make great strides on creating standards for the so-called “smart grid.” It’s likely, according to ICSA, that the federal government will step in with its own framework and requirements.
In this interview with SearchSecurity News Director Robert Westervelt, Thompson predicts how the threat landscape could evolve in 2012 and explains why mobile device use could pose serious risks to businesses.
Three experts weigh in on mobile security, discussing smartphone threats and the vulnerabilities they contain. Andrew Jaquith of Perimeter E-Security, Chris Wysopal of Veracode and James Lyne of Sophos each say there are signs of trouble ahead.
Continuous transaction monitoring has been used by enterprises to weed out potential fraud and costly business errors, but today the technology is being used to detect external threats such as account hijacking and stolen credentials. Patrick Taylor, CEO of Oversight Systems, explains how CTM technology is merging with security information event management (SIEM) systems for broader visibility.
On Nov. 9, the FBI, Estonian authorities and Trend Micro announced that Operation Ghost Click had resulted in the takedown of Esthost, owner of the DNS Changer botnet. Touted as one of the largest botnet takedowns in history, the five-year-old scheme generated upwards of $14 million in fraudulent Internet advertising revenue.
In this edition of Security Wire Weekly, Paul Ferguson, Trend Micro’s Advanced Threats Researcher and key liaison with the FBI, discusses the DNS Changer botnet takedown, the implications for the industry at large and why it may signal the beginning of an even more dangerous era of botnets.
Jason Lewis, CTO of Lookingglass Cyber Solutions, talks about the new Duqu malware. Lewis, a former global network exploitation and vulnerability analyst with NSA, said it was likely authored by a nation state, given the time and resources it takes to develop a sophisticated piece of malware.
Lenny Zeltser, a SANS Institute instructor and director at NCR Corp., discusses why enterprises struggle to gain control over social networking use and defend against the threats posed by Facebook, Twitter and others. A mixture of security technology and reasonable guidelines could help reduce the risks.
Alex Eckelberry, vice president and general manager of GFI’s security division, talks about ways small and midsize businesses can address security and safeguard sensitive data without breaking the bank.
Listen to the top security experts and learn about the latest cybersecurity research. Whether it’s the spread of malware, the explosion of spam or hackers exploiting flaws to steal sensitive data, this podcast series aims to find the right ways to defend against ongoing attacks to your systems.