Cyber security threats grow in sophistication, subtlety
- — 16 October, 2008 09:26
We can expect such attacks to increase. Jon Ramsey, CTO for SecureWorks, says there are several reasons why: such attacks are inexpensive to mount compared with conventional warfighting; cyber defenses are weak or non-existent; the Internet offers "plausible deniability" for attackers; there are no "rules of engagement" to govern such cyber conflicts among nations.
VoIP and mobile devices
VoIP traffic, like e-mail, will be targeted for fraud, theft, and other scams. As wireless VoIP expands, denial of service becomes more than an inconvenience: in the case of service provider, an attacker could attempt to blackmail the provider with widespread voice disruption, according to Tom Cross, a researcher with the IBM Internet Security Systems X-Force team.
Mobile devices will draw cyber criminals as the handhelds are used more often for transacting business and accessing sensitive data such as credit reports, according to Dave Amster, vice president of security investigations for Equifax. One prospect is that smartphones will be targeted for immense malware driven mobile botnets.
The very lack of open security standards in mobility today is actually a good thing, because it provides industry players the chance to develop and apply them comprehensively, an opportunity missed for PCs, according to the report.
Cyber criminals are increasingly professional, organized and profit-driven, the report argues. It notes that would-be criminals now can buy, lease, subscribe, or pay-as-you-go to obtain the latest in malware kits, complete with product guarantees and even service-level agreements. According to one researcher in the report, a few even have multiple language customer support.
The costs of cybercrime to business is mounting.
Gunter Ollmann, chief security strategist for IBM Internet Security Systems, identifies three tiers in this unfolding criminal industry: low-level criminals who buy and use kits to execute specific crimes; skilled developers, often in groups, working to develop new components for their commercial malware-creation products; and "managed service providers" that can apply and sustain malware attacks on a global scale.
Meeting these threats will require a three-pronged initiative, according to the report: technology, regulation, and education. Technology such as DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to sign e-mails, coupled with user education, can almost entirely eliminate phishing as a problem, according to some security researchers. One possible avenue for government regulation is modeled on auto insurance, which auto owners in most states are required to buy. Government could require purchase and update of appropriate security applications, according to researchers.