News

Mobile malware, targeted attacks top online security threats in 2012

Ben Cole, Site Editor

Facebook officials recently confirmed that a virus posted images of pornography and violence on users’ profiles. If a recent report predicting online security threats is to be believed, the Facebook spam attack

    Requires Free Membership to View

is only the beginning.

M86 Security Labs’ Threat Predictions 2012 report states that targeted attacks against big-name companies -- like the ones faced by Sony Corp., RSA and now Facebook in 2011 -- will likely continue. The report also cites growing social media vulnerability and a dramatic increase in mobile malware threats as top IT security concerns in 2012. 

“Mobile usage at the moment is kind of like the Wild West,” said Bradley Anstis, vice president of technical strategy at M86 Security Inc. in Irvine, Calif. “There’s really very little security controls around to address mobile malware and the sort of attacks that people are launching through that platform.”

M86 Security’s findings echo other predictions for the biggest online security threats facing IT officers. McAfee Labs recently released Threat Report for Third Quarter 2011, which states that mobile malware growth is on target to exceed that of 2010, and predicts 2011 should become “the busiest year” in mobile malware’s history. Research from IDC Financial Insights predicts that spending on risk management functions will reach more than $74 billion by 2015.

In addition, the IDC Financial Insights report predicts that growth in IT spending on risk management will outpace the growth of overall IT spending in financial services, and will top 15% of the sector’s total IT spending in 2012. According to IDC, the key drivers of this growth will be regulatory uncertainty and compliance demands, mandates to improve overall corporate governance and financial performance, and the need to modernize and protect critical risk management infrastructures.

“Portability of information is so much greater than it used to be -- more people are using things like smartphones and tablets,” said Todd Pack, president and chief operating officer of Financial Advisers of America LLC (FAA). “It’s great, but these things are housing an unbelievable amount of information, and are much more susceptible to being stolen or hacked.”

Targeted online security threats expected

Sony and RSA are just two examples of prominent companies that sustained significant, costly targeted attacks that compromised user data and affected business continuity, Anstis said.

M86 Security Labs expects more of the same in 2012, with cybercriminals exploiting stolen digital certificates and using “zero-day” and multi-stage attacks to infiltrate organizations and access personal, corporate and, in some cases, classified government information. Email is particularly vulnerable to attack, Anstis said, especially because sensitive information is consistently shared via the platform.

“A lot of companies are becoming less concerned about the myriad malware that anyone can come across -- what they are most concerned about is an attack that has been targeted to them,” Anstis said. “Increasingly, those attacks are coming through email. We need to start thinking about how we can get those proactive technologies over on the email channel -- we cannot forget about it.”

M86 also predicts cybercriminals will continue to capitalize on the popularity of social media. One common social networking scam is  “likejacking,” in which users are tricked into liking and sharing with friends a malicious page that seems trustworthy.

Shortened URLs and fake surveys are other methods increasingly used in social engineering scams to encourage users to perform seemingly legitimate actions but instead download malware or steal data.

But mobile malware threats stand out as the looming online security threat, if only because of their ubiquity and the past success of malware attacks. Anstis said the Android platform became highly targeted as cybercriminals tried to intercept security controls deployed to protect users from banking Trojans.

Not helping malware vulnerability is the growing numbers of users syncing personal mobile devices with their office computers. This drives cybercriminals to escalate efforts to use these devices as bots.

“The problem with that is, the IT security department is left scrambling trying to come up with a solution,” Anstis said. “Mobile devices typically have just as much access as a desktop inside the organization.”

Staff perpetuates mobile malware, other threats 

Employees, from executives on down, are the ones driving malware into organizations. The trend could lead to more restrictions placed on Internet access, as made evident by Dr. John D. Halamka, CIO of Beth Israel Deaconess Medical Center. In a recent post to his blog, Life as a Healthcare CIO, Halamka announced that malware threats have led the hospital to pilot Internet access restrictions in a few departments to determine if it reduces the amount of malware.

As users sync employer files, emails and other data to their unmanaged personal devices, organizations will need to prepare for the ensuing security and compliance issues with a solid bring your own device (BYOD) policy, Anstis said.

There’s really very little security controls around to address mobile malware and the sort of attacks that people are launching through that platform.

Bradley Anstis, vice president of technical strategy, M86 Security Inc.

Pack said that when FAA conducts audits of companies that have Wi-Fi, it checks to make sure the network is secure and staff members are locking down computers even when they leave their desks for only a few minutes. He also said companies can go so far as to have a privacy policy for cleaning crews that are on-site after hours.

Laptop encryption is another step companies can take to protect themselves, Pack added. He gave one example of a state regulator who audited a large insurance carrier and had on his laptop all of the client information that had been reviewed -- including personal information and Social Security numbers.

The regulator’s laptop was stolen.

“There were 40,000 customer names, and confidential information was stolen off that laptop,” Pack said. “Even the regulators can’t protect the information. If you have an encryption system … that can help.”

Properly backing up computers is another step companies can take to protect themselves. Some firms back up computers and the information is taken to a remote site, which is sometimes in a private home, Pack said.

“What happens if your house gets broken into? Your entire database is sitting in this thing,” Pack said. “So we require them to either find a third-party vendor that does automated backups off-site, or they have to keep it in a safety deposit box at a bank or someplace secure like that.”

Organizations will need to extend their security policies, including providing secure Internet browsing to their mobile devices. At the same time, companies should ensure that personal devices accessing corporate Wi-Fi and networks are included under the same policies, Anstis said.

He added that this makes BYOD policies important because it’s difficult for organizations to force users to install measurement software on their own devices.

 “We really need to start thinking about our policies around mobile devices -- not only the ones we are handing out to employees, but also the ones they are bringing in,” Anstis said.

Let us know what you think about the story; email Ben Cole, Associate Editor.