The more you know about the likely avenues of cybercrime attack, the better you can protect yourself against them, says Alan Calder.
There is never a time for complacency in information security. All users remain under the permanent threat of cybercrime, so the most important thing is to know your enemy. If you do, you greatly increase the strength of your protection. Here are the main information security threats right now.
1. Vulnerable web apps
First on the list are website attacks that exploit poorly secured web applications. Finding the open door of an insecure application is the essential first step in any website attack.
I expect a sharp rise in this mode of entry by cybercriminals. Apart from practising good website security, such as regular application of all relevant patches, it is a good idea to have a basic understanding of common hacking techniques, such as SQL injection and cross-site scripting.
2. Sophisticated phishing and pharming
Fake emails and scams for money from 'banks' or 'HMRC' have become increasingly difficult to tell from the real thing. There is a clear rise in interest among criminals in online identity theft.
Antivirus software and spyware removal software cannot protect against these attacks single-handedly. Effort must go into user education in this area to cut exposure to risk.
3. Spam and infected attachments
We have seen huge increases in spam, almost to levels of denial of service. About 90 percent of all email messages are either spam or phishing attempts, according to computer security software provider Symantec. Staff opening an infected attachment can easily unleash a worm or virus onto your corporate network.
4. Social media attacks
There has been an increase in social media attacks, exploiting inadequate password security and insecure free apps. The security settings for personal and sensitive data on social networking sites are not transparent, meaning individuals are not always aware of how much personal information is accessible to possibly undesirable third parties.
5. Sharp jump in identity theft
Identity fraud involves someone pretending to be somebody else to steal money or gain other benefits. Even seven years ago, the Home Office was estimating that this type of electronic burglary was costing the UK at least £1.3bn per annum. By 2006 the Home Office increased that figure to £1.7bn, and observers now believe the real annual figure could be significantly higher.
6. Theft of credit-card details
Perhaps only five percent of e-commerce websites are PCI DSS-compliant. The payment card industry is seeing frightening increases in the hacking of merchant security systems to obtain card data, particularly at merchants that accept cardholder information over the internet.
7. Exploiting the latest technology
New technologies such as voice over internet protocol, virtualisation and even the iPhone all introduce security risks, as hackers immediately start finding ways to exploit inherent vulnerabilities.
One example is the exploitation of IP-based telephone systems to run 'vishing' campaigns. In vishing, calls are placed from a compromised phone system so that they appear to the recipient to come from a trusted source, enticing the recipient to divulge confidential information.
8. Increased outsourcing
Many companies — large and small — have turned to outsourcing services as a cost-saving strategy but, consequently, large amounts of sensitive data, including customer and employee personal information, are being shared with outside vendors.
It is imperative that any partner of yours or of your business that has access to sensitive customer information deploys adequate safeguards to protect that information.
9. Rise in super-portable data
Every week there seems to be a report of data loss because of a stolen laptop or misplaced portable data. USB devices that hold 64GB of data make it very easy for employees to transport massive amounts of information out the door — potentially to your rivals.
You can have all the latest technology to secure your internet perimeter, but if your employees are not trained in how to follow and enforce your security policies, you may be unable to stop an enemy walking in through the front door to gain access to your data.
Compared with many of the investments made by organisations, data protection compliance comes at a bargain price. Any organisation not addressing information security with a formal compliance regime is not only risking financial penalties; if you let your customers down, your very survival will be on the line.
Alan Calder is chief executive of security and compliance organisation IT Governance.