infoTECH Feature

May 04, 2015

Top 10 Security Concerns

In the world of Information Technology (IT), threats are constantly evolving.  In some cases the existing threats become more advanced and in other cases new forms of threats emerge.  Some of the threats relate to a host being compromised and converted to a bot, which can lead to a botnet or to launching a Distributed Denial of Service attack.  That attack can stem from a multitude of sources, but the insider threat as well as network access from mobile devices can contribute to a DDoS attack and many other issues.  These infractions are typically first seen as security policy violations and can be avoided if the policies are enforced.  Threats also stem from software that isn't updated or from users who don't exercise caution in their Web browsing.  Another series of threats comes from tricking users with fake certificates, which can lead to further forms of spying, targeted attacks or data acquisition.  There are always threats, but it's important to know how to mitigate them.

Distributed Denial of Service (DDoS) attacks

When a machine is infected and controlled by an adversary it becomes a bot.  When that machine is made to request services or send repeated requests to a server, the target is under a Denial of Service attack.  If more than one machine is compromised and used in this manner, this is a DDoS attack.  The network is now under a DDoS attack, but the main issue is how the machines got infected in the first place.  These attacks are symptoms of much larger issues and the impact to the business is detrimental.  The goal is to crash the network or reduce its availability to an unacceptable level.  With more and more attack vectors, these attacks need to be identified and mitigated immediately.

Botnets

This is directly related to a DoS or DDoS attack.  When a machine is compromised it becomes a bot.  The DDoS is just one way to use the infected hosts.  When multiple machines are compromised a botnet (network of bots) is formed.  Having machines on a network that can be remotely controlled, regardless of whether the user is at the computer or not, can lead to a variety of malicious behavior.
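The two sections above describe bots sending repeated requests to a server.  The following is an added example, not code from the article, showing how a defender can spot that pattern in web server access logs: it parses Combined Log Format lines, keeps a sliding window of request timestamps per source address, flags any source that exceeds a request-rate threshold, and then reports whether the flood comes from a single source (DoS) or from many (DDoS).  The log lines, addresses, window size and thresholds are all constructed for illustration.

```python
"""Request-flood detection over web server access-log lines.

Added example (not from the original article).  Flags sources whose request
rate exceeds a threshold within a sliding time window and classifies the
result as a single-source or distributed flood.  All sample data is
constructed; the thresholds are illustrative, not tuned for any real site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a valid log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_requests_in_window} for sources exceeding the limit.

    A per-source deque holds timestamps seen in the last window_seconds;
    when the deque grows past max_requests the source is flagged.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # skip malformed lines rather than crash
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def classify(flagged, min_sources=3):
    """Label the detection result by how many sources were flagged."""
    if not flagged:
        return "normal"
    if len(flagged) >= min_sources:
        return "distributed flood (DDoS)"
    return "single-source flood (DoS)"


def make_sample_log():
    """Build constructed log lines: two normal clients and three bots."""
    base = datetime(2015, 5, 4, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    # Normal clients: 5 requests each, spread 12 seconds apart.
    for i in range(5):
        for ip in ("192.0.2.10", "192.0.2.11"):
            events.append((ip, base + timedelta(seconds=12 * i)))
    # Bots: 30 requests each inside a 5-second burst (documentation range IPs).
    for n in range(3):
        ip = f"198.51.100.{n + 1}"
        for i in range(30):
            events.append((ip, base + timedelta(milliseconds=166 * i)))
    events.sort(key=lambda e: e[1])
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'
        for ip, ts in events
    ]


if __name__ == "__main__":
    flagged = detect_floods(make_sample_log())
    for ip, count in sorted(flagged.items()):
        print(f"{ip}: {count} requests within the window")
    print(classify(flagged))
```

In practice the thresholds should be derived from the site's normal traffic baseline, and the same sliding-window logic can be keyed on other fields (requested path, user agent) to catch floods that rotate source addresses.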

Insider Threat

Generally speaking, what is the biggest threat to a company's network?  Is it a world-famous hacking group, a rival company or a rampant virus?  Most executives are surprised to learn that the highest probability of significant danger to a company comes from an insider threat.  This is usually a disgruntled employee or one with personal financial issues who reluctantly embarks down the road of corporate espionage.  This is partially why security clearances focus on matters such as these; these people are prime targets and are more susceptible to bribery.  That person has all the access that the attackers need.  In some cases they can get a briefcase of cash for simply inserting a malicious USB drive into a computer.

Mobility

When a device accesses the network remotely, the network is in essence being expanded.  If the device is a portable or mobile device, there are a variety of new issues that need to be considered.  The device can be lost, stolen, cloned, piggybacked on, etc.  Accessing the corporate network from a personal device also introduces the risk of malware moving from the unprotected host onto the corporate network.  All of these issues come with allowing personal mobile devices onto a network.  Bring Your Own Device (BYOD), allowing personal devices access to the network, presents a new set of security concerns.

Inadequate or Unenforced Security Policies

It is widely believed that many violations of policies lead to security infractions.  Internet chatting is a common example, where people chat with their friends and exchange files or open a port for communication.  This is forbidden in many corporate environments, but it is not enforced.  The result is a series of security risks that ensue.  An even bigger concern is that of policies that are loosely written, if written at all.  The lack of an enforced security policy makes it plausible for employees to engage in behavior that can be detrimental to the network.

Un-Patched Software

Any software that is installed has some flaws in it.  The longer the software exists, the longer an adversary has to create a virus or an attack that focuses on a weakness, and as a result the level of security decreases.  Typically there is a regular flow of patches, updates and fixes for nearly every conceivable piece of software.  If the updates are not deployed, the software becomes a risk and a liability.

Generation Y-Factor

This generation classification is somewhat odd because it encompasses a 24-year period from 1976 - 2000, and in some reports up to 2004.  By default there could be two generations in the Generation Y classification.  This is also a generation that has experienced a technical boom.  This group of people, especially the younger group, has a reputation, perhaps well deserved, for rushing through websites.  This fast-paced behavior with a lack of attention to detail has earned them the nickname of the "click-through" generation.  These users generally click through windows so fast that they don't read the warnings, and they tend to ignore risks and visit sites that are more prone to dangers.

Legal Surveillance Tools

The growth of Web-based threats and more elaborate cyber criminals has resulted in security groups and law enforcement increasing their efforts to monitor this type of activity.  The ability to track, follow, and research a person has become far less complex in the last 10 years.  The basic levels of these tools are now readily available to the public and can be used for myriad malicious purposes.  The secondary problem that stems from this is that there isn't always a clear-cut line between what is legal and what is illegal.  However, the clearly identified legal tools offer an amazing amount of information on an unsuspecting victim.  There is so much that can be legally learned about another person that many are questioning how these legal surveillance tools are not a violation of one's privacy.

Fake Security Certificates

Most users really don't know what a security certificate does, but most people feel it is needed.  When users navigate to a site and are asked to click a link to verify or add a certificate, they usually do it without hesitation.  They just believe they are supposed to do that and that it's the safe thing to do.  The problem is that there is a surge of threat actors who prey on this idea and are using fake security certificates.  These certificates may be loaded with viruses or they may be used to breach a site's security measures, at which point the attackers are in the network and can launch far more dangerous attacks.

Targeted attacks and espionage

The act of a "hacker" breaking into a system is something we've all heard of.  We've also heard, "this couldn't happen to me, I don't have anything they want."  That is not true.  There are many attacks that are geared to general users as well as companies.  The adversaries attack general users and gain data such as bank account info, social security numbers, credit cards, insurance information and personally identifiable information.  These attacks also happen at the corporate level, but there the data is used to generate income by selling it in the DarkMarket.  The gathering of data is not just relegated to the corporate world.  In fact, attacking a victim through their personal life can make attacking a company, through that same person, a much easier task.

Conclusion

Many of these threats can be reduced and in some cases eliminated.  There doesn't need to be as much network risk as we are currently seeing in today's day and age.  The main thing that needs to change is the user's mindset.  People need to question things more and simply be aware of what they are doing.  We are in a technical age where the level of threats and risks is rivaled only by the number of users who are naive to those threats.


Afshin is currently an instructor at a college where he teaches a wide array of technical courses that are constantly evolving to meet the current standard of the IT community.  He also sits on the board of directors for the Veterans Workshop, a charity designed to train disabled veterans and equip them with the skills necessary to be highly competitive in the world of technology.  Up to early 2015 he was a Senior Security Analyst in a Security Operations Center (SOC) for a major defense contractor, and he is working towards his Ph.D. in Information Assurance and Security.  He held this position for several years and worked hand in hand with a team of analysts that scoured the internal network on a daily basis looking for threats and leveraging intelligence gained from public, private and government sources.  Prior to this position Afshin spent 15 years working in the teaching world, instructing on all common off-the-shelf programs, networking, security and various other genres of education.


Edited by Dominick Sorrentino