January 21, 2015
APT: The Biggest Mobile Website Security Threat In 2015
Breaches to mobile website security will be the top threat in 2015 due to usage privileges in corporations that were not addressed this year and may continue to be neglected in 2015. But before discussing the specific threat for mobile website security, we need to go over general website threats to get a sense of perspective.
General Overview of Cyber Security in 2015
When looking ahead to website security issues in 2015, chief security officers are focusing on website security threats from the Internet invading their networks from traditional computing devices.
While they are preparing against an exhaustive list of possible threats, the biggest threat in 2015 is expected to come from an Advanced Persistent Threat. These are threats where an unauthorized person slips into a network and lurks undetected for a long time. Since the intruder is a spy or thief, there is no attack — and consequently no damage to the network to trigger an alarm to release effective countermeasures to block the intruder.
Kaspersky Lab, developers of leading-edge antivirus technologies, believes 2015 will be the year when cyber crimes merge with APT.
According to their Security Bulletin on Predictions for 2015:
“In 2015, we expect to see another stage in the evolution of cyber-criminal activity with the adoption of APT tactics and techniques in financially motivated online criminal activity. During a recent investigation, we discovered an attack in which an accountant’s computer was compromised and used to initiate a large transfer with a financial institution. It represented the emergence of an interesting trend: targeted attacks directly against banks. We are seeing an upsurge in malware incidents where banks are being breached using methods coming directly from the APT playbook. Once the attackers got into the banks’ networks, they siphon enough information to allow them to steal money directly from the bank in several ways: Remotely commanding ATMs to dispose cash; Performing SWIFT transfers from various customers accounts; Manipulating online banking systems to perform transfers in the background.”
How Mobile Security Fits Into This Picture
It’s a grim outlook, and mobile phones fit into this scenario because they are the perfect spying device. Eventually, security administrators will learn how to detect intruders from legacy computing devices like laptops, notebooks, and desktops, but few will be alert to the danger of employees’ own mobile devices being hijacked for electronic espionage.
Let’s take an in-depth look at how this is possible.
Almost every office worker now carries their mobile device when they go to work. Most of these devices are not flip phones, but smartphones like an Apple iPhone, a Blackberry, or Android. Mobile solutions for Android security and other devices have reached a level of considerable sophistication. Moreover, since there is usually rapid market innovation to either hold on to market share or increase market share, these mobile devices are becoming progressively more advanced with every new version.
While everyone is for innovation, in particular those who love to buy the latest version of their smartphone, the smarter the phone, the greater the threat to a company’s IT security. This is because these connected devices are being brought behind the network’s firewalls.
While the smartphone-toting employee is usually oblivious to the potential threat of their smartphone, information technology administrators are becoming acutely aware.
We now have a situation where smartphones are becoming more advanced; more people are deciding to buy them to keep pace with their neighbors; and security teams are not sure what to do to secure these devices in the workplace.
While security administrators have been spending a huge amount of time, money, and other resources protecting their network from unauthorized access, employees are simply connecting their devices to the company’s network.
How dangerous is this situation? Think of it as being as dangerous as permitting a Trojan horse into an enterprise network.
The danger does not come directly from the employee, who is unlikely to have any malicious intent to compromise the company’s network. The danger comes from the device itself carrying undetected malware.
The idea of BYOD (bring your own device) has serious problems. A device can be used to leak proprietary company information because it can be completely controlled by an attacker who uses built-in systems like the microphone and GPS for surveillance. If an attacker targets the smartphone of a security administrator, he or she can find out where the servers are housed in the company offices; if an attacker targets the smartphone of an executive, he or she can turn on the microphone and listen to private executive meetings. The software to do the hijacking would be introduced in much the same way that malware now sneaks into computing systems, often by tempting someone to download an innocent-looking, highly useful application that has some malware code embedded in it.
5 Ways to Improve Mobile Website Security
Given this threat scenario, there is actually a lot that can be done about it. Here are 5 suggestions:
1. An awareness campaign can be introduced in a company about mobile website security threats.
2. Security systems administrators can be educated on why mobile website security needs to be considered as seriously as regular website security.
3. Mobile devices should be electronically tagged so that an IT administrator is aware of what devices are plugged into their network. Currently, most admins don’t even know if a smartphone is connected to their network.
4. Smartphones have to be made compliant with IT corporate security policies.
5. Smartphone users should be made aware of the trusted third-party sources that are safe for downloading applications. Although Google, Apple, and Samsung have good systems in place to police their application marketplaces, additional security would be good technological redundancy.
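One way to act on suggestion 3, as an added example that is not part of the original article: reconcile a DHCP server's active leases against a register of approved devices. The lease text, register and hostnames below are constructed, and the ISC dhcpd lease format is an assumption about the environment; addresses with the locally administered bit set are reported separately, because a phone using a randomized MAC can never match a register entry.

```python
import re

# Constructed sample in ISC dhcpd.leases format (not real data).
SAMPLE_LEASES = '''
lease 10.0.0.21 {
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "it-laptop-07";
}
lease 10.0.0.22 {
  binding state active;
  hardware ethernet a4:5e:60:11:22:33;
  client-hostname "Janes-iPhone";
}
lease 10.0.0.23 {
  binding state active;
  hardware ethernet da:a1:19:0b:7c:01;
  client-hostname "android-5f3c";
}
lease 10.0.0.24 {
  binding state free;
  hardware ethernet 3c:15:c2:aa:bb:cc;
}
'''
REGISTERED = {"00:1a:2b:3c:4d:5e"}  # constructed register of approved MACs
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def field(body, pattern):
    """Return the first capture of pattern inside one lease body, or None."""
    m = re.search(pattern, body, re.M)
    return m.group(1) if m else None

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (typical of randomized MACs)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit_leases(text, registered):
    """List (ip, mac, hostname, reason) for active leases not in the register."""
    findings = []
    for ip, body in LEASE_RE.findall(text):
        # Anchor at line start so "next binding state" is not matched instead.
        if field(body, r"^\s*binding state (\w+);") != "active":
            continue
        mac = field(body, r"hardware ethernet ([0-9a-fA-F:]{17});")
        if mac is None or mac.lower() in registered:
            continue
        mac = mac.lower()
        host = field(body, r'client-hostname "([^"]*)";') or "?"
        reason = "randomized-mac" if is_locally_administered(mac) else "unregistered"
        findings.append((ip, mac, host, reason))
    return findings
```

A "randomized-mac" finding calls for a control that identifies the device by something other than its hardware address, such as per-device certificates or authenticated network access.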
While attackers will probably continue to attack the main breaches in a network’s security system, they will also try to pick the low-hanging fruit of mobile technology to introduce APTs into a company’s network. They understand that most companies are oblivious to the possible threats coming from smartphones, smartwatches, Google Glass and other smart devices. In 2015, banks and other financial institutions will need to upgrade their policies and software to meet this lesser-known threat to the integrity and security of their networks.