Sydney, 22 November 2011 – Pure Hacking, Australia’s leading specialist information security consultancy, today advised that organisations are still underestimating the threats to company data security and the consequences of malicious attacks. The lack of appropriate investment and security processes for corporate data networks will more than likely see 2012 eclipse the current level of data and IP theft. Major security challenges include corporate data leakage, industrial espionage, internet attacks and physical security threats.
“Corporate data leakage from internal sources is the single major security factor affecting Australian organisations today,” said Ty Miller, CTO, Pure Hacking. “This is because IT and management teams have underestimated the issues that arise when you connect more personal devices to the network and allow these personal devices to travel without restriction. This all contributes to a modern form of internal corporate espionage.”
For Pure Hacking, the continued integration of both corporate and personal smartphones and tablets into corporate environments will continue to blur the security boundaries of these organisations. Lost, stolen and compromised mobile devices will lead to major corporate data leakage.
“We don’t expect this to become less of an issue anytime soon. The increased adoption of personally owned laptops and mobile devices into any corporate environment, rather than corporate-supplied machines built with a standard operating environment, will also facilitate corporate data theft issues. This type of infrastructure will not restrict access for internal employees and contractors to confidential internal documents, data and valuable intellectual property,” Miller commented.
Expanding a corporate profile to social networking sites also poses a challenge for security management. “Eventually high profile social networking sites will become a major central identity and authentication provider for organisations. Our tests throughout the year have revealed that individuals compromise their own identities and the safety of their data by not understanding the challenges of security in social networking sites,” he said.
Pure Hacking has also outlined a range of security issues for corporate data network management in 2012:
- Industrial Espionage – A clearer understanding of the economic value of specific types of data will increase network attacks by unethical corporations and organised crime networks, motivated by financial gain as well as competitive advantage over rivals and hacktivist groups.
- Rebirth of Wireless Attacks – Most smartphones are only equipped to support simple authentication mechanisms, such as “Pre-Shared Key” (password). This potentially increases the likelihood of attackers successfully gaining access to private mobile wireless hotspots, and an increase in direct mobile device attacks, internet connection hijacking, and man-in-the-middle attacks such as DNS spoofing and session hijacking.
- Extortion through Hacking – With few prosecution outcomes, the migration away from hacking for fun towards compromising companies for profit will escalate in 2012, especially extortion via hacking incidents. Some attackers may be deterred from stealing credit cards; however, “donations” may be extorted from companies via hacking incidents. This can be achieved via threats of corporate data publication or destruction, or via simple Denial-of-Service mechanisms at key times.
- Cyber Warfare – 2012 may very well see the next sophisticated worm develop, with expectations that another well-funded highly intelligent complex attack may occur, whether it is another sophisticated worm or a major Information Technology conspiracy.
- Phishing + Client-side Exploitation: Compromised Smartphones – “Phishing + Client-side Exploitation” is likely to morph from the traditional phishing attack via email towards SMS-based phishing attacks. This shift in technique allows phishers to bypass security controls such as spam and anti-virus gateways, connect to corporate networks and tunnel data back to the attacker by pivoting through the phone.
- Physical security threat: Hardware Hacking and Offline Hard Disk Encryption Brute Forcing (2 in 1) – Lost and stolen mobile devices and laptops will be the most common physical security concern for organisations. Attackers will bypass security controls by manipulating hardware components within the device or by attacking encryption mechanisms offline through new types of brute force attacks. The outcome of a successful attack is access to corporate data and remote access to corporate systems.
“Organisations are not fully investigating the claims of compliance for smaller service providers in areas such as the Payment Card Industry Data Security Standard (PCI DSS), as well as not committing a realistic level of security investment to ensure that their suppliers and their own operations meet these obligations. This also extends to cloud computing security claims from ISPs, hosting and cloud application providers. Their networks may be compromised and this puts your data in an undermined position,” concluded Miller.