Computer security has been a growing issue for years, as you know if you’ve either received or are in the process of obtaining an information systems degree. Growth in terms of scale, for sure, but also a sort of evil evolution.
In addition to finding new variations on vulnerabilities in operating systems and applications, hackers and criminals continue to find brand new approaches to getting the data and identities they want. In response, security experts will have to adopt a new approach to manage risk and address threats.
For example, SMS-based text message attacks on smartphones are becoming far more common, according to Rodney Joffe, director of the Conficker Working Group, an association of security researchers. Similar to email attacks, the text message includes an attachment that is actually a malware payload. Click on the file or image and the malware installs, afterward sending similar messages to those listed in the phone’s contact list.
Last year’s Stuxnet worm attacked SCADA systems. SCADA stands for supervisory control and data acquisition and refers to the specialized networks, computers, and controllers that automate and run factories, power plants, oil pipelines, and virtually every form of industrial system. Stuxnet actually reprogrammed the software running machinery, though, in theory, such an attack could simply monitor production data and feed the results back to another party. In either case, the result could be competitive disaster.
Social networks have provided another opening to nefarious intent. A rogue employee can misuse a Twitter account or an outsider could potentially set up a phony presence, fooling customers, business partners, and even other employees. Business social network LinkedIn has already seen phishing scams. Some unscrupulous people have set up fake Facebook pages for businesses and then used them to obtain personal information from consumers in return for fake specials or coupons. Even if it’s not an attack on the company’s systems, it can damage reputation.
You can expect attacks that target the switch to IPv6. As companies start the shift to the new longer IP addresses (the addressable space that traditional IPv4 provided is exhausted), they will have to add equipment to translate between the two schemes. That will increase complexity and open new attacks, especially as the new devices haven’t been through the practical security wringer of actual use, so their defensive measures are unlikely to be adequate yet.
All these examples suggest that those involved in computer security have to consider a different approach. In the past, IT staff have patched systems, added defensive software, and tried to educate users, but all to keep up with incremental additions to the same types of exploits they had seen before. But things are changing far too quickly for this to continue to work. IT departments fall further behind.
What IT practitioners should do is understand how hackers and criminals think and then imagine the next steps they might take. Even if their guesses aren’t right, they’re less likely to be taken by surprise and may even see signs far enough in advance to take measures before a problem becomes unwieldy.