Security Implications and Adoption of Evolving Technology
(1) Current Threat Landscape ⚠
↑ dependence on technology,
↑ susceptible to cybersecurity risk
Collection of Threats
Cybersecurity Threat Landscape = Dynamic
Recent Trends
More sophisticated attacks and use of tools
Cyberwarfare
Big Data
Allow the potential of large scale breaches
Attack patterns used on mobile devices
Social Networks
Primary Channel of
Communication
Knowledge Collection
Marketing
Information Dissemination
Cloud Computing
Large concentrations of data within a small number of facilities
Attractive Targets
Types of Threats
Increasing
Malware
Web-based attacks
Web application attacks
Denial of Service
Insider threats
Malicious
Accidental
Exploit kits
Information Leakage
Ransomware
Cyber Espionage
Stable
Physical Damage/Theft/Loss
Phishing
Data Breaches
Identity Theft
Declining
Botnets
Spam
(2) Advanced Persistent Threats (APT)
Evolution of the Threat Landscape
Unsophisticated Attackers (Hackers)
On Internet
Have a vulnerability
Sophisticated Attackers (Hackers)
On Internet
Have information of value
Corporate Espionage (Hackers)
Current/former employee seeks financial gain from selling your IP
State-sponsored Attacks (APT)
Who you are
What you do
Value of your IP
APT
Targeted threat that is composed of various complex attack vectors
Can remain undetected for an extended time period
Not easily deflected by a determined, defensive response
Characteristics
Unprecedented degree of
Planning
Resources Employed
Techniques Used
Often follow a particular modus operandi (mode of operating)
Targets
Companies that contain high-value assets regardless of
Size
Industry Sector
Geographic Regions
Often encompass third-party organizations delivering services to targeted enterprises
Threat Sources
Intelligence Agencies
Seek: political, defense, or commercial trade secrets
Impact: Loss of trade secrets or commercial, competitive advantage
Criminal Groups
Seek: Money transfers, extortion opportunities, personal identity information or secrets for potential onward sale
Impact: Financial loss, large-scale customer data breach/loss of trade secrets
Terrorist Groups
Seek: Production of widespread terror through death, destruction, and disruption
Impact: Loss of production and services, stock market irregularities, and potential risk to human life
Activist Groups
Seek: Confidential information/disruption of services
Impact: Major data breach/loss of service
Armed Forces
Seek: Intelligence or positioning to support future attacks on critical national infrastructure
Impact: Serious damage to facilities in the event of a military conflict
Stages of Attack (Cycle)
Target Selection --> Target Research --> Target Penetration --> Command & Control --> Target Discovery --> Data Exfiltration --> Intelligence Dissemination --> Information Exploitation
(3) Mobile Technology - Vulnerabilities, Threats, and Risk
Threats
Improper platform usage
Insecure data storage
Insecure communication
Insecure authentication
Insufficient cryptography
Insecure authorization
Client code quality
Code tampering
Reverse engineering
Extraneous functionality
Technical Risks
Activity Monitoring and Data Retrieval
Messaging
Generic attacks on SMS text, MMS-enriched transmission of text & contents
Retrieval of online and offline email contents
Insertion of service commands by SMS cell broadcast texts
Arbitrary code execution via SMS/MMS
Redirect/Phishing attacks by HTML-enabled SMS text or email
Audio
Covert call initiation or call recording
Open microphone recording
Pictures/Video
Retrieval of pictures and videos by piggybacking the usual "share" functionality in most apps
Covert capture of video or pictures, including traceless wiping of such material
Geolocation
Monitoring & retrieval of GPS positioning data, including date and time stamps
Static Data
Intelligence or positioning to support future attacks on critical national infrastructure
History
Monitoring & retrieval of all history files in the device/SIM card
Calls
SMS
Browsing
Input
Stored passwords
Storage
Generic attacks on data and device storage
Hard disk
Solid state disk (SSD)
Unauthorized Network Connectivity
Email
Simple to complex data transmission (incl. large files)
SMS
Simple data transmission, limited command and control (service command) facility
HTTP get/post
Generic attack vector for browser-based connectivity, command and control
TCP/UDP socket
Lower-level attack vector for simple to complex data transmission
DNS exfiltration
Lower-level attack vector for simple to complex data transmission, slow but difficult to detect
Bluetooth
Simple to complex data transmission, profile-based command and control facility, generic attack vector for close proximity
WLAN/WiMAX
Generic attack vector for full command and control of target, equivalent to wired network
Web View/User Interface (UI) Impersonation
Sensitive Data Leakage
As the amount of storage space grows, the risk of data leakage also increases
Can be inadvertent
Can occur through side channel attacks, which over prolonged time periods will allow the building of a detailed user profile
Private/Business habits
Behavior
Movements
Unsafe Sensitive Data Storage
Applications may store sensitive data
Credentials
Tokens as plaintext
Data stored by user is often replicated without encryption
Standardized files are stored unencrypted for convenience
Presentations
Spreadsheets
Mobile devices are often associated with cloud storage, which adds risk
Unsafe Sensitive Data Transmission
Mobile devices predominantly rely on wireless data transmission, creating a risk of unauthorized network connectivity, particularly when using a wireless LAN
Users are likely to use unsecured public networks for data transmission
Automatic network recognition, a common mobile OS feature, may link to WLANs available in the area, memorizing Service Set Identifiers (SSIDs) and channels
Paves the way for evil twin attacks
Drive-by Vulnerabilities
Restricted nature of mobile device applications leads to an increased risk of drive-by attacks
Mobile device size limits display and edit capabilities
Word processing, spreadsheet, and presentation software is optimized for opening and reading only, but may contain
Active hyperlinks
Macros
Embedded documents
This is known as an attack vector for malware and other exploits. Mobile apps may not recognize malformed links or provide warnings to users.
Users can be harmed by
insertion of illegal material
inadvertent use of "premium" services via SMS/MMS
bypass of authentication mechanisms
(4) Consumerization of IT and Mobile Devices
Consumerization of IT
Examples
Smart devices
Bring Your Own Device (BYOD) Strategies
The use of privately owned mobile devices for work has quickly taken hold
Pros
Shifts costs to user
Worker satisfaction
More frequent hardware upgrades
Cutting-edge technology with the latest features & capabilities
Cons
IT loss of control
Known/Unknown security risk
Acceptable Use Policy is more difficult to implement
Unclear compliance & ownership of data
New, freely available applications and services
Provide better user experiences than their respective corporate-approved counterparts for things such as
Note-taking
Video Conferencing
Email
Cloud Storage
Reorientation of technologies and services designed around the individual end user
Instead of being provided with company-issued devices and software, employees are using their own solutions that fit with their
Lifestyle
User needs
Preferences
Internet of Things
Refers to physical objects that possess embedded network and computing elements and communicate with other objects over a network
Types of Risk
Business Risk
Health and safety
Regulatory compliance
User privacy
Unexpected costs
Operational Risk
Inappropriate access to functionality
Shadow usage
Performance
Technical Risk
Device vulnerabilities
Device updates
Device Management
Big Data
Relies on data sets that are too large or too fast-changing to be analyzed using traditional database techniques or commonly used software tools
The change in analytics capabilities dealing with big data can bring technical and operational risk, including
Amplified technical impact
Larger data sets are in jeopardy if attacked
Privacy in data collection
Individuals may feel that revealed information is overly intrusive
Re-identification
During aggregation, semi-anonymous information may be converted to identifiable information, compromising individual privacy
a valuable enterprise asset - information
(5) Cloud and Digital Collaboration
Cloud Computing
Model for enabling convenient, on-demand access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
Networks
Servers
Storage
Applications and Services
Offers enterprises a way to save on the capital expenditure associated with traditional methods of managing IT
Common platforms offered
Software as a Service (SaaS)
Increases risk at the application layer, including
Zero-day exploits
Primary malware
Secondary malware
Bring business advantages, but also generate data-in-flow vulnerabilities that may be exploited by cybercrime and cyberwarfare
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Top Threats
Data Breaches
Data Loss
Account Hijacking
Insecure Application Programming Interfaces (APIs)
Denial-of-service (DoS)
Malicious insiders
Abuse of cloud services
Insufficient due diligence
Shared technology issues
Social Media
Involves creation and dissemination of content through social networks using the Internet.
Created highly effective communication platforms where any user, virtually anywhere in the world can freely create content and disseminate this information in real time to a global audience
Risk of Enterprise Use
Introduction of viruses/malware to the organizational network
Misinformation/Misleading information posted through a fraudulent or hijacked corporate presence
Unclear or undefined content rights to information posted
Customer dissatisfaction due to an expected increase in customer service response quality/timeliness
Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
Risk of Employee Use
Use of personal accounts to communicate work-related information
Employee posting of pictures or information that link them to the enterprise
Excessive employee use of social media in the workplace
Employee access to social media via enterprise-supplied mobile devices