Security Implications and Adoption of Evolving Technology - Coggle Diagram
(4) Consumerization of IT and Mobile Devices
Internet of Things
Types of Risk
Operational Risk
Shadow usage
Performance
Inappropriate access to functionality
Technical Risk
Device vulnerabilities
Device Management
Device updates
Business Risk
User privacy
Health and safety
Unexpected costs
Regulatory compliance
Refers to physical objects that possess embedded network and computing elements and communicate with other objects over a network
Big Data
The change in analytics capabilities dealing with big data can bring technical and operational risk, including
Amplified technical impact
Larger data sets are in jeopardy if attacked
Privacy in data collection
Individuals may feel that revealed information is overly intrusive
Re-identification
During aggregation, semi-anonymous information may be converted to identifiable information, compromising individual privacy
Relies on data sets that are too large or too fast-changing to be analyzed using traditional database techniques or commonly used software tools
a valuable enterprise asset - information
Consumerization of IT
Examples
Bring Your Own Device (BYOD) Strategies
Cons
Acceptable Use Policy is more difficult to implement
IT loss of control
Known/Unknown security risk
Unclear compliance & ownership of data
Pros
Shifts costs to user
Cutting-edge technology with the latest features & capabilities
Worker satisfaction
More frequent hardware upgrades
The use of privately owned mobile devices for work has quickly taken hold
Smart devices
New, freely available applications and services
Provide better user experiences than their respective corporate-approved counterparts for things such as
Email
Cloud Storage
Note-taking
Video Conferencing
Instead of being provided with company-issued devices and software, employees are using their own solutions that fit with their
Preferences
User needs
Lifestyle
Reorientation of technologies and services designed around the individual end user
(1) Current Threat Landscape
Cybersecurity Threat Landscape = Dynamic
Types of Threats
Increasing
Insider threats
Accidental
Malicious
Web application attacks
Denial of Service
Malware
Ransomware
Cyber Espionage
Information Leakage
Exploit kits
Web-based attacks
Declining
Spam
Botnets
Stable
Phishing
Physical Damage/Theft/Loss
Identity Theft
Data Breaches
Recent Trends
Social Networks
Primary Channel of
Marketing
Information Dissemination
Communication
Knowledge Collection
Cloud Computing
Large concentrations of data within a small number of facilities
Attractive Targets
Attack patterns used on mobile devices
Cyberwarfare
Big Data
Allow the potential of large scale breaches
More sophisticated attacks and use of tools
Increased dependence on technology,
Increased susceptibility to cybersecurity risk
Collection of Threats
(2) Advanced Persistent Threats (APT)
APT
Characteristics
Unprecedented degree of
Resources Employed
Techniques Used
Planning
Often follow a particular modus operandi (mode of operating)
Threat Sources
Armed Forces
Impact: Serious damage to facilities in the event of a military conflict
Seek: Intelligence or positioning to support future attacks on critical national infrastructure
Criminal Groups
Impact: Financial loss, large-scale customer data breach/loss of trade secrets
Seek: Money transfers, extortion opportunities, personal identity information or secrets for potential onward sale
Terrorist Groups
Seek: Production of widespread terror through death, destruction, and disruption
Impact: Loss of production and services, stock market irregularities, and potential risk to human life
Intelligence Agencies
Impact: Loss of trade secrets or commercial, competitive advantage
Seek: Political, defense, or commercial trade secrets
Activist Groups
Impact: Major data breach/loss of service
Seek: Confidential information/disruption of services
Targets
Companies that contain high-value assets regardless of
Industry Sector
Size
Can remain undetected for an extended time period
Not easily deflected by a determined, defensive response
Targeted threat that is composed of various complex attack vectors
Stages of Attack (Cycle)
Target Selection --> Target Research --> Target Penetration --> Command & Control --> Target Discovery --> Data Exfiltration --> Intelligence Dissemination --> Information Exploitation
Often encompass third-party organizations delivering services to targeted enterprises
Evolution of the Threat Landscape
State-sponsored Attacks (APT)
Who you are
What you do
Value of your IP
Sophisticated Attackers (Hackers)
On Internet
Have information of value
Unsophisticated Attackers (Hackers)
Have a vulnerability
On Internet
Corporate Espionage (Hackers)
Current/former employee seeks financial gain from selling your IP
(5) Cloud and Digital Collaboration
Social Media
Risk of Enterprise Use
Introduction of viruses/malware to the organizational network
Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
Unclear or undefined content rights to information posted
Misinformation/Misleading information posted through a fraudulent or hijacked corporate presence
Customer dissatisfaction due to an expected increase in customer service response quality/timeliness
Created highly effective communication platforms where any user, virtually anywhere in the world, can freely create content and disseminate this information in real time to a global audience
Risk of Employee Use
Employee posting of pictures or information that link them to the enterprise
Use of personal accounts to communicate work-related information
Employee access to social media via enterprise-supplied mobile devices
Excessive employee use of social media in the workplace
Involves creation and dissemination of content through social networks using the Internet.
Top Threats
Denial-of-service (DoS)
Abuse of cloud services
Insecure Application Programming Interfaces (APIs)
Shared technology issues
Malicious insiders
Account Hijacking
Data Breaches
Insufficient due diligence
Data Loss
Cloud Computing
Model for enabling convenient, on-demand access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
Networks
Applications and Services
Storage
Servers
Offers enterprises a way to save on the capital expenditure associated with traditional methods of managing IT
Common platforms offered
Platform as a Service (PaaS)
Software as a Service (SaaS)
Increases risk at the application layer, including
Zero-day exploits
Primary malware
Secondary malware
Bring business advantages, but also generate data-in-flow vulnerabilities that may be exploited by cybercrime and cyberwarfare
Infrastructure as a Service (IaaS)
(3) Mobile Technology - Vulnerabilities, Threats, and Risk
Technical Risks
Drive-by Vulnerabilities
Users can be harmed by
insertion of illegal material
bypass of authentication mechanisms
inadvertent use of "premium" services via SMS/MMS
Mobile device size limits display and edit capabilities
Restricted nature of mobile device application leads to an increased risk of drive-by attack
Word processing, spreadsheet, and presentation software is optimized for opening and reading only, but may contain
Macros
Embedded documents
Active hyperlinks
This is known as an attack vector for malware and other exploits. Mobile apps may not recognize malformed links or provide warnings to users.
Unsafe Sensitive Data Storage
Standardized files are stored unencrypted for convenience
Presentations
Spreadsheets
Mobile devices are often associated with cloud storage, which adds risk
Applications may store sensitive data
Tokens as plaintext
Credentials
Data stored by user is often replicated without encryption
Unauthorized Network Connectivity
SMS
Simple data transmission, limited command and control (service command) facility
TCP/UDP socket
Lower-level attack vector for simple to complex data transmission
WLAN/WiMAX
Generic attack vector for full command and control of target, equivalent to wired network
Bluetooth
Simple to complex data transmission, profile-based command and control facility, generic attack vector for close proximity
HTTP get/post
Generic attack vector for browser-based connectivity, command and control
Email
Simple to complex data transmission (incl. large files)
DNS exfiltration
Lower-level attack vector for simple to complex data transmission, slow but difficult to detect
Activity Monitoring and Data Retrieval
History
Monitoring & retrieval of all history files in the device/SIM card
Input
Browsing
Calls
Stored passwords
SMS
Audio
Covert call initiation or call recording
Open microphone recording
Storage
Generic attacks on data and device storage
Hard disk
Solid state disk (SSD)
Pictures/Video
Retrieval of pictures and videos by piggybacking the usual "share" functionality in most apps
Covert capture of video or pictures, including traceless wiping of such material
Geolocation
Monitoring & retrieval of GPS positioning data, including date and time stamps
Messaging
Retrieval of online and offline email contents
Arbitrary code execution via SMS/MMS
Generic attacks on SMS text, MMS-enriched transmission of text & contents
Redirect/Phishing attacks by HTML-enabled SMS text or email
Insertion of service commands by SMS cell broadcast texts
Static Data
Intelligence or positioning to support future attacks on critical national infrastructure
Sensitive Data Leakage
Can occur through side channel attacks, which over prolonged time periods will allow the building of a detailed user profile
Behavior
Private/Business habits
Movements
Can be inadvertent
As the amount of storage space grows, the risk of data leakage also increases
Unsafe Sensitive Data Transmission
Users are likely to use unsecured public networks for data transmission
Automatic network recognition, a common mobile OS feature, may link to WLANs available in the area, memorizing Service Set Identifiers (SSIDs) and channels
Paves the way for evil twin attacks
Mobile devices predominantly rely on wireless data transmission, creating a risk of unauthorized network connectivity, particularly when using a wireless LAN
Web View/User Interface (UI) Impersonation
Threats
Code tampering
Extraneous functionality
Insufficient cryptography
Improper platform usage
Insecure data storage
Reverse engineering
Client code quality
Insecure communication
Insecure authentication
Insecure authorization