Feeds

Happy now? Mobiles, cloud, big data now 'a growing security risk'

Wheels are about to fall off those bandwagons, warn EU advisors

Secure remote control for conventional and virtual desktops

Innovations in mobile and cloud computing, social technology and the use of "big data" present an emerging risk to organisations' IT security, experts have warned.

The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for "most of the innovation expected in the area of IT" and warned that with their emergence would come an associated increased cyber threat.

ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over "poorly secured ... or unsecured channels". It said that the software used for such systems were not the most "mature", and added that devices were vulnerable to being lost or stolen due to their "mobility". The very fact that they are universally popular also enhances the threat of the technology being exposed to hackers, the agency added.

The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices, known as 'drive-by exploits', ENISA said.

"Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash," it said in a new report [96-page / 1.56MB PDF].

"The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code."

ENISA also warned of an increasing threat that confidential information could be compromised through data breaches, including where information is sent over mobile communication channels. In addition, it said that an "emerging issue" could arise due to the increasing use of mobile to make payments and for doing banking. These activities on mobile platforms "will gain the attention of attackers," it said.

Attackers are also likely to increasingly seek to exploit "low to medium maturity of security controls" contained within social networking technology, ENISA said. One of the main emerging threats in this context is the ability of hackers to "abuse" information that is already in the public domain in order to access social network accounts.

ENISA also warned that hackers will increasingly use "rogue certificates" in order to obtain "fake trust within components of trust infrastructure". Trust infrastructure is becoming of emerging importance as "electronic identity systems for the identification of citizens" are developed.

That's a nice silo of sensitive personal data, you've got there. Would be a shame if anything happened to it

"Trust infrastructure components may be used at all levels of information systems, i.e. from application level to network protocols," ENISA's report said. "Trust infrastructures are usually based on strong encryption technology and key management. Examples of trust infrastructures are authentication infrastructures, secure communication protocols, public key infrastructure components, etc."

"Trust infrastructures are extremely important for information security as they build the basis for securing information at many levels; and help authenticating partners or systems by establishing trusted interactions (i.e. trusted connections, trusted transactions, electronic signatures, etc.)," it said.

Due to the "concentration" of data that cloud computing technology provides for, there would be a greater potential impact if hackers successfully exploited weaknesses in those systems, ENISA said. It warned that cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

ENISA added that 'big data', which it said is the aggregation of information generated "as a consequence of the proliferation of social technologies, cloud computing, mobile computing and the internet use in general", had also become an emerging security issue.

"Exploitation of big data will affect data privacy," ENISA said. "At the same time, exploitation of big data through adversaries might open doors to new type of attack vectors."

"A number of challenges have been identified for big data security. Indicatively, these challenges address data protection, data access control and data filtering issues for huge data amount that are beyond the processing power of contemporary Security Information and Event Management (SIEM) products," it said.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.