Happy now? Mobiles, cloud, big data now 'a growing security risk'

Wheels are about to fall off those bandwagons, warn EU advisors

By OUT-LAW.COM, 11th January 2013

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Innovations in mobile and cloud computing, social technology and the use of "big data" present an emerging risk to organisations' IT security, experts have warned.

The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for "most of the innovation expected in the area of IT" and warned that with their emergence would come an associated increased cyber threat.

ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over "poorly secured ... or unsecured channels". It said that the software used for such systems were not the most "mature", and added that devices were vulnerable to being lost or stolen due to their "mobility". The very fact that they are universally popular also enhances the threat of the technology being exposed to hackers, the agency added.

The most significant threat stems from hackers inserting malicious software in website browser and other software available on mobile devices, known as 'drive-by exploits', ENISA said.

"Drive-by downloads attacks against web browsers have become the top web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash," it said in a new report [96-page / 1.56MB PDF].

"The drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code."

ENISA also warned of an increasing threat that confidential information could be compromised through data breaches, including where information is sent over mobile communication channels. In addition, it said that an "emerging issue" could arise due to the increasing use of mobile to make payments and for doing banking. These activities on mobile platforms "will gain the attention of attackers," it said.

Attackers are also likely to increasingly seek to exploit "low to medium maturity of security controls" contained within social networking technology, ENISA said. One of the main emerging threats in this context is the ability of hackers to "abuse" information that is already in the public domain in order to access social network accounts.

ENISA also warned that hackers will increasingly use "rogue certificates" in order to obtain "fake trust within components of trust infrastructure". Trust infrastructure is becoming of emerging importance as "electronic identity systems for the identification of citizens" are developed.

That's a nice silo of sensitive personal data, you've got there. Would be a shame if anything happened to it

"Trust infrastructure components may be used at all levels of information systems, i.e. from application level to network protocols," ENISA's report said. "Trust infrastructures are usually based on strong encryption technology and key management. Examples of trust infrastructures are authentication infrastructures, secure communication protocols, public key infrastructure components, etc."

"Trust infrastructures are extremely important for information security as they build the basis for securing information at many levels; and help authenticating partners or systems by establishing trusted interactions (i.e. trusted connections, trusted transactions, electronic signatures, etc.)," it said.

Due to the "concentration" of data that cloud computing technology provides for, there would be a greater potential impact if hackers successfully exploited weaknesses in those systems, ENISA said. It warned that cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

ENISA added that 'big data', which it said is the aggregation of information generated "as a consequence of the proliferation of social technologies, cloud computing, mobile computing and the internet use in general", had also become an emerging security issue.

"Exploitation of big data will affect data privacy," ENISA said. "At the same time, exploitation of big data through adversaries might open doors to new type of attack vectors."

"A number of challenges have been identified for big data security. Indicatively, these challenges address data protection, data access control and data filtering issues for huge data amount that are beyond the processing power of contemporary Security Information and Event Management (SIEM) products," it said.