Security continues to be the number one challenge for BIT because our state's data and technology systems are an attractive target for organized crime. We must secure these systems against criminals, hostile foreign governments and malicious cyber attacks. BIT studies the attack vectors in order to better understand how these adversaries operate and to better defend state resources.
In a continued effort to educate state employees on cyber security awareness, each month the BIT blog will feature at least one security article. Below is a brief round-up of some of the emerging trends and threats ahead for 2013, listed in no particular order, but all items that we need to be aware of.
Mobile Devices
As the use of mobile devices grew in 2012, so too did the volume of attacks targeting them. Every new smartphone, tablet or other mobile device provides another opportunity for a potential cyber attack. Many enterprises have incorporated these devices into their networks. In some cases, organizations allow employees to "Bring Your Own Device" (BYOD); in state government we refer to this as the Remote Access Device (RAD) policy. This increases the cyber security risk for an organization, particularly when it does not have control over the employee's personal mobile device. Risks include access to corporate email and files, as well as the ability of mobile apps to download malware, such as keyloggers or programs that eavesdrop on phone calls and text messages.
Social Media
The use of social media sites has grown beyond just sharing personal information, such as vacation photos and messaging. These sites are now used for advertising, purchasing and gaming. In 2013, attackers will look to exploit this volume and variety of shared data to harvest credentials or other Personally Identifiable Information (PII), such as social security numbers.
Spear Phishing Attacks
Spear phishing is a deceptive communication, such as an e-mail, text or tweet, targeting a specific individual and seeking to obtain unauthorized access to personal or sensitive data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators seeking financial gain, trade secrets or sensitive information.
Ransomware
Ransomware is a type of malware that is used for extortion. The attacker distributes malware that takes over a system by encrypting its contents or locking the system; the attacker then demands money from the victim in exchange for releasing the data and/or unlocking the system. Once payment is delivered, the attacker may or may not provide the data or access to the system. Even if access is restored, the integrity of the data is still in question.
Hacktivism
Attacks carried out as cyber protests for politically or socially motivated purposes, or "just because they can," have increased and are expected to continue in 2013. Common strategies used by hacktivist groups include denial of service attacks and web-based attacks, such as SQL injection. Once a system is compromised, the attacker will harvest data, such as user credentials, to gain access to additional data, emails, credentials, credit card data and other sensitive information.
Advanced Persistent Threat
Advanced Persistent Threat (APT) refers to a long-term pattern of targeted hacking attacks that use subversive and stealthy means to achieve continual, persistent exfiltration of data. The entry point for these types of espionage activities is often an unsuspecting end user or weak perimeter security.
What Can You Do?
By following sound cyber security practices, users and organizations can strengthen their readiness and response, helping to defend against the myriad challenges and to mitigate the potential impact of incidents:
- Enable encryption and password features on your smartphones and other mobile devices.
- Use strong passwords that combine upper and lower case letters, numbers, and special characters, and do not share them with anyone. Use a separate password for every account. In particular, do not use the same password for your work account on any other system.
- Do not use your work email address as a "User Name" on non-work related sites or systems.
- Be cautious regarding all communications; think before you click. Use common sense when communicating with users you DO and DO NOT know. Do not open email or related attachments from unknown sources.
- Do not reveal too much information about yourself online. Depending on the information you reveal, you could become the target of identity or property theft.
- Be careful with whom you communicate or to whom you provide information on social media sites. Those "friends" or games might be looking to steal your information.
- If the device is used for work purposes, do not share that device with friends or family.
- Please contact BIT staff for additional questions or concerns on state government cyber security policies.