ABSTRACT
Internet and online security is one of the most important issues facing not only companies and organizations but individuals as well. These concerns are driven by the fact that as the world increasingly grows to use and rely on computers, mobile devices, and the internet; cybercriminals and others including government agencies, are progressively turning their attention to means and methods of exploiting weaknesses in the system. Unfortunately, weaknesses in the system, either through the diversity of devices that are available for use or the means by which those device access the internet or go online, are growing. Despite these trends and issues, however, organizations and individuals to have a number or tools at their disposal that can be employed to establish, at least, a basic level of security. This short paper will attempt to provide background on the internet and online security threat landscape, as well as some recommendation one what organizations and individuals can do to eliminate those threats or mitigate their harms.
Maintaining internet and online security, according to the software and hardware security company Sophos, became a much tougher endeavor in 2013 and those difficulties are likely to continue for the near and long-term. The reason for the growing hardship are the threefold. First, users are making use of a wider array of devices that access the internet that provide cybercriminals and attackers with more vectors to exploit. Second, easily exploitable operating systems and software remain popular among the public. Third, diversification in the methods that cybercriminal employ to conduct an attack make constant surveillance a critical duty rather than a part-time task.
Three threats that Sophos identified illustrate the growing complexity of internet on online security. The Internet of Things (IoT) refers to the range of devices with networking functionality that can communicate with each other over the internet. With more and more devices having access to the internet, Sophos warns that cybercriminal have more links in a defense chain to attack (Sophos, 2014). One successfully, attack, moreover, will allow attackers to access other connected devices. Consequently, the potential of an attacker ultimately accessing important information increases. Android remains the most commonly available operating system on mobile phones. The problem with Android’s ubiquity, according to Sophos, is that it is also one of the easiest operating systems to exploit (Sophos, 2014). Accordingly, cybercriminal have been able to conduct extensive criminal conduct through weaknesses in the Android system. While Android has worked to decrease its exploitability, it remains a high security risk. Lastly, an advanced persistent threat (APT) refers to a targeted attack by a cybercriminal over days, weeks, and even months until a weakness is found and exploited. In the past, APTs were mainly focused on industrial espionage. Nowadays, however, according to Sophos APTS are increasing seem to be focused on gaining access to financial organizations, to basically commit fraud (Sophos, 2014).
One area that Sophos and much of the internet and online security industry point to a primary issue of concern is the security of mobile devices. To be sure, in a 2013 survey of information technology (IT) security professionals, mobile devices “will pose the biggest threat” people’s, organizations’ and companies’ internet and online security in the coming years (Brooks, 2013). The main reason that experts state for the growing mobile device threat is the increasing use by the public to access and use the mobile device for work, communications, living, and entertainment. That threats to mobile devices are the most critical and disturbing trend in internet and online security is reasonable. As mentioned earlier, with the growing interconnectivity of the range of devices including one’s mobile device, cybercriminals have many more avenues to access your mobile device. For example, if a Wi-Fi connected coffee maker does not have robust security features, a hacker can access it, and use it to access your phone which thinking that the coffee maker is a trusted device does not block its accessing of your phone. Moreover, once a phone is compromised, it can act as a Trojan Horse for your company. Again, here the company’s network trusts your phone, and hackers can exploit that trust to access the company’s network.
According to Sophos, there are at least five major internet and online security threat that a mobile device maybe be subject to if they are compromised by malware, and APT, or hack attack. These threats include: (1) conducting surveillance, such as via the device’s camera or GPS software; (2) identity theft, such as remotely sending an SMS text message; (3) financial criminal activity, such as encrypting the device’s content and asking at owner to pay a fee to decrypt it; and (4) data theft, such as accessing the device’s setting and copying account details, contact lists, phone numbers and call logs (Sophos, 2014).
Despite these threats, organizations are not without the means to protect themselves and their mobile devices from internet and online security threats. One method is for the organization to draft and implement a comprehensive mobile device security policy (Sophos. 2013). This policy, which should be drafted with the input of the organization’s internet and online security team or in the alternative a trusted internet and online security company would provide the requirements that a device must comply with if an employee wants “bring their own device” to work. This will help increase security as it will build in safety measures for devices and allow the security team a measure of control and management ability if a breach occurs. A second, security measure that should be considered for employee mobile devices is to download and install a reputable anti-virus and online security software. While no security software can guarantee complete and permanent protect, software from a reputable security company can provide specific protections against the most common types of attacks and intrusions. Internet and online security companies, such as Sophos, are constantly monitoring the threat landscape and using what they learn to update and strengthen their security software. Accordingly, having this basic security on your mobile device is akin to looking the door and windows to one’s home and enabling the alarm system. In other words, it makes it harder for an attacker to enter and warns you when they do.
Beside threats to mobile devices, one of the more alarming internet and online security threats is what Sophos termed the “undermining of hardware, infrastructure and software at the core” (Sophos, 2014). What this refers to is either building backdoors into the software, infrastructure, and hardware; or the mistaken creation of a backdoor by a producer and a finding of the backdoor by another. In both these cases, if the backdoor is known or found, there is no need for the attacker to circumvent security measures. Indeed, security measure would be futile because the attacker can simply go through the backdoor. In other words, there is no defense to someone that has e key to the house. The ways to decrease or eliminate backdoors are twofold. First, manufacturer must be held responsible to their products. Failure to test a product before putting it on the market for security flaws should not be allowed. That is to say, products that are on the market should have a warranty of security establishing that there are no known backdoors for the product. Secondly, companies must be allowed to oppose, as in the Apple versus FBI case, being forced by government agencies to either produce backdoors or supply the keys to the front door.
References
Brooks, C. (2013, Dec. 24). Mobile devices will be biggest business security threat in 2014. Retrieved from http://www.businessnewsdaily.com/5670-mobile-devices-will-be-biggest-business-security-threat-in-2014.html
Sophos. (2013, Jul.). Sample mobile device security policy. Retrieved from https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/Sophos-sample-mobile-device-security-policy.pdf
Sophos. (2014). Security Threat Report 2014: Smarter, shadier, stealthier malware. Retrieved from https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf