Second, a simple but powerful message must be consistently communicated throughout the organization: don’t accept friend requests from people you don’t know, especially if they’re attractive. Last month PC World reported on a team of cyberdefense specialists who broke through the defenses of an unnamed US federal agency by posing as attractive females on Facebook and LinkedIn. “Every time we include social engineering in our penetration tests we have a hundred percent success rate,” team member Aamir Lakhani told the magazine. A wide range of free threat-awareness training tools are available from Cisco; they provide valuable information that can be disseminated throughout a company’s security team as well as the organization at large.
Finally, a host of solutions from companies like EdgeWave, Websense and others enforce policies that permit the limited use of sites such as Facebook but disable attack surfaces enabled by in-app services like chat.
M2M security challenges are also growing and require new solutions. When Pipeline examined M2M security early last year, Scott Swartz, founder and CEO of MetraTech, suggested that CSPs “provide a gateway between M2M endpoints and M2M management platforms and any external interface,” because it’s necessary that both control data and communication data are encrypted by a gateway in order to prevent spoofing and a host of other attacks. One solution is an embedded VPN gateway—Cavium and SSV Software Solutions are among the vendors that offer them—that encrypts packet data directly at the source and works well with cloud deployments.
Since we know that everything will eventually be hacked, security becomes a question of how to avoid damage and which doors to lock first. CSPs should expect intrusions and attacks aimed at mobile devices, social networks, connected TVs, BYOD deployments and cloud-enabled platforms, and in the near future M2M devices will become common targets. Fully testing network elements, software and code before they reach the wild is essential, as is sharing threat information in a secure, collaborative manner.
Generally speaking, CSPs have been relatively lax in regard to enforcing security policies across their user bases, a situation that must change as soon as possible. Since customers are carrying mobile devices in their pockets that have access to the network core, it may be wise for CSPs to imagine their business as one large IT organization; in an era of increasing threats, it seems strange not to extend a legible facsimile of internal IT security policies to the end-user device level. Customers need to be incentivized to approach device and application security with vigor.
Hackers will undoubtedly attack every potential surface, from connected washing machines to LinkedIn accounts. The level of damage from these attacks, however, will be directly proportional to the level of proactivity on the part of service providers, and with the solutions that are available today, there’s no reason to expect that the cost of the damage will rise any faster than the frequency of the attacks.