With the pace of technical innovation rapidly increasing, the challenges in the realm of IT security issues become ever more complex. Every new innovation brings with it security concerns new and old. The hacker industry views every new innovation as a new opportunity to exploit new vulnerabilities before IT professionals identify the new threats. This causes many in the field of information security to embrace a reactive instead of pro-active mindset.
It is important to realize that good security fundamentals can go a long way toward preventing networks from being compromised, even by new attacks. Armed with vigilant security professionals always seeking out new vulnerabilities and countering them while maintaining a strong security culture, businesses are not helpless against the persistent and determined elements of hacker industry. Below is a list of the top IT security issues and vulnerabilities, some specific, some general, that should give business leaders a good idea of what can be done to harden their networks against a wide range of attacks.
Sponsored Research on IT Security Issues and Related Topics
Business Research Guide’s Top 10 IT Security Issues of 2012
Man in the Broswer (MitB) Attack
This attack is primarily used to modify financial transactions in online banking. Essentially it uses browser based malware to perform a variation of a Man in the Middle attack. When a person executes a financial transaction with their bank, the malware intercepts and modifies the transaction, while displaying the result intended by the client in the browser, the client remains unsuspecting until he notices the irregularities in his account.
The MitB attack can also be used to intercept and redirect other types of information depending on the goals of the attacker. Some versions of this malware uninstall afterwords, leaving no trace. Typically businesses see it as the responsibility of the client to manage their own security, but as some versions of this attack are undetectable even by anti-virus software, many are instituting business practices that aid in circumventing this type of attack. The most common method is “Out of Band” verification, which uses a method of verification that does not involve the client’s browser, most often SMS. This measure can be circumvented if the client’s mobile device is also compromised by MitB malware but it does provide more protection the alternative.
The Inside Man
Trust is important. Employers must have some trust in their employees. Where is the line between trust and security to be drawn? Any company dealing with sensitive information is vulnerable to exploitation by their employees. Now more than ever businesses must take every precaution to protect themselves and their customers from an internal threat. Nothing undermines a company’s credibility like customer information being compromised from the inside. Extensive background checks are one obvious solution, these at least assure businesses that they aren’t hiring a known criminal. Another solution is to limit access to sensitive information to a need to know basis. This protects not only your customers and your business, but also protects your employees from being implicated in crimes they could not have committed. Should something questionable occur, it also narrows the suspect list and expedites the investigation so that the situation can be resolved quickly before damage is done.
Wireless Network Security
As wireless technology has become standard in many businesses, the threat of wireless attack is increased significantly. Even encrypted wireless networks can be penetrated. No company wireless network should ever be connected to an internal network that stores sensitive company or customer information. Wireless networks can be convenient for companies but that convenience works both ways.
Weak passwords are the bane of every IT manager’s existence. Attackers have only to compromise the right account through brute force or dictionary attacks and they can gain access to a plethora of sensitive data. Long passwords are inconvenient, and can be difficult to remember, but companies don’t lose millions of dollars per year to long passwords. There are many misconceptions in password construction that persist even among IT professionals. A little bit of research on this topic can go a long way toward simplifying the process and creating more secure passwords, thus minimizing IT security issues in this area. Limited password entries leading to an account freeze is another important aspect of account security both internally and externally.
Smartphones, Tablets and Wireless Devices
The rate at which phones and tablets are advancing in versatility and processing power is increasing exponentially. Along with these advancements comes additional IT security issues. Mobile malware designed to compromise a network simply upon the connection of the phone or device. Because most people do not think of their phone as a computer yet, they often do not consider the need for anti-virus software for their mobile device. This means phones can be used as a trojan horse to compromise networks from the inside. This is another reason why no wireless network, encrypted or otherwise, should have access to sensitive company information.
There has been a significant increase in cyber attacks originating in antagonistic industrializing nations. This is quickly becoming the most common origin for “Advanced Persistent Threat” attacks. These attacks employ persistence and multiple attack vectors as their primary weapon. Because they are fully funded and sponsored by the government, they do not have the same resource restictions as private groups. This means time is on their side. One might think that these attacks would be levied toward government resources but this is not always the case.
Industrializing nations seeking to catch up to more developed nations may direct cyber attacks at businesses in order to steal their intellectual property; saving themselves the cost of research and development or even reverse engineering. There are many companies developing software to combat these attacks by detecting intrusions and patching the breach before it is too late. It is important to implement security procedures that buy time should an intrusion occur so that one successful penetration does not compromise an entire network. Heavily restricted account permissions and encyption can help safeguard sensitive data against these attacks.
More Government Regulation
Governments are becoming more involved with public sector security, especially privacy protection. These regulations can cause a false sense of security. Meeting government regulations should be viewed as the minimum security required to secure networks and data. Meeting the regulations is a good start, but the hacker industry is clever and persistent. Businesses should be prepared to go the extra mile in regards to security for the safety of themselves and their customers.
IT Security Issues and Social Engineering
Confidence men have been compromising sensitive data for thousands of years and are no less adept at gaining unauthorized access to networks. The best passwords and encryption in the world will not protect a business from somebody capable of walking through their doors and convincing somebody to tell them their password. Some of the most serious data breaches and IT security issues in history have resulted from just that. Strict policies on what information should not be shared among co-workers or anybody under any circumstances should be instituted. Employees should be educated on various social engineering tactics employed by criminals to acquire information that can lead to the penetration of networks and data theft.
SQL Injections and IT Security Issues
These are simple attacks against known exploits. They take advantage of sloppy code and sloppy security measures. These are one of the easiest types of attacks to execute and can be very effective if the necessary precautions have not been taken. A well designed database query language can go a long way toward preventing these attacks. This type of attack is so simple, and still overlooked by many businesses, but the right kind of attack can be used to cause database to dump its information to the attacker. This kind of attack is commonly used to steal credit card and other personal information.
IT Security Issues with Uncompartmentalized Data
Data compartmentalization and access control is important when securing a network. Data access should be on a need to know basis. One compromised account should never allow broad access to company or customer data. This is built in damage control. Banks do not give the vault combination to every employee for a reason. In addition, each data set should be assigned a security value and should be secured according to that value. This way a business remains efficient while ensuring that all data is secured in direct proportion to its value.
Further Reading on IT Security Issues