IT Security Issues for 2012

Friday, January 27, 2012

Simon Heron


January is a good time of the year to look ahead and consider how emerging new technologies and solutions might impact your business. 

Redscan’s Simon Heron describes eight key trends that could have serious implications for IT security.

As always, the pace of technological innovation is fast and getting faster. Yet, at the same time, the work place is changing significantly, driven by organisations’ need to become more competitive and efficient. These two factors together mean that there is a lot of change on the horizon for 2012.

As the New Year progresses, IT professionals will need to be prepared for the following emerging trends and technologies:

Bring Your Own

The growth of Bring Your Own (BYO) devices, where employees are allowed to use their own tablets, smartphones and laptops on the company network, is not going to stop. 

The pressure to blur the boundary between work and leisure is compelling, not just from the new Generation Y coming into the workplace, but as a way for companies to make the most of their workforce in the light of international competition from the Far East. 

This will create a problem for IT departments, as they work out how to protect their organisations from devices they neither own nor control.

IPv6 Uptake

The last of the IPv4 addresses have been handed out to local authorities and, in some areas, these have already been allocated. Microsoft bought 666,624 IP addresses belonging to Nortel at the liquidation sale for US$7.5 million, which puts the cost at US$11.25 per IP address. This suggests that the price of IPv4 addresses is set to rise.

In 2012, this issue will affect websites that host their content on IPv4-only servers, and smart businesses will want to get an IPv6 address in addition to an IPv4 address, so that they are prepared when the transition to IPv6 does come. IPv6 is not backward-compatible with IPv4, but companies can “dual stack” their servers so that they answer on both protocols. 

However, a more cost-effective approach will be to install firewalls that can be configured to offer IPv6 on the external, internet-facing side and IPv4 on the LAN or Demilitarised Zone (DMZ) side. This leaves the company network undisturbed and minimises costs, as organisations can leave in place legacy systems that only handle IPv4.
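Whichever route is taken, the first step is knowing which public services already answer on both protocols. The following is an added example, not code from the original article or from Redscan: it takes the A/AAAA records an organisation publishes (a constructed sample here, using documentation prefixes only) and reports which hostnames are IPv4-only, IPv6-only or dual-stacked, flagging records that point at internal ranges or that do not parse. The hostnames, addresses and function names are all assumptions for illustration.

```python
"""Dual-stack readiness report over a constructed set of DNS records.

Added example, not code from the original article or from Redscan. It takes
the A/AAAA records an organisation publishes for its public hostnames and
reports which services are IPv4-only, IPv6-only or dual-stacked, and flags
records that point at internal ranges or that do not parse.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records (documentation prefixes only). In practice these
# would come from a zone export or resolver queries, which this offline
# example does not perform.
SAMPLE_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("www.example.com", "AAAA", "2001:db8:1::10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("api.example.com", "AAAA", "2001:db8:1::20"),
    ("intranet.example.com", "A", "10.0.0.5"),        # internal address leaked into public DNS
    ("mismatch.example.com", "A", "2001:db8:1::30"),  # IPv6 value in an A record
    ("bad.example.com", "AAAA", "2001:db8::g"),       # malformed
]

# Ranges that should never appear in public-facing records.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

def is_internal(addr):
    """True if addr falls in a private, loopback or link-local range."""
    return any(addr in net for net in INTERNAL_PREFIXES if net.version == addr.version)

def classify_records(records):
    """Group records by host into v4/v6 address lists plus a list of problems."""
    result = defaultdict(lambda: {"v4": [], "v6": [], "problems": []})
    for host, rtype, value in records:
        entry = result[host]
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            entry["problems"].append(f"unparseable {rtype} record {value!r}")
            continue
        expected_version = 4 if rtype == "A" else 6
        if addr.version != expected_version:
            entry["problems"].append(f"{rtype} record holds an IPv{addr.version} address {value}")
            continue
        if is_internal(addr):
            entry["problems"].append(f"{value} is in an internal range and should not be published")
        entry["v4" if addr.version == 4 else "v6"].append(value)
    return dict(result)

def readiness(entry):
    """Label one host's entry as dual-stack, ipv4-only, ipv6-only or no-address."""
    has4, has6 = bool(entry["v4"]), bool(entry["v6"])
    if has4 and has6:
        return "dual-stack"
    if has4:
        return "ipv4-only"
    if has6:
        return "ipv6-only"
    return "no-address"

def report(records):
    """Map each host to its readiness label."""
    return {host: readiness(entry) for host, entry in classify_records(records).items()}

def hosts_needing_ipv6(records):
    """Hosts that still need an AAAA record before the transition."""
    return sorted(h for h, label in report(records).items() if label == "ipv4-only")

if __name__ == "__main__":
    classified = classify_records(SAMPLE_RECORDS)
    for host, label in report(SAMPLE_RECORDS).items():
        print(f"{host:24} {label}")
        for problem in classified[host]["problems"]:
            print(f"{'':24} ! {problem}")
```

The record-type check matters because an AAAA record that quietly holds a wrong or malformed value leaves the host effectively IPv4-only even though the zone appears dual-stacked; the internal-range check catches the common mistake of publishing LAN or DMZ addresses in external DNS when the firewall, rather than the server, is the thing that speaks IPv6 to the outside.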

Web-Based Attacks

As more and more systems move “into the cloud”, web-based attacks (such as XSS, SQL injection and DDoS) will continue to gain ground. 

Companies increasingly depend on their websites, and these ‘shop windows’ allow prospective customers to browse and, hopefully, buy their products or services. If the website becomes infected or unavailable, the company suffers not just the immediate loss of business, but a much longer-term loss of trust. 

Will customers ever want to buy from a site that has been infected, leave their credit or debit card details on a site where they might be abused, or buy with the fear that the products or services might not be delivered? In 2012, the focus will be on more testing and stronger defences.
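Two of the attack classes named above, SQL injection and XSS, come down to the same root cause: untrusted input being treated as code. The following is an added example, not code from the original article or from Redscan. It builds a constructed in-memory SQLite product catalogue, implements a search endpoint the vulnerable way (string concatenation) and the hardened way (parameter binding), renders the results with and without output encoding, and uses the probe inputs a tester would send to show where each defence holds. Table, product names and function names are all assumptions for illustration.

```python
"""SQL injection and XSS: the vulnerable pattern beside its hardened form.

Added example, not code from the original article or from Redscan. It runs
an in-memory SQLite table of constructed products through two versions of
a product-search endpoint, then renders the results two ways, so a test can
show exactly where each defence holds.
"""
import html
import sqlite3

def make_db():
    """Constructed catalogue: two public products and one that must stay hidden."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("Widget", 1), ("Gadget", 1), ("Unreleased prototype", 0)],
    )
    conn.commit()
    return conn

def search_vulnerable(conn, term):
    """Concatenation: the user's text becomes part of the SQL itself."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """Parameter binding: the term is always a string value, never SQL."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def render_vulnerable(term, names):
    """Echoes the search term into HTML unescaped (reflected XSS)."""
    items = "".join(f"<li>{n}</li>" for n in names)
    return f"<p>Results for {term}:</p><ul>{items}</ul>"

def render_safe(term, names):
    """Escapes everything that originated outside the application."""
    items = "".join(f"<li>{html.escape(n)}</li>" for n in names)
    return f"<p>Results for {html.escape(term)}:</p><ul>{items}</ul>"

# Probe inputs a tester would use: a tautology that comments out the rest of
# the query, and a tag that should come back escaped.
SQLI_PROBE = "x%' OR 1=1 --"
XSS_PROBE = "<script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, SQLI_PROBE))  # leaks the hidden row
    print("safe:      ", search_safe(db, SQLI_PROBE))        # nothing matches
    print(render_safe(XSS_PROBE, search_safe(db, "Wid")))
```

With the concatenated query, the `public = 1` filter is silently bypassed and the hidden row is returned; with the bound parameter the same input is just an unusual product name that matches nothing. The same principle applies on output: escaping at the point where data meets HTML is what keeps a stored product name or a reflected search term from becoming script in the customer's browser.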

Facebook and Twitter Accounts

It seems that more and more sites are presenting the option of logging in through Facebook or Twitter accounts. In some cases, this is becoming the only option: if you want a Spotify account, you need to get a Facebook account first. 

Turntable.fm is another music-sharing service that requires a Facebook account, and even sites that are not exclusive make it difficult to find out how to log in without using either Facebook or Twitter. If this trend continues, then one username/password pair will access multiple accounts – and this is something that has traditionally been considered a bad policy. 

However, perhaps more of a concern is that Twitter and Facebook have been hacked in the past and it is likely that they will be targeted again in the future. Just how much fun a hacker will have with this is something that is a worry.

Near Field Communication

Near field communication (NFC) technology for mobile payments or peer-to-peer networking makes it easier to do everything from paying for your burger to exchanging data. But there have been a number of vulnerabilities, including poor algorithms and bad implementations, and thieves have been able to use services they have not paid for or take money from unsuspecting users.

Currently, you can buy the Google Nexus S phone, which carries an NFC chip and the Google Wallet companion app for syncing your credit cards to your phone and making mobile payments at participating vendors. 

Meanwhile, RIM is putting NFC chips into newer phones such as the BlackBerry 9900, and recently it introduced Tag, a RIM-specific feature that allows BlackBerry users to transfer contact information and documents. Will this allow data leakage or IP theft?

The latest version of Android, Ice Cream Sandwich, is built to let app developers take advantage of the many uses for NFC, such as setting up peer-to-peer connections between phones simply by tapping the phones’ backs to each other. So without a doubt, in 2012 you’ll see more phones with these chips built into them, as well as more apps that employ the technology.

Processing in the Cloud

Some devices such as smartphones, tablets and even cameras have the ability to process complex information on remote servers. Apple’s Siri is a good example: this virtual assistant sends the voice request input from an iPhone 4S to Apple’s data centres, which then process the audio, identify what is required and send the answer back to the phone. 

Google does this with pictures taken by the user. A picture of a book or landmark taken by a user is sent to and analysed at a Google data centre, which returns a search page relevant to the image.

This way of enhancing the processing power of the smart device is only going to increase, with more information being ‘invisibly’ sent to the cloud for processing. The boundaries of where data is allowed to reside will, as a result, expand without the explicit knowledge of the data owner, and this could mean that a company becomes non-compliant with industry regulations.

HTML 5

Hopefully the take-up of HTML 5 will mark an improvement in website security. It will remove the need for Adobe Flash, with all the vulnerabilities that this application has introduced over the years. 

In November 2011, Adobe announced it would no longer develop its mobile Flash Player, because HTML 5 has been better received. In some cases, HTML 5 will replace the need for apps, and this can only improve the security landscape. 

Furthermore, this technology should make it easier and cheaper for developers to introduce interactivity into browsers as they no longer need to buy and install proprietary plug-ins to create click-responsive graphics or to embed video.

Reduction in the Use of Optical-Disc Drives

How often are optical discs used these days, given that a movie can be downloaded in two minutes at any airport or coffee shop? The answer is: not often. What is more, when optical discs are used, these tasks frequently could have been done in a number of alternative ways. 

So in 2012, there will be fewer laptops with optical drives, which means that at least one way of infecting the network is going to be removed. This is not a huge benefit, but something positive in light of the usual glum predictions!

Fewer Tablet Manufacturers

Another bit of good news, given the trend towards BYO, is that the number of tablet manufacturers is likely to fall. Whilst there is a good market for tablets, there is currently a huge number of companies trying to get into the space with tablets that are no match for Apple’s iPad. 

However, a few will get it right and will be able to compete in the long term; the others will fall by the wayside, simplifying the network landscape.

Cross-posted from Redscan
