2016: networks and mobile devices come under attack
App vulnerabilities and hidden SSL attacks main threats for networks and mobile devices in 2016
Backdoor attacks are going to increase in the coming year, as cyber criminals exploit patchy mobile security and SSL blindspots to gain access to private data and company networks. Many of the security products businesses rely upon are not equipped to monitor hidden gateways into the network. As a result, organisations will need to invest in plugging these gaps to ensure defences can mitigate against an increasingly varied and powerful threat landscape.
A false sense of security: SSL encryption
Over the past few years, SSL encryption has become popular for both application owners and hackers. Encryption improves security by providing data confidentiality and integrity. However, encryption also allows cyber criminals to conceal their exploits from security devices like firewalls, intrusion prevention systems and data loss prevention platforms. Some of these products cannot decrypt SSL without degrading performance, while others simply cannot decrypt SSL traffic at all because of their location in the network.
Today, encryption accounts for roughly one-third of all Internet traffic, and it’s expected to reach two-thirds of all traffic next year when Internet powerhouses like Netflix transition to SSL. As a result, encrypted traffic will become the ‘go-to’ way of distributing malware and executing cyber attacks simply. Whether sharing a malicious file on a social networking site or attaching malware to an email or instant message, many attacks will be cloaked in SSL.
On top of this threat, movements like Let’s Encrypt make it even easier for hackers to generate SSL certificates to sign malicious code or to host malicious HTTPS sites.
A ubiquitous threat: the mobile device
2016 will also see a sustained increase in the number of attacks targeting mobile devices. The sheer number of mobile devices, the amount of malware (20 million apps by the end of 2016, according to Trend Micro), and the inherent vulnerabilities present in even legitimate mobile apps means that a major breach is bound to happen.
To put it into perspective, Cisco recently released an advisory about a vulnerability in its WebEx for Androids app. This particular flaw leaves the app vulnerable to an exploit that could allow a secondary malicious app to acquire the same permissions as the WebEx application. Typically, an app will ask for permissions, effectively tipping the user to its intent. But by exploiting this vulnerability, the app can gain access without any notification. With millions of potential targets (as many as 5 million may have downloaded the app), it’s only a matter of time before a vulnerability like this results in a major incident. Fortunately, at this time there are no reports of this particular exploit resulting in a breach.
Additional threats exist in spear phishing attacks that exploit the fact that mobile users are more likely to click on a malicious link simply because it’s harder to identify it as suspicious on a smaller screen. Malware designed to look like valid apps can convince unsuspecting users to enter login data that can then be used to gain access to legitimate sites storing detailed personal and financial data. Mobile device users, particularly Android owners, need to remain diligent in validating what apps and attachments they choose to download.
What you can do to prepare for 2016
To counter the threat posed by SSL encryption, organisations can decrypt and inspect inbound and outbound traffic for cyber attacks. A dedicated SSL inspection platform enables third-party security devices to inspect encrypted traffic for threats and eliminate the blind spot in corporate defences.
To mitigate mobile threats, organisations should implement a multi-layered defence system that can protect cloud or on-premise servers as well as mobile devices. This will ensure that the system as a whole does not come under attack as a result of a single breached device. While employees cannot always predict the future, organisations will be ready to handle future risks with the right security technologies and processes in place.