More malicious attacks on the threat horizon, warns ISF

The Information Security Forum (ISF) is warning of an increase in malicious threats including attacks from organised crime and industrial espionage, along with a rise in mobile malware and Web 2.0 vulnerabilities.

These are just some of the predictions that will heighten information security challenges over the next few years, highlighted in an ISF report entitled Threat Horizon 2010. The report draws on the knowledge and practical experiences of ISF Members, comprising some 300 of the world's largest business and public sector organisations.

The ISF is already seeing a shift from indiscriminate events to highly targeted and planned attacks by organised crime groups that are developing more sophisticated 'business' models for extorting the e-economy and money laundering. A combination of social engineering and technical attacks are increasingly being used to steal identities and information in order to commit fraud.

"Criminal groups now see online crime as a lucrative and low risk alternative to robbing a bank," says Andy Jones, a Senior Research Consultant at the ISF and the report's author. "And with the problems of protecting large volumes of sensitive information held in organisations electronically, businesses are also under the increasing threat from targeted espionage and the loss of competitive advantage or intellectual property."

The ISF also warns of the proliferation of malware aimed at mobile devices, which do not have the same anti-virus or security controls as traditional networks and PCs. The growing trend of mobile and remote working will inevitably attract new forms of mobile malware designed, for example, to create fraudulent payments or denial of service attacks.

"The mobile internet is still in its relative infancy and it is important that consumers do not lose confidence in mobile transactions," says Jones. "Companies will also face new challenges to manage and secure their corporate mobile devices to prevent employees from leaking information, either voluntarily or involuntarily."

A third area of growing risk according to the ISF is the rise of social networking sites such as Facebook and Bebo that have become a popular part of office culture. In addition to providing another channel for the accidental leakage of corporate information, the ISF believes that cyber criminals will adapt new methods of attack to target the vulnerabilities of social networking sites. Virtual worlds such as Second Life may also present new risks if brand damage in the virtual world translates back into the real world.

Other threats on the horizon according to the ISF include the weakening of infrastructures due to power cuts and internet failures; tougher legislation and compliance burdens; increased outsourcing and off-shoring operations; insecure coding that is vulnerable to attack; and erosion of the traditional network boundary that leaves data at greater risk.

And finally, the ISF report highlights the risk presented by a new techno-generation corporate culture driven by a younger, more technologically aware workforce. While more technically adept, these new employees must also be made fully aware of information risks and the need for tighter controls that may restrict their IT freedom.

"While predicting the future is an inexact science, we have drawn on the collaborative knowledge and experiences of nearly 300 ISF Member organisations to provide an insight into the infosecurity challenges that lay ahead," said Andy Jones. "The report that is available to ISF Members will allow organisations to take informed, cost-effective and proactive actions in order to mitigate these emerging risks."

Threat Horizon 2010 is one of over 200 authoritative reports along with information risk methodologies and benchmarking tools  that are available free of charge to ISF Members. The ISF is a not-for-profit international association of almost 300 leading international organisations that has already invested over US$100 million in research and the development of practical, business driven solutions to information security and risk management problems.