Vulnerabilities / Threats //

Insider Threats

10:30 AM
Steve Durbin
Steve Durbin
Connect Directly
E-Mail vvv

A False Sense of Security

Emerging threats over the next two years stem from biometrics, regulations, and insiders.

Over the coming years, the foundations of today's digital world will shake — violently. Innovative and determined attackers, along with big changes to the way organizations conduct their operations, will combine to threaten even the strongest establishments.

At the Information Security Forum, we recently released "Threat Horizon 2020," the latest in an annual series of reports that provide businesses a forward-looking view of the increasing threats in today's always-on, interconnected world. In this report, we highlight the top threats to information security emerging over the next two years, as determined by our research.

Let's take a look at a few of our predictions and what they mean for your organization.

Biometrics Offer a False Sense of Security
Biometric authentication technologies will flood into every part of an organization, driven by consumer demands for convenience and the promise of added security for corporate information. However, organizations will quickly realize that they are not as protected as they thought as this sense of security turns out to be unfounded. Attackers will learn to find increasingly sophisticated ways to overcome biometric safeguards.

Demands for convenience and usability will drive organizations to move to biometric authentication methods as the default for all forms of computing and communication devices, replacing today's multifactor approach. However, any misplaced trust in the efficacy of one or more biometric methods will leave sensitive information exposed. Attacks on biometrics will affect finances and damage reputations.

Existing security policies will fall well short of addressing this issue as organizations — from the boardroom down — use new devices that depend on biometric technology. Failure to plan and prepare for this change will leave some organizations unwittingly using a single, vulnerable biometric factor to protect critical or sensitive information.

New Regulations Increase the Risk and Compliance Burden
By 2020, the number and complexity of new international and regional regulations to which organizations must adhere, combined with those already in place, will stretch compliance resources and mechanisms to breaking point. These new compliance demands will also result in an ever swelling "attack surface" that must be protected fully while attackers continually scan, probe, and seek to penetrate it.

For some organizations, the new compliance requirements will increase the amount of sensitive information — including customer details and business plans — that must be stockpiled and protected. Other organizations will see regulatory demands for data transparency resulting in information being made available to third parties that will transmit, process, and store it in multiple locations.

Balancing potentially conflicting demands while coping with the sheer volume of regulatory obligations, some companies may either divert essential staff away from critical risk mitigation activities or raise the impact of compliance failure to new levels. Business leaders will be faced with tough decisions. Those that make a wrong call may leave their organization facing extremely heavy fines and damaged reputations.

Trusted Professionals Divulge Organizational Weak Points
The relentless hunt for profits and never-ending changes in the workforce will create a constant atmosphere of uncertainty and insecurity that reduces loyalty to an organization. This lack of loyalty will be exploited: the temptations and significant rewards from leaking corporate secrets will be amplified by the growing market worth of those secrets, which include organizational weak points such as security vulnerabilities. Even trusted professionals will face temptation.

Most organizations recognize that passwords or keys to their mission-critical information assets are handed out sparingly and only to those that have both a need for them and are considered trustworthy. However, employees who pass initial vetting and background checks may now — or in the future — face any number of circumstances that entice them to break that trust: duress through coercion; being passed over for promotion; extortion or blackmail; offers of large amounts of money; or simply a change in personal circumstances.

While the insider threat has always been important, more than the organizational crown jewels are under threat. The establishment of bug bounty and ethical disclosure programs, together with a demand from cybercriminals and hackers, means the most secret of secrets (essential penetration test results and vulnerability reports, for example) are extremely valuable. Organizations that rely on existing mechanisms to ensure the trustworthiness of employees and contracted parties with access to sensitive information will find existing mechanisms inadequate.

Preparation Must Begin Now
To face mounting global threats, organizations must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in nontechnical roles.

The themes listed above could affect businesses operating in cyberspace at breakneck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren't prepared.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info


Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was Senior ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/4/2018 | 6:44:40 PM
the security issues
we always prefer security for our devices and also conscious of our privacy. but here I get proper ideas about the false sense of the security. I visited mobile repair Dubai for more details.
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-24
WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.
PUBLISHED: 2019-04-24
An issue was discovered in Npcap 0.992. Sending a malformed .pcap file with the loopback adapter using either pcap_sendqueue_queue() or pcap_sendqueue_transmit() results in kernel pool corruption. This could lead to arbitrary code executing inside the Windows kernel and allow escalation of privilege...
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.