As enterprises strive to innovate and reinvent themselves through digital transformation strategies, business processes are being reshaped, productivity is being redefined and customer experience is once again at the forefront. This new landscape is forcing leaders to address new challenges. Hyperconnectivity, mobility and the Internet of Things (IoT) have created new business models:

  • As of 2015, Uber, the world’s largest taxi company, owns no vehicles.
  • Facebook, the world’s most popular media owner, creates no content.
  • Alibaba, the world’s most valuable retailer, has no inventory.
  • Airbnb, the world’s largest accommodation provider, owns no real estate.

They have also played a substantial role in changing socioeconomic behaviors:

  • According to the International Labour Organization, by the end of 2015, there will be more than 7.3 billion people in the world, of which 4.3 billion will be in the employment market. That gives us a 60 percent employment-to-population ratio.
  • At the same time, the August 2014 Symantec Intelligence Report predicted that 1.3 billion people — or 30 percent of the population — will routinely work remotely. There will also be 4.9 billion connected things, according to Gartner Predicts 2015; the IoT is already everywhere.
  • The digital phenomenon is transforming businesses and lives and has given us the power to change the world around us. Millennials, or members of Generation Y born between 1980 and the early 1990s, currently represent close to 20 percent of the working population. That number will rise to 75 percent by the end of 2025. This generation will clearly drive the new workforce behaviors; they grew up with technology, are keen to learn new things, want flexibility and have high expectations of their employers. They are also considered assets by companies that understand that expensive attrition will be generated by lack of geographical or work-life flexibility, as well as lack of up-to-date technology.

We all remember when Wi-Fi was regarded with suspicion by information security professionals, and we also remember when employees started to bring their own devices to work and demanded connectivity. The IoT is the next evolution.

Good Things Come to Those Who Bait

Young professionals, while technology savvy, may lack cybersecurity shrewdness and can leave their employers exposed to cyberattacks. Several behavioral studies point to the fact that these workers have lost unencrypted computers or mobile devices, often with unrestricted access to corporate information. Many also admit to being unaware of their company’s security policy or, worse, to not believing security to be their responsibility.

How often have we heard of data breaches resulting from employee behaviors, either from falling victim to phishing attacks, managing passwords in unprotected documents or sharing passwords across applications or with family or colleagues? And how often do we see those sharing corporate documents to cloud applications without the knowledge of their IT department, emailing work files to personal accounts or copying data to portable devices?

In today’s hyperconnected world, individuals have numerous online personas and interact with multiple websites and applications on a daily basis, both within and outside of the enterprise. The growth of the mobile workforce may make it easier for criminals to hack their way to private data, all the more so because the IoT increases the amount of sensitive information that is retained. And criminals evolve with the times while we struggle with legacy infrastructures. Phishing scams have now moved to social sites, and lawyers are being warned about the ethical issues raised by inaccurate LinkedIn endorsements.

The results are startling:

  • In the U.K., identity crime represented 48 percent of all fraud in 2014, and 82 percent of identity-related crime was committed online, according to CIFAS Fraudscape 2015.
  • Verizon’s 2015 Data Breach Investigations Report found that 23 percent of recipients open phishing emails and 11 percent click on attachments. About 50 percent open emails and click on links within the first hour. A phishing campaign of just 10 emails has a 90 percent success rate.

With more mobility, social media, bring-your-own-device (BYOD) policies and the oncoming tide of the IoT, from wearables to connected cars, the biggest challenge to any business is coping with modern working practices. Meanwhile, the biggest hurdle for information security professionals is enabling their business with secure solutions that foster innovation and growth.

On Cloud Nine

It’s no wonder we are experiencing an increased reliance on cloud and managed services and third-party suppliers of all kinds to cater to this new normal. The main reasons for this popularity are:

  • Price;
  • Flexibility;
  • A desire for mobile working, independent of specific machines;
  • A pursuit of the holy grail of omnichannel delivery.

This, in turn, brings new challenges:

  • Regulations, including privacy, geography, tenancy, collocation and jurisdiction;
  • Privacy and security issues, such as data ownership, remote access, risk and asset management and more.

Consequently, many will wonder whether we have reached a point where a new approach to security is needed. The majority of businesses are struggling to strike the right balance between application performance, availability and security because of disjointed, complex and hard-to-manage infrastructures. This is exacerbated by the growth in BYOD and the mobile workforce, resulting in an estimated 45 percent increase in security risks from within an organization’s network by 2017, according to Freeform Dynamics. With cloud and mobility on the rise, the perimeter firewall will handle more internal-to-internal traffic and, by 2018, cloud will represent 76 percent of total data center traffic, according to the Cisco Global Cloud Index: Forecast and Methodology 2013–2018.

Are We Ready for the Application Economy?

Most will agree that new working patterns will challenge application access and security and that poor or unpredictable application performance negatively impacts a business. Consequently, many recognize the need to move from network perimeter to application perimeter, but very few have deployed any form of application delivery control. This is confirmed in “The State of Mobile Application Insecurity,” which highlighted some worrying trends:

  • About 40 percent of large companies, including many Fortune 500 businesses, are not taking proper precautions to secure their mobile apps.
  • One-third of companies never test their apps.
  • Only 5.5 percent of the total app development budget is allocated toward ensuring mobile apps are secure.

The challenge is clear: As employees move toward increasingly complex and challenging digital footprints, demanding easy and secure access to their information and applications, IT divisions must have tighter security, complete oversight and proper controls in place to ensure that the corporation and its assets are protected.

Hyperconnectivity and the growth of the application economy, combined with a lack of business readiness, have facilitated the explosion of cybercrime, highlighting the need for a paradigm shift from network perimeter to application perimeter. As the IoT expands the potential attack surface to expose even more personally identifiable information, we must embrace a new approach to security. This becomes more pressing as time goes by.

The growth in mobility and connected devices, including wearables, increases the value of security services. In addition, identity and authentication technologies are seen as a potential gold mine for technology entrepreneurs, startups and venture capitalists. In a recent survey by ESG Research, 55 percent of information security professionals believe that username-password authentication should be completely eliminated or relegated to nonbusiness critical applications only. This paves the way for new approaches to identity and access management as well as multifactor authentication, which has already seen recent innovation in the form of biometrics. Indeed, the IoT will redefine the concept of “identity management” to include what people own, share and use.

Many national regulators have issued guidelines and best practice on these topics, including the U.K. Information Commissioner’s Office. The impending Payment Services Directive 2 will provide an unprecedented boost to security and authentication companies in Europe. Numerous other examples can be found, including national digital identity initiatives.

Read the Ponemon Study on the State of Mobile Application Insecurity

Be Prepared for the Internet of Things

As businesses become aware of the increased threats associated with new technologies such as the IoT or struggle with BYOD, they will face new challenges. These obstacles include increased security threats, data privacy concerns, identity and access management, compliance and regulatory requirements and ownership of technology and data.

When criminals increase in sophistication and get better at knowing you and your business, it’s time to stack the odds in your favor:

  • Know Yourself:
    • Classify your information and application assets.
    • Develop and enhance an application security strategy.
    • Understand your risk and threat profile.
  • Invest in People:
    • Track new working behaviors and trends.
    • Implement flexible and focused security strategies and usage policies.
    • Understand your customers.
    • Increase training and raise awareness.
  • Be Prepared:
    • Monitor identity and authentication trends closely.
    • Prioritize BYOD integration strategies for legacy infrastructure.
    • Begin logging, monitoring and sharing threat intelligence.
    • Practice effective and inclusive incident monitoring and response.

After all, technology evolves, but human behavior doesn’t. To quote Niccolo Machiavelli, circa 1532, “Men are so simple and yield so readily to the desires of the moment that he who will trick will always find another who will suffer to be tricked.”
