Employees' Droids among biggest government cyber menaces

Researchers expect 'bring your own devices,' cloud computing and compromised websites to threaten government data security next year.

In 2012, agencies should worry about hackers attacking the growing number of federal employees toting their own iPhones and Droids to work, according to a forecast of next year's greatest cyber dangers compiled by M86 Security Labs.

On Tuesday, the network security firm is expected to release its annual predictions of the top computer threats to business and government organizations. At federal agencies, the biggest targets are likely to be employee-owned devices, a department's own public website and cloud services.

"The Android is very much a victim of its own success" because any developer can publish innovative -- or malicious -- software applications to Google's Android Market, Bradley Anstis, M86 vice president for technical strategy, said in an interview. Apple is more selective in vetting programs for its App Store. Most government agencies that M86 works with, including NASA, have a bring-your-own-device policy, he said.

"All organizations should be concerned with the increasing number of employees who use their own devices at work and sync organizational data, such as email and files, to these unmanaged devices," notes the report reviewed by Nextgov.

Agencies without policies to manage security on an employee's smartphone or tablet may have no way of protecting government data from online viruses, according to the research. "If they are using the devices to browse the Internet, can you control where they're going on the Internet?" Anstis questioned.

Even devices that are centrally managed could be vulnerable to intrusions in 2012 because mobile antivirus software has not yet matured, the report says.

According to M86, in 2011, the top three trends in breaches were targeted attacks, such as one directed at security firm RSA to retrieve intelligence for piercing Lockheed Martin Corp.'s networks; social media threats; and mobile malware.

"Perhaps one of the most troubling security trends is the development of malware that exploits vulnerabilities on mobile devices," the report states. Criminals are taking advantage of the wireless market to penetrate smartphone hard drives and turn the devices into bots, or dummy computers that they can operate remotely.

Separately, an agency's own public home page could be one of the biggest online menaces for visitors in 2012, M86 researchers said. The massive Web traffic flowing to e-government services makes departmental Web pages attractive hideouts for malware.

"The most common way of getting malware into a channel is through Web browsing," Anstis said. "You go to a government site, thinking it will be a reputable site and so your defenses are down." The Treasury Department's website recently was compromised as a result of weak security on several external servers, according to the report.

Public-facing sites "allow remote attackers, such as botnet operators and traders, to compromise the corporate Web server, turning it into a redirector to their malware," the report adds.

The 2012 prognosis also is poor for cloud computing, where an off-site computer room provides data warehousing for multiple organizations via a Web connection, M86 researchers said.

"Because you're centralizing all that data, it's going to become such a target for attackers," Anstis said. For example, if an attacker is able to breach the back-end security controls of an Amazon Web Services server farm, information belonging to many organizations could be exposed.

Anstis said agencies' move to the cloud is "admirable," but he warned they must be careful they're not "rushing headlong into a problem."

Next year, M86 expects more "advanced persistent threats," such as the sophisticated salvo against RSA that lingered until the right data to extract was found, as well as more network break-ins at large commercial organizations.