CIO - IT executives know one thing about security: Be prepared. Over the past few months, many large companies had to deal with the Heartbleed virus, which is capable of stealing logins and passwords on Internet servers.
But what comes next? CIO.com asked security companies, consultants and IT experts to discuss other potential flaws that are ripe for exploit. These five should catch your attention.
1. Apache: Hitting 'Heartbeat' of the Internet
Several analysts mentioned a threat related to the Apache server, essentially the heartbeat of the Internet. (Apache servers control how Web addressing works.) "Apache has massive market penetration, runs across a variety of OS platforms and is also maintained by the open source community," says security analyst Troy Hunt. "A previously undisclosed flaw, such as a local file inclusion risk, could enable an attacker to pull arbitrary files from the system."
2. Programming Backdoors: Easy Access for Admins - and Hackers
When developers create software that runs at a retail store or as a custom app for the marketing team, they sometimes leave a "backdoor" method to authenticate without using the proper login system. Hackers could exploit this, says Vince Berk, the CEO of FlowTraq, a network security company. While programmers leave the door open for testing the app, they might not realize how a hacker could gain access to the entire network.
3. Amazon Web Services: Could Single Sign-on Pose a Problem?
You don't hear about this one as a threat, but Tom Smith, the vice president of business development and strategy at CloudEntr, a cloud security company, says AWS is a prime target because it's so widely used.
As companies start embracing the "social login" technique to authenticate users with an account at a service such as Facebook, AWS becomes even more susceptible. Smith says hackers who gain access using social login could potentially tap into the underlying infrastructure as well.
4. RAM Scraping: Steal Data at Point of De-encryption
One of the great challenges of IT is that, to protect a storage medium or service, companies use encryption. However, at some point - to gain entry, say, or process a transaction - data must be unencrypted, usually to RAM.
Dave Frymier, CISO of Unisys, says a hacker could "scrape" RAM to steal the data as it sits in an unencrypted state. (That's what happened to Target.) "This RAM scraping issue is one of the reasons we don't see greater adoption of public cloud computing in regulated industries," he says.
5. PHP: Popularity Could Be Its Downfall
Yes, Heartbleed attacked the OpenSSL library that accounts for about 60 percent of all Web servers. However, PHP is an even greater target, as it's used on 80 percent of today's servers. What's more, the server-side scripting language is easy to use for new Web programmers who might not be thinking about security.
Barry Shteiman, the director of security strategy at Imperva, a data center security company, says hackers could even create a bug and try to sell it to the highest bidder, pinging off the news that put many companies into a recent tailspin with Heartbleed.
John Brandon is a former IT manager at a Fortune 100 company who now writes about technology. He has written more than 2,500 articles in the past 10 years. You can follow him on Twitter @jmbrandonbb.