The growth of the Internet as a ubiquitous part of life has made social networks and mobile devices more vulnerable to attack, with the users themselves often the weakest link.
Here are the top 10 cyber security threats that experts suggest non-technical people must be trained to recognise.
Social network attacks are a serious cyber security threat due to the popularity of social networks, which users can access not only by computer, but also by mobile phone.
Subscribing to social networks such as Facebook via mobile phone also means that users transmit their mobile numbers to the web and thus become a target for hackers who are searching for the personal information of Internet users.
''The more personal information you put out, the easier hackers can reach you,'' said Acis Professional Centre CEO Prinya Hom-anek.
Hackers use newer techniques, known as ''intelligence information gathering'', which go well beyond ordinary Google searches, to carry out targeted attacks. Prinya pointed out that such tools can link to the back-office of Facebook and Twitter and pull in-depth information from web servers.
Many users also don't know that the information they publish on social networks is easily searched by Google. Some carelessly post their organisations' information such as network diagrams or the minutes of meetings, which can be leaked to the public domain.
Users must use social network programs conscientiously and avoid unnecessarily publishing any sensitive or personal information, the expert noted.
Citing Gartner, he said that the greatest Internet threat in 2010 will be social network attacks and hacking.
Mobile attack. Mobile phones today can be as smart as a small computer, but they typically do not have anti-virus or anti-malware programs installed, meaning they are vulnerable to attack.
Prinya pointed out that hackers can install spyware on mobile phones and easily sniff the targets' data, or even tap the phone without the owner's knowledge. Mobile spyware can also track the location of victims via GPS.
Prinya suggests that a good tactic to prevent mobile hacking is for users to lock their handsets and set complex passwords. Another way is by installing anti-virus or anti-malware programs.
''There are several anti-virus options but users have not embraced them,'' Prinya said, adding that care must also be taken when downloading applications to the handset, as these may cause the handset to hang or become a host for Trojan programs.
Moreover, hackers can attack through vulnerabilities in mobile operating systems such as Nokia Symbian, Apple's iPhone OS or BlackBerry OS.
Prinya said handsets can be protected by installing the vendor's patches, but he accepted that this is more difficult than on notebook or desktop computers.
Next-generation hacking. Hackers today carry out targeted attacks with the clear objective of making money. The victims are typically executives or celebrities, about whom hackers can gather information using search engines such as google.com or bing.com, together with ''intelligent data gathering'' from the databases of social networks.
The most common technique used by hackers is to send malware to their targets, and when the targets turn on their computers or run certain programs, they will trigger a Trojan horse or Remote Administration Tool (RAT) which hackers can use to gain remote access to the targets' machines.
Prinya mentioned that 95 percent of these files have the extensions of .pif, .scr, .exe, .com, .vbs, .bat, .cmd or .hta and users should immediately delete any such files without running them, unless they are explicitly aware of their origin and purpose.
Prinya noted that victims in Thailand are often banking customers who unknowingly download Trojan horse programs disguised as games. When the victim runs such a program, the hacker can access their banking information, including account details.
A new technique that is gaining in popularity sees hackers hide malicious code within common file types such as Microsoft Word (.doc), Microsoft Excel (.xls), and Adobe Acrobat (.pdf). Installing anti-malware software and using it to scan even trusted file types is essential, although it cannot guarantee 100 percent protection against such threats.
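The following is an added example, not code from the original article or from Acis, of the kind of static triage a mail gateway or endpoint script can run over ''trusted'' document types before handing them to an anti-malware engine. It flags the active content that a PDF or Office document normally has no reason to carry: JavaScript, OpenAction and Launch actions in PDFs, and an embedded VBA project inside an Office Open XML (.docx/.docm/.xlsm) container. The sample files are constructed in the block itself; the assumption that modern Office files are zip containers with a vbaProject.bin part is mine, and the legacy .doc/.xls binary container is only recognised, not parsed.

```python
"""Cheap static triage of 'trusted' document types (PDF, Office) for active
content.  Added example, not the article's code.  Sample files are
constructed below; nothing is read from disk or the network."""
import io
import re
import zipfile

# PDF name tokens that indicate executable or auto-run behaviour.
PDF_RISKY = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA", b"/EmbeddedFile"]
# Magic bytes of the legacy OLE2 container used by binary .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage(data: bytes) -> dict:
    """Return {'type': ..., 'indicators': [...], 'suspicious': bool} for one file."""
    result = {"type": "unknown", "indicators": [], "suspicious": False}
    if data.startswith(b"%PDF"):
        result["type"] = "pdf"
        for tok in PDF_RISKY:
            # Negative lookahead so /JS does not match /JSomething.
            if re.search(re.escape(tok) + rb"(?![A-Za-z])", data):
                result["indicators"].append(tok.decode())
    elif data.startswith(b"PK\x03\x04"):
        # Office Open XML is a zip; a macro-enabled file carries vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            result["type"] = "ooxml"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            result["indicators"].append("vbaProject.bin")
    elif data.startswith(OLE_MAGIC):
        # Legacy binary .doc/.xls: macros live in OLE streams, so hand off to
        # a macro-aware scanner rather than trusting the extension.
        result["type"] = "ole2"
        result["indicators"].append("legacy binary Office container (needs macro-aware scan)")
    result["suspicious"] = bool(result["indicators"])
    return result


def build_samples() -> dict:
    """Constructed sample files (not real malware) to exercise triage()."""
    clean_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
    evil_pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")

    def ooxml(with_macro: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba project")
        return buf.getvalue()

    return {"clean_pdf": clean_pdf, "evil_pdf": evil_pdf,
            "clean_docx": ooxml(False), "macro_docm": ooxml(True)}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage(blob))
```

This is a first-pass filter, not a substitute for the anti-malware scan the article recommends: PDF object streams are usually Flate-compressed and names can be hex-escaped (/J#61vaScript), so an obfuscated sample passes this check and only a parser that decodes streams will see it.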
Internet banking transactions typically use the Secure Sockets Layer (SSL) protocol, indicated by an https: prefix instead of http:, to encrypt data in transit. Even so, an attacker on the same network can use man-in-the-middle (MITM) software that employs ARP poisoning to route the victim's traffic through the attacker's machine, and from that position can sniff the password if the session is downgraded to plain HTTP or the user accepts a forged certificate.
SSL alone therefore does not make Internet banking totally safe, so banking customers, ATM users and credit card holders are advised to examine their statements carefully and to check payments before authorising them.
Insider threats or organised crime. More than 50 percent of cyber security threats are caused by internal figures or disgruntled employees. The computer crime may be carried out by one person, for example by hacking a prepaid phone card system, or in teams, so-called ''organised crime''.
Recent high-profile examples have seen external hackers in China, Brazil, Russia and other Eastern European countries cooperating with internal employees in a criminal model known as CaaS (Crimeware-as-a-Service).
Human Resource Security Control, as defined in the ISO/IEC 27001 security management system, is thus very important and should always be employed by organisations, in addition to frequent internal/external IT audits.
Insecure infrastructure and insecure outsourcing. As many organisations are likely to outsource at least some of their IT operations or infrastructure to third parties, many will use a managed security service provider (MSSP) for log and security management. This also covers cloud computing, where SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) are all gaining in popularity.
However, Prinya said organisations should consider the CIA triad (confidentiality, integrity and availability) when evaluating outsourcers or service providers, and should tie those requirements to the service level agreement. Customers should also examine the service contract for where responsibility for security lies.
New technology such as virtualisation and cloud computing brings both benefits and drawbacks. On the plus side, it reduces costs, but security issues are often a concern. Organisations should therefore apply best practices such as ITIL, CobiT or Risk IT Framework and choose only services which adhere to the ISO/IEC 27001 standard.
Misunderstanding about GRC/increase in regulatory compliance. Top management executives don't know or understand the concept of GRC (Governance, Risk Management, Compliance) for IT governance, information security governance and corporate governance.
This lack of attention to GRC therefore represents a risk to organisations.
Training in IT governance, corporate governance, information security governance and other best practices, such as ITIL and CobiT, helps to deal with this problem.
Prinya added that ISACA has announced a ''Risk IT Framework'' and ''IT Practitioner Guide'' to bridge the gap between COSO Enterprise Risk Management and ISO/IEC 27005 Information Security Risk Management, opening more ways for organisations to apply these best practices.
There is no ''DMZ'', leading to a rise in pervasive computing. People can use the Internet in many ways, such as with desktops, notebooks and mobile devices, and they can access content more easily and quickly than ever before. But while this is more convenient, it is also more dangerous to IT organisations.
''We had always believed that file servers hosted behind the firewall at the demilitarized zone (DMZ) were highly secure, but we were totally mistaken,'' Prinya said, pointing out that a general-purpose firewall cannot prevent attacks that come through web applications.
Citing www.owasp.org, he said the 10 most critical web application security vulnerabilities (the OWASP Top 10, 2007 edition) covered Cross Site Scripting (XSS), Injection Flaws, Malicious File Execution, Insecure Direct Object Reference, Cross Site Request Forgery, Information Leakage and Improper Error Handling, Broken Authentication and Session Management, Insecure Cryptographic Storage, Insecure Communications, and Failure to Restrict URL Access.
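The point of the DMZ remark is that an injection flaw rides through the firewall on a perfectly ordinary HTTPS request. As an added example (not code from the article, OWASP or Acis), the block below shows the second item on that list, an injection flaw, in its most common form: a login query built by string concatenation, next to the parameterised query that fixes it. The user table and credentials are constructed in memory with sqlite3; plaintext passwords are an assumption made only to keep the demo short (a real system stores salted hashes, which is the list's ''Insecure Cryptographic Storage'' item).

```python
"""Injection flaw (OWASP Top 10) vs. its fix, on an in-memory SQLite table.
Added example, not the article's code.  Data is constructed below."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (plaintext password purely for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Untrusted input is spliced straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Placeholders: the driver passes values out of band, so quotes in the
    input are data, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run a legitimate login and a classic bypass payload against both versions."""
    conn = make_db()
    payload = "' OR '1'='1"   # closes the quote, then adds an always-true clause
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "attack_vuln": login_vulnerable(conn, "anyone", payload),   # logs in as alice
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "attack_safe": login_safe(conn, "anyone", payload),         # rejected
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

With the payload the vulnerable query becomes `... WHERE username = 'anyone' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the final clause is true for every row and the first user comes back. The hardening the article calls for (patching, hardening the application and database) does not remove this class of bug; only the parameterised form, or an equivalent in the ORM, does.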
Organisations should pay attention to IT assets and information which can be accessed via the Internet by always running patch management, and by hardening server/application/database and vulnerability management.
Increasing incidence of espionage and corporate fraud. Hostile countries have often engaged in espionage missions against each other. Cyber security threats at the international level are called ''cyber warfare'' and are carried out with the objective of gaining strategic advantage in political disputes. Cyber warfare techniques include Information Operations (IO), Information Assurance (IA) and Computer Network Operations (CNO).
Furthermore, corporate fraud is currently on the increase, and it can be categorised into three types: corruption, asset misappropriation and fraudulent statements.
Occupational fraud in particular has increased, with certain high-profile examples in the banking industry. Fraud auditing and fraud forensics are thus essential to cope with such incidents. Prinya said that organisations should focus on fraud prevention rather than on fraud detection, which is done after the fact.
Insecure coding / Insecure application development. Citing Gartner Research, Prinya said over 70 percent of security vulnerabilities exist at the application level. The effective solution is therefore to address the root cause: improve the development process so that it is more secure at every step of the software development life cycle. Secure application development depends on the whole process, including software concepts, requirements, design, implementation/coding, testing and acceptance, as well as deployment/operation/maintenance and disposal. It thus requires people, especially those involved with application programs, to understand the problems which arise from insecure application development.
Lack of security awareness/Changing cultures of Generation Y. The majority of Internet users are teenagers and people of working age, which includes ''Generation Y'', or the so-called ''Click-Through Generation''.
Prinya said these people are usually not concerned about security of information. ''The Gen-Y just clicks 'Yes' or 'OK' on Internet pop-ups and they always put personal information on social networks without realising that this could be dangerous,'' he said.
He added that training in security awareness when using the Internet at home, work and on mobiles is crucial if users are to be made aware of Internet threats and to avoid becoming a target of social engineering attacks.
Prinya raised example cases in which a hacker pretends to be an existing friend of the victim via Windows Live Messenger by using an instant messaging bot, or lures the victim by appearing to be a beautiful girl.
Many people are deceived in this way into transferring money over the Internet. Awareness of threats is thus essential when accessing the Internet.
Security awareness training for employees is a ''must do'', not a ''should do'' for businesses. Article 35 of the Electronic Transactions Law says public organisations must hold security awareness training at least once a year in order to safeguard against Internet threats. All 10 of the information security threats above must be communicated to non-IT management, executives and non-IT professionals so that they are aware of them and take care when using computers, and so that organisations can comply with the standards and regulations set out under the GRC concept.