Threat Horizon 2015: More danger from known threats


Published on

Ponencia / Lecture

Adrian Davis. Principal Research Analyst, Information Security Forum

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Cybercrime grows upIn 2011 the ISF coined “Malspace” to describe the organised global industry that has evolved to commit cybercrime, espionage and other malevolent activity in cyberspace. Expect this industry to mature significantly. More than an increase in cybercrime, this is an increase in criminality – the state or quality of criminal and other malevolent activity. The next few years will see new players, new skills, new alliances and new approaches. The time it takes to develop or modify an attack will shorten even more. The sophistication, variety and robustness of attacks will increase. { Crime-sourcing becoming more common (laundering, ddos, flash-rob). Hacking request hotline by LulzSec, solving CAPTCHAs, Craigslist hire of road workers to escape bank robbery. #312, Forbes YES} {Digitally rich vs digitally poor economies – the divide, Member opinion, #488 YES} {Cloud harvesting, #78, Member opinion, YES} Malspace will mature more quickly than many people expect, just as modern industries have developed more quickly than their predecessors. Malspace’s participants are early adopters, collaborating online using systems their target organisations don’t even use internally, let alone with other organisations. They will increasingly use crime-sourcing – finding random people online to come together to commit crime – because of its appeal and effectiveness. They operate with few, if any, organisational, ethical or other constraints, and within a sanctuary of anonymity. Their innovation could well be enviable.Technical and non-technical sophisticationAccording to McAfee, technical attacks will increasingly focus on hardware and firmware, circumventing improvements in operating systems and application security . {#414, Vincent Weaver, Sen VP, McAffee, same as text} The increased sophistication will also apply to non-technical methods; fake emails that prompt action (phishing) will become more convincing as they use more accurate data harvested from social networks and GPS-enabled smartphones. Attackers will still look for the easiest possible route, {#438, Symantec, NO}{#240, WebSense, NO} and for every gang that moves up the scale of complexity, others will fill the space they leave, using simple methods. The ISF report Cyber Security Strategies, noted that Malspace already operates “on the scale and with the sophistication of other global industries”. It will grow as its marketplaces mature, its networks develop, its organisations become more efficient and its systems improve. It is not only a growth industry; it is accessible to a wide audience.No slowdown in sightAll the drivers increasing the size, effectiveness and maturity of Malspace will persist. The incentives for criminals to make money will remain powerful, driven further by stagnating economies. The organisations and individuals with money and information to be stolen will increase their use of and dependence on technology, constantly creating more and larger targets. {ISF Opinion, #168, NO} The avalanche of new technologies, combined with the incessant business need for their rapid adoption, will continuously introduce new vulnerabilities that create opportunities for cybercrime. Cloud computing, new top-level domain names and mobile banking are but a few examples.Use of simple methods such as social engineering, often through fake emails (phishing), will increase. They’re easy and inexpensive – perfect for new criminals to adopt quickly as they require no skill or investment. They’ll continue to be effective as long as easily available information helps create believable messages. {#135, Websense, NO} Some of the most successful attacks to date have been like these, such as the €40 million fraud that shut down the European Emissions Trading System. {Der Spiegel, already in text} The risk increases with mobile devices; there is enough information in a CEO’s smartphone to create the most convincing fraudulent email. {#326, Booz Allen, NO}{ Doxing - Attacks aimed to expose companies or individuals and their online presence (CEO Citibank, CEO Goldman, CEO BoA) #310, The Register, YES}Expect more sophisticated thinking and complex attacks. A number of incidents in 2011 proved the effectiveness of attacking security providers – the cyber equivalent of breaking into a locksmith’s to steal the master key. {APT attack at RSA from a nation state#117, RSA, YES} { Possible involvement of foreign intelligence agencies digital certificates forging, Diginotar et cetera- #195, Diginotar, NO} {Attacks at #529, VeriSign, NO} {#56, Member opinion, NO} – MOVE ALL TO CYBER ARMS RACE?There aren’t many checks that might slow the evolution of Malspace. Criminals will still operate remotely, masking their locations and operating in jurisdictions far from where the crimes are perpetrated. Countries thought to be friendly hosts to cyber criminals aren’t yet feeling international pressure to change, nor do they have the expertise or resources to do so. On the contrary: they can have an economic incentive to allow cybercrime to prosper.While some cyber criminals have been discredited among their peers – such as those whose credit card database was flooded with fake numbers, decreasing its value – such cases are few and hardly represent a threat to the black market. There is little to dampen the ability of criminals to collaborate, find markets to buy or sell their services, or refine their skills.Encouraging signs from law enforcementThere is some indication that law enforcement activity will continue to improve as greater focus is brought to breaking up crime rings – demonstrated by a small number of significant arrests in 2010 and 2011. {Anonymous and Lulzsec arrests - #152, McAffee, MAYBE} { In 2010, the Secret Service arrested more than 1,200 suspects for cybercrime violations - #544, Verizon DB investigations report, YES} Real challenges remain: jurisdictional barriers, a shortage of skills and technology, a scarcity of useful intelligence and cuts to public funding. The arrests and shutdown of illustrate additional challenges: within days, quite apart from the serious hacktivist backlash, significant doubt was raised about the evidence and basis for the charges. It’s promising that sophisticated government agencies have announced plans to work with the private sector to tackle cyber attacks. More of these previously secretive agencies should follow this lead, sharing cyber attack intelligence and security solutions.The impact from cybercrime creates an urgent need to add security to the foundation of the Internet itself, but this is more easily said than done. The ability to trace perpetrators to their location remains elusive. There is more progress toward trusted email; this would enable organisations to block fake email from un-trusted sources, decreasing the success of phishing attacks. Also promising are cloud services that can instantly increase capacity in response to an attack, in effect providing load balancing so web sites don’t become unavailable when they’re flooded by malicious requests. { How will Governments/law enforcement response to technologies that could potentially be used for disruptive and destructive purposes, for example SMS, BBM, Twitter used in protests - #26, Member opinion, WRONG PLACE?} {See emails 29 or 30 January about BITS, tweet about MS, Facebook, Google collaboration, YES} (“threat magnifiers” box)Mobile malware, especially targeting mobile bankingDomain name abuse associated with ICANN expanding to new top level domains and non-latin domain namesCloud computing attacks such as cloud harvesting: systematic buying of infrastructure as a service and scanning it for IP or PIIAttacks focusing on the Internet’s infrastructure (HTML5, Flash, Java, IPv6, SSL, etc.)McAffee Revels Its 2012 Threat Predictions by Vincent Weafer, senior vice president of McAfee Labs, 28 Dec 2011
  • Back to the futureLike criminals, the nations and states in Malspace who have been developing more sophisticated ways to attack via cyberspace will become even better organised, skilled and effective. Those who haven’t will start. While alleged state-sponsored attacks have been high profile and newsworthy, some organisations have downplayed the risk: targets are more limited than those of criminals, accusations are largely unproven, losses are neither immediate nor easy to quantify, and warfare can be pigeonholed as an issue for governments. But state involvement is game changing. States and governments can’t step into this pond without causing huge ripples. They can invest vastly greater resources. They have the power to shut down communications. {SOPA, Threat of Blackberry ban India & UAE, YES}. They can set laws without understanding the consequences to organisations. And they can operate to their own ideologies – which can be vastly different from those of other countries.A cold war with consequencesExpect collateral damage. Stuxnet, the malicious software that damaged Iran’s centrifuges, was carefully crafted to affect only its intended targets. Copycat versions are unlikely to be as precise and could inadvertently shut down an organisation’s facilities, the local power supply, communications network or some other part of the critical national infrastructure. This extends not only to organisations but also to those in their supply chains, creating further risk. Expect more unconventional ways of creating conventional disruption.There is also a greater threat of service interruption as demonstrated during the Arab Spring. As one of the ISF Congress 2011 keynote speakers said, the Internet does have borders and governments can close them. While the true potential of the newest cyber weapons is a secret known only to their creators, they are likely to have progressed significantly since Stuxnet was developed three or four years ago.{ “If we can give them bad information, or we can make them doubt the good information they have, -#504, NY Times, NO} { Hacking by foreign governments and businesses costs the UK economy billions of pounds, - #101, Computerweekly, NO} { New developed countries jump over technical development steps - go directly to new technologies- #206, Member opinion, YES}{involvement of foreign intelligence in certificate fraud #195, YES {Lurid attacks - #194, El Reg, No}The business cost of espionageEspionage will extend from the obvious – organisations in the military and defence industry – to include the mundane: anyone whose intellectual property can turn a profit or confer an advantage. Research, designs, patent applications, product roadmaps, business plans and corporate strategy will all be sought. Priority targets will include anyone who might have this information, including research and development departments, staff, executives and trusted suppliers.Organisations today don’t yet know the value of information they’ve lost over the last few years. As the true cost of that loss becomes apparent it will need to be addressed, perhaps with some unusual and possibly embarrassing financial restatements.Overt government involvementIn 2011 several countries dived into cyberspace, publishing national cybersecurity strategies and visibly increasing investments. The US alone expects to spend $2.3 – $3.2 billion on cybersecurity in FY2012, about 0.5% of the defence budget. What is more, the US army is now investing heavily in three specific areas: special operations forces, drone aircraft and cybersecurity. {Already in text, #502, NY Times, YES}In 2011 the US and the UK declared that any cyber attack against their countries could be viewed as an act of war, clearing the way for them to respond as they would to traditional acts of war. We can expect them to be true to their word, and for more countries to follow suit. Affordable, effective attacksStuxnet proved the viability of cyber attacks in advancing state goals. Not only was it successful in damaging Iran’s nuclear programme; for its estimated $1 million development cost, it accomplished its goal at a fraction of the risk and cost of military intervention, much more quickly, and (albeit temporarily) succeeded where embargoes and other diplomatic action failed. With success like that, it will have followers.Furthermore, its relatively low cost is a bargain, and it significantly lowers the barriers to competing in the cyber arms race. Anyone with the financial resources and the skills can now construct their own sophisticated cyber weapons. {Economics for targeted, sophisticated attacks is different to general malware, #212, IBM X-Force, YES} [[Steve: can we say “It’s even conceivable that there will be pressure on anti-virus vendors to exclude their normal protection to some countries.” or are there already export restrictions on AV software?]]Some organisations are convinced that their new product and market plans are being systematically targeted by cyber espionage. While there is no evidence that the systems have been compromised – that is in itself a possible indication of a sophisticated attack – proof is likely to come when local companies launch cheaper imitation products in emerging markets. {Already in text, Hubert – P&G} {Developing countries jump over technical development stages, go directly to new technologies #206, Member opinion, YES} (“threat magnifiers” box)Rooting smartphones for cyber espionage (eavesdropping voice calls and microphone, location tracking, email interception)Attacking and cracking VoIPSystematic IP theft enables developing marketsA dramatic increase in Duqu type reconnaissance attacks at national infrastructure and critical industry level when countries start profiling their friends and enemiesBig data profiling of organisations’ activities, eg predicting poor fiscal performance before annual report is published
  • All aboardAnyone not already using the Internet to advance their cause will start. This could include customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs – the list is endless. In August 2011 the ISF stated that WikiLeaks, Anonymous and Lulzsec had shown activists what profit-driven criminals had known for some time – that technology and the Internet confer great advantage on attackers. The cost, effort and risk to the attacker are low, the reward is high, and the targets are all in one place – the Internet. The paper also predicted that as more activists – whether lawful or unlawful – see the power of online activism, activity is likely to rise, increasing the risk to organisations. The following month, Occupy Wall Street occupied a park in New York, and within weeks there were hundreds of Occupy movements around the world. The Occupy movement brought western democracies their equivalent of the Arab Spring. The Internet has long united people of similar interests, from eBay’s mythical Pez collectors to Facebook’s “friends”. Fuelled by a stagnating economy and anger at slow or ineffective political processes, we can expect more political organising, including some along socio-economic or other class lines.As popular democracy moves online, any cause can potentially mobilise overwhelming momentum to stop unpopular government decisions, as we saw in 2012 with SOPA and PIPA.Organising at the push of a buttonOnline organising will become easier, as protest channels and tools become available to greater numbers, easier to use, more sophisticated and more effective.{Digital and physical demonstrations converge, #308, McAffee, YES}, {Massing up crowds easy - #313, Symantec, YES} In January 2012, retaliating against the shutdown of, Anonymous distributed links that surreptitiously launched attacks. The links went viral and a number of sites were flooded, attacked by innocent people who thought they were just reading about the issue. Expect to see more crowdsourcing – where groups of strangers are mobilised, with or without their knowledge of all the details, to contribute to some overall goal. We will see more of the physical equivalent, flash-mob organising, where conspirators issue an online call for people to come together spontaneously in the real world. The goal can be anything from performance of a silly dance at a train station, to creating distractions that enable a crime, to a massive blockade of an organisation’s headquarters or other facility. A wide-reaching riskOnline organising and the speed of communications also greatly increases the potential for panic, whether it’s a run on a bank, false rumours of a food shortage or a launch of a must-have product. Combined with online democracy it can lead to major civil uprisings as seen in the Arab Spring or London riots. Cyber criminals were among the first, followed by activists, and any cause or group who hasn’t yet realised the power of the internet will do so within the next two years. One of the scariest prospects (by definition) is terrorism, as discussed below. {Pirate bay winning seats in Europe #300, MAYBE} The international character of hacktivism leaves multinational organisations with nowhere to hide or regroup.It’s here to stayWhile this prediction can be somewhat moderated by governments shutting down Internet access, for the immediate future this is limited to non-democratic jurisdictions. Even in the West, any ability to disable services that threaten the public interest (tweets during a riot, say) will need due process and won’t help organisations suffering an online public relations disaster. {real time insights into consumer pulse - #161, McKinsey, YES}{government censorship - #27, Member opinion, NO}Those used to economic prosperity are increasingly disgruntled with the continued economic malaise combined with the amnesty provided to those they view as having caused the financial crisis. The core complaint is unlikely to be resolved quickly, and the Occupy movement could be a peaceful precursor of trouble to come: rioting organised online and the masses taking matters into their own hands.(“threat magnifiers” box)Crowd sourcing (not just the good kind)Flash-mob type incidentsDemocracy moving online - any popular cause can succeed (not just the good ones)Civil movements such as the Arab Spring or Occupy Wall StreetBank runs, withdrawing money and stocking up on essentials in response to real or false rumours about the economy (for example, potential Greek exit from the Eurozone)FBI probes Anonymous intercept of US-UK hacking call {}Doxing increases – targeting unpopular individuals through their smartphones and social networksGovernments monitoring and censoring communications channels such as social networks and instant messengers
  • With the increasing convergence of cyber and physical worlds, attacks are no longer limited to office computers and networks; they can now have physical impact in the real world. We have seen successful attacks on pacemakers and cars. It’s theoretically possible to attack smart fridges and televisions, remotely unlock prison gates, set printers on fire, or control heating and lighting. {#239, #402, #414 Vincent Weafer, sen VP McAffee, YES} {In text - #409, Black Hat, YES} {In text - #410, The Register, yes} {Hacking air traffic systems #408, New Scientist, YES}We should expect some attempts. The risk exists independently of the probability of such an attack being successful: just as having a bomb isn’t necessary to call in a bomb threat and close an airport terminal. Any believable, well publicised threat can cause disruption and panic. Headlines in 2011 reported that hackers remotely damaged a rather unthreatening water pump, but in truth the “hacker” was an engineer connecting remotely while on holiday abroad.The attackers won’t necessarily be terrorists; what’s to stop hacktivists from turning out the lights or messing with the climate control systems at a target? We might also see cybercriminals threatening to shut off critical manufacturing components in an attempt to blackmail organisations. {#408, New Scientist, YES}{#411, Member opinion, YES#413, The Economist, MAYBE}As cyber weapons make their way into the wrong hands –terrorists, activists or cyber criminals – they will be used or threatened to be used for financial or ideological gain.…that are hard to secureThere are barriers to securing industrial control systems, so the opportunity to attack them will persist for some time. Many of these systems weren’t built to be connected, let alone to be secure. Adding security can slow them down or interfere with timing – hardly acceptable for systems that control physical equipment in real time. Replacing the systems isn’t always possible, and when it is it can be costly and hugely disruptive. {Michael’s SCADA email, YES}Cyber weapons, like their nuclear or biological counterparts, are sought by states, hackers and terrorists. State-developed cyber weapons have raised the bar as they inspire and prove what’s possible. They can also be studied and reverse engineered. Importantly, cyber weapons have a lower barrier to entry, are less expensive and safer. They don’t require warehouses, factories, transportation, or hazardous material handling capabilities. They also can be easily leaked, copied and distributed via the Internet. A number of publicly available and commercial software systems for testing security now also include modules that attempt to break in to industrial control systems and embedded systems. Use of these tools isn’t limited to the good guys. (“threat magnifiers” box)Hacking appliance robots or unattended aircraft drones or using them as an attack vectorAttacks resulting with loss of life and cyber assassination plots (attacking medical devices, changing traffic lights, remotely disabling vehicle brakes)Connectivity of all devices, driven by efficiency
  • Transparency everywhere…Expect further movement toward increasingly transparent disclosures regarding security over the next few years. This will be driven not only by new regulation and standards, but also by increasing demands from customers and business partners in our interconnected, interdependent business world. Organisations are more reliant than ever on each other, and information security affects all interconnected parties. Not only will the requirement to report incidents increase, the emphasis will also shift to reporting the performance of security and its ability to protect customer data. Security is now becoming everyone’s concern; more organisations and individuals are demanding assurance about how their information is handled. …has unintended consequencesThere is risk of more regulation that, while perhaps sounding good in principle, can have serious unintended consequences. If a number of organisations comply with new transparency requirements and all report the same vulnerability, attackers could reasonably assume the same vulnerability is widespread. Attacks will follow.Attempts to cover up inadequate security arrangements won’t help: there will be penalties for inaccurate reporting in addition to customer backlash. We expect both regulators and business partners to require a more robust reporting approach that moves away from the audit snapshot common today. The changeable state of security is likely to be one of the drivers for continuous, real-time governance, risk and compliance reporting in the future. Momentum everywhereSince California introduced the requirement to report incidents and notify affected individuals ten years ago, 47 of the 50 US states and many countries around the world have adopted similar laws. Expect this increase to continue: the EU has announced new provisions as it overhauls its data protection directive. The US Securities and Exchange Commission (SEC) issued guidance that companies should {companies must disclose known or potential cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky} disclose incidents that could affect the value of shareholder investments.This trend is further fuelled by increased reporting by news media, greater public and corporate understanding of what it means, and a demand for greater transparency by the owners of the information – whether they are individuals or organisations in another’s supply chain. {EU law- #355, SC Magazine, NO} {Breach notification overload#369, Member opinion, YES} One survey even stated that client requirements are now the number one driver for information security spending. A silver lining with some risk{Client requirement is the main driver in infosec spending, #431, PwC GSISS, YES} {Companies fined against what’s already on the internet #398, Member opinion, YES} Transparency ISF work, ISO 27036A key finding in the ISF Cyber Security Strategies report was that it is essential for competitors, governments, customers, suppliers and organisations like the ISF to share intelligence about threats and incidents in order to address them effectively. There is widespread recognition that safety and survival in cyberspace cannot be achieved in isolation. {#452, #453, Business week, NO (repetition)} Governments have recently taken this first important step: in 2012 a three-month pilot was launched in the UK to allow defence, finance, telecommunications, pharmaceuticals, and energy organisations to exchange actionable information on cyber threats. Some countries are suggesting amnesty for organisations that report breaches resulting from sophisticated attacks they could not be reasonably expected to prevent. Transparency is now firmly on the corporate agenda, both as a business objective and to rebuild trust following the financial crisis, and it’s hard to imagine a return to the secrecyequals security mentality when incidents were dealt with internally. {Federal judge asks organisations to disclose when hacked #500, MAYBE ?}Trust levels are generally low and suspicions will lead to adverse inferences. Concerns that transparency could publicise weaknesses – making it easier for hackers and cybercriminals to attack – are justified, but won’t outshine the long-term business benefits. Instead, an organisation that is forced to report security risks will probably have as much to fear from customers and business partners as from hackers. {Dodd Frank act whistleblowing offers 30% awards from tip-offs, #322, The Economist, YES} {Fraud from transparency #149, YES}
  • Privacy, privacy everywhereNew privacy requirements will come from everywhere: consumers, business customers and regulators. The EU has announced changes that will have a wide-reaching effect and extend to non-EU businesses. Two US Senators introduced a new privacy bill in April 2011, and another introduced one in May. When discussions resume it’s expected the bills will follow the European example.India passed legislation that requires organisations processing personal data to obtain written consent from customers.The proposed US legislation is supported by some prominent companies who issued a joint statement saying they have “long advocated for comprehensive federal privacy legislation”, adding that “the complexity of existing privacy regulations makes it difficult for many businesses to comply with the law.” Consumer groups criticised the proposals saying they needed to be strengthened. {Reuters}Few organisations are immune{Make this a source PRECISE the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 is such an example of a cyberlaw currently tried in the US lawmaking process.}Upcoming EU privacy regulations impose harsh changes and will affect many global organisations – even some that don’t consider themselves to have European operations. Any organisation that handles information about EU citizens will be subject to the higher standard of data protection. Organisations will need to decide whether to invest in the necessary security and legal controls, outsource them to someone who can, or exit the market. They will also need to consider the message their actions send to their customers.Attempts by governments to pass sweeping cyberspace laws will create further disruption in an attempt to regulate an area that is poorly understood and evolving quickly and in ways yet unimagined. Another silver liningThe EU’s intention is to make data protection rules more business friendly and allow innovation. This will be accomplished by simplification and an elimination of inconsistency between existing laws. “Binding corporate rules” will simplify the process for transferring and processing personal information outside the EU. {#363 - #367, Viviane Reding, European Commission, YES}While this is welcome, it will be tough for legislators to balance increased consumer protection with the desire not to further burden organisations in an already-stagnant economy. Some proposed regulations have already been challenged as being too stringent.Changes that are business friendly and allow innovation will be helpful to all, as will actions that simplify and harmonise regulations. While some pundits suggest that the Facebook generation’s relaxed attitudes to privacy may dampen these efforts, any relaxation in privacy regulations is unlikely as long as data loss leads to fraud and other crime risk, as it does when credit card numbers or identities are stolen.BRIC countries create a cyber haven?Some of the economic growth in Asia and South America has been attributed to fewer regulatory restrictions. Privacy is no different, so it’s conceivable that organisations could seek refuge in more favourable jurisdictions. (“threat magnifiers” box)Possible creation of cyber havens: countries providing data hosting without onerous regulations or without thorough enforcement of regulation Regulations similar to SOPA, FIPA, ACTA New EU directive catches up on the cloud, fails to address big data, augmented reality and other new conceptsMore people and countries coming online
  • The good guys are being outspentIt would be normal to see investment increase at this stage of the economic cycle: the crisis has long passed, indicators should be moving up, and austerity should be giving way to renewal and investment. It’s time for neglected defences to be replaced and strengthened. But this is not a normal economic cycle, and now is not an easy time to ask for increased funding. The outlook is bleak, and cost pressures will remain everywhere. {Public company is in trouble, #193, The Economist, MAYBE} {Poor economic climate - #172, #183 Member opinion ,YES}The Economist declared 2012 as the year of self-induced stagnation for the developed West. China could be heading into a sharp slowdown.But cyber criminals have been investing and will continue to do so. Malspace isn’t feeling the same effects; economic pressures don’t diminish criminals’ ability to attack. Quite the reverse: like any growing industry, some profit is being reinvested to fund new, better criminal campaigns. It will become increasingly easy and inexpensive to buy criminal technology and services. And there’s no guarantee that all your competitors will operate above the law.Organisations that miss this and fail to bring their security and resilience up to scratch are likely to suffer. Some improvement in sightThe economic outlook in many developed countries looks bland, if not bleak, with continued stagnation and talk of further recessions. Along with positive news in some countries, there is fear of more shocks in others, driven by rising national debts and even potential currency collapse. Many organisations have put off reinvestment in their core businesses, and would be expecting to restart that investment now. If further stagnation delays core reinvestment further, they may find it challenging to fund information security – especially if they still see it as a cost centre rather than a strategic business enabler. Whereas ISF Members generally report that their information security functions are growing, one survey reported security budgets shrinking and deferrals of security related initiatives. In Europe and US, reluctance to fund security projects has resulted in erosion of key capabilities including security strategy, identity management, business continuity and disaster recovery arrangements. This puts organisations at a disadvantage compared to their Asian competitors who generally have not reduced information security spend. {GSSIS}Even organisations that know the importance of funding information security today still have a legacy of under-investment from which they cannot recover in a single budget year. “The greatest obstacles to effective information security are lack of funding and leadership at the top of the house.” —Global state of information security surveyFunding looks likely to remain a challenge. Adding to the economic malaise, The Economist reports {} rising costs because of natural disasters; these impact some organisations directly and affect many others through increased costs in the supply chain. Further, disasters can force organisations to quickly adopt new or different suppliers, often without the time needed to perform security due diligence. Finally, a number of long-established IT solutions, where security has been locked down and properly understood, are coming of age and will need to be replaced. This will add additional costs to already constrained budgets.(“threat magnifiers” box)Hidden security costs of seemingly attractive business initiativesLimited spending on continuous education hinders security’s ability security to keep up with latest threats The year of self-induced stagnation, The Economist, 17 Nov 2011Global state of information security survey 2012, Eye of the storm, 28 Sep 2011Counting the cost of calamities, The Economist, 14 Jan 2012
  • A new digital divideOrganisational pressure on functions such as IT and information security will continue as long as the economy remains stagnant and the business struggles to comprehend the risks. As long as the function is viewed as a cost centre rather than a business enabler, there is greater risk of poor decision making.This will lead to a new form of digital divide: between organisations that understand and exploit IT and information security – and can afford it – and those who don’t understand it or can’t afford it.Leading organisations will appreciate the strategic value of the channels, systems and information they hold, and will invest appropriately. They’ll see the benefit of using digital channels and will keep up with the pace of change. Their information security leaders will understand the business almost as well as they understand information security.The rest will suffer competitive disadvantage and heightened risk of damaging security incidents.Outsourcing and agilityTraditional IT infrastructure and IT security is increasingly moving off shore to provide 24x7 coverage, further propelled by cloud computing, mobile devices and virtual desktops. {#76, Symantec} (#72, PwC} IT security will be increasingly challenged by outsourced business propositions, which suggest that technical functions such as network protection, intrusion detection and logging are better handled by, say, a cloud service provider. In some organisations, this will create pressure for in-house functions to justify their continued existence. Expect some organisations to shift in-house IT security roles to managing these functions externally, concentrating on service levels, contracting and reporting. One think tank speculates about a new business model that focuses on agility – the ability of an organisation to reinvent itself quickly. As the benefits of crowd sourcing become more apparent, projects will mobilise much more quickly with ad hoc crews coming together and disbanding upon completion. Technology that supports agility, such as cloud computing and social networking, is a must, but must also be secure. As the focus of the information security role changes from IT and IT security to governance, risk and compliance, it is essential that leaders in this space have a greater understanding of the business.(“threat magnifiers” box)Cost reductionCompetitionDesire for silver bullets
  • Their name will forever be synonymous with the case study of the online disaster. The bleeding edge can be bloodyOrganisations are unlikely to slow their adoption of new technology or decrease their participation in cyberspace, nor is the pace of technological development likely to slow. Along with business benefits each new technology brings potential vulnerabilities and methods for attack – adding to the complexity within cyberspace and increasing possible unforeseen interactions.The benefits of technology create a relentless drive for organisations to employ those technologies and adopt new ways to do business in cyberspace. But they often do so before the risks are known, let alone understood, and well before appropriate security solutions are available. [[David to fix]]: and organisations will continue to be hit hard.Organisations don’t always understand their dependence on technology. How many have assessed the impact of being accidentally delisted from Google, or of finding Facebook, iTunes, LinkedIn, Twitter or Wikipedia offline for an extended period? What happens if a country that hosts a lot of data and outsourcing is hit with UN sanctions for something political and unrelated to information security?Big data: the next big thing?Big data refers to performing increasingly sophisticated analysis on massive amounts of data. Pressure will mount on organisations to embrace big data because of the enormous insights and competitive advantage it can provide. Computers will increasingly crunch numbers to find answers previously thought unknowable. This will introduce new problems: for example, poor quality information or untested models can send organisations off course. Big data in the cloud will also create a host of new, highly attractive targets. Big data might be able to improve information security if the same sophisticated analysis can applied to relevant security data, however such solutions don’t appear to be imminent. “The Internet of Things”The number of smart and connected devices is rising sharply. Increasingly interconnected and able to sense their physical world surroundings, they collectively form what is known as “the Internet of Things.” More than just providing new ways for humans to interact with devices, gesture and voice recognition also make devices more contextually and situationally aware. When this awareness is combined with huge volumes of relevant data, it takes devices out of the realm of black and white computer logic and into reasoning that mimics the functioning of a human brain.According to IBM this means that the planet is becoming more instrumented and intelligent, with smart supply chains, smart countries, smart retail, smart water management, smart energy grids, smart healthcare, smart traffic systems and so on.{#498, CISCO, YES} {#15, IBM, YES} {#3, BBC, YES}Various reports refer to the information explosion; some suggesting that the volume of data stored by organisations rises by 60% annually; others suggesting that 80% of the world’s data was created in the last two years.Mobile is kingDisparate mobile devices are present across many organisations, creating more risk. The combination of their ubiquity, the predominance of two systems (Apple’s iOS and Google’s Android) and the treasure trove of data they contain has made it worthwhile for criminals to write malicious software for these devices.There is also a looming battle between security restrictions and ease of use. People won’t be satisfied with just contacts, calendars and emails; they’ll want access to more critical business applications and the sensitive data they contain. It may be just a matter of time before an insider mistake involving a mobile device sends corporate information viral.The problem isn’t easily solved. The rapid introduction of a variety of devices could leave security vendors playing catch-up for years to come.The Economist forecasts a major explosion in mobile payments, location-based services and augmented reality.
  • Data, data everywhereMore organisations will fall victim to information security incidents at their suppliers. From bank account details held by payroll providers to product plans being shared with creative agencies, a modern organisation’s data is increasingly spread across many parties. And while the IT function can, in theory at least, provide an inventory of all the data they hold, it’s difficult to do that throughout the supply chain, impossible, even, if different parts of the business are doing their own thing.Organisations are digitising their supply chains, adding automatic restocking and automatic ordering, and federating inventory management. They’re outsourcing many functions and rely on specialised firms for a range of advice. {#159, Member interview, YES}The dependencies are only going to increase, as are the risks of security incidents at supply chain partners.Growth and the decreasing cost of 3D printers – devices that can create three-dimensional products from digital blueprints – will increase the appeal of stealing intellectual property, the frequency of supply chain partners being targeted and the amount and quality of counterfeit product on the market. Complex and costly riskThe risk is complex. First, innocuous data is more valuable. Banks hold more than customer addresses and account numbers: they might know credit ratings, spending patterns and annual income. Most organisations hold more than basic employee information such as social security or national insurance numbers: they may also have salary data, passport numbers and detailed CVs. Telephone companies might know voicemail passwords and calling patterns. These are but a few examples of information criminals seek out for its value in identity theft and social engineering.Second, outsourcers may have outsourcers. If an organisation has trouble creating an inventory of data on its own systems, or indentifying personal or sensitive data, how can it do so with its suppliers’ suppliers?Finally, it’s worth taking a broad view of the supply chain. Rather than limiting it to the vendors with whom you spend the most money on raw materials or parts, for example, from an information security perspective it could also include legal and other professional advisors, creative agencies, even office cleaners. The World Economic Forum reports that 30% of organisations estimate losses up to 5% of annual revenue due to supply chain disruption. They also identified data and information sharing as one of the top three areas in need of improvement to secure the supply chain. {#507, WEF, YES} (“threat magnifiers” box)Supply chain disruptions require switch to less secure suppliers leading to data loss New models for addressing supply chain transport risk, World Economic Forum, 2012
  • 52% - Well, there are few threats out there that we couldn't imagine only 12 months ago (52%)38% - You're right, I can't really think of anything significantly new (38%)
  • Many of the threats in this year’s report have been around for awhile, but they’ve evolved. Attackers aren’t the proverbial teenager in a bedroom; they’re online collectives, organised criminal gangs and nation states, collaborating and competing in what we call Malspace.Early viruses were more likely to crash than do damage; a recent one infected 75,000 systems in ten minutes. New malware uses a phone’s camera to secretly take pictures – the software chooses the better ones and transmits them so an attacker can perform reconnaissance by modelling the office space.
  • This isn’t a slam on outsourcing – it’s a slam on doing it wrong
  • Gatorade anecdote is taking out of his beverage an ingredient called brominated vegetable oil.The chemical shares an ingredient, bromine, with some flame retardants.
  • We’re broad: from nation states to people in our own countries after our IP
  • 2012 was the year of… 2013 was…
  • Threat Horizon 2015: More danger from known threats

    1. 1. ISF Threat Horizon Dr Adrian Davis, PhD, MBA, MBCS, CITP, CISMP Principal Research Analyst Information Security Forum
    2. 2. Agenda • The challenge • Our answer: Threat Horizon • 2013... • 2014… • 2015… • What can I do?
    3. 3. What is the ISF? An international association of over 320 leading global organisations, which... • • addresses key issues in information risk management through research and collaboration develops practical tools and guidance • is fully independent, not-for-profit organisation driven by its Members • promotes networking within its membership The leading, global authority on information security and information risk management
    4. 4. About predicting the future “It is impossible for men in the future to fly like birds. Flying is reserved for the angels.” —Milton Wright, Bishop , 1870, father of Orville and Wilbur Wright “This ‘telephone’ has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us.” — Western Union internal memo 1876 “I think there is a world market for maybe five computers.” — Thomas Watson, chairman of IBM 1943
    5. 5. …and the pace of change is accelerating Source:
    6. 6. The ISF Threat Horizon “ The brand is pivotal to us. How do you protect the brand? You look into the crystal ball, and the crystal ball is called the Threat Horizon. ”
    7. 7. How the ISF Threat Horizon helps Threat Horizon: • is annual • identifies threats to information security over 24 months • is written for a business and information security audience.
    8. 8. ISF Threat Horizon methodology (cool) Information Security Forum 8
    9. 9. 2013...
    10. 10. 2013 PLEST
    11. 11. The world of 2013 A view of the business and technical trends.... State vs. State Government intervention P OLITICAL L EGAL Breach notification E CONOMIC Cost of resources State vs. Non-state Digital human rights Rise of Africa S OCIO-CULTURAL T ECHNICAL meconomy Single-issue activism Location services 4G/LTE networks IPv6 adoption Smart grids
    12. 12. The information security trends of 2013 Considering the PLEST framework, several major trends emerge: Data leakage P L EGAL E Beyond cloud OLITICAL CONOMIC S T Blended attacks OCIO-CULURAL ECHNICAL Attacks on infrastructure Hacktivism Data quality issues New e-crime opportunities Securing the supply chain Device revolution
    13. 13. An overview of the threats On the radar but not manageable On the radar and manageable Below the radar Black swans
    14. 14. Threats for 2013 • On the radar and manageable • Uncontrolled introduction of consumer devices • Loss of trust / inability to prove identity and authenticate • Loss of workforce loyalty – loss of organisational culture and knowledge • On the radar but not manageable • State-sponsored cyber-activity • Social media • Embedded location services
    15. 15. Threats for 2013 • Below the radar • Governmental requirements • Co-ordinated attacks for extortion, blackmail, bribery or stock manipulation • RFID exploits • Black swans • Hardware back doors (lowlevel attacks / vulnerabilities) in chips, SCADA • Solar activity disrupts communications globally
    16. 16. 2014...
    17. 17. Predictions for 2014
    19. 19. Cyber criminality increases as Malspace matures further • Significant increase in maturity of the industry • Crime-sourcing more common • Attacking the cloud, mobile platforms
    20. 20. Welcome to malspace – Global highly-functional industry that supports all aspects of modern crime – Supports the development and sale of: • sophisticated attack tools • services to help plan and coordinate attacks • laundering of stolen assets. The tools that we use are also available to our attackers Cyber Security Strategies Copyright © 2011 Information Security Forum Limited
    21. 21. The cyber arms race leads to a cyber cold war • Stuxnet proved the effectiveness of cyber weapons (vis-à-vis military action) • Investments into cyber resilience and intelligence sharing • Scale of cyber espionage becoming apparent, starting to hurt
    22. 22. More causes come online; activists get more active • New players • Protesting tools fully available • Increasing speed, reach and impetus of online democracy
    23. 23. Cyberspace gets physical • Real impact • Utilities hacked • Lives at stake
    25. 25. New requirements shine a light in dark corners, exposing weaknesses • Secrecy does not equal security • Transparency everywhere – regulations – business partners – customers • Whistle-blowing, fraud and cyber attacks
    26. 26. A focus on privacy distracts from other efforts • Incoming privacy regulations • New technologies, new concerns • Cyber havens
    27. 27. The regulatory storm… – Governments and regulators are demanding action – The results often have extra-territorial impacts: • • • • • EU Data Privacy Directive US FATCA US Dodd-Frank Act PCI DSS Proposed EU Directive on Network and Information Security
    28. 28. …is getting stronger • Monetary Authority of Singapore (MAS) – June 2012 notice: “[..] inform the Authority in writing within 30 minutes upon the discovery of all IT security incidents [...]” • ( 12/13%20June%202012%20Notice%20On%20Technology%20Risk%20Mana gement.pdf)
    30. 30. “CERT Australia: 44% of attacks originate from within the organisation…”
    31. 31. Cost pressures stifle investment; an undervalued function can’t keep up • West in self-induced stagnation • Legacy of underinvestment kicking back • Deteriorating security awareness
    32. 32. A clouded understanding leads to an outsourced mess • Strategically unsound business decisions strain security • IT security increasingly outsourced • Organisations in a digital divide
    33. 33. New technologies overwhelm • Mobile is king • The Internet of Things • Big data runs businesses off course
    34. 34. The supply chain springs a leak, as the insider threat comes from outside • Closer business relationships lead to unforeseen security challenges • Increased risk complexity • Your business information is your supplier’s data
    35. 35. IT is a key disruptor in supply chains... Risks Triggers for disruption 64% 63% Reliance on Oil shared data 59% natural disasters 59% 46% fragment ation conflict 57% 44% shocks subcontr acting 53% visibility 30% Information and communications
    36. 36. 2015...
    37. 37. Predictions for 2015 Information Security Forum 41
    38. 38. Predictions for 2015 Is there anything that’s really new? Information Security Forum 42
    39. 39. Predictions for 2015 Does “new” really matter? Threats have evolved. Attackers are organised. Attacks are sophisticated. Old threats are more dangerous and pose more risk to our organisations It’s not so much about “new” than about the potential to do harm. Information Security Forum 43
    41. 41. The CEO doesn’t get it • • • • Organisations’ dependence on cyberspace is still increasing The increasing knowledge from the board doesn’t always match Understanding cyber risks and rewards is fundamental to trust Organisations that do get it see business benefits Information Security Forum 45
    42. 42. Organisations can’t find the right people • Skills shortage is a main obstacle to deliver • Educational system can’t provide people with relevant experience • High unemployment make immigration a sensitive subject for governments
    43. 43. Outsourcing security backfires • Evolving environments require to maintain control on information security strategy • Loss of key capacities will disconnect the business from the information security strategy • Outsourcers are partners Information Security Forum 47
    45. 45. Insiders fuel corporate activism • People place their own ethics and perceptions above those of their employers • Organisations will be scrutinised by employees, contractors and customers • Hacktivists will join the fights Information Security Forum 49
    46. 46. Hacktivists create fear, uncertainty and doubt • Reputation becomes the target • Organisations have less time than ever to respond • People use non-verified sources of information such as Youtube or Twitter • Organisations will be guilty until proven innocent Information Security Forum 50
    48. 48. Crime as a Service (CaaS) upgrades to v2.0 • Criminal organisations have a huge and diverse talent pool readily available • Attacks are becoming even more sophisticated and targeted • Persons’ information is eclipsed by organisations’ information Information Security Forum 52
    49. 49. Information leaks all the time • The combination of sources provide valuable information • People need to realise the true value of information • Organisations need to define what is public information Information Security Forum 53
    51. 51. BYOC adds unmanaged risks • Amount of information is still increasing exponentially • So is the demand for access, anywhere, anytime and from any device • People already have their own cloud Information Security Forum 55
    52. 52. BYOD further increases information risk exposure • Organisations won’t be able to ignore bring your own device (BYOD) initiatives • Integration is complex and needs careful consideration • It’s the consumer oriented features which make a device popular • The number different architectures and their updates can be a support nightmare Information Security Forum 56
    54. 54. Governments and regulators won’t do it for you • • • • Governments have a role in securing cyberspace Governments are expecting organisations to do their part Regulations can’t keep up with the speed of technology No one can better protect an organisations’ information than the organisation itself Information Security Forum 58
    56. 56. It’s as much about the predictions… • …as what you do with them.
    57. 57. Recommendations 1. 2. 3. 4. 5. 6. 7. Prepare for the strategic challenge of cyberspace Build cyber resilience into your organisation Create or enhance your strategy and governance Develop an incident management capability Secure your supply chain Focus on the basics Keep looking forwards
    58. 58. 1. Prepare for the strategic challenge of cyberspace • CYBERSPACE – Always-on, technologically interconnected world – Made up of people, organisations, information and technology • CYBERSECURITY – Organisation’s ability to secure its people, information, systems and reputation – Builds on information security – the basics and principles are the same
    59. 59. 2. Build cyber resilience into your organisation – Organisation’s capability to withstand impacts from threats materialising in cyberspace – Covers all threats – even the one we don’t know about – Driven by agile, broader risk management • Linking information risk to ERM Cyber Security Strategies Copyright © 2011 Information Security Forum Limited
    60. 60. 3. Create or enhance your strategy and governance A plan of action to take the information security function from mission to vision
    61. 61. 3. Create or enhance your strategy and governance Aligned to ISO/IEC 27014
    62. 62. 4. Develop an incident management capability •There are five key components which need to be addressed to establish an effective information security incident management capability. Post incident analysis and forensics are vital. The results from these should change risk assessments that select controls
    63. 63. 5. Secure your supply chain: Follow the information 1. Approve • Build support 2. Prepare • Create the tools and build on existing risk management 3. Discover • Categorise, prioritise and assess existing contracts 4. Embed • Build information risk management in to the vendor lifecycle and new contracts Aligned to ISO/IEC 27036 67
    64. 64. 6. Focus on the basics: collaborate – Adopt a consistent approach to security – Integrate security in the business – Share information on attacks – Build awareness across your customers, suppliers and employees – Build up a threat picture
    65. 65. 7. Keep looking forwards… go beyond the horizon • • • • • • • • Biometrics Embedded chips Quantum computing SPIT Nano-technology AI New interfaces Everyone connected to everything
    66. 66. Conclusion
    67. 67. The threat is changing and evolving… • Bring your own device (BYOD, 2013) is now bring your own Cloud (BYOC, 2015) • Loss of knowledge (2013) has become lack of knowledge (2015) • State-sponsored cyber activity (2013) is hotting up (2014) and merging with Cybercrime 2.0 (2015) • Supply chains first appeared in 2014; now they are a key threat source (2015), via outsourcing and the cloud (2014, 2015) • Social media (2013) has become hacktivism (2014 and 2015) Information Security Forum 72
    68. 68. The threat is changing and evolving… • The greatest threat is, and always will be, people – We’ve always stressed the people aspect • The threats are not only from the bad guys: – Good guys make mistakes – People who don’t want to, or cannot, understand the ‘cyber world’ – Missed opportunities • Remember, there are many positives – You can minimise your vulnerabilities – The Internet, along with mobile devices, offers an unparalleled opportunity to create new businesses, services and products – Treat these as business risk to be managed and overcome Information Security Forum 73
    69. 69. Information Security Forum