
Threat Horizon 2015: More danger from known threats


Lecture

Adrian Davis. Principal Research Analyst, Information Security Forum

Published in: Technology

  1. ISF Threat Horizon. Dr Adrian Davis, PhD, MBA, MBCS, CITP, CISMP, Principal Research Analyst, Information Security Forum
  2. Agenda
     • The challenge
     • Our answer: Threat Horizon
     • 2013...
     • 2014…
     • 2015…
     • What can I do?
  3. What is the ISF? An international association of over 320 leading global organisations, which...
     • addresses key issues in information risk management through research and collaboration
     • develops practical tools and guidance
     • is a fully independent, not-for-profit organisation driven by its Members
     • promotes networking within its membership
     The leading, global authority on information security and information risk management.
  4. About predicting the future
     “It is impossible for men in the future to fly like birds. Flying is reserved for the angels.” — Milton Wright, Bishop, 1870, father of Orville and Wilbur Wright
     “This ‘telephone’ has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us.” — Western Union internal memo, 1876
     “I think there is a world market for maybe five computers.” — Thomas Watson, chairman of IBM, 1943
  5. …and the pace of change is accelerating. Source: http://directorblue.blogspot.com/2011/07/time-to-reach-20-million-users.html
  6. The ISF Threat Horizon: “The brand is pivotal to us. How do you protect the brand? You look into the crystal ball, and the crystal ball is called the Threat Horizon.”
  7. How the ISF Threat Horizon helps. Threat Horizon:
     • is annual
     • identifies threats to information security over 24 months
     • is written for a business and information security audience.
  8. ISF Threat Horizon methodology (cool). Information Security Forum 8
  9. 2013...
  10. 2013 PLEST
  11. The world of 2013: a view of the business and technical trends across the PLEST framework (Political, Legal, Economic, Socio-cultural, Technical). Trends shown: State vs. State; Government intervention; Breach notification; Cost of resources; State vs. Non-state; Digital human rights; Rise of Africa; meconomy; Single-issue activism; Location services; 4G/LTE networks; IPv6 adoption; Smart grids.
  12. The information security trends of 2013. Considering the PLEST framework (Political, Legal, Economic, Socio-cultural, Technical), several major trends emerge: Data leakage; Beyond cloud; Blended attacks; Attacks on infrastructure; Hacktivism; Data quality issues; New e-crime opportunities; Securing the supply chain; Device revolution.
  13. An overview of the threats, grouped as: On the radar but not manageable; On the radar and manageable; Below the radar; Black swans.
  14. Threats for 2013
     • On the radar and manageable
       – Uncontrolled introduction of consumer devices
       – Loss of trust / inability to prove identity and authenticate
       – Loss of workforce loyalty – loss of organisational culture and knowledge
     • On the radar but not manageable
       – State-sponsored cyber-activity
       – Social media
       – Embedded location services
  15. Threats for 2013
     • Below the radar
       – Governmental requirements
       – Co-ordinated attacks for extortion, blackmail, bribery or stock manipulation
       – RFID exploits
     • Black swans
       – Hardware back doors (low-level attacks / vulnerabilities) in chips, SCADA
       – Solar activity disrupts communications globally
  16. 2014...
  17. Predictions for 2014
  18. EXTERNAL THREATS
  19. Cyber criminality increases as Malspace matures further
     • Significant increase in maturity of the industry
     • Crime-sourcing more common
     • Attacking the cloud, mobile platforms
  20. Welcome to malspace
     – Global highly-functional industry that supports all aspects of modern crime
     – Supports the development and sale of:
       • sophisticated attack tools
       • services to help plan and coordinate attacks
       • laundering of stolen assets.
     The tools that we use are also available to our attackers. www.securityforum.org Cyber Security Strategies Copyright © 2011 Information Security Forum Limited
  21. The cyber arms race leads to a cyber cold war
     • Stuxnet proved the effectiveness of cyber weapons (vis-à-vis military action)
     • Investments into cyber resilience and intelligence sharing
     • Scale of cyber espionage becoming apparent, starting to hurt
  22. More causes come online; activists get more active
     • New players
     • Protesting tools fully available
     • Increasing speed, reach and impetus of online democracy
  23. Cyberspace gets physical
     • Real impact
     • Utilities hacked
     • Lives at stake
  24. REGULATORY THREATS
  25. New requirements shine a light in dark corners, exposing weaknesses
     • Secrecy does not equal security
     • Transparency everywhere
       – regulations
       – business partners
       – customers
     • Whistle-blowing, fraud and cyber attacks
  26. A focus on privacy distracts from other efforts
     • Incoming privacy regulations
     • New technologies, new concerns
     • Cyber havens
  27. The regulatory storm…
     – Governments and regulators are demanding action
     – The results often have extra-territorial impacts:
       • EU Data Privacy Directive
       • US FATCA
       • US Dodd-Frank Act
       • PCI DSS
       • Proposed EU Directive on Network and Information Security
  28. …is getting stronger
     • Monetary Authority of Singapore (MAS) – June 2012 notice: “[..] inform the Authority in writing within 30 minutes upon the discovery of all IT security incidents [...]” (http://www.mas.gov.sg/~/media/resource/publications/consult_papers/2012/13%20June%202012%20Notice%20On%20Technology%20Risk%20Management.pdf)
  29. INTERNAL THREATS
  30. “CERT Australia: 44% of attacks originate from within the organisation…”
  31. Cost pressures stifle investment; an undervalued function can’t keep up
     • West in self-induced stagnation
     • Legacy of underinvestment kicking back
     • Deteriorating security awareness
  32. A clouded understanding leads to an outsourced mess
     • Strategically unsound business decisions strain security
     • IT security increasingly outsourced
     • Organisations in a digital divide
  33. New technologies overwhelm
     • Mobile is king
     • The Internet of Things
     • Big data runs businesses off course
  34. The supply chain springs a leak, as the insider threat comes from outside
     • Closer business relationships lead to unforeseen security challenges
     • Increased risk complexity
     • Your business information is your supplier’s data
  35. IT is a key disruptor in supply chains... [Chart: two columns, “Risks” (reliance on shared data, fragmentation, subcontracting, visibility) and “Triggers for disruption” (oil, natural disasters, conflict, shocks, information and communications); the percentages shown (64%, 63%, 59%, 59%, 46%, 57%, 44%, 53%, 30%) cannot be reliably paired with their labels in this transcript.]
  36. 2015...
  37. Predictions for 2015
  38. Predictions for 2015. Is there anything that’s really new?
  39. Predictions for 2015. Does “new” really matter? Threats have evolved. Attackers are organised. Attacks are sophisticated. Old threats are more dangerous and pose more risk to our organisations. It’s not so much about “new” as about the potential to do harm.
  40. CYBER RISK IS CHALLENGING
  41. The CEO doesn’t get it
     • Organisations’ dependence on cyberspace is still increasing
     • The increasing knowledge from the board doesn’t always match
     • Understanding cyber risks and rewards is fundamental to trust
     • Organisations that do get it see business benefits
  42. Organisations can’t find the right people
     • Skills shortage is a main obstacle to delivery
     • Educational system can’t provide people with relevant experience
     • High unemployment makes immigration a sensitive subject for governments
  43. Outsourcing security backfires
     • Evolving environments require maintaining control of the information security strategy
     • Loss of key capacities will disconnect the business from the information security strategy
     • Outsourcers are partners
  44. REPUTATION IS THE NEW TARGET
  45. Insiders fuel corporate activism
     • People place their own ethics and perceptions above those of their employers
     • Organisations will be scrutinised by employees, contractors and customers
     • Hacktivists will join the fights
  46. Hacktivists create fear, uncertainty and doubt
     • Reputation becomes the target
     • Organisations have less time than ever to respond
     • People use non-verified sources of information such as YouTube or Twitter
     • Organisations will be guilty until proven innocent
  47. CYBER RISK IS CHALLENGING
  48. Crime as a Service (CaaS) upgrades to v2.0
     • Criminal organisations have a huge and diverse talent pool readily available
     • Attacks are becoming even more sophisticated and targeted
     • Persons’ information is eclipsed by organisations’ information
  49. Information leaks all the time
     • The combination of sources provides valuable information
     • People need to realise the true value of information
     • Organisations need to define what is public information
  50. CHANGING PACE OF TECHNOLOGY
  51. BYOC adds unmanaged risks
     • Amount of information is still increasing exponentially
     • So is the demand for access, anywhere, anytime and from any device
     • People already have their own cloud
  52. BYOD further increases information risk exposure
     • Organisations won’t be able to ignore bring your own device (BYOD) initiatives
     • Integration is complex and needs careful consideration
     • It’s the consumer-oriented features which make a device popular
     • The number of different architectures and their updates can be a support nightmare
  53. DO NOT MISUNDERSTAND THE ROLE OF GOVERNMENT
  54. Governments and regulators won’t do it for you
     • Governments have a role in securing cyberspace
     • Governments are expecting organisations to do their part
     • Regulations can’t keep up with the speed of technology
     • No one can better protect an organisation’s information than the organisation itself
  55. WHAT CAN I DO? RECOMMENDATIONS
  56. It’s as much about the predictions… as what you do with them.
  57. Recommendations
     1. Prepare for the strategic challenge of cyberspace
     2. Build cyber resilience into your organisation
     3. Create or enhance your strategy and governance
     4. Develop an incident management capability
     5. Secure your supply chain
     6. Focus on the basics
     7. Keep looking forwards
  58. 1. Prepare for the strategic challenge of cyberspace
     • CYBERSPACE
       – Always-on, technologically interconnected world
       – Made up of people, organisations, information and technology
     • CYBERSECURITY
       – Organisation’s ability to secure its people, information, systems and reputation
       – Builds on information security – the basics and principles are the same
  59. 2. Build cyber resilience into your organisation
     – Organisation’s capability to withstand impacts from threats materialising in cyberspace
     – Covers all threats – even the ones we don’t know about
     – Driven by agile, broader risk management
       • Linking information risk to ERM
  60. 3. Create or enhance your strategy and governance. A plan of action to take the information security function from mission to vision
  61. 3. Create or enhance your strategy and governance. Aligned to ISO/IEC 27014
  62. 4. Develop an incident management capability
     • There are five key components which need to be addressed to establish an effective information security incident management capability. Post-incident analysis and forensics are vital. The results from these should change the risk assessments that select controls.
  63. 5. Secure your supply chain: follow the information
     1. Approve
        • Build support
     2. Prepare
        • Create the tools and build on existing risk management
     3. Discover
        • Categorise, prioritise and assess existing contracts
     4. Embed
        • Build information risk management into the vendor lifecycle and new contracts
     Aligned to ISO/IEC 27036
  64. 6. Focus on the basics: collaborate
     – Adopt a consistent approach to security
     – Integrate security in the business
     – Share information on attacks
     – Build awareness across your customers, suppliers and employees
     – Build up a threat picture
  65. 7. Keep looking forwards… go beyond the horizon
     • Biometrics
     • Embedded chips
     • Quantum computing
     • SPIT
     • Nano-technology
     • AI
     • New interfaces
     • Everyone connected to everything
  66. Conclusion
  67. The threat is changing and evolving…
     • Bring your own device (BYOD, 2013) is now bring your own cloud (BYOC, 2015)
     • Loss of knowledge (2013) has become lack of knowledge (2015)
     • State-sponsored cyber activity (2013) is hotting up (2014) and merging with Cybercrime 2.0 (2015)
     • Supply chains first appeared in 2014; now they are a key threat source (2015), via outsourcing and the cloud (2014, 2015)
     • Social media (2013) has become hacktivism (2014 and 2015)
  68. The threat is changing and evolving…
     • The greatest threat is, and always will be, people
       – We’ve always stressed the people aspect
     • The threats are not only from the bad guys:
       – Good guys make mistakes
       – People who don’t want to, or cannot, understand the ‘cyber world’
       – Missed opportunities
     • Remember, there are many positives
       – You can minimise your vulnerabilities
       – The Internet, along with mobile devices, offers an unparalleled opportunity to create new businesses, services and products
       – Treat these as business risks to be managed and overcome
  69. Information Security Forum. adrian.davis@securityforum.org www.securityforum.org http://uk.linkedin.com/in/adriandaviscitp/
