The RSA security event was hosted last week in San Francisco. Circa 40000 people converged together at the immense Moscone Centre to understand information security challenges & solutions old, new and very very new that may help to protect and defend us all in an increasingly complex digital world.
The core thread of this year’s event, the “Human Element” is the most important aspect of the IT security world. Human behaviour guided by a proactive security persona can deliver positive defence against all but the most focussed and complex attacks. However, humans are equally the ideal vector targeted for compromise to ensure attacks are successful.
The recent virus outbreak of Covid-19 (Coronavirus) did affect the RSA event in numerous ways. For the first time a number (not many) of large segments of floor space remained empty based on the last minute withdrawal of a handful of security vendors. The normal on stand giveaways contained a “must have” in various forms and packages – “hand sanitizer” (thankfully something finally got rid of stress balls). The fear of virus transmission via handshakes was highly evident with a ” will they, won’t they” shake hands mental dance undertaken by many even with hand sanitizer available to minimize the spread of the virus. I fear the fist and elbow bumping used by many continue through the year (please “no”).
With so many vendors, activities, people sensory overload quickly overtook physical tiredness. The “Human Element” remained the key theme for the event but wasn’t alone as the main story. All attendees will summarise their own event messaging take aways based on their own rationale for attendance but the following resonated from my personal perspective.
- The “Human Element” of course
- Security automation
- The impact of threat intelligence (fundamental)
- Next generation security operations
- The growing importance of the Mitre framework
- Device, connection and person security visibility
- Cloud & application development secure outcomes
- The benefits of a platform approach to security architecture
There were many many more topics than the eight above, but I noticed they were most prominent from my perspective in the underpinning storyboards of many vendors.
It was pleasing to see increased numbers of vendors reinforcing optimum security is not about prevention or detection but instead both with accelerated remediation to a known good state the ultimate security operational goal. It is impossible to prevent all inbound attacks especially when “the Human Element” remains the most important and accessible part of the digital engagement chain. Simplification, enhanced visibility, a dynamic platform plus a single page view integrating all vendors must be the essential goal for any vendor aiming for mastery.
I have mentioned a few times on these pages the benefits to all of “brilliant basics”. It’s time for us to strive for operational simplicity always (automation can help) to make a secure outcome, the default outcome for the system or application user whether it is a person or a “thing”. The user should not need to consider “switching on security” for a particular task or outcome, it must be inherent, automatically appear (ideally invisibly) and protect the user activity by design. We can do this today in both application development and security operational delivery environments but in too many cases allow culture and traditional ways of working to stall our progress towards a secure by default digital world. Synergy is the way forward to ensure a win win for all.
In summary the RSA security event remains a “must attend” event for anyone in enterprise information technology and security operations. The focus by attackers using the “Human Element” as the most effective control stack to breach should highlight to all that simplicity, knowledge and potentially automation of security controls to empower those same humans will ensure they become the first & best line of defence. We must be on our guard. Be aware on this same note, large scale email phishing campaigns with information updates about Covid-19 are circulating in the wild and starting to have an impact as increased numbers of curious users engage to gain more information. Turn up your defences, warn and educate yourself and your users.
The “Human Element” is without doubt the most important element in the security chain – working together we can also make it the strongest one.
Until next time.
Business Line CTO Computacenter UK (Networking and Security)
Email inboxes around the globe are filled though January with a flurry of IT market and technology predictions. I’ve been guilty of writing them in the past but chose not to this year. However, a few people have nudged me and requested at least a summary or a few ideas on a few significant IT security areas to consider through 2020 (not predictions). One thing I can convey with certainty, is that fact we actually don’t know what will happen in the security arena moving forward, we can assume and theorise but don’t really know. The business and technology landscape has never been more uncertain, with well skilled and financed attackers (at times more so than the defenders) due to the potential for immense rewards. To that end organisations need to be aware, pragmatic, agile with effective security controls and actionable remediation strategies to help them deliver “Secure IT”.
So, what might happen
The “Windows 7” platform will be a highly targeted attack vector (whether embedded, full function or other). Whilst many users remain emotionally and operationally wedded to the now reliable and robust legacy operating system, the end of operating system support and patches for Windows 7 software platforms means enterprises as a minimum must evolve away from Windows 7 to Windows 10 or to another secure and supported operating environment. If a move from Windows 7 cannot be undertaken in a timely manner, compensatory controls for example the use of virtual patching may add a layer of defence but that will very short lived. A move from the Windows 7 operating platform is the only outcome to maximise user and system security.
Next up, “connected things”. IOT is the collective term frequently used to describe connected devices, often without an interface for human input but “connected things” collect, process, transmit and sometimes store data. The sheer volume of connected things increases the security challenge with defenders requiring real time visibility, always on controls as they seek to minimise or eliminate the potential for attack. To make matters worse, many of the “things” become invisible to the human eye hidden in ceilings, behind walls or embedded in other devices. But they remain highly visible to attackers are easily located with simplistic scanning tools and can be used to launch highly damaging attacks (or as a beachhead to enter a networked environment). Visibility visibility visibility is everything – you can’t secure things you cannot digitally see. Connected device visibility platforms or advanced NAC systems help to determine the type, status, behaviour of all connected devices. This allows them to determine posture, grant and revoke access, supply data inputs to asset and CMDB databases but more importantly to help organisations to create and maintain a baseline of “normal or known good security”.
And last but not least, “the human vector” remains a key consideration in 2020. Un-informed users have the potential to become the weakest link in the security chain, but informed, engaged, security conscious users become one of the most significant elements of optimum security. Users have the power to make intellectual and dynamic decisions, interpreting situations in a way technology based controls cannot. With users as educated, security advocates and technical security controls working together in harmony, end to end optimum security becomes a reality not a dream.
As a recap, to maintain a security by design and by default in 2020 for users, business & consumers, three areas will be high on my list:
- Acceleration of the move from Windows 7 (or to secondary compensatory security deployed if a platform move is not possible)
- Optimum visibility of connected things (traditional connected devices and IOT) to ensure they can be located, patched, secured.
- Inspirational education of “the human” to intentionally become the strongest security link in the digital chain.
Through 2020 we must strive to make intentional security simple to consume, manage, operate and EFFECTIVE. This will help users, organisations and the industry to shift the current mindset and position security positively as the essential enabler of the digital world. Its time to start now, start today.
Until Next time.
Business Line CTO Networking and Security – Computacenter UK
In this blog, we look at how taking a Zero Trust approach to developing and provisioning apps can help to prevent security breaches.
Guest blog from Simon Minton, Global Cyber Security Advisor at Cisco
The security threat of using apps
Sharing meeting notes. Processing customer transactions. Logging expenses. Signing contracts. More and more business processes are getting the app treatment. And that means more and more data is being exposed to potential security threats.
How businesses are using the cloud
To ensure apps deliver on stakeholders’ agility and efficiency expectations, organisations are increasingly using the cloud to provision functionality to users both in the workplace and beyond. Apps aren’t just being provisioned via the cloud; they are being developed in the cloud too – and that introduces another layer of complexity and risk.
Cloud-native development enables organisations to build and update apps quickly. But the speed at which apps evolve can result in security being overlooked – especially as organisations increasingly bring application development back in-house due to its strategic and competitive importance.
Join the DevSecOps revolution
The need to balance security with agility has given rise to a new operating model in the app development world. DevSecOps isn’t just about adopting new processes and tools; it’s about adopting a new mindset in which everyone in the app lifecycle is responsible for security – whether they are a developer, a business stakeholder or a user.
What is DevSecOps?
DevSecOps shifts security from a bolt-on activity late in the process of application development, when much of the architecture has already been defined, to a fundamental part of the design, build and continuous delivery.
In order for DevSecOps principles to take root in an organisation, developers need to be encouraged to take ownership of security, much like they are incentivised to develop metrics around application availability and performance.
Reducing the impact of data breaches when using apps
Most data breaches occur from two interlinking scenarios; an exploitation of either the application itself and/or exploitation of the infrastructure hosting the application. Several recent high profile breaches occurred because of a misconfiguration of the supporting cloud infrastructure. The shared security model adopted by all cloud providers puts the onus on its customers to ensure that cloud services are properly configured.
Ensuring developers and IT security teams work together to proactively remediate misconfigurations in an application or infrastructure can help to reduce the impact from an incident or breach. Data analytics will be increasingly important for both teams when pinpointing application and cloud misconfigurations as well as malicious activity.
Monitoring solutions that leverage machine learning and behavioural modelling can provide visibility of activity not only on the network but also within the development environment and across cloud resources – which can act as an early warning of a potential security breach on an app or within the broader ecosystem.
For example, Cisco Stealthwatch collects and analyses network and cloud telemetry and correlates threat behaviours seen locally within the enterprise with those seen globally to detect anomalies that might be malicious.
To trust or not to trust?
Advanced threat detection solutions can also help to identify policy violations and misconfigured cloud assets that could compromise the future security of an app. But visibility into potential app vulnerabilities needs to go one step further.
With internal and external developers increasingly using internet-based open source elements, such as software libraries, to accelerate time-to-market, apps have become a patchwork of unseen – and often unknown – components. All of which could introduce unexpected risks and dependencies.
Around 80% of an enterprise application is created using open source software libraries downloaded from the internet. Organisations often have very limited understanding of the risks inherent in these libraries or lack the policies needed to remediate known vulnerabilities.
Adopting a Zero Trust approach to app development
By adopting a Zero Trust approach (where everything must be validated before it can be trusted) to app development, organisations will be able to identify potential security flaws much earlier. This will not only save time and money but also avoid reputational damage.
A Zero Trust approach can also be extended beyond the development stage to the entire lifecycle of the app. Users and devices accessing apps also need to be regularly validated to ensure they are not trying to launch an attack or steal data.
By getting smarter about how they provision and develop apps from the cloud, organisations will be able to protect thousands of employees and customers and provide a richer and safer app experience.
Everyone loves a sequel – just look at how well the latest Toy Story instalment is performing at the box offices. But there’s one sequel that we could all do without: Ransomware 2. It’s back, and like the best horror movie villains, it’s nastier and bolder than ever before.
Ransomware 2 has already claimed a number of high-profile victims. At the end of June, two US cities paid around $500,000 each to get files and data unlocked following successful attacks. The bill for Norsk Hydro, a global aluminium producer, was even higher. It didn’t pay the ransom, but it still paid the price.
The entire workforce had to resort to pen and paper when ransomware took hold across 22,000 computers in 40 different countries – Norsk Hydro is still recovering nearly three months later. On average, a ransomware attack results in seven days of downtime.
Although the Norsk Hydro’s tough stance has boosted its reputation; it’s also damaged its bottom line – the cost of the attack has already topped £45 million. The company is not the first to end up with a multi-million dollar bill: the Baltimore City government was hit with a massive ransomware attack that left it crippled for over a month, with a loss value of more than $18 million.
The resurgence of ransomware is not surprising – it’s a proven business model and a repeatable one. It works not only at an enterprise level but a personal level too. Individuals can be just as willing to pay a ransom to unlock personal data, such as family photos and financial files, if they are the targeted by an attack.
So how do you avoid joining the ransomware ranks? Although ransomware is powered by malicious software, it still needs human interaction to succeed. Just one click on a spam email or an infected ad is all it needs for a ransomware attack to be initiated. Even a visit to a legitimate website can land you in trouble, if the site is infected with code installed to redirect users to a malicious website.
Better user education can help prevent ransomware being unleashed – whether it’s on a home device or a business computer – but it will never completely eliminate the risk. So organisations need to be ready to fight back when the ransomware ball starts rolling, which means they need robust protection from the DNS layer to the email and the endpoint.
Blocking spam and phishing emails along with malicious attachments and URLs is an important first step. But the need to balance employee flexibility with IT security means the net can never be fully closed.
Even if someone clicks on a malicious link or file, organisations can still supress an attack. If ransomware can’t connect back to the mothership, it can’t be activated.
With thousands of DNS requests being initiated across an enterprise every day, detecting which ones are genuine and which are malicious requires highly sophisticated technology. Instead of proxying all web traffic, intelligent ransomware defence solutions will route requests to risky domains for deeper URL and file inspection. They will also be able to draw on contextual security to identify unusual and potentially unsafe requests from individual endpoints.
These insights enable IT teams to make quick risk judgements that block threats without blocking genuine business activity. With new risks emerging all the time, ransomware defence solutions need to receive constant updates on the latest sources of malicious content.
If the call back to a command and control server is successful, there are still ways to contain a ransomware attack before it proliferates across an entire organisation. For example, dynamic segmentation can prevent ransomware from travelling across the network – helping to avoid a full-scale outage as experienced by Norsk Hydro.
By taking a layered approach to security, organisations and individuals can mount multiple defences against ransomware whether it’s launched via the web or email. And they will need every one of these defences because Ransomware 2 looks like it’s going to be a blockbuster. Ransomware damages are predicted to reach $11.5 billion in 2019.
Stay safe until next time.
Business Line CTO Computacenter UK – Networking and Security
Happy New Year and I hope the festive break was “a break”. Some continue to work throughout the festive season (or the global economy would meltdown), but for many back to work for 2019 started in earnest this week. I have so far avoided 2019 “predictions”, “prophecies”, “educated articulation of interesting stuff” to date based on so many of them circulating the social media and email landscape. However, a fair few messages asking for a perspective on the networking and security world for 2019 have stimulated me to scribble a few words.
And here comes the shock, I will be quite boring with my summary of the market and technology impacts for 2019 (well at least the first half) because I will continue to encourage to all who will listen that the most important edict they can institutionalize in their own psyche and the organisational operational IT approach is to ensure the basics are “brilliant”. Modern business should only have a single state, secure business with an unintentionally insecure environment almost unthinkable in the digital age. As the creation, processing, analysis and management of digital data streams continue to underpin and energize both user and business outcomes an intentionally secure by design philosophy is the only way to stem the attack tide.
Security isn’t the task of security professionals alone, but every application or system user with a level of consciousness about the consequence of breach or failure must now acknowledge “intentional security” is the responsibility of all.
Ensuring the basics are brilliant, with security controls mapped to business activity, outcome and consequence, with auditing and automation leveraged to optimize operations will increase the level of certainly of a user or organisations security posture.
· Privileged account security
· Multi factor authentication
· Managed encryption.
· Vulnerability management PLUS
· Identity management PLUS
· Enterprise anti phishing with associated user education
· Intelligent endpoint security (user or things)
Can you embrace how boring the list above may seem – hopefully that’s the case. The list above are subset of the “Brilliant Basics” that MUST underpin the secure defences of all. You are possibly about to click away from this screen buoyed by the view “we have got all of those” and that may be the case. But even with great guidance from Cyber Essentials, CIS, NIST, etc many organisations I meet are a snippet of “luck” away from a comprehensive breach due to absence, failure or poor execution of the controls above with the negative consequence avoidable.
If there is no auditable and actively managed operational state of the items mentioned above integrated together to ensure security is seamless, intentional, proactive why consider the wealth of advanced and esoteric new products showcased daily – get the basics right.
So my 2019 ask so early in the year is to be brutal and rigorously appraise the brilliance of your “basic” security controls. Are they operational consistent, audited, integrated, holistic, bidirectional from an information and threat exchange, automated where possible – score your current state.
Why make it easier to be breached when organisations highly engineered, often very expensive, operational complex defences fail due to the failure to control the controllables or optimise the known basic elements.
Until next time.
LOB CTO – Networking and Security Computacenter UK
Note: This perspective is the viewpoint of Colin Williams and does not constitute an opinion of Computacenter Group.
This must be the “strangest” of strange states as our consumer society evolves from zero “Black Fridays” to two – and gives my original article a second lease of life. The early bird resellers launched Black Friday part one last week attempting to steal a march on the masses, but the real frenzy and furore starts now with the default Black Friday fast approaching followed by Cyber Monday just around the corner.
These two shopping days were absent from my childhood as I lived a world of window shopping that on the odd occasions evolved to in store browsing when I sought to interact and engage with the myriad of products I hoped I could one day afford to buy. Click and collect didn’t exist but via a very thick paper based catalogue “click and deliver” was a highly rewarding activity with the click of buttons on the home phone followed by that feeling of Christmas when the catalogue item was delivered via the postal service (nothing ever fitted or looked as amazing as the catalogue pictures).
But as we fast forward to the present day with frequent announcements of the demise of the high street, much of our in store browsing is online (and frequently from a mobile device), click and collect / deliver an essential way of life and our approach to product selection and purchasing is now unrecognisable from a decade ago. Our immersion in social networks, digital procurement platforms and financial systems have helped to make many of us digital by default when we shift into product buying mode because the sheer breadth of offerings and convenience is unmatched.
But it comes with a health risk. The “digital me (or you)” and our always on entity existing on both known and unknown public platforms, ensures we become valid targets for attackers seeking to emulate our digital personas for financial gain. Black Friday signals the start of one of the busiest and most frenzied trading weekends of the year. The mix of in store and online price reductions results in both “want and need” based purchasing to ensure “too good to be true” deals are not missed, culminating on Cyber Monday with an online price war second to none.
Secure business, secure purchasing, secure user experience are often assumed by customers without a second thought of the cyber threat spectre waiting in the wings. This leaves many combing the net for deals, offers, codes or any other digital token to make “cheap” even “cheaper”, blissfully unware that many of those “benefits” are fake, malware ridden or designed to harvest personal credentials for future use.
Cyber Monday 2017 surpassed $6.7bn of sales which for both retailers and cyber treat actors is a prize too lucrative to ignore (stat CNBC). For retailers, getting the security basics right will be essential to ensure successful and secure consumer trading outcomes. DDOS mitigation, enhanced phishing protection, web application security, anti-malware, access review and least privilege are essential controls that must be tested and optimised in advance of the starting gun for Black Friday.
For consumers / users, education and heightened levels of cyber vigilance plus a realisation that too good to be true – “is too good to be true” when interacting with online systems prior to and beyond the Black Friday / Cyber Monday weekend. This is the time of year where spam and phishing Email volumes reach unprecedented levels with social engineering used to make those “offers” too compelling to ignore. DONT CLICK emails for “amazing deals and offers” – pure and simple as a moment of weakness may result in malware, ransomware or other forms of compromise taking hold of your digital persona and potentially that of your company. Its safer to visit the website of the vendor in question “directly”, no need to click a link that may not be from the company in question.
If you want to be “online smart” a few simple things can deliver HUGE security enhancements to your Black Friday shopping experience. Ensure you turn on the two-factor (or multi) authentication and notification options on your various online email services and accounts with further security improvements gained by using a password manager to ensure different passwords are applied to various services you use.
Building the walls higher just won’t do, both vendors and consumers must work in tandem to ensure the most secure possible online and digital trading experience is realised by all reducing the potential for data breach or subsequent misuse.
Safe and happy shopping during Black Friday and Cyber Monday 2018 (and beyond).
Until next time.
LOB CTO UK: Networking and Security – Computacenter UK
Things just became really interesting.
The recent news is awash with worrying claims from a credible source of “hidden” spying chips embedded within the motherboard of a leading server manufacturer. As yet, no manufacturer has released a statement confirming their existence but the information illuminating the potential is compelling. Surely it forces us all to consider our own personal, personal and professional “digital state” in this heavily connected world. Do we technically appraise every computer based device we use at design and component level to determine the source, use and security impact of all of the minute elements that make the device work. Of course we don’t, not only would the majority of us struggle to find out how to even open the device (have you tried to open a modern mobile phone with the myriad of specialist tools and hidden pressure points to make things pop open), we no way of actually understanding the function and outcome delivered by the components (when they work in harmony).
Can we be sure the most innocuous of household device has no secret and potentially malicious embedded elements that whilst not explicitly installed to be utilized in a nefarious way in the right hands can’t be leveraged to invoke a surveillance, recording or tracking function? It is this total ambivalence to the likelihood of it, until possibly today that means the potential may be more likely that we ever dreamed.
The days of hardcoded firmware delivering static intelligence to all but the most expensive and programmable devices is from a bygone era. Even the simplest digital device consists of user or system driven remotely programmable aspects that in some cases are core to the function of the device. Whether it’s used from software updates, device troubleshooting or in the case of some advanced modern vehicles to deliver totally new functionality, device or system programmability is a fundamental aspect of modern IT that enhances the consumer or user experience by making it “personal”.
Could we be shifting to a position of worry so great that we “sweep for bugs” when entering a room or prior to switching a device on in true James Bond mode – highly unlikely. But I suggest the recent announcements will ensure many IT leaders and operational teams increase the priority of network based security visibility platforms, AI or machine learning systems that examine and re-examine the most granular elements of telemetry and security aware behavioral analytics platforms that understand things we can’t comprehend.
Ask yourself when considering the IT platforms that underpin your business (or social existence), what can you really see, are you sure you know how they work and do you really understand the security heart that beats within?
Who would have thought, we are not even close to the iconic year 2020 and already we may be worrying about the moral intent in the digital soul of our machines. The future ahead is likely to be way more interesting than we have ever previously dreamed.
Until next time.
LOB CTO UK – Computacenter Networking and Security
It has become an intellectual tug of war to determine which is more important in the “connected” or “digital age” – networks or applications. Silly argument I hear you say, it’s obviously the …… not easy to answer. In the pre-connected world (if it really did exist), personal computing was as personal as possible, with no connectivity to / with anyone else. Local application, local storage, local processing and a local user made the need for a network superfluous. Fast forward to the present day with distributed processing, “the Internet”, streaming, “always on”, cloud based interaction and a socio digital culture with collaboration and engagement at its core. Without a network, the media rich, highly collaborative now fundamental “always present and connected” mode we embody at work or play is at best compromised and at worst eliminated.
We cannot envisage a world where the network doesn’t work, whether mobile carrier based entities or the home Wi-Fi, if you can’t connect you won’t connect. I spend most days in positive disruption mode challenging colleagues and customers to rethink the traditional approach to enterprise networking with the onus on automation to unlock agility and consolidation to drive simplification. The enterprise networks that underpin today’s digital reality are a wonderful amalgam of technology, people, process plus twenty years’ experience of “getting things to work”. But more is required by the network than a functional existence, as the carrier of our “Digital DNA” an optimised, flexible, agile network holds to the key to many of our future successes. It’s time to be “bold” – to embark on the network evolution required enterprises must dare to dream and envision the secure transport layer required for enhance current user interaction and energise future business outcomes. And when the dream presents the storyboard of how things should or must be, “make it so”.
Technical feature wars labouring the technology based rationale for network modification will be fruitless with a dead heat between vendors the likely end result. Only a user experience driven or business change inspired network transformation agenda will contain the intellectual and emotional energy required to overcome the cultural tides ahead. Wait and see changes and nothing, the time for change is now. With the right network, with tomorrow’s network today a potentially business limiting factor becomes business enabling. And not forgetting, if you get stuck – drop me a line.
“If you can’t connect you won’t connect”
Until next time.
Chief Technologist Computacenter UK – Networking and Security.
Once a year either at the end of an old or the start of a new year, I deliver a view on the forthcoming year. Common to many industry analysts who “call” the market, it’s a view based on customer sentiment (I speak to many many customers), extensive research, market knowledge and many years of experience (an elegant way of writing “gut feel”). This year I will release the “Security 10 for 2017” earlier than normal to reduce the comparison to other market perspectives that will appear on mass in January. Important note: the views within are my own and do not constitute the views of Computacenter Group.
This overview will be slightly longer than my normal 400 – 500 words, however I hope you understand the content deserves the extra literary real estate. Happy reading.
1: IOT attacks will increase
Focus on IOT non-human devices with weak security may increase as they become the ideal candidates to be used as botnets or drones. The weaker security layers within IOT devices with less evolved security components may result in the industry acting in catch up mode as each compromise signposts the remediation required and the next likely targets. There is no easy fix in sight with between 24 and 50 million IOT connected devices expected by 2020 but security basics including changing default passwords and remaining in tune with vendor software and patch updates are mandatory first steps. Key tip when considering IOT to deliver a business outcome, start with security in mind and end with security by default.
2: DDOS mega attacks will continue and worsen
DDOS attacks haven’t gone away, in fact Akamai cite a 125% increase in year on year attacks. With an increased volume of bots enabled via compromised IOT platforms and the real world turmoil generated by the massive DYN DDOS attack in October, attackers may consider the potential for disruption second to none. DDOS protection solutions have been deploy and forget for far too long with insufficient proactive scrutiny of logs and early warning alerts that may indicate a future larger attack is pending. Now is the time to fully understand the protection delivered by the service provider as a minimum to determine the likelihood of a successful attack.
3: Rise of insider (user) driven attacks.
Sadly humans can be a weak link with non-malicious user errors and insiders encouraged, bribed or bullied into undertaking actions that compromise systems. As client and datacentre security solutions increase in capability, therefore deliver enhanced protection, the user remains the least protected vector. User awareness, education and (with emphasis on accountability and liability) is continually highlighted as essential – now is the time to act and assign the highest priority level possible to security education for end users.
4: Last minute rush for GDPR compliance
Common to other historical compliance requirements, GDPR may suffer from a yearlong “wait and see” with the result slow progress, then a crisis driven rush to design and deploy solutions. GDPR shines a light on privacy with emphasis on data that contains personally identifiable information must be secure by default. The journey to compliance starts with awareness of the key GDPR directives, quickly followed by the need to understand the type of data in existence, where it resides across the enterprise and whether it is within the scope of GDPR. GDPR assessment and remediation solutions will be a major business impacting activity through 2017.
5: Social engineering attacks may become undetectable
Social engineering attacks may become so personalised and well-crafted they may be hard to detect from a human or systems perspective. Whether it’s sales driven “Black Friday” or the Christmas “social” season updates, the endless stream of social media publicised events may act as a catalyst to drive increased volumes of “better than good enough” phishing messages with amazing offers (that sadly deliver a malware payload or redirect). Social engineering is an area positively affected by enhanced user awareness and education.
6: Ransomware may spiral out of control
2016 has proved a successful year for ransomware with ransoms increasing in size and frequency – 2017 may see attacks increase rather than decrease. Recent vendor commentary indicates as many as 54% of UK businesses have experienced some form of attack (source: malwareBytes). Ransomware authors based of the sheer volume of malware released have access to an unprecedented amount of potential human targets. Client security solution enhancement, with the arrival of specialist anti exploit solutions may slow the ransomware march but not without the assistance of greatly increased end user security education. The fear of modern ransomware will drive a review of existing endpoint security technologies to reduce or eliminate the number of “first casualties” as surely one casualty is one too many
7: Cloud computing specific attacks will increase.
With organisations moving to the cloud, dedicated attacks (compromised permissions, etc) on cloud delivered applications and workloads may become the norm based on the potential to gain the largest prize. Cloud platforms are extremely well protected but the long list of potential attack vectors including credential theft, DDOS, data theft, compromise via zero day exploits and many other general security attacks (but targeted at cloud computing) may steadily increase as enterprises accelerate their use of cloud computing solution delivery modes.
8: Credential theft will continue to rise.
A robust digital identity is fast becoming a key deliverable within modern enterprises to facilitate secure single sign on across multiple platforms. This makes a stolen credential more lucrative than ever. Digital identity and credential theft may rise to the top of the security risk agenda for many organisations with digital credentials the golden key to both known and unknown “digital enterprise locks”. Attackers are familiar with the process of stealing credentials for access or to create subsequent hidden and elevated credentials for use during an attack. A least privilege, zero trust approach to IT security must become the new normal.
9: Banking and payment system attacks will increase.
As the world moves to digital payment by default, compromise of a payment system, ATM, contactless platform or digital financial services intermediary may deliver a major shock to the confidence of the financial sector as a whole. We now have attacks on banking and payment systems that have successfully breached existing defences leveraging both known and unknown techniques. This may encourage attackers to invest further to ensure they remain one step ahead of not just those defending but equally other assailants seeking to attack first then disappear. Enhanced visibility is a must with assistance delivered by big data and machine learning enabled advanced security platforms to proactively stargaze “what could happen next” before it occurs.
10: Dedicated attacks on “HomeHub” smart technology
We are entering an era of smart home devices and intelligent digital assistants. This style of attack may exhibit nothing previously seen and include highly non standard attack modes including homes held to “thermal ransom” with heating systems shut down or the potential for unexpected orders / purchases from voice activated digital assistants that may not be detected until a later date. It is a valid assumption that “smart home” technology with wireless enabled devices, creating and accessing data continually will permeate even the most basic home / work environment. Protection of smart home / IOT platforms will evolve as adoption increases, but the initial lag may create a window of opportunity for attackers.
The “Security 10 for 2017”mentioned could be 20, 30 or 100 depending on the enterprise, vertical market and enterprise current state. A few of the perspectives mentioned may concur with other industry / market watchers and others may even deliver a totally different viewpoint. However all are areas of potential attack or compromise that should be considered to determine the likelihood of a successful attack and therefore form part of a pre-emptive protection or remediation plan for 2017.
2017 will be the year good enough security may not be “good enough”. Now is the time respond to minimize the need to react.
Until next time.
Chief Technologist Computacenter UK: Networking, Security and Collaboration
Important note: the views within are my own and do not constitute the views of Computacenter Group.
I haven’t scribbled a blog for a while. Rather than bombard the web with yet more content and conjecture to add to the mass already present, I need a “discussion catalyst” to compel me to write. And it arrived on the front page of the Times newspaper today proclaiming “500m users hit by the biggest hack in history” (due to recently released findings from a 2014 attack).
I mentioned in previous blogs and commentary that those no longer sensationalist, but instead factual headlines may sadly continue with each one correctly announcing a breach bigger than the last. It’s time to rethink information security because the rules of the game have fundamentally changed. As an IT industry with extremely competent security professionals the time has come for hard conversations, which discuss difficult problems that drive and deliver far reaching change. The legacy approach to design, implement and support information security platforms should not be fully jettisoned overnight but a failure to understand the efficacy of the whole solution to deliver “known, measured and maintained (or enhanced)” levels of security can no longer be accepted as valid or sound behaviour (I apologise if this is overly hard hitting).
There are numerous highly viable reasons why a multi-vendor security infrastructure and security software environment can deliver secure business / IT workload outcomes. But any environment with siloed platforms that do not inform or update each other via vendor proprietary, industry standard data exchange layers or leverage other platforms that correlate and represent actionable information may be as useful as no security layer at all. I am not advocating a single vendor security environment (although it can unlock a number of notable advantages) but I am leaning to a “greatly reduced” vendor environment as the complex web of devices pervasive across many enterprise IT estates, delivers a false sense of security can be the perfect landing zone for an attacker.
Add to that, the importance and non-negotiable educational requirement to formally enhance the knowledge of IT system and application users of the “responsibility and accountability” they personally hold to protect the digital assets they interact with daily. Almost without exception the major hacks and attacks originate from an inadvertently compromised user (tricked or bribed) with the end result a valid way in for an attacker to undertake the reconnaissance necessary to undertake the main attack. It’s time for all IT users to change their level of understanding and intimacy with IT security outcomes with the result a major step towards helping the wider enterprise security programme to operate effectively.
The Times newspaper headline displayed the passport picture and details of Michelle Obama – as we continue to discuss the growing importance of digital identity with a passport one indelible example of an identity deemed more important than most, a system attack that successfully obtained the personal details of one of the most highly protected individuals in the world highlights that no one is safe and everyone is a potential target.
IT security 2020 is required today and required now. It starts with an understanding of current IT and digital assets, gap analysis of posture aligned with compliance, platforms and systems that interact together, user education and greatly increased end to end visibility of the whole estate. I could go on as the steps required are many fold, but they are not steps we don’t already know or shouldn’t be undertaking today. No change is unacceptable, more of the same is unacceptable. Sadly we can be sure that the next big breach will be bigger than the last but ideally no one wants to the star of the headline.
Time for security change – change is now
Until next time