Things just became really interesting.
The recent news is awash with worrying claims from a credible source of “hidden” spying chips embedded within the motherboard of a leading server manufacturer. As yet, no manufacturer has released a statement confirming their existence but the information illuminating the potential is compelling. Surely it forces us all to consider our own personal and professional “digital state” in this heavily connected world. Do we technically appraise every computer based device we use at design and component level to determine the source, use and security impact of all of the minute elements that make the device work? Of course we don’t. Not only would the majority of us struggle to find out how to even open the device (have you tried to open a modern mobile phone with the myriad of specialist tools and hidden pressure points to make things pop open?), we have no way of actually understanding the function and outcome delivered by the components (when they work in harmony).
Can we be sure the most innocuous of household devices has no secret and potentially malicious embedded elements that, whilst not explicitly installed to be utilized in a nefarious way, in the right hands can’t be leveraged to invoke a surveillance, recording or tracking function? It is this total ambivalence to the likelihood of it, until possibly today, that means the potential may be more likely than we ever dreamed.
The days of hardcoded firmware delivering static intelligence to all but the most expensive and programmable devices are from a bygone era. Even the simplest digital device consists of user or system driven remotely programmable aspects that in some cases are core to the function of the device. Whether it’s used for software updates, device troubleshooting or in the case of some advanced modern vehicles to deliver totally new functionality, device or system programmability is a fundamental aspect of modern IT that enhances the consumer or user experience by making it “personal”.
Could we be shifting to a position of worry so great that we “sweep for bugs” when entering a room or prior to switching a device on in true James Bond mode – highly unlikely. But I suggest the recent announcements will ensure many IT leaders and operational teams increase the priority of network based security visibility platforms, AI or machine learning systems that examine and re-examine the most granular elements of telemetry and security aware behavioral analytics platforms that understand things we can’t comprehend.
Ask yourself when considering the IT platforms that underpin your business (or social existence), what can you really see, are you sure you know how they work and do you really understand the security heart that beats within?
Who would have thought, we are not even close to the iconic year 2020 and already we may be worrying about the moral intent in the digital soul of our machines. The future ahead is likely to be way more interesting than we have ever previously dreamed.
Until next time.
LOB CTO UK – Computacenter Networking and Security
It has become an intellectual tug of war to determine which is more important in the “connected” or “digital age” – networks or applications. Silly argument I hear you say, it’s obviously the …… not easy to answer. In the pre-connected world (if it really did exist), personal computing was as personal as possible, with no connectivity to / with anyone else. Local application, local storage, local processing and a local user made the need for a network superfluous. Fast forward to the present day with distributed processing, “the Internet”, streaming, “always on”, cloud based interaction and a socio digital culture with collaboration and engagement at its core. Without a network, the media rich, highly collaborative now fundamental “always present and connected” mode we embody at work or play is at best compromised and at worst eliminated.
We cannot envisage a world where the network doesn’t work, whether mobile carrier based entities or the home Wi-Fi, if you can’t connect you won’t connect. I spend most days in positive disruption mode challenging colleagues and customers to rethink the traditional approach to enterprise networking with the onus on automation to unlock agility and consolidation to drive simplification. The enterprise networks that underpin today’s digital reality are a wonderful amalgam of technology, people, process plus twenty years’ experience of “getting things to work”. But more is required by the network than a functional existence, as the carrier of our “Digital DNA” an optimised, flexible, agile network holds the key to many of our future successes. It’s time to be “bold” – to embark on the network evolution required, enterprises must dare to dream and envision the secure transport layer required to enhance current user interaction and energise future business outcomes. And when the dream presents the storyboard of how things should or must be, “make it so”.
Technical feature wars labouring the technology based rationale for network modification will be fruitless with a dead heat between vendors the likely end result. Only a user experience driven or business change inspired network transformation agenda will contain the intellectual and emotional energy required to overcome the cultural tides ahead. Wait and see changes nothing, the time for change is now. With the right network, with tomorrow’s network today, a potentially business limiting factor becomes business enabling. And not forgetting, if you get stuck – drop me a line.
“If you can’t connect you won’t connect”
Until next time.
Chief Technologist Computacenter UK – Networking and Security.
Once a year, either at the end of an old or the start of a new year, I deliver a view on the forthcoming year. Common to many industry analysts who “call” the market, it’s a view based on customer sentiment (I speak to many many customers), extensive research, market knowledge and many years of experience (an elegant way of writing “gut feel”). This year I will release the “Security 10 for 2017” earlier than normal to reduce the comparison to other market perspectives that will appear en masse in January. Important note: the views within are my own and do not constitute the views of Computacenter Group.
This overview will be slightly longer than my normal 400 – 500 words, however I hope you understand the content deserves the extra literary real estate. Happy reading.
1: IOT attacks will increase
Focus on IOT non-human devices with weak security may increase as they become the ideal candidates to be used as botnets or drones. The weaker security layers within IOT devices with less evolved security components may result in the industry acting in catch up mode as each compromise signposts the remediation required and the next likely targets. There is no easy fix in sight with between 24 and 50 million IOT connected devices expected by 2020 but security basics including changing default passwords and remaining in tune with vendor software and patch updates are mandatory first steps. Key tip when considering IOT to deliver a business outcome, start with security in mind and end with security by default.
2: DDOS mega attacks will continue and worsen
DDOS attacks haven’t gone away, in fact Akamai cite a 125% increase in year on year attacks. With an increased volume of bots enabled via compromised IOT platforms and the real world turmoil generated by the massive DYN DDOS attack in October, attackers may consider the potential for disruption second to none. DDOS protection solutions have been deploy and forget for far too long with insufficient proactive scrutiny of logs and early warning alerts that may indicate a future larger attack is pending. Now is the time to fully understand the protection delivered by the service provider as a minimum to determine the likelihood of a successful attack.
3: Rise of insider (user) driven attacks.
Sadly humans can be a weak link with non-malicious user errors and insiders encouraged, bribed or bullied into undertaking actions that compromise systems. As client and datacentre security solutions increase in capability, and therefore deliver enhanced protection, the user remains the least protected vector. User awareness and education (with emphasis on accountability and liability) is continually highlighted as essential – now is the time to act and assign the highest priority level possible to security education for end users.
4: Last minute rush for GDPR compliance
Common to other historical compliance requirements, GDPR may suffer from a yearlong “wait and see” with the result being slow progress, then a crisis driven rush to design and deploy solutions. GDPR shines a light on privacy with emphasis that data containing personally identifiable information must be secure by default. The journey to compliance starts with awareness of the key GDPR directives, quickly followed by the need to understand the type of data in existence, where it resides across the enterprise and whether it is within the scope of GDPR. GDPR assessment and remediation solutions will be a major business impacting activity through 2017.
5: Social engineering attacks may become undetectable
Social engineering attacks may become so personalised and well-crafted they may be hard to detect from a human or systems perspective. Whether it’s sales driven “Black Friday” or the Christmas “social” season updates, the endless stream of social media publicised events may act as a catalyst to drive increased volumes of “better than good enough” phishing messages with amazing offers (that sadly deliver a malware payload or redirect). Social engineering is an area positively affected by enhanced user awareness and education.
6: Ransomware may spiral out of control
2016 has proved a successful year for ransomware with ransoms increasing in size and frequency – 2017 may see attacks increase rather than decrease. Recent vendor commentary indicates as many as 54% of UK businesses have experienced some form of attack (source: Malwarebytes). Ransomware authors, based on the sheer volume of malware released, have access to an unprecedented number of potential human targets. Client security solution enhancement, with the arrival of specialist anti exploit solutions, may slow the ransomware march but not without the assistance of greatly increased end user security education. The fear of modern ransomware will drive a review of existing endpoint security technologies to reduce or eliminate the number of “first casualties” as surely one casualty is one too many.
7: Cloud computing specific attacks will increase.
With organisations moving to the cloud, dedicated attacks (compromised permissions, etc) on cloud delivered applications and workloads may become the norm based on the potential to gain the largest prize. Cloud platforms are extremely well protected but the long list of potential attack vectors including credential theft, DDOS, data theft, compromise via zero day exploits and many other general security attacks (but targeted at cloud computing) may steadily increase as enterprises accelerate their use of cloud computing solution delivery modes.
8: Credential theft will continue to rise.
A robust digital identity is fast becoming a key deliverable within modern enterprises to facilitate secure single sign on across multiple platforms. This makes a stolen credential more lucrative than ever. Digital identity and credential theft may rise to the top of the security risk agenda for many organisations with digital credentials the golden key to both known and unknown “digital enterprise locks”. Attackers are familiar with the process of stealing credentials for access or to create subsequent hidden and elevated credentials for use during an attack. A least privilege, zero trust approach to IT security must become the new normal.
9: Banking and payment system attacks will increase.
As the world moves to digital payment by default, compromise of a payment system, ATM, contactless platform or digital financial services intermediary may deliver a major shock to the confidence of the financial sector as a whole. We now have attacks on banking and payment systems that have successfully breached existing defences leveraging both known and unknown techniques. This may encourage attackers to invest further to ensure they remain one step ahead of not just those defending but equally other assailants seeking to attack first then disappear. Enhanced visibility is a must with assistance delivered by big data and machine learning enabled advanced security platforms to proactively stargaze “what could happen next” before it occurs.
10: Dedicated attacks on “HomeHub” smart technology
We are entering an era of smart home devices and intelligent digital assistants. This style of attack may exhibit nothing previously seen and include highly non standard attack modes including homes held to “thermal ransom” with heating systems shut down or the potential for unexpected orders / purchases from voice activated digital assistants that may not be detected until a later date. It is a valid assumption that “smart home” technology with wireless enabled devices, creating and accessing data continually will permeate even the most basic home / work environment. Protection of smart home / IOT platforms will evolve as adoption increases, but the initial lag may create a window of opportunity for attackers.
The “Security 10 for 2017” mentioned could be 20, 30 or 100 depending on the enterprise, vertical market and enterprise current state. A few of the perspectives mentioned may concur with other industry / market watchers and others may even deliver a totally different viewpoint. However all are areas of potential attack or compromise that should be considered to determine the likelihood of a successful attack and therefore form part of a pre-emptive protection or remediation plan for 2017.
2017 will be the year good enough security may not be “good enough”. Now is the time to respond to minimize the need to react.
Until next time.
Chief Technologist Computacenter UK: Networking, Security and Collaboration
I haven’t scribbled a blog for a while. Rather than bombard the web with yet more content and conjecture to add to the mass already present, I need a “discussion catalyst” to compel me to write. And it arrived on the front page of the Times newspaper today proclaiming “500m users hit by the biggest hack in history” (due to recently released findings from a 2014 attack).
I mentioned in previous blogs and commentary that those no longer sensationalist, but instead factual headlines may sadly continue with each one correctly announcing a breach bigger than the last. It’s time to rethink information security because the rules of the game have fundamentally changed. As an IT industry with extremely competent security professionals the time has come for hard conversations, which discuss difficult problems that drive and deliver far reaching change. The legacy approach to design, implement and support information security platforms should not be fully jettisoned overnight but a failure to understand the efficacy of the whole solution to deliver “known, measured and maintained (or enhanced)” levels of security can no longer be accepted as valid or sound behaviour (I apologise if this is overly hard hitting).
There are numerous highly viable reasons why a multi-vendor security infrastructure and security software environment can deliver secure business / IT workload outcomes. But any environment with siloed platforms that do not inform or update each other via vendor proprietary, industry standard data exchange layers or leverage other platforms that correlate and represent actionable information may be as useful as no security layer at all. I am not advocating a single vendor security environment (although it can unlock a number of notable advantages) but I am leaning to a “greatly reduced” vendor environment as the complex web of devices pervasive across many enterprise IT estates delivers a false sense of security and can be the perfect landing zone for an attacker.
Add to that, the importance and non-negotiable educational requirement to formally enhance the knowledge of IT system and application users of the “responsibility and accountability” they personally hold to protect the digital assets they interact with daily. Almost without exception the major hacks and attacks originate from an inadvertently compromised user (tricked or bribed) with the end result a valid way in for an attacker to undertake the reconnaissance necessary to undertake the main attack. It’s time for all IT users to change their level of understanding and intimacy with IT security outcomes with the result a major step towards helping the wider enterprise security programme to operate effectively.
The Times newspaper headline displayed the passport picture and details of Michelle Obama – as we continue to discuss the growing importance of digital identity with a passport one indelible example of an identity deemed more important than most, a system attack that successfully obtained the personal details of one of the most highly protected individuals in the world highlights that no one is safe and everyone is a potential target.
IT security 2020 is required today and required now. It starts with an understanding of current IT and digital assets, gap analysis of posture aligned with compliance, platforms and systems that interact together, user education and greatly increased end to end visibility of the whole estate. I could go on as the steps required are manifold, but they are not steps we don’t already know or shouldn’t be undertaking today. No change is unacceptable, more of the same is unacceptable. Sadly we can be sure that the next big breach will be bigger than the last but ideally no one wants to be the star of the headline.
Time for security change – change is now
Until next time
“There will never be “silence” in the information security world.”
As the world at large reluctantly accepts digital data flows are fast becoming as important as air (ok, that’s stretching the concept slightly but it’s not completely outlandish), protection of those data flows becomes as important as protecting any other key to life. But every day new threats appear, new security challenges become apparent and our attempts to keep them at bay continue to look futile.
Today news of a Stuxnet clone has surfaced that seems to expose links to the now infamous malware that affected SCADA industrial control systems – how long it has existed or evidence of compromise is unknown. IBM researchers have discovered increased coverage of the mobile banking malware Marcher, thus increasing the target landscape of unsuspecting mobile users who may succumb to fictitious notification of funds availability. And the ever present curse of zero day, is again top of mind with Trustwave researchers highlighting as many as 1.5 billion unpatched devices may be vulnerable to a recently discovered Microsoft exploit.
I have highlighted just a few of the ongoing public announcements of security threat and compromise, a full chronicle would be never ending as new information appears in real time minute by minute. Emotionally, some may deem defence against attack a battle that cannot be won with strong evidence to support the point but that is potentially an over simplification. Fundamental security principles and good practice, no different from those applied in non-information technology arenas will help thwart attacks, increase awareness and visibility of an attack in process and accelerate remediation after attack (plus signpost future steps to realise better defence).
I started this outline with a view there will never be “silence” in the security world and for me long may that continue. Both users and organisations should adopt a state of ongoing vigilance, zero complacency and never believe the security problem is solved or the battle won. Getting the basics right, improving understanding of known good states, increasing visibility and measurement of the changes of state from known states (or the highlight of unknown or inconsistent states) and taking a pragmatic approach to defence based on prioritisation of the “noise” beyond the silence will help to drive positive security solutions rather than signify problems.
Want to know more, keen to rethink security – visit the Computacenter team at Infosec Europe at Olympia London from Tuesday 7th June to Thursday 9th June, stand #E295. We look forward to hosting you and will have a team of business and technology aware security specialists available to discuss security impacts – your way. I hope to see you there.
Until Infosec at Olympia
Chief Technologist: Networking, Security and Collaboration
The security market is continuing to heat up. For once it’s less aligned with the potential for immense revenues (that potential and reality has been ever present in the security arena), but more to do with an acknowledgement that do nothing results in – “nothing”.
I have enjoyed meeting numerous enterprise customers at such an early stage in the year and the consensus is the same – “not sure which elements to keep or kill, not sure if investment in traditional platforms vs. accelerated deployment of new software centric or cloud security elements is the way forward”. And for once the concerns are common and consistent (fewer trailblazers or total laggards than you may think).
As someone working within a company calibrated by customer desires, I am already revisiting the security vendor strategic stories of 2015 to determine how they intend to navigate customers to a better place through 2016. And I am sensing a change across the board with new messaging, revised strategies and arrow head focus on a handful of key strategic attributes. The first one is visibility. Management and visibility of security (and networking) assets and outcomes has been an age old point of concern for many years in IT. A handful of vendors have successfully placed security infrastructure and solution management at the core of their value based offering and reaped the rewards, but even those vendors haven’t emphasised with real assertion the importance of seeing all robustly enough.
And the second key attribute is one of integration. The days of multiple, siloed platforms with individual consoles, ring fenced data repositories and inconsistent interaction with other platforms may soon be the solution behaviour of a bygone age (I’m an optimist) – every vendor is now emphasising the importance of increased visibility and superior integration as the cornerstone of their solution playbooks. Thankfully integration doesn’t mean, “Single vendor” with the normal mode one that welcomes third party and even competitive interaction via open APIs or data exchange frameworks. And the end result will be one of enterprises able to see more, therefore do more, therefore defend / remediate better than ever before.
But surely (and I feel the vultures circling) capturing or seeing more without additional layers to correlate, aggregate, evaluate and accurately isolate relevant events erodes more time than it delivers value? Agreed, however at first glance, this is an area of high investment from existing vendors and new market entrants often utilising human insight to augment systems based logic to deliver the best of both worlds.
This may be an early call but I feel the future is looking brighter in the security arena (maybe because finally we can actually see it). With vendors now delivering platforms and solutions enterprise customers can embrace immediately to unlock value immediately, now really is the time for change. But not without thorough understanding of business expectations and security impact aligned with desired operational and posture centric benefits.
Until next time
Chief Technologist – Computacenter UK, Networking, Security and Digital Collaboration.
Happy New Year and may 2016 be your most successful and effective yet. It’s the time of year where every analyst, strategist and technologist delivers a number of market or technology based predictions for the year. In reality they are educated guesses because no one really knows what will happen, but the activity is essential (and one you should personally undertake) because it ensures you have an outward focus (external focus) that is as fundamental to your business success (or at least viable) as your internal view. And best of all with market predictions, they are not guarantees of change as they are based on all of the indicators, assumptions, dependencies or guesses remaining consistent. Over the coming months I will share three 2016 perspectives for the Security, Networking and Digital collaboration (UC in old school terms) marketplaces. The views are my own but leverage extensive market and customer research most notably based on real world customer dialogue and challenges through 2015.
The Security challenge in 2016 could be the back breaker the industry is currently dreading. There are numerous forces and events that will ensure 2016 requires so much business change (positive change) that the door will be widened to any party focused on attacks and breaching defences. There are numerous (too many to actually affect or process) security related impacts that any forward thinking enterprise must consider through 2016 – many are documented heavily within industry white papers and vendor solutions updates. However I will concentrate on six, a few common, others not that are currently giving me most food for thought as I work on strategies for 2016.
The relentless rise of the mobile enterprise (Mobility): Mobility delivers one of the most acute security challenges today. The mobile worker, enterprise, user is no longer a fad or a secondary persona – it is the norm for many enterprises and will ultimately become the norm for all. Driven via the smart device (most commonly a phone) bonded permanently to the hand of many a user and an almost infinite pool of “relevant” applications, the need (not desire) for every digital activity to be available, everywhere, all of the time will deliver a security challenge second to none.
The connectivity issue that previously stalled the mobility drive is somewhat alleviated with fast wireless connectivity available in the home and enterprise and pretty fast connectivity (sometimes) outside and on the move. That has moved any business obstacles to launch a mobility drive away from networking and connectivity and pushed it straight into the hands of the security team to ensure where a connection is made it is secure, and where data is accessed it is controlled. Some say it is an impossible task but that is conceding defeat too easily. It is a challenging but not an impossible task and an enterprise serious about affecting security change could start with:
- A top down perspective on the attitude towards risk for the enterprise (what really are “business breaking events”)
- A rigorous understanding of the regulatory framework that governs the enterprise (compliance)
- Comprehensive visibility of data assets within (where are they, what are they, how important are they, do they need to be protected, and to what level)
- Full understanding of how someone can get to them (connectivity and access)
- A real time, dynamic view of the secure persona or posture of the users.
I have simplified the workflow and challenge greatly (and many other perspectives must be considered and the order could change) but tools, processes, services and systems exist today that will really make a dent in the “secure mobile enterprise” challenge. It’s too easy to blend a “mobile enterprise” persona into existing and potentially legacy approaches to mobilising users and delivering business services – resist the temptation and use the time for change to undertake a “back to basics” information security review. Do nothing or do slowly because only a small group are mobile is a flawed theory – now is the time to act.
The next big thing – IOT: The Internet of Things (and or the internet of everything) has captured the imagination of analysts and marketers alike. The connected world of “things” sending and receiving data, commonly over IP protocols but others are emerging, opens the door to a 21st century world previously impossible to imagine. Picture the world of connected cities, healthcare devices talking directly to medical professionals, smart homes exchanging data with utility companies – in fact forget the picture, those services, solutions and “outcomes” are already here today. And there lies the problem, the IOT use cases are currently very fluid, personalised and often driven by imaginative use of existing and sometimes emerging technology. With IOT implementations and ideas so cutting edge, the challenge of securing the outcome becomes even greater.
At the risk of becoming an innovation “kill joy” only one recommendation exists of real validity, design any IOT / IOE solution with security acting as the core design frame to minimise the unthinkable challenge of a security retro fit to a solution beyond go live. This sounds like a simple and obvious recommendation (obvious yes, simple no) but is often bypassed due to the enthusiasm, complexity and excitement surrounding the implementation or benefit of the “things” solution. It is fundamental to success to challenge all vendors, integrators and consultancies on secure IOT principles as soon as the “drawing board” solution development phase begins. I fear the IOT security challenge with so many current and future unknowns will be one of the ticking time bombs of the greatest impact over the coming years.
It’s too early in the year for extra long blogs (you have barely cleared your Christmas inbox) so part two of this blog will be next week. I hope the richness of the outline above adds colour to your strategy and planning activities through Q1 to allow you to identify security topics that really require top priority focus through 2016. Two more topics next week and before January concludes the complete story will be told.
Until next week
Happy New Year
Chief Technologist Computacenter UK, Networking, Security and Digital Collaboration (UC)