Once a year, either at the end of an old year or the start of a new one, I deliver a view on the forthcoming year. Common to many industry analysts who “call” the market, it’s a view based on customer sentiment (I speak to many, many customers), extensive research, market knowledge and many years of experience (an elegant way of writing “gut feel”). This year I will release the “Security 10 for 2017” earlier than normal to reduce the comparison with other market perspectives that will appear en masse in January. Important note: the views within are my own and do not constitute the views of Computacenter Group.
This overview will be slightly longer than my normal 400 – 500 words, however I hope you understand the content deserves the extra literary real estate. Happy reading.
1: IOT attacks will increase
Focus on IOT non-human devices with weak security may increase as they become the ideal candidates to be used as botnets or drones. The weaker security layers within IOT devices, with less evolved security components, may result in the industry acting in catch-up mode as each compromise signposts the remediation required and the next likely targets. There is no easy fix in sight with between 24 and 50 million IOT connected devices expected by 2020, but security basics including changing default passwords and remaining in tune with vendor software and patch updates are mandatory first steps. Key tip: when considering IOT to deliver a business outcome, start with security in mind and end with security by default.
2: DDOS mega attacks will continue and worsen
DDOS attacks haven’t gone away; in fact Akamai cite a 125% increase in year-on-year attacks. With an increased volume of bots enabled via compromised IOT platforms and the real world turmoil generated by the massive DYN DDOS attack in October, attackers may consider the potential for disruption second to none. DDOS protection solutions have been deploy-and-forget for far too long, with insufficient proactive scrutiny of logs and early warning alerts that may indicate a future larger attack is pending. Now is the time to fully understand the protection delivered by the service provider, as a minimum, to determine the likelihood of a successful attack.
3: Rise of insider (user) driven attacks.
Sadly humans can be a weak link, with non-malicious user errors and insiders encouraged, bribed or bullied into undertaking actions that compromise systems. As client and datacentre security solutions increase in capability and therefore deliver enhanced protection, the user remains the least protected vector. User awareness and education (with emphasis on accountability and liability) are continually highlighted as essential – now is the time to act and assign the highest priority level possible to security education for end users.
4: Last minute rush for GDPR compliance
Common to other historical compliance requirements, GDPR may suffer from a yearlong “wait and see”, with the result being slow progress and then a crisis-driven rush to design and deploy solutions. GDPR shines a light on privacy, with the emphasis that data containing personally identifiable information must be secure by default. The journey to compliance starts with awareness of the key GDPR directives, quickly followed by the need to understand the type of data in existence, where it resides across the enterprise and whether it is within the scope of GDPR. GDPR assessment and remediation solutions will be a major business-impacting activity through 2017.
5: Social engineering attacks may become undetectable
Social engineering attacks may become so personalised and well-crafted they may be hard to detect from a human or systems perspective. Whether it’s sales driven “Black Friday” or the Christmas “social” season updates, the endless stream of social media publicised events may act as a catalyst to drive increased volumes of “better than good enough” phishing messages with amazing offers (that sadly deliver a malware payload or redirect). Social engineering is an area positively affected by enhanced user awareness and education.
6: Ransomware may spiral out of control
2016 has proved a successful year for ransomware, with ransoms increasing in size and frequency – 2017 may see attacks increase rather than decrease. Recent vendor commentary indicates as many as 54% of UK businesses have experienced some form of attack (source: Malwarebytes). Ransomware authors, based on the sheer volume of malware released, have access to an unprecedented number of potential human targets. Client security solution enhancement, with the arrival of specialist anti-exploit solutions, may slow the ransomware march, but not without the assistance of greatly increased end user security education. The fear of modern ransomware will drive a review of existing endpoint security technologies to reduce or eliminate the number of “first casualties”, as surely one casualty is one too many.
7: Cloud computing specific attacks will increase.
With organisations moving to the cloud, dedicated attacks (compromised permissions, etc.) on cloud-delivered applications and workloads may become the norm based on the potential to gain the largest prize. Cloud platforms are extremely well protected, but the long list of potential attack vectors including credential theft, DDOS, data theft, compromise via zero-day exploits and many other general security attacks (but targeted at cloud computing) may steadily increase as enterprises accelerate their use of cloud computing solution delivery modes.
8: Credential theft will continue to rise.
A robust digital identity is fast becoming a key deliverable within modern enterprises to facilitate secure single sign on across multiple platforms. This makes a stolen credential more lucrative than ever. Digital identity and credential theft may rise to the top of the security risk agenda for many organisations with digital credentials the golden key to both known and unknown “digital enterprise locks”. Attackers are familiar with the process of stealing credentials for access or to create subsequent hidden and elevated credentials for use during an attack. A least privilege, zero trust approach to IT security must become the new normal.
9: Banking and payment system attacks will increase.
As the world moves to digital payment by default, compromise of a payment system, ATM, contactless platform or digital financial services intermediary may deliver a major shock to the confidence of the financial sector as a whole. We now have attacks on banking and payment systems that have successfully breached existing defences leveraging both known and unknown techniques. This may encourage attackers to invest further to ensure they remain one step ahead of not just those defending but equally other assailants seeking to attack first then disappear. Enhanced visibility is a must with assistance delivered by big data and machine learning enabled advanced security platforms to proactively stargaze “what could happen next” before it occurs.
10: Dedicated attacks on “HomeHub” smart technology
We are entering an era of smart home devices and intelligent digital assistants. This style of attack may exhibit nothing previously seen and include highly non-standard attack modes, including homes held to “thermal ransom” with heating systems shut down, or the potential for unexpected orders / purchases from voice-activated digital assistants that may not be detected until a later date. It is a valid assumption that “smart home” technology, with wireless-enabled devices creating and accessing data continually, will permeate even the most basic home / work environment. Protection of smart home / IOT platforms will evolve as adoption increases, but the initial lag may create a window of opportunity for attackers.
The “Security 10 for 2017” mentioned could be 20, 30 or 100 depending on the enterprise, vertical market and the enterprise’s current state. A few of the perspectives mentioned may concur with other industry / market watchers and others may even deliver a totally different viewpoint. However all are areas of potential attack or compromise that should be considered to determine the likelihood of a successful attack and therefore form part of a pre-emptive protection or remediation plan for 2017.
2017 will be the year good enough security may not be “good enough”. Now is the time to respond to minimise the need to react.
Until next time.
Chief Technologist Computacenter UK: Networking, Security and Collaboration
Important note: the views within are my own and do not constitute the views of Computacenter Group.
I haven’t scribbled a blog for a while. Rather than bombard the web with yet more content and conjecture to add to the mass already present, I need a “discussion catalyst” to compel me to write. And it arrived on the front page of the Times newspaper today proclaiming “500m users hit by the biggest hack in history” (due to recently released findings from a 2014 attack).
I mentioned in previous blogs and commentary that those headlines, no longer sensationalist but instead factual, may sadly continue, with each one correctly announcing a breach bigger than the last. It’s time to rethink information security because the rules of the game have fundamentally changed. As an IT industry with extremely competent security professionals, the time has come for hard conversations which discuss difficult problems that drive and deliver far-reaching change. The legacy approach to design, implement and support information security platforms should not be fully jettisoned overnight, but a failure to understand the efficacy of the whole solution to deliver “known, measured and maintained (or enhanced)” levels of security can no longer be accepted as valid or sound behaviour (I apologise if this is overly hard hitting).
There are numerous highly viable reasons why a multi-vendor security infrastructure and security software environment can deliver secure business / IT workload outcomes. But any environment with siloed platforms that do not inform or update each other via vendor-proprietary or industry-standard data exchange layers, or leverage other platforms that correlate and represent actionable information, may be as useful as no security layer at all. I am not advocating a single-vendor security environment (although it can unlock a number of notable advantages), but I am leaning towards a “greatly reduced” vendor environment, as the complex web of devices pervasive across many enterprise IT estates delivers a false sense of security and can be the perfect landing zone for an attacker.
Add to that the importance and non-negotiable educational requirement to formally enhance the knowledge of IT system and application users of the “responsibility and accountability” they personally hold to protect the digital assets they interact with daily. Almost without exception the major hacks and attacks originate from an inadvertently compromised user (tricked or bribed), with the end result a valid way in for an attacker to undertake the reconnaissance necessary to undertake the main attack. It’s time for all IT users to change their level of understanding and intimacy with IT security outcomes, with the result a major step towards helping the wider enterprise security programme to operate effectively.
The Times newspaper headline displayed the passport picture and details of Michelle Obama – as we continue to discuss the growing importance of digital identity with a passport one indelible example of an identity deemed more important than most, a system attack that successfully obtained the personal details of one of the most highly protected individuals in the world highlights that no one is safe and everyone is a potential target.
IT security 2020 is required today and required now. It starts with an understanding of current IT and digital assets, gap analysis of posture aligned with compliance, platforms and systems that interact together, user education and greatly increased end-to-end visibility of the whole estate. I could go on as the steps required are manifold, but they are not steps we don’t already know or shouldn’t be undertaking today. No change is unacceptable; more of the same is unacceptable. Sadly we can be sure that the next big breach will be bigger than the last, but ideally no one wants to be the star of the headline.
Time for security change – change is now
Until next time
“There will never be “silence” in the information security world.”
As the world at large reluctantly accepts digital data flows are fast becoming as important as air (ok, that’s stretching the concept slightly but it’s not completely outlandish), protection of those data flows becomes as important as protecting any other key to life. But every day new threats appear, new security challenges become apparent and our attempts to keep them at bay continue to look futile.
Today news of a Stuxnet clone has surfaced that seems to expose links to the now infamous malware that affected SCADA industrial control systems – how long it has existed, or evidence of compromise, is unknown. IBM researchers have discovered increased coverage of the mobile banking malware Marcher, thus increasing the target landscape of unsuspecting mobile users who may succumb to fictitious notification of funds availability. And the ever-present curse of zero-day is again top of mind, with Trustwave researchers highlighting that as many as 1.5 billion unpatched devices may be vulnerable to a recently discovered Microsoft exploit.
I have highlighted just a few of the ongoing public announcements of security threat and compromise; a full chronicle would be never ending as new information appears in real time, minute by minute. Emotionally, some may deem defence against attack a battle that cannot be won, with strong evidence to support the point, but that is potentially an oversimplification. Fundamental security principles and good practice, no different from those applied in non-information technology arenas, will help thwart attacks, increase awareness and visibility of an attack in process and accelerate remediation after attack (plus signpost future steps to realise better defence).
I started this outline with a view that there will never be “silence” in the security world and for me long may that continue. Both users and organisations should adopt a state of ongoing vigilance and zero complacency, and never believe the security problem is solved or the battle won. Getting the basics right, improving understanding of known good states, increasing visibility and measurement of changes from known states (or the highlighting of unknown or inconsistent states) and a pragmatic approach to defence based on prioritisation of the “noise” beyond the silence will help to drive positive security solutions rather than signify problems.
Want to know more, keen to rethink security – visit the Computacenter team at Infosec Europe at Olympia London from Tuesday 7th June to Thursday 9th June, stand #E295. We look forward to hosting you and will have a team of business and technology aware security specialists available to discuss security impacts – your way. I hope to see you there.
Until Infosec at Olympia
Chief Technologist: Networking, Security and Collaboration
The security market is continuing to heat up. For once it’s less aligned with the potential for immense revenues (that potential and reality has been ever present in the security arena), but more to do with an acknowledgement that doing nothing results in – “nothing”.
I have enjoyed meeting numerous enterprise customers at such an early stage in the year and the consensus is the same – “not sure which elements to keep or kill, not sure if investment in traditional platforms vs. accelerated deployment of new software-centric or cloud security elements is the way forward”. And for once the concerns are common and consistent (fewer trailblazers or total laggards than you may think).
As someone working within a company calibrated by customer desires, I am already revisiting the security vendor strategic stories of 2015 to determine how they intend to navigate customers to a better place through 2016. And I am sensing a change across the board with new messaging, revised strategies and arrowhead focus on a handful of key strategic attributes. The first one is visibility. Management and visibility of security (and networking) assets and outcomes has been an age-old point of concern for many years in IT. A handful of vendors have successfully placed security infrastructure and solution management at the core of their value-based offering and reaped the rewards, but even those vendors haven’t emphasised with real assertion the importance of seeing everything robustly enough.
And the second key attribute is one of integration. The days of multiple, siloed platforms with individual consoles, ring-fenced data repositories and inconsistent interaction with other platforms may soon be the solution behaviour of a bygone age (I’m an optimist) – every vendor is now emphasising the importance of increased visibility and superior integration as the cornerstone of their solution playbooks. Thankfully integration doesn’t mean “single vendor”; the normal mode is one that welcomes third-party and even competitive interaction via open APIs or data exchange frameworks. And the end result will be one of enterprises able to see more, therefore do more, therefore defend / remediate better than ever before.
But surely (and I feel the vultures circling) capturing or seeing more without additional layers to correlate, aggregate, evaluate and accurately isolate relevant events erodes more time than it delivers value? Agreed; however, at first glance this is an area of high investment from existing vendors and new market entrants, often utilising human insight to augment systems-based logic to deliver the best of both worlds.
This may be an early call but I feel the future is looking brighter in the security arena (maybe because finally we can actually see it). With vendors now delivering platforms and solutions enterprise customers can embrace immediately to unlock value immediately, now really is the time for change. But not without thorough understanding of business expectations and security impact aligned with desired operational and posture centric benefits.
Until next time
Chief Technologist – Computacenter UK, Networking, Security and Digital Collaboration.
Happy New Year and may 2016 be your most successful and effective yet. It’s the time of year where every analyst, strategist and technologist delivers a number of market or technology based predictions for the year. In reality they are educated guesses because no one really knows what will happen, but the activity is essential (and one you should personally undertake) because it ensures you have an outward focus (external focus) that is as fundamental to your business success (or at least viable) as your internal view. And best of all with market predictions, they are not guarantees of change as they are based on all of the indicators, assumptions, dependencies or guesses remaining consistent. Over the coming months I will share three 2016 perspectives for the Security, Networking and Digital collaboration (UC in old school terms) marketplaces. The views are my own but leverage extensive market and customer research most notably based on real world customer dialogue and challenges through 2015.
The Security challenge in 2016 could be the back breaker the industry is currently dreading. There are numerous forces and events that will ensure 2016 requires so much business change (positive change) that the door will be widened to any party focused on attacks and breaching defences. There are numerous (too many to actually affect or process) security related impacts that any forward thinking enterprise must consider through 2016 – many are documented heavily within industry white papers and vendor solutions updates. However I will concentrate on six, a few common, others not that are currently giving me most food for thought as I work on strategies for 2016.
The relentless rise of the mobile enterprise (Mobility): Mobility delivers one of the most acute security challenges today. The mobile worker, enterprise, user is no longer a fad or a secondary persona – it is the norm for many enterprises and will ultimately become the norm for all. Driven via the smart device (most commonly a phone) bonded permanently to the hand of many a user and an almost infinite pool of “relevant” applications, the need (not desire) for every digital activity to be available, everywhere, all of the time will deliver a security challenge second to none.
The connectivity issue that previously stalled the mobility drive is somewhat alleviated with fast wireless connectivity available in the home and enterprise and pretty fast connectivity (sometimes) outside and on the move. That has moved any business obstacles to launching a mobility drive away from networking and connectivity and pushed them straight into the hands of the security team, to ensure that where a connection is made it is secure, and where data is accessed it is controlled. Some say it is an impossible task but that is conceding defeat too easily. It is a challenging but not an impossible task, and an enterprise serious about effecting security change could start with:
- A top down perspective on the attitude towards risk for the enterprise (what really are “business breaking events”)
- A rigorous understanding of the regulatory framework that governs the enterprise (compliance)
- Comprehensive visibility of data assets within (where are they, what are they, how important are they, do they need to be protected, and to what level)
- Full understanding of how can someone get to them (connectivity and access)
- A real time, dynamic view of the secure persona or posture of the users.
I have simplified the workflow and challenge greatly (and many other perspectives must be considered and the order could change), but tools, processes, services and systems exist today that will really make a dent in the “secure mobile enterprise” challenge. It’s too easy to blend a “mobile enterprise” persona into existing and potentially legacy approaches to mobilising users and delivering business services – resist the temptation and use the time for change to undertake a “back to basics” information security review. Doing nothing, or doing it slowly because only a small group are mobile, is a flawed theory – now is the time to act.
The next big thing – IOT: The Internet of Things (and / or the Internet of Everything) has captured the imagination of analysts and marketers alike. The connected world of “things” sending and receiving data, commonly over IP protocols (though others are emerging), opens the door to a 21st century world previously impossible to imagine. Picture the world of connected cities, healthcare devices talking directly to medical professionals, smart homes exchanging data with utility companies – in fact forget the picture: those services, solutions and “outcomes” are already here today. And there lies the problem: the IOT use cases are currently very fluid, personalised and often driven by imaginative use of existing and sometimes emerging technology. With IOT implementations and ideas so cutting edge, the challenge of securing the outcome becomes even greater.
At the risk of becoming an innovation “killjoy”, only one recommendation exists of real validity: design any IOT / IOE solution with security acting as the core design frame to minimise the unthinkable challenge of a security retrofit to a solution beyond go-live. This sounds like a simple and obvious recommendation (obvious yes, simple no) but is often bypassed due to the enthusiasm, complexity and excitement surrounding the implementation or benefit of the “things” solution. It is fundamental to success to challenge all vendors, integrators and consultancies on secure IOT principles as soon as the “drawing board” solution development phase begins. I fear the IOT security challenge, with so many current and future unknowns, will be one of the ticking time bombs of the greatest impact over the coming years.
It’s too early in the year for extra long blogs (you have barely cleared your Christmas inbox) so part two of this blog will be next week. I hope the richness of the outline above adds colour to your strategy and planning activities through Q1 to allow you to identify security topics that really require top priority focus through 2016. Two more topics next week and before January concludes the complete story will be told.
Until next week
Happy New Year
Chief Technologist Computacenter UK, Networking, Security and Digital Collaboration (UC)
“Cybercrime may now be bigger than the drug trade”, quoted the City of London police commissioner Adrian Leppard.
Security breach announcements that were once a rarity in the non-IT world are now BBC front page news on a regular basis. Whether it’s the attack and successful removal of data from a previously unknown (but now well known) dating site or the more recent attack and potentially successful data breach of a major consumer telecoms services provider, cyber attacks are the norm. Is it time to accept them as a necessary by-product of the relentless creation and consumption of digital data? Sadly, yes. But to accept they exist does not mean an acceptance that an attack should be effective when there are so many steps that can be taken to reduce the potential for success. Defending and securing IT systems is not an easy task as the approach includes people, process and systems. To keep all three security aware and congruent at all times is a challenge, with that one “out of sync” moment the attack window for a hacker. Doing nothing or “doing something but slowly” is a sure-fire way to be the next big story on the front page of the BBC news broadcast. It’s time for new thinking, new skills and better visibility EVERYWHERE or the enterprise will NEVER be secure.
Many years ago a large IT company ran a brilliant ad campaign about the need to think differently. In the case of IT systems and Cyber security, thinking differently should include a rigorous appraisal of existing defences, a perspective on the most valuable digital assets within the organisation (and the additional protection they require) and most importantly the need for people to change the way they interact with digital systems (vigilance). To defend against an attack, it’s time to “think like an attacker” and not based on a viewpoint that attacks follow standardised behaviour, are seeking random targets and lack rigour and planning. Today’s attackers or attack teams are extremely well trained, often well funded and have razor sharp focus on the target and expected outcome. Old school thinking based on technology will fall short in this new digital age. It’s time for new school thinking based on the psychology of an attacker as that will surely deliver greater value (protection).
We are in the midst of an enterprise business landscape with an aging work population, aligned with traditional IT skills, needing to evolve to a revised “digital rich” skills portfolio. This new skillset is likely to be software influenced and will definitely drive the need to think differently, learn now and learn very differently. And to further compound matters, the emerging workforce of Generation Y and Z thinkers may not be viewing Information Technology as the “must join” profession of circa 25 years ago. Modern enterprises face the quandary of an old workforce with dated security skills coupled with a new workforce with skills too new to make an impact – who then will solve the security challenges we currently face? Sadly the skills problem will not be resolved overnight without a major investment in academic level cyber awareness, new age security skills training en masse for existing networking and security personnel, plus enhanced employee security education as a mandatory activity within all enterprises. It’s time for enterprise organisations to encourage everyone who embraces the benefits of IT to also be part of the solution to the cyber security challenge.
There is an age-old management quote highlighting the difficulty of managing things that can’t be seen – so why believe it to be different with data and information technology outcomes? Digital data is now the DNA of modern enterprises, with the potential to ignite ongoing success or collapse an organisation into failure. Full visibility of data from edge to core, with the potential to pre-empt attacks or rapidly remediate breaches, is now an essential element of the enterprise IT systems operational playbook. Breaches will occur in a digital data rich enterprise due to the challenge of continually appraising human, IT and non-IT systems behaviour in context and in sync. However, enhanced visibility leveraging optimised data analytics can highlight anomalies or areas for further investigation earlier, with the hope it’s early enough for the correct intervention prior to a breach. And if and when a breach unfortunately occurs, “flight recorder” type data playback of the pre- and post-breach state will accelerate the time to triage and remediate, plus reduce the potential for a mirrored attack. Many highlight “encryption everywhere” as one of the most impactful strategies for data protection, and the emerging and very interesting “software defined perimeter (SDP)” approach (zero trust access control and data movement), as instant fixes. There is no doubt that both will be highly effective protection elements, but only as part of a wholesale rethink of security defence, protection and breach remediation.
Enterprises MUST now change their approach and security solution expectations. The increased use of mobile solutions, cloud computing and virtualisation are not creating a problem for security professionals but instead delivering the potential to “reset” security protection and defence within the enterprise. The days of “adding more layers”, often bigger or higher than previously delivered, are no more – instead it’s time to design a solution for an enterprise in a state of continual attack, not in “comfortable defence”. Effective digital systems security WILL be a primary business enabler in the digital age, as enterprises that fail to defend well, remediate quickly and understand attacks may not survive for long enough to fully recover.
Until next time.
Chief Technologist – Networking, Security, UC – Computacenter UK
Not visiting Infosec this year is “not an option” – Knowledge really is power (Computacenter stand L69)
Computacenter will be exhibiting at Infosec Europe, the industry leading “must attend” security event, this week (2nd – 4th June) at Olympia, London.
Normally as Computacenter we send a delegation of sales, strategy and technology professionals to listen, observe, exchange viewpoints and take away as much security insight as is possible across “three days”. The customer benefits of Infosec are numerous but the potential to access “everything security in one location” is the one that makes it so compelling for all. This year the Computacenter approach is very different – for the first time Computacenter will be presenting from its own stand at Infosec Europe (stand L69). Why this year over previous years – with the security challenges faced by the social and professional world now regular “dining table” conversations, this year is the year all enterprises must make “right sight security, right way, right now” priority one.
Whether it’s identity theft, corporate hacking, data loss, protecting users, cyber threat or the myriad of other breaches and issues, security is the board level topic that now cannot slip down the board level agenda. This for Computacenter places security at the top of the list of customer engagement areas, which in turn means our investments in capability and solutions will positively affect the security challenges faced by our customers. As Europe’s leading systems integrator for enabling the users of enterprise customers, Computacenter is keen to help organisations tackle the security challenge head on. It’s no longer a case of waiting to remediate en masse when a breach occurs, or over-equipping the enterprise with an excess of security defences in the hope that it will make a breach near impossible.
Attacks are ongoing, breaches happen and even the best defence is only as effective as its last successful defence. The picture painted is now one of the need to maintain a state of continual but relevant awareness, aligned with a more rigorous understanding of critical vs. non-critical information assets. With an increasingly mobile, always-on workforce, a new state of security awareness and visibility is required that is very different in stance from those of past eras. The Computacenter stand at Infosec (location L69) will allow attendees to discuss datacenter grade core security and the impact on the enterprise edge of the new “work anywhere on any device” employee.
“We believe security is not a short term topic of interest but will continue to be one of the most fundamental enablers of business success or demise within modern organisations.” For that reason and many others I look forward to welcoming you to the Computacenter stand at Infosec Europe (Stand L69) from 2nd June to 4th June.
Until next time (at Infosec Europe this week)