Recently in Future Trends Category

Learning points from Advanced Persistent Threats


I've been very busy this year as you might gather from my rather thin postings. It's a positive sign in fact as it reflects the mushrooming demands of a growing industry which has a long way further to grow.      

One thing that is currently occupying my attention is the subject of APTs, which I'm currently researching for a new publication. It's an interesting and fast moving topic. Ten years ago nobody was interested in this level of threat. I was even accused of being a 'doomsayer' by ZDNet for warning about such risks. But what strikes me about APTs today is that nearly all of the published information about them is either factual analysis about how they work, or promotional claims about new technologies to make them go away.

What's lacking are the learning points from actual attacks. It's understandable given that most companies prefer to keep quiet about attacks. Yet this is the information we need. If we'd been warned earlier about the full facts of these attacks we might have done things differently.  

We need to know things such as: What should we do differently? How can we discover an attack? What measures should be implemented to minimise future risks?  This information is still hard to come by. Implementing ISO standards does not solve the problem. Committees, responsibilities and policies certainly don't deliver enough.

Going beyond today's best practices should be the focus of security researchers today. Too many are still trying to invent new ways of selling outdated controls to unsympathetic executive boards. I have occasional debates with Fred Piper on the subject of whether today's practices are better than nothing. I claim they're not, because they're an expensive distraction. He says they still serve some use. But we both agree they're not good enough.

So I invite anybody who has a great new idea on how to reduce the risk of APTs to contribute it to my current research. You'll get full credit. We need your innovation. At the same time, I must encourage anyone who has experienced an APT attack to share their views on what they would do differently in the future. We need your experience.   

Predictions for 2013


What will 2013 hold for information security professionals? Certainly a lot more serious incidents as we've been incubating a raft of potential crises for the past two decades. But what specifically can we expect? Will it be more of same? Or could we see the dawn of a new era? The answer is likely to be a little of both. Here are my top five forecasts for 2013.

Attacks get nastier

Data breaches are bad enough, but at least they don't usually halt business operations. Long term data damage, where the integrity of data is corrupted rather than its confidentiality lost, is much worse. I've been forecasting this as a future risk for the last decade. It will begin to hit home during 2013, with rapid growth in cyber extortion and vandalism, perhaps coupled with the emergence of real cyber terrorism. Expect much nastier attacks and watch out for the beginnings of organised protection rackets.

Big challenges from Big Data

Big Data is the latest technology in a long term trend of increasingly powerful user access, enabling new dimensions in data mining, fusion and navigation, as well as new opportunities for big data breaches. Only compliance and expensive licence fees stand in the way of a user free-for-all in data access. But it spells the end of the 'least privilege' principle.     

Final death of corporate perimeters

Many enterprises, including big banks, still cling to the fig-leaf protection provided by private infrastructure. It's an illusion of course because Internet and email access provides a massive back door for attackers. BYOD is the final nail in the coffin for traditional corporate perimeter protection. The users have left the building, the applications are following and the enemy is already inside.  

Security speeds up

Growth in the frequency and impact of attacks will at least persuade security managers to forget the achingly slow Deming cycle and respond to vulnerability alerts and incidents in real time. Patching will get faster, vulnerability scanning will become more frequent, and security staff will become more empowered.    

SMEs discover security

In recent years I've researched and written extensively about the lack of interest and awareness in security in the small and medium enterprise sectors. The reality is that SMEs aren't concerned and nobody has bothered to educate them. They remain the soft underbelly of big business and critical national infrastructure. 2013 will see the start of a slow change in this sector, starting with small retailers, as compliance requirements gradually cascade down supply chains. It won't happen overnight but it will open up new markets for security vendors.  


Forecasts for 2012


It's the time of year when pundits express opinions on the year ahead. And naturally I have my own views. Before that, let's take a quick look at my forecasts for 2012. How well did I do? 

Last December I made six predictions for 2012.

1. Space weather creates concern.
This risk didn't create the level of concern I anticipated. Levels of solar activity have been relatively low lately. Looks like another Y2K. I fell for both. The lesson from this is that professionals with well-researched data are just as likely as anyone else to overstate the risk.

2. Social networks get secure.
It's happening, though very slowly. An increasing number of people are encrypting social media messages. Technology such as scrambls makes it easy. The rest is up to users. Some care, many don't. That will change, though it might take a few years.

3. Big Data is the new black.
If the RSA Conference is anything to go by, then it's true. The technology is here and it's available in leading products such as QualysGuard. The know-how on how to exploit it however is thin on the ground. And we've yet to scratch the surface of what can be done. 

4. The electronic Pearl Harbour strikes home.
I've been forecasting it for a decade and a half but it hasn't happened, at least not in the form I expected. But awareness is considerably higher. Ten years ago people thought it was a wild exaggeration. Now they buy it; we've gone from denial to acceptance. But the disasters are still waiting to happen.  

5. Public clouds fail to hit the spot.
Cloud services still have a long way to go, partly because of security and business continuity concerns. There is now a much wider understanding of the risks and how to address them. Paradoxically, Cloud security services are a compelling purchase and a big success.

6. A new Global game - soft targets hit back.
If newspaper coverage is anything to go by then we are certainly into a new Great Game with angry reactions by those targeted or caught in the crossfire. This game is different as it's impossible to keep things secret in a networked society.   

Not a bad set of forecasts, and at least they were reasonably interesting. Perhaps I'll have better luck next time. 


Boutique consultancies are back in fashion


It's been a few weeks since my last blog posting. That's the bad news. The good news is that it's the result of being rushed off my feet with consultancy assignments. Interestingly it's not my usual line of business. I generally set out to try and make a living from research and write white papers.

But I detect that the security consultancy market is going through a much needed change at the moment, with many clients getting fed up with buying the usual, off-the-shelf, template products offered by Big 4 and other large outfits. They are looking for more practical help from experts who are prepared to listen to their concerns and develop a tailored solution.

I'm particularly finding this in the Middle East where many of my customers started by buying identical paper bricks from big consultancies. These tomes now sit unread on the shelf gathering dust. Implementing them is the problem. Paperwork is useless unless everyone understands it. It might get you part of the way towards a certificate, or help to impress an inexperienced auditor. But it's near impossible to put a hundred page manual into action if no one has read it.   

This issue is largely inevitable. Consultants tend to measure their worth by the amount of paper they generate. Twenty years ago that might have been a challenge, but with today's instant availability of thousands of policies, standards and control methodologies on the Internet, now anybody and everybody can be a security consultant. You just need to be able to cut and paste text and questionnaires.

I prefer to take a different approach. Rather than copying a business continuity manual from a previous client, I prefer to start with a two page plan and then show the client how to progressively build it into a more comprehensive working document. My clients from last year now have plans of around 50 pages. The difference is that they developed it all themselves. Now that's real security. Once upon a time I thought that was becoming an impossible dream. Perhaps there's hope for us all yet. So let's celebrate the fact that boutique consultancies are coming back into fashion. 


Six security forecasts for 2012


My crystal ball tells me that 2012 is a relatively predictable year. That's largely because we've experienced significant changes in the political, business and security landscapes, ones that are sufficient to inspire some form of predictable short term action. Amongst other things it means some interesting action items will percolate up the management agenda. Here are my top six predictions for 2012.

Space weather creates concern

Even if you're cynical about the forecasts of widespread electrical disruption, it's certainly worth dusting down the contingency plans and filling up the generators. At the very least, increased solar activity will probably cause a few minor annoyances to GPS users. The larger concern, however, is that it might take out mobile communications, power supplies or perhaps anything with a GPS chip. Not quite Y2K in impact, but longer, less predictable and much less researched and publicised.

Social networks get secure

Why have we been waiting so long to deploy a solution to insecure social networks when it's not that difficult to achieve? The answer is our lack of imagination. This will change in 2012 as easy-to-use products emerge to secure Facebook and Twitter communications, just in time for a Springtime wave of citizen uprisings. I'm already playing with an alpha version.  

Big data is the new black

Yes, we've all known about the information explosion for decades, arguably for centuries. The problem is that no one has done much about it. But big data is now becoming interesting, both as a challenge to existing security processes and as an opportunity for data mining and fusion. It's a timely catalyst for change, as the real future of security lies more with smart information exploitation than with industrial-age quality management systems. I detect an increasing number of security vendors exploring this area. That's good news for a security community that's lacking in imaginative ideas.

The electronic Pearl Harbour strikes home

I've been forecasting the electronic Pearl Harbour for more than a decade. In 1999 I predicted it would not happen until at least 2006. That analysis was based on technology road mapping exercises.  Last year I forecast it would finally hit home. It didn't, but the integrity of many of our critical services continues to survive on borrowed time. Expect a big catastrophe this year. It's long overdue, and much needed to shake up the current lacklustre order of battle in the cyber security space.

Public clouds fail to hit the spot

Why are public cloud services so reluctant to give security assurances? Now that's the bit I don't get. You can't make money without talking up your products. There are plenty of liability considerations of course. But that's precisely why big customers are holding back. If vendors can't deliver cast iron guarantees then big companies will not buy the services. If any cloud services catch on they are likely to be private or hybrid implementations. Public clouds might seem like a good idea in theory but they have a long way to go in practice.  

The new global game

For decades we lived in the shadow of a largely invisible cold war dominated by pervasive espionage aimed primarily at military or diplomatic targets. It had little, if any, apparent impact on everyday citizen and business interests. Few of us noticed, or cared what was going on. Today it's different. The new battleground is our global business infrastructure, and the targets our trade secrets. It's no longer realistic for governments to turn a blind eye to hostile attacks, or even attempt to keep the new game under wraps. As exploitation of stolen secrets becomes increasingly visible, then we should expect an overt response to any covert attacks. It's time for soft targets to strike back. 


Security Forecasts for 2011 - Right or Wrong?


As we near the close of 2011, I find it instructive to look back and see just how accurate my forecasts proved to be. At the start of the year I forecast three major shifts in thinking during 2011.

Firstly, I expected that we would experience a major security incident involving the integrity of critical national infrastructure - perhaps an easy forecast, given the discovery of Stuxnet in 2010. Yet surprisingly it didn't happen. 2011 was perhaps a lucky year for CNI managers, but many insecure legacy systems continue to survive on borrowed time. 

Secondly, I forecast that emerging security technologies, based on virtualisation and trusted computing, would encourage user organisations to develop non-traditional approaches to securing enterprise infrastructure. Unfortunately, as Bill Gates pointed out, we have a tendency to overestimate what happens in the short term and underestimate what comes to pass in the longer term. Many existing solutions were found wanting in 2011, but innovative alternatives have yet to be adopted. 

Thirdly, I predicted that we would finally see some action in response to the growing need to encourage small and medium enterprises to implement security. I'm pleased to say that this forecast was nearer the mark, with the launch of the ISSA-UK 5173 standard, the US Government "Small Biz Cyber Planner" and a host of vendor solutions from the likes of Qualys, Sourcefire and Dell.

I also suggested that 2011 could see the start of a revolution in security thinking, which would last for most of the next decade, a period that might prove to be a new age of enlightenment for information security. On this one I probably jumped the gun. I still believe this will likely happen, but not until next year, judging by the reaction I get from my lectures to universities and conferences. 


The Future is in fashion


As a regular conference speaker I'm always intrigued by which topics are in fashion and why. A few years ago it was outsourcing and cloud computing. More recently it's been the human factor. Lately it's been the future of security that attracts the most interest. I've given three talks on this subject over the last few weeks. And I'm not the only one speaking on that topic, though I have to admit that I do seem to be rather better informed.

Why should the future of security be fashionable? After all it's been coming for a long time. The answer is because existing approaches are failing. No matter how hard we work the results are inadequate. Process improvement and maturity frameworks are not the answer. They remind me of Samuel Beckett's words: "Go on failing. Go on. Only next time, try to fail better."

So we need new solutions. Unfortunately, however, there is little concrete on offer. I've seen quite a few good analyses of the problem space by analysts, vendors and even partners of Big 4 companies. But I have yet to see anyone articulating a decent vision for the future.

My own views are more radical. I take the view that we must adapt our approach from the current one which is rooted in outdated, industrial age 'process' thinking, towards one based on a real-time, improvisational response, more in keeping with the characteristics of the information age. Our approach to security needs to change considerably: to be more immediate, personal and outwards, and focused on intellectual assets such as reputation, relationships and responsiveness.

Priorities, skills and technology all need to change. Many professionals have only just discovered that process can be as powerful as technology. But manual or scripted solutions are not effective in a dynamic, connected environment. The future of security demands smart use of technology and thoughtful relationship management. Process is an industrial age concept and will eventually be consigned to the scrap heap.

In fact security has always been primarily about gaining maximum visibility and persuading thousands of people to do things they don't even want to consider. In the past we got away with it by simply showing evidence that we'd tried our best. But in the future we will need to achieve real results. To be honest nothing much has really changed. It's simply that our previous inadequate efforts have been found out.


Preaching in a security wilderness


Last week I was fortunate to be speaking at Cyprus Infosec 2011. It was a first class event with intelligent speakers, great debates and a smart audience. But yet again I seem to be the only speaker calling for a forward looking approach to security.

Too many of our thought leaders are locked in the past, preaching outdated standards and old-fashioned management systems. These tools might be necessary for compliance but they will not meet emerging security challenges.

The business landscape is changing from one that is relatively static, standardised and synchronised to one that is dynamic, devolved and diversified. Fast-changing threats can't be countered by static policies and paperwork. Internal governance systems can't control external supply chains.

The future demands new approaches to responding to external events. And this in turn requires new skills, better intelligence, and smarter technology. Security managers should leave the paperwork on the shelf for the auditors and start implementing countermeasures that are capable of preventing advanced persistent threats.

We closed the conference with a futurist who pleaded for simplicity and regarded users as stupid. He was wrong on both points. Networks encourage diversity and complexity. We can't and shouldn't hold them back. The answer is to increase the intelligence in our security controls. Stafford Beer pointed this out more than 40 years ago. And it's not users that are stupid but the people who design their systems. Safety experts learned that many decades ago. 

Is this as good as it gets?


Every single day we hear new reports about large organizations being thoroughly penetrated by sophisticated attacks. Just when we thought it could not get any worse, it does. This is not just bad luck, and these attacks are not simply isolated incidents. It is, in fact, a phenomenon to be expected; the result of years of neglect in addressing the root causes of security breaches.

Put bluntly, our current approach to information security is not fit for purpose. It hasn't been for years, though we continue to congratulate ourselves on our efforts with bullish presentations and glittering award ceremonies. But the fact is that a growing wave of regulatory compliance has well and truly drowned what little inspiration might have existed to create new solutions. The result is that organized crime and intelligence agencies are free to steal whatever they want from our databases.

Let's face it our so-called best practices are no more than bureaucratic collections of ancient (often flawed) rituals. They might satisfy our auditors and regulators, but they don't address the growing gaps in our defences. This is to be expected to some extent, as standards and compliance processes are intrinsically backward-looking. It takes many years to identify, document, agree, implement and certify a set of controls.

Security today demands forward-looking horizon scanning and real-time assurance mechanisms. And it needs to be executed across an increasingly externalised infrastructure. The users have left the building, the apps are following. Securing the in-house LANs and servers is not the answer. And we are a long way from agreeing the new problem space.

Designing strategies, writing policies and conducting audits will not fix these problems. We have to break free from the treacle of compliance and build brand new solutions. The key question is who will lead this revolution? So far no one appears to have come forward. Not industry, not the governments, not the institutes and not the universities. Even the vendors are short on solutions. (Many have only just discovered ISO 27001.)

The security community has a long journey ahead. It would be useful to have a direction, a leader and a budget to solve it.     

It's exploitation, not possession that counts


Last year we saw the beginning of a change in attitude to information security, with a growing realisation that highly sophisticated attacks (such as Stuxnet) can and do happen. The threat is now taken much more seriously and new actions are being taken, at least by government. That's a useful step forward. But neither government nor industry appears to have grasped the broader implications of the changes introduced by the information age, of which threats are just one component.

More significantly for security is the inevitable shift in behaviour towards information management. We are entering an age when the value of intellectual assets resides much more in exploitation than possession. Or, as Alvin Toffler put it several decades ago, it's the information flows - not stocks - that really count. This trend is regularly accelerated by step changes in the ease of information sharing.       

That's why attempts to stamp out leaks are mostly doomed to failure, as illustrated by the recent leak of a US government strategy to prevent leaks. The proposed solution is far too weak to tackle the growing problem space. Instead, we need to rethink our philosophy towards information management.  The key to the future is openness and trust, not secrecy and caution. 
