Recently in Future Trends Category

One day wonders

| No Comments | No TrackBacks
| More

Last week Dr Hugh Thompson of Blue Coat and RSA fame was in London. I was fortunate to find a slot with him to meet up and exchange ideas. I like Hugh because he's not like the regular, dull vendors or CSOs that churn out the accepted security mantra. And he understands the importance of the human and political factors in achieving effective security.

Hugh updated me on his latest Blue Coat research on "One day wonders" i.e. websites that exist for less than a day. It's an important landscape as a surprisingly high 71% of all web sites exist for 24 hours or less. More worrying is the disturbing fact that these sites attract hackers, villains and other bad people.

Of course most one-day wonders are legitimate and exist to deliver a better user experience. Many are organizations such as Google, Amazon and Yahoo with a substantial Internet presence. That's why they're popular. Unfortunately there's a darker side, as malware operators seek to generate large numbers of popular sub-domains built on a foundation of more evil domains. Sites are selected to support mass attacks on targeted victims, attacks that are highly scalable, difficult to track and easy to implement.
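As an added illustration (this is not code from the post or from Blue Coat's research), here is the kind of short-lived-domain check a defender could run over web proxy logs to surface one-day wonders for review: it records the first and last time each host is seen, flags hosts whose observed lifetime is under 24 hours, and groups the flagged hosts by parent domain so that a parent spawning many short-lived sub-domains stands out. The log format, the host names and the allow-list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "<ISO timestamp> <client IP> <host>".
# Every host below is an invented placeholder, not a real indicator.
SAMPLE_LOG = """\
2014-10-20T08:00:00 10.0.0.5 cdn-a12f.example-content.test
2014-10-20T09:30:00 10.0.0.7 cdn-a12f.example-content.test
2014-10-21T08:15:00 10.0.0.5 cdn-a12f.example-content.test
2014-10-22T10:00:00 10.0.0.9 cdn-a12f.example-content.test
2014-10-22T10:05:00 10.0.0.9 x7k2.update-check.test
2014-10-22T10:06:00 10.0.0.9 x7k2.update-check.test
2014-10-22T11:20:00 10.0.0.12 q9z1.update-check.test
2014-10-22T14:00:00 10.0.0.5 mail.corp-example.test
"""


def parse_proxy_log(text):
    """Yield (timestamp, client, host) tuples from the simple constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        yield datetime.fromisoformat(ts), client, host.lower()


def domain_lifetimes(records):
    """Return {host: (first_seen, last_seen, hit_count)} over all records."""
    seen = {}
    for ts, _client, host in records:
        first, last, n = seen.get(host, (ts, ts, 0))
        seen[host] = (min(first, ts), max(last, ts), n + 1)
    return seen


def registered_domain(host):
    """Crude parent-domain extraction (last two labels); production code would
    use a public-suffix list so that e.g. example.co.uk is handled correctly."""
    return ".".join(host.split(".")[-2:])


def one_day_wonders(log_text, known_good=frozenset(), window=timedelta(hours=24)):
    """Flag hosts whose observed lifetime is shorter than `window` and whose host or
    parent domain is not on the allow-list. Returns (flagged, by_parent) where
    by_parent maps each parent domain to its flagged sub-domains."""
    lifetimes = domain_lifetimes(parse_proxy_log(log_text))
    flagged = {}
    by_parent = defaultdict(list)
    for host, (first, last, hits) in lifetimes.items():
        parent = registered_domain(host)
        if parent in known_good or host in known_good:
            continue
        # A host seen only once has a zero lifetime and is flagged as well.
        if last - first < window:
            flagged[host] = {"first_seen": first, "last_seen": last,
                             "hits": hits, "parent": parent}
            by_parent[parent].append(host)
    return flagged, dict(by_parent)


if __name__ == "__main__":
    flagged, by_parent = one_day_wonders(SAMPLE_LOG, known_good={"corp-example.test"})
    for host, info in sorted(flagged.items()):
        print(f"{host}: {info['hits']} hit(s) between {info['first_seen']} and {info['last_seen']}")
    for parent, hosts in by_parent.items():
        if len(hosts) > 1:
            print(f"{parent} spawned {len(hosts)} short-lived sub-domains: {hosts}")
```

The allow-list is the important design choice: as the post says, most one-day wonders are legitimate (CDN and content hosts churn through sub-domains constantly), so the raw "seen for under 24 hours" signal is noisy on its own. Feeding it through an allow-list of known infrastructure and then grouping by parent domain turns it into something an analyst can triage, because a parent that keeps minting short-lived children is the pattern worth looking at rather than any single host.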

Hugh and I also had an imaginative debate on current trends, including the Internet of Things. We both agree that security cannot be contained within devices alone. Against a landscape of continuously fragmenting technology (into larger networks of smaller devices), rapidly changing platforms, and uncertain access policies, security must migrate into the network. The challenge of course is where, when and how this will materialise. And of course who will control it. 

Security and the Internet of Things


Whether you like the term or not the so-called Internet of Things is generating a huge amount of interest, and a growing amount of security research, including great opportunities for forward-looking security practitioners. The label of course is simply a passing fashion. Just like EDI or Knowledge Management it's not likely to survive for more than a year or two, though the problem and solution spaces it occupies will continue to blossom for decades.

So what is it exactly? And what sort of security does it require? These are good questions that have yet to be answered adequately. I can imagine a future world in which billions of devices interact safely and securely. But this world is far from possible with today's technology. In fact today's initiatives are no more than very small beginnings: a handful of private machine-to-machine networks, a few attempts to standardise on communications protocols, and one or two initiatives to develop a public catalogue for sensor data.

All of this falls well short of the world imagined by the brilliant Neil Gershenfeld fifteen years ago in his visionary book "When things start to think". Radical change is very easy to imagine, but it's extremely hard to bring it about. There remain many tough problems yet to be solved to realize the Internet of Things. Ones that spring to my mind for example are the following. 

  • Where is the bullet-proof data ontology to enable reliable translation of critical data between systems? (I've heard a few whispers about vocabularies under development. That's nowhere near enough.)  
  • How can we develop access policies for interaction between devices when we're not quite sure where, when, how, or by whom the data will be exploited? Security technology is worthless without a requirements specification. 
  • Who will control the security and where will it sit? Will it be in devices? I think not. Will it be in the network? I think so. But who takes control? 
  • Who will be liable for serious incidents arising from accidental or deliberate misuse or manipulation of sensor information? Against a business landscape of increasing product liability this is no trivial question.  

We are clearly at a very early stage in developing the vision for the Internet of Things. Perhaps, just like the World-Wide-Web, it will begin as an anarchistic Wild West of experimental but dangerous, read-only applications. And maybe it will begin to flourish for business applications when we finally develop a security breakthrough equivalent to the acceptance of the SSL protocol.

One thing that is certain is that we will not achieve much progress without early casualties. So let us hope that there are pioneers brave enough to accept or ignore the risks.

Meetings with remarkable security men


This week Doc Hugh Thompson of RSA fame was in London. We had an interesting and entertaining debate on current and future trends. Hugh is a consummate, multi-tasking professional: lecturer in Cyber Security at Columbia University; Chair of RSA Conference; and Chief Security Strategist at Blue Coat. He's also a larger-than-life character, with a keen interest in technology, human behaviour, and innovation.

Blue Coat products have a strong position in the market (80% of Fortune 500 they tell me) based on their easy-to-deploy security appliances which have the useful feature of providing visibility of encrypted SSL traffic. They have recently added additional features such as sandboxing and advanced analytics to combat APT threats, making them a good choice for an enterprise security gateway.

Not surprisingly, we talked about encryption. Default encryption has been suggested as the best way to protect web users' privacy online, and it's on the increase as more and more organizations switch from http to https. Hugh tells me that around 25% of incoming business traffic is now encrypted. However, this trend presents a major problem for enterprises, as it also enables attackers to hide their communications. Security demands the ability to read traffic. Encryption creates as many problems as it solves. In my view it will not succeed. The future is more likely to be a hyper-connected world in which no information is secure.

Information sharing is another hot issue we discussed. I take the view that it's simply not viable as legal, compliance, and political considerations discourage any release of sensitive information to third parties. Governments can't easily share secrets with international companies. And executive boards don't like security managers telling others about incidents. Countries with state-owned industries clearly have an advantage here, though such an infrastructure carries its own baggage.

Another topic was conference audiences. RSA Conference has seen a trend away from a technical security community towards a more business oriented security community. My view is that security managers are going native. They need to stand up to, rather than succumb to, business managers. I've also noticed that compliance and audit functions are now setting more of the security agenda. Large financial organizations now have almost ten times more people policing them than securing them. At this rate ISACA conferences will overtake RSA conferences in size.

We both agreed that speed, imagination, and attention to the human factor are the keys to security in the future. CSOs need to escape the burden of compliance and be empowered to practice real security. Personally I don't believe this will happen until after an electronic Pearl Harbour incident.    

Unfortunately we ran out of time to discuss deeper issues. But we did agree to continue the discussion next time Hugh is in town. 

The future of mobile? Bright but cloudy


Tuesday evening saw the London launch of IDATE's 2014 version of their DigiWorld Yearbook, an excellent guide to telecoms, Internet and media markets. It was a useful opportunity to catch up with emerging trends in the mobile world and the over-the-top services that are changing our lifestyles and challenging our security. So what did I learn?

IDATE (not the Internet dating agency) is a European think tank represented by around 50 major players in the digital economy, largely vendors, regulators, and, refreshingly, a few French banks. Interestingly for security professionals, the UK branch is chaired by Steve Durbin who is also Managing Director of the Information Security Forum.

The Yearbook reveals that global digital markets have shown "growth in slow motion" (3.3%) though European revenues remain in decline, perhaps reflecting a weak economic climate and inefficiencies in a fragmented supply side. Emerging markets are well up of course and not held back by legacy infrastructure.

Delving further into the numbers we can see an overall growth of 20% in Internet services, with the strongest growth in social media sites, mobile apps and video services. The Cloud is also a star, with high growth and revenues (up 30%) and accounting for a quarter of online revenue.

Clearly customers in mature markets are getting picky and vendors being squeezed despite a strong appetite for bandwidth and mobile services. What are the issues for Europe? Three things according to Anne Bouverot, Director General of the GSM Association. Firstly spectrum: there isn't enough and it takes a decade to transform. Secondly taxation: it's far too high and runs counter to digital inclusion. And thirdly consolidation: it's needed to extend services and reduce costs.

How does an investment bank view such a business environment? Very positively according to Jeffrey Krogh, a tech-savvy BNP Paribas director. Slow growth means companies need to cooperate and take out cost, which sets the scene for convergence. He believes we're just at the beginning of a wave of radical consolidation.

What about 5G? What is it and when is it coming? The answer is that we don't yet know but it has to be different and much more than 4G. The UK Ministry of Culture is planning to launch a consultation paper in July.        

So much uncertainty, as well as so many red herrings. What about those clever Google ideas about balloons and drones? Not so smart on closer inspection according to Anne Bouverot. Balloons get blown about in three dimensions which is not good for service delivery. And the sight of a drone is likely to terrify citizens in many emerging countries.


The world in 2018 (or not)


Now I'm not saying that I get everything right about the future. But I can certainly spot the excesses of other futurists. The latest example is IBM's predictions for the next five years.

The most important thing about forecasts is to understand the human, societal and legal blockers, as well as the limitations of technology and developers to deliver on promises. Against this background, IBM's suggestions seem rather naive, especially against a five year timeline.  

The classroom will learn you

Not only is it bad English but it seems rather sinister to suggest that technology should assess children's potential and be relied on to identify dyslexia instantly.

Buying local will beat online

I couldn't think of anything more likely to send me quickly to the exit than the prospect of a salesperson intercepting me in the aisle in which the products I'm interested in are located.

Doctors will use your DNA to keep you well

The prospect of doctors determining my medication based exclusively on DNA readings fills me with concern. I prefer a human diagnosis based on a richer set of symptoms and experience.

A digital guardian will protect you online

The idea that a digital guardian learns about a user and authenticates transactions is a sound one in theory but will citizens be comfortable with a third party system that continuously shadows their behaviour? I think not.

The city will help you live in it

The prospect of large scale urban sprawl is bad enough but the idea that decisions on urban services are directed by crowdsourcing is enough to make central planning a desirable option.  

As a Daily Telegraph letter writer might put it "Am I alone in thinking this?"    

Predictions for 2014


So what will 2014 hold for cyber security professionals? Will it be something new or more of the old? The answer is a bit of both. We have all reached a crossroads in the way we manage security. Some CSOs will soldier on ahead - with diminishing effectiveness - while others will benefit from taking a fresh direction. Here are my forecasts for the state of security in 2014.

Escape from monoculture

New security technologies will provide a greater choice of defensive options. I've reported before on the danger of security 'monoculture', i.e. we have all been implementing identical security defences, providing attackers with a simple testing platform for attacks. New products that detect malware through behaviour and characteristics other than traditional signature scanning will present a new challenge for attackers.  

A new generation of attacks

Forward-looking security professionals have been wondering what comes next after Stuxnet et al. That code was developed many years ago. The next generation of attacks will inevitably be richer, more sophisticated and even stealthier. There are enough political, commercial and criminal motives to encourage further attacks, so we can expect to see some spectacular threats - if we can detect them. They may already be amongst us.

A backlash against security standards

Wherever I go in the world I find a huge percentage of security managers who believe that security has failed, and the major culprit is compliance along with the bureaucratic standards it promotes. I've been saying this for years but lately I detect that governments and regulators are beginning to see the light. Compliance cannot go away. In fact it's likely to become even stronger. There will however be a rethink of the standards we need to achieve effective security. But don't expect an early solution.   

Improving strategic crisis response

Crisis management has been a long-standing weakness in all enterprises, for both business and security crises, especially at the strategic level which aims to safeguard the intellectual assets of the organisation. The growth in major incidents, CERTs, SOCs and SIEM tools has all helped to raise awareness of the need for better crisis management. It will be a long journey. But it's a healthy sign that enterprises are finally looking beyond simple incident management processes and business continuity plans.

Cyber skills gap grows

We all know there's a shortage of high-end cyber skills. Ask anyone that runs a security testing company. It's because skills such as high-speed reverse-engineering require a special kind of person. Training courses can't fix this problem, especially those that teach ancient security rituals. People with special skills can't be mass produced. They have to be sought out. And that's a more difficult challenge.

No change at NSA    

Don't expect any major changes in the operations at NSA, despite continuing Snowden revelations. The weakness is primarily with visible oversight and public presentation of policy, rather than day-to-day operations. The reality is that we have to gather large amounts of intelligence to prevent terrorist incidents. And that threat has not diminished. There is no evidence of widespread misuse of the data gathered. Admittedly there is a theoretical possibility of a future dictator abusing the power. But that's arguably a lower risk than the threat of terrorists gaining access to weapons of mass destruction.

And on that controversial note I'll wish everybody Season's Greetings.


Predictions for 2013


It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last December I made five predictions for 2013. How well did I do? Let's examine them.

Attacks get nastier

I forecast that attacks would become more damaging. It didn't happen quite the way I imagined. Some data breaches were massive (e.g. Snowden) but most attacks were designed primarily to steal data rather than to damage business operations. We await the latter. It's simply a matter of time.

Big challenges from Big Data

Big Data enables powerful user access and new opportunities for bigger data breaches. The potential was illustrated by the Snowden case which highlighted the massive power that is now in the hands of our administrators and power users. We are witnessing the slow death of the 'least privilege' principle. The worst is yet to come.      

Final death of corporate perimeters

The users have left the building, the applications are progressively following, and the enemy is already inside. Everybody is aware of the challenge. The Jericho Forum has therefore disbanded their evangelic mission and declared success. All that remains is for enterprises to follow their new instincts and implement security at the application and data levels.

Security speeds up

Security managers are speeding up their act, supported by a new generation of security tools that deliver real-time, continuous security. There are no excuses today for delay in detecting and mitigating vulnerabilities. Security managers should take full advantage of the new opportunities presented by Cloud security technology for speed and empowerment. 

SMEs discover security

For decades SMEs have been the soft underbelly of big business and critical national infrastructure. They still are. I predicted that 2013 would see the beginning of a slow change in this sector. Certainly there is greater awareness and interest with governments and regulators. But we have yet to see any significant change despite the fact that we (ISSA-UK) set out a practical blueprint nearly two years ago.

Learning points

The events of 2013 demonstrated several home truths of cyber security. The Snowden case illustrated these well. Firstly, you can't keep anything secret in a hyper-connected society. Secondly, the short term damage of a massive breach can seem less than expected, though the longer term effects will be surprisingly broad and disruptive. Thirdly, existing security practices are inadequate for addressing the risks presented by today's infrastructure. And finally, it takes a painfully long time for stakeholders to address issues that have for many years been staring them in the face. 


Visions of the Future


I've just read an interesting report of future 2020 scenarios on cyber security put together by an esoteric institute called the International Cyber Security Protection Alliance (ICSPA). I don't know who they are but they have some excellent chaps such as John Lyons and the Right Honourable David Blunkett MP on board. It's a fascinating read and a valiant attempt to visualise life in the next decade and beyond. As a keen futurist I applaud such exercises but cannot help but see them with critical eyes.

Many attempts to predict the future fall into the trap of imagining the future as an exaggerated version of present trends, rather than taking a step back and trying to identify the real blockers, enablers and catalysts of the current and emerging drivers and trends. This one falls into a similar trap of extrapolating the present rather than imagining a different future.

Personally I find that 2020 is a hard call. I can generally see the next 18 months and imagine life a decade or two away. But very little changes in five or six years. As even Bill Gates has noted we tend to overestimate the changes that will occur in the next two years and underestimate the changes that will occur in the next ten.

In the ICSPA report we see mention of attacks on critical infrastructure, augmented reality and the Internet of things. Yet these possibilities have been around and viable for the last two decades. SCADA systems have been vulnerable (and hacked) since the time they were first introduced. Augmented reality is based on a technology worn continuously by Thad Starner for two decades. And the Internet of things is little more than a rather lacklustre adaption of Neil Gershenfeld's pioneering visions at MIT Media Lab in the 1990s. 

Why did these technologies not materialise in the past? It's a good question, and it represents one of the keys to understanding the future. Augmented reality has been a reality since the turn of the century but has not caught on. There's clearly a major blocker. It may be cost, health and safety or a combination of both. Attacks on critical infrastructure have been possible for decades but the threat has not materialised (and I'm sure it will be well and truly mitigated as soon as a 9/11 type incident occurs). The Internet of things is a wonderful field for imaginative speculation but the business case and reality lags very far behind.

It's good however to stretch the minds of executives with far-fetched scenarios of the future. People tend to suspend their disbelief when contemplating fictional visions and accounts. The Royal Dutch/Shell Group has been exploiting this phenomenon for around forty years. It works. But it's a lot more effective when it's accurate. 


Business understanding of cyber attacks a decade out of date


This is the title of an article from yesterday's Australian Financial Review, the leading Australian business newspaper. It was written by Chris Joye, a leading economist, fund manager and policy adviser, previously with Goldman Sachs, following an interview with me. Chris is a leading influence in business leadership in Australia. If he gets it, it's only a matter of time before the business community follow his lead.

It's good news to gain the interest of business leaders like Chris. It's another problem to exploit this spotlight. Let's hope that the Australian security community has the imagination to follow through.    


Learning points from Advanced Persistent Threats


I've been very busy this year as you might gather from my rather thin postings. It's a positive sign in fact as it reflects the mushrooming demands of a growing industry which has a long way further to grow.      

One thing that is currently occupying my attention is the subject of APTs, which I'm currently researching for a new publication. It's an interesting and fast moving topic. Ten years ago nobody was interested in this level of threat. I was even accused of being a 'doomsayer' by ZDNet for warning about such risks. But what strikes me about APTs today is that nearly all of the published information about them is either factual analysis about how they work, or promotional claims about new technologies to make them go away.

What's lacking are the learning points from actual attacks. It's understandable given that most companies prefer to keep quiet about attacks. Yet this is the information we need. If we'd been warned earlier about the full facts of these attacks we might have done things differently.  

We need to know things such as: What should we do differently? How can we discover an attack? What measures should be implemented to minimise future risks?  This information is still hard to come by. Implementing ISO standards does not solve the problem. Committees, responsibilities and policies certainly don't deliver enough.

Going beyond today's best practices should be the focus of security researchers today. Too many are still trying to invent new ways of outdated controls to unsympathetic executive boards. I have occasional debates with Fred Piper on the subject of whether today's practices are better than nothing. I claim they're not because they're an expensive distraction. He says they still serve some use. But we both agree they're not good enough.

So I invite anybody who has a great new idea on how to reduce the risk of APTs to contribute it to my current research. You'll get full credit. We need your innovation. At the same time, I must encourage anyone who has experienced an APT attack to share their views on what they would do differently in the future. We need your experience.   

About this Entry

This page contains a single entry by David Lacey published on October 23, 2014 8:52 PM.
