What is the most important nut for infosec to crack in 2012?
Adrian Davis, principal research analyst at ISF
Over the past six years, the ISF has conducted a yearly forward-looking exercise called the Threat Horizon. In this exercise, we draw on the expertise of our members, academics and futurologists to examine the global trends and challenges organisations and information security will face, using the business-oriented PLEST (political, legal and regulatory, economic, socio-cultural and technology) framework. Our Threat Horizon has constantly flagged up both the dependence of organisations on their supply chain and the very real risks and vulnerabilities supply chains present.
So, from the ISF’s viewpoint, the most important nut to crack is supply chain security. The ultimate aim should be a globally accepted, adopted and scalable supply chain security assessment standard and approach that is cost effective and generally accepted across the business and government communities. Such a standard would provide a methodology, a process to identify supply chain risks and assess them, a baseline information security standard, and a method of consistently and regularly assessing and comparing the information security status of the organisations in the supply chain. Such a standard, applied globally, would set the bar for a supply chain; provide a way to assess and demonstrate security status; and offer a firm foundation to specify and build security solutions.
So is securing the supply chain a dream or reality for 2012? We at the ISF believe it can happen and are working to solve this problem for our Members and the industry as a whole. We have created the common baseline for external suppliers and are looking to expand the range of tools and techniques our Members can use to secure their supply chain. In addition, we are: working on the draft ISO/IEC 27036 Standard on Information Security in Supplier Relationships; aligning with the Common Assurance Maturity Model; and forming alliances with the Cloud Security Alliance. Watch this space...
John Colley, managing director EMEA, (ISC)2
The emerging threat in the developing cyber security skills gap is an issue we have highlighted throughout 2011. I believe 2012 will be the year when industry really begins to feel it, particularly in London with the Olympic Games coming to town.
Our research shows the average age of people in security is 40, with less than 10% under the age of 29. Looking back to 2008, there were 17% under the age of 29. Further, we are expecting the workforce to nearly double by 2015. Where are the people going to come from?
Beyond the numbers, the demands on professionals are changing significantly. CISOs (chief information security officers) today are actually at risk of losing insight into the systems that are driving business, with cloud computing, social networking, and numerous personal devices infiltrating the workplace, along with the easy to download applications these technology trends bring with them. We have always managed technical change, but the current pace is unprecedented. These developments will ruthlessly expose the weaknesses in an organisation, while a skills disparity is sure to arise in a workforce experienced at securing corporate-driven systems. Here too the aging of our workforce is cause for concern with a generation gap contributing to the challenge.
This skills gap is clearly an issue that cannot be resolved in its entirety in 2012, but there are some concrete steps that should be taken. As a professional organisation we are working hard with partners like the Cyber Security Challenge UK and US to develop more interest and support to encourage young people to consider a career in this field. More generally, organisations need to review their competencies in recruitment and the measurement of success— both continue to focus too heavily on the highly measurable technical elements of the job rather than the softer skills that are increasingly considered key.
The London 2012 Olympic Games will be an interesting test of the marketplace. This coincides with government recognition for the need for cyber defences and the Olympics, which earlier this month saw its security budget double, should be a showcase of their commitment. New systems for the games will clearly call on security know how; while increased requirements on existing infrastructures such as border control will also have an effect. You could compare it to the Y2K issue when companies faced a shortage of competent developers with the correct skills.
Vladimir Jirasek, head of security solutions at WorldPay, director CSA UK & Ireland
The past year was turbulent and eventful when it comes to information security with a number of high profile security incidents and an increase in cyber fraud (or e-crime). There is no indication that 2012 is going to be any different.
A list of priorities for information security professionals for the year 2012 could be split to several areas:
1. Legislative lobbying for consolidated international information security laws
The world needs less legislation, not more. Laws and regulations related to information security are results of silo approach by individual lobby groups. Look at data protection legislations around the world. The international privacy law is so complex that many lawyers do not understand all implications.
When looking at pure information security standards the field is also very fragmented. What we need is one standard for information security that will set the baseline, and then added specialised modules. For example, PCI DSS standards could be stripped of the requirements that are common with other standards, such as ISO2700x, and the payment process specific requirements become a module in the ISO standard.
2. International cooperation in tackling e-crime
Cyber criminals are laughing their socks off when committing e-crime. Not only is the Internet more-or-less anonymous but also legislation complexity and bureaucracy protect them from law enforcement. Countries need to agree on a single law framework for crime and processes to identify, capture and prosecute cyber-criminals.
3.Technology to protect by default
I have been saying for some time that the cause of the cyber security incidents lies in underlying Internet and computer architecture. These were created with very little security in mind, and security controls have been added to solve discreet problems. Loot at the Internet, where anonymity supports e-crime. Can you imagine same system on the roads?
Computer architecture need to step up with the controls that make our computers trusted. Some mobile phone platforms have been very successful in this area; look at Microsoft Windows Phone and Apple iOS. Traditional desktop operating systems have a lot to learn from mobile platform security. Such a trusted platform would be then used for future initiatives, such as trusted identity assistant in your pocket.
In summary, year 2012 should be the year where governments come together and simplify cyber security and privacy laws, and computer HW and Sw companies step up their efforts to create trusted computing platforms.
Ruggero Contu, agenda manager, security solutions, worldwide, Gartner
Solving security issues relating to the use of mobile technologies will be among the most pressing priorities for businesses in 2012. This is due to the range of vulnerabilities that affect increasingly popular mobile platforms such as smartphones and media tablets, from the high risk of data loss and the availability of insecure applications from app stores, to the growing threat from mobile malware.
Throughout 2012, many organisations will remain unsure how to tackle these vulnerabilities. One important concern relates to the "consumerisation" of IT. While some businesses will opt for more restrictive policies to try to limit employees' use of personal devices at work, this will become increasingly difficult, if not impossible to implement. After all, employees can download data to cloud storage services such as Dropbox, and then access it from unauthorised devices. What's more, bring-your-own-device (BYOD) schemes for employees can have clear productivity benefits, as can granting external consultants and partners controlled access to corporate resources via mobile devices.
To secure mobile technologies, it's crucial to have the right policy and tools in place. Implementation of a clear mobile security policy will contribute to a controlled and secure use of both corporate and personal mobile equipment. New technology can be very useful for solving some security problems. Mobile device management tools, for example, offer capabilities to fulfill tasks like software distribution, inventory/policy management and security management.
More traditional security technologies also have capabilities that can extend to mobile devices. For example, network access control is now used mainly to enable BYOD schemes, while cloud-based secure Web gateway tools can be very helpful in protecting mobile devices when used remotely. Mobile data protection and data loss prevention tools offer essential capabilities to secure both moving and static data by applying granular encryption policies and monitoring the movements of vital corporate information.
Louise Bennett, chair of BCS Security
The reality is that no IT security issue ever gets solved for all time. Security is a race without end between attackers and defenders.
So, the question I will answer concerns the area where I would like to see focus and progress in 2012. It is security for the Internet-of-Things. My reason is that many people thought Y2K was not a real problem, but the problem was very real when it came to embedded chips. These often had code that did not allow for the millennium date change and almost never had any security. Many still do not.
Now, more than a decade on, there are billions of “things” attached to the Internet, with frighteningly little security. These do not just include computers and mobile devices, but also TVs, medical devices, smart meters, lights, environmental control systems and so on. Soon we will have tagged cars and clothes and food. Most of these devices have limited provision for security and we have no model of how security will work. Who is going to provide security patches for Internet TV or tagged consumer products? Ubiquitous broadband networks will link these and may be monitoring and subtly altering them. Who will accept responsibility and liability for the protection of consumers and businesses using these devices? What will happen to confidence in remote health monitoring of the elderly and those with chronic diseases if a future Dr Shipman chooses to alter medicine doses?
We need to discuss this topic and act now to provide the right security.
Derek Oliver, director and CEO of Ravenswood Consultants and co-chair of COBIT 5 Task Force
Cloud Storage: a threat to compliance with legislation?
Although providing a futuristic solution to data storage and, in particular to data sharing, the ‘Cloud’ is fraught with dangers, for those of us dealing with personal data in the EU in particular. Cloud Security may well be improving, but we are at the mercy of the inexperienced and “unwilling-to-learn” user. Whatever assurances they may give when setting up cloud storage solutions, it is all too easy for someone to include personally identifiable information (PII) in the cloud along with other, less sensitive data then grant read access to the whole folder to someone entitled to see the non-sensitive data, but who has no right to access the PII. There is also the unknown factor of the Cloud server location, which may well be in the USA, for example. Both of these instances are likely be in breach of EU directive on personal data security, encoded in the UK as the Data Protection Act, 1998. (For this reason, the many requests I get for access to Google Docs; Dropbox etc. always receive a negative answer!).
Information Security: still not seen as a full-time job?
Despite ISACA’s efforts to engage with and inform Executive management, especially with the publication of the Business Model for Information Security (BMIS), the role of the Information Security Manager is still not being seen as a full time job by many organisations, particularly in the Public Sector. Some places believe it can be covered by “somebody” in the “margins of time” but there are still many instances of the old “We have an IT Security Officer so that covers information security” which is, of course not the same thing! Whilst Information Security incorporates IT, it does not necessarily follow that the reverse applies. Organisations can still be found with an “IT Security Policy” but nobody to ask what is the policy for securing information on paper or voice communications or to advise on compliance with legislation on Data Protection, Freedom of Information, Human Rights etc.: these are not normally issues within the remit of IT Security!
Ramsés Gallego, member of the ISACA Guidance and Practices Committee.
Mobility + Social + Cloud
The World is turning mobile and Enterprises are turning social. With the now established triad on Mobility-Social Media-Cloud, I am envisioning that enterprises will become social, allowing employees to participate further in the movement (I wouldn't say direction) of the company, facilitating the exchanging of opinions and ideas, making it possible for them to protect the brand. Then, companies will deal with that information and move forward. I think that companies will provide their own App Store so that employees can download MANY apps for an easy access to different content of the company
Still in its early stages, but companies will allow employees and customers to 'play' with the organisation. We will be 'invited' to interact with companies through online gaming so that it's easier -and funnier- to us as employees and consumers to give feedback on likes and dislikes, for example. Of course, the Internet and social media -groups of interest, social networks- will be instrumental for this as well as mobility. Organisations are creating new channels/ways to get us interested in their brands and promoting them as games, even with a reward schema -that you can redeem at a certain point in time- will be happening more and more often.
Identity Management based on Context-based Access Controls
Because of geolocation -well covered by ISACA on a white paper that I had the pleasure of chairing-, the world will move beyond RBAC (Role-Based Access Control) and will embrace Attribute-Based Access Control (ABAC) and, more importantly, Context-Based Access Controls (CABC) so that we gain access to information depending WHERE we are, WHEN we are, and HOW we are (connected to the enterprise). I will be the same professional (with the same access rights) for my company if it's Saturday at 3:00am and connected through a smartphone than at a normal working hours. Thus, I might not get the same access if I am using a smartphone in a special region than if I'm sitting at a partner's desk within my country.
On crisis time, companies still need to innovate but need to invest wisely on R+D due to budget constraints. Thus, moving beyond the regular outsourcing, enterprises will embrace the crowdsourcing arena, a discipline based on shared knowledge and ideas contribution from all over the world. Contributors might get just a mention on the final delivery, the project or some kind of reward, but definitively, far beyond from the regular cost of 'the normal way'. This will be driven, again, by social media and Cloud, where companies can create a shared workspace for people to collaborate... but will bring benefits and risks at the same time: authenticity, integrity, and confidentiality of the information.
This is already happening and there are big suppliers behind the topic (IBM, for instance). Since we created the same amount of information every two years than the previous 150, we need to filter information, to analyse it so that we get to conclusions faster and with more intelligence. There are many different interactions channels, many tests from products, different opinions from customers from geographically dispersed regions of the world, organizations need to collect, store, analyse and report tons of useful information. This will require IT to bring intelligent systems, unique datawarehouse stores and analytical capabilities to machines that will be enabled by a machine-to-machine dialogue.
The Internet-of-Things - Many Internets
Internet is already a place for many people, many companies. They exist only there -in the Cloud, again- and are global because of that. However, geo-political reasons and regime changes might present the opportunity to establish a more-secure-private-only Internet that can be for a country (China, in way, is already doing this), for a region or for a global company that only wants one type of user (the one with a certain level of security, with pre-defined patches applied -in a kind of Network Access Control-,...). I envision, for security and business reasons, a growing number of different 'Internets', even 'Community Internets'.
John Walker, member London Chapter ISACA Security Advisory Group and CTO of Secure-Bastion
New malware attacks
2012 will be a critical year on-line trading, which may encounter intense interest from Organised Crime, developing engineered malware threats, with carriers containing business sector, or entity-specific targeted payloads.
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks should be expected to increase, utilised as CyberConflict tools which may be utilised by attackers as (a) Noise generators, to conceal more subtle attacks, (b) Utilisation by hacktivists to carry their message to the target(s) of choice, and (c) The means by which Cloud presence will be targeted with unwanted bandwidth payload.
SmartPhone Malware will enjoy significant increase – it is likely that the attackers will utilise this small hand held platform to communicate Trojans, and Malware cross-platform into the connected desktop host.
Consumerisation will prove to be a security challenge, presenting opportunities for Data Theft, Data Leakage, and possible unwanted Trojanised driven logical incursions into the corporate interconnected environment.
Allan Boardman, director of ISACA and chair of the ISACA Credentialing Board
2012 is expected to be a very tough year on many fronts. Dark clouds are gathering and one almost wishes to decamp to a deserted island and return at the end of the year, in the hope that normality has returned. However, against the backdrop of the world economic crisis and looming recession in the US and Europe, coupled with severe austerity measures across many fronts and having to do more with less, and increasingly interconnected and complex systems subject to constant change and heightened regulatory scrutiny, the risk, security, assurance and governance professionals potentially have many opportunities and should have a busy year.
Expect to see a heightened focus on data privacy and a continuation of data loss incidents from high profile organisations in the public and private sectors. And also expect to see that the regulators and the general public run out of patience with the sometimes lax controls in place, for example still not mandating two factor authentication for accessing one’s online bank account, or not enforcing encryption or masking of sensitive data when it is not in properly secured environments.
Expect to see more sophisticated and targeted attacks at the mobile platforms (primarily smart phones and tablets) for example harvesting data and attacking web browsers. This is likely to cause widespread disruption and high visibility as these are consumer facing technologies. And the proliferation of devices coupled with inconsistent protection practices from hardware and service providers (particularly for Androids) will mean that this is hard to guard and protect against.
Critical National Infrastructure
Although there have been some isolated critical infrastructure incidents, expect to see an increase in occurrence of these and an increase in the intensity and impact. Perhaps targeted at specific major events in 2012 such as the London Olympics or the US presidential elections.
With the exception of a few isolated reports (for example the recent Illinois water station incident), there have not been widespread reports of CNI attacks. This has potentially given the impression that SCADA systems are harder to break into. Traditionally SCADA systems have been considered to be more isolated from the internet and also more resilient against malware as the systems were generally based on more robust proprietary systems. The reality is that many SCADA systems have moved from proprietary to more open IP based protocols and are now more likely to be more connected to office systems and other networks than ever before. The risks of such attacks, and impacts on ordinary people, are very real. (The reference to major events above was related to the idea of CNI being targeted during such events for maximum impact or effect).
A major international political crises as a direct result of cyber warfare or cyber sabotage draws ever closer. Currently a lot of the actively is covert through cyber espionage, but it is just a matter of time before this blows up, quite literally, as it is not inconceivable that the victim country may respond using traditional military force.
A major cyber attack on say one country’s critical national infrastructure is likely to spark off a serious international diplomatic incident, with wide ranging consequences, particularly if there was loss of life. And it is very possible that the victim country could respond by using traditional warfare methods. However, this is likely to be very problematic, for example sending in air attacks to destroy data centres is likely to be ineffective as it will be a bit like searching for a needle in a haystack. Perhaps the answer is to produce SAS style digital warriors (and these are probably in the making already).
Service provider outages
Expect to see more service provider outages (as with Blackberry in 2011) related to complexity, capacity, and interconnectivity and dependency issues. As single large vendor dependencies grow (and RIM with Blackberry is a good example of this), any major outage can have wide ranging implications. Expect to see more pressure on the major cloud service providers (Google, Amazon, IBM, etc) to demonstrate that they have highly resilient systems and services.
Awareness of the need within organisations to ensure that risks are properly mitigated and that value is achieved from information systems, as a direct result of the launch of COBIT 5.
The launch of COBIT 5 in 2012 will be a very important milestone for ISACA, and with much publicity expected around the launch, and the more wider ranging scope of coverage (including covering enterprise information and technology assets, and being principle based and enabler supported), I would hope and expect that it will reach audiences not previously engaged. Also the inclusion of the implementation guide should further assist easy adoption and adaption for specific circumstances and environments.
John P. Pironti, chief information risk strategist at Archer Technologies and member of the ISACA Education Board
- Organisations will recognise that security focused on compliance instead of threat and risk is not effective and that they must begin to change their approach to be successful.
- Information security organisations will move away from being a function of Information Technology and become part of Enterprise Risk Management organisations.
- There will be a sharp increase of attacks targeted at mobile devices to either exploit them or use them as an access point to corporate networks
- Google will be forced to change its practices for applications submitted to and distributed by its Application Store to require more vigorous security testing and requirements.
- Cloud solutions will be compromised more often due to their growing popularity and use.
This was first published in January 2012