2011 has been an interesting year in information security, with the emergence of several key trends that are likely to continue. Global IT security association ISACA has compiled the following responses for Computer Weekly to the question: What is the most important nut for infosec to crack in the coming year, and why?
Derek Oliver, director and CEO of Ravenswood Consultants and co-chair of the COBIT 5 Task Force
Cloud Storage: a threat to compliance with legislation?
Although providing a futuristic solution to data storage and, in particular, to data sharing, the ‘Cloud’ is fraught with dangers, for those of us dealing with personal data in the EU in particular. Cloud security may well be improving, but we are at the mercy of the inexperienced and “unwilling-to-learn” user. Whatever assurances they may give when setting up cloud storage solutions, it is all too easy for someone to include personally identifiable information (PII) in the cloud along with other, less sensitive data, then grant read access to the whole folder to someone entitled to see the non-sensitive data but who has no right to access the PII. There is also the unknown factor of the Cloud server location, which may well be in the USA, for example. Both of these instances are likely to be in breach of the EU directive on personal data security, encoded in the UK as the Data Protection Act 1998. (For this reason, the many requests I get for access to Google Docs, Dropbox etc. always receive a negative answer!)
Information Security: still not seen as a full-time job?
Despite ISACA’s efforts to engage with and inform executive management, especially with the publication of the Business Model for Information Security (BMIS), the role of the Information Security Manager is still not being seen as a full-time job by many organisations, particularly in the public sector. Some places believe it can be covered by “somebody” in the “margins of time”, but there are still many instances of the old “We have an IT Security Officer, so that covers information security”, which is, of course, not the same thing! Whilst information security incorporates IT, it does not necessarily follow that the reverse applies. Organisations can still be found with an “IT Security Policy” but nobody to ask what the policy is for securing information on paper or in voice communications, or to advise on compliance with legislation on Data Protection, Freedom of Information, Human Rights etc.: these are not normally issues within the remit of IT security!
Member of the ISACA Guidance and Practices Committee.
Mobility + Social + Cloud
The world is turning mobile and enterprises are turning social. With the now-established triad of mobility, social media and cloud, I am envisioning that enterprises will become social, allowing employees to participate further in the movement (I wouldn't say direction) of the company, facilitating the exchange of opinions and ideas, and making it possible for them to protect the brand. Then, companies will deal with that information and move forward. I think that companies will provide their own App Store so that employees can download MANY apps for easy access to different content of the company.
Still in its early stages, but companies will allow employees and customers to 'play' with the organization. We will be 'invited' to interact with companies through online gaming so that it's easier, and more fun, for us as employees and consumers to give feedback, to give like/dislike information, etc. Of course, the Internet and social media (groups of interest, social networks) will be instrumental for this, as will mobility. Organizations creating new channels and ways to get us interested in their brands, promoting them as games, even with a reward scheme (that you can redeem at a certain point in time), will be happening more and more often.
Identity Management based on Context-based Access Controls
Because of geolocation (well covered in an ISACA white paper that I had the pleasure of chairing), the world will move beyond RBAC (role-based access control) and will embrace attribute-based access control (ABAC) and, more importantly, context-based access control (CBAC), so that we gain access to information depending on WHERE we are, WHEN we are, and HOW we are (connected to the enterprise). I will be the same professional (with the same access rights) for my company whether it is Saturday at 3:00am and I am connected through a smartphone or it is normal working hours. Thus, I might not get the same access if I am using a smartphone in a special region as if I am sitting at a partner's desk within my country.
In times of crisis, companies still need to innovate but need to invest wisely in R&D due to budget constraints. Thus, moving beyond regular outsourcing, enterprises will embrace the crowdsourcing arena, a discipline based on shared knowledge and the contribution of ideas from all over the world. Contributors might get just a mention in the final deliverable or the project, or some kind of reward, but definitely far from the regular cost of 'the normal way'. This will be driven, again, by social media and Cloud, where companies can create a shared workspace for people to collaborate... but it will bring benefits and risks at the same time: the authenticity, integrity and confidentiality of the information.
This is already happening and there are big vendors behind the topic (IBM, for instance). Since we now create the same amount of information every two years as in the previous 150, we need to filter information and analyze it so that we reach conclusions faster and with more intelligence. There are many different interaction channels, many product tests and different opinions from customers in geographically dispersed regions of the world; organizations need to collect, store, analyze and report tons of useful information. This will require IT to bring intelligent systems, unique data warehouse stores and analytical capabilities to machines that will be enabled by machine-to-machine dialogue.
The Internet of things - Many Internets
The Internet is already a place for many people and many companies. They exist only there (in the Cloud, again) and are global because of that. However, geo-political reasons and regime changes might present the opportunity to establish a more secure, private-only Internet for a country (China, in a way, is already doing this), for a region, or for a global company that only wants one type of user (one with a certain level of security, with pre-defined patches applied, in a kind of network access control, ...). I envision, for security and business reasons, a growing number of different 'Internets', even 'Community Internets'.
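The context-based access control described in the "Identity Management" response above can be made concrete with a small policy engine. The following is an added example written for this page, not code from ISACA or from the white paper mentioned; the roles, sensitivity levels, device and network classes, the "restricted" country code ZZ and the working-hours window are all assumed policy values. It keeps the RBAC layer fixed (the user has the same role whatever the hour) and layers context rules on top, so the same person gets a different decision from a smartphone on a Saturday night than from a partner's desk on a weekday.

```python
"""Context-based access control (CBAC) on top of RBAC. Added example; policy values are assumed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str  # "public" < "internal" < "confidential"


@dataclass(frozen=True)
class Context:
    when: datetime  # local time of the request
    country: str    # from geolocation, ISO 3166 alpha-2 (assumed attribute)
    device: str     # "managed_laptop" | "partner_desk" | "smartphone"
    network: str    # "corp_lan" | "vpn" | "public_internet"


LEVEL = {"public": 0, "internal": 1, "confidential": 2}

# RBAC layer: static entitlement, identical at 3:00am on Saturday and 10:00am on Tuesday.
ROLE_MAX_LEVEL = {"finance_analyst": 2, "contractor": 1}

# Context layer (assumed policy): the same role is trusted less on a weaker device,
# network, location or time of day. Each table caps the sensitivity reachable.
DEVICE_MAX_LEVEL = {"managed_laptop": 2, "partner_desk": 2, "smartphone": 1}
NETWORK_MAX_LEVEL = {"corp_lan": 2, "vpn": 2, "public_internet": 1}
RESTRICTED_COUNTRIES = {"ZZ"}  # hypothetical "special region"
WORKING_HOURS = range(7, 20)   # 07:00-19:59, Monday to Friday

Rule = Callable[[Subject, Resource, Context], Optional[str]]


def rbac(subject: Subject, resource: Resource, ctx: Context) -> Optional[str]:
    """WHO: the only rule that ignores context entirely."""
    allowed = max((ROLE_MAX_LEVEL.get(r, -1) for r in subject.roles), default=-1)
    if LEVEL[resource.sensitivity] > allowed:
        return "role does not permit this sensitivity"
    return None


def device_trust(subject: Subject, resource: Resource, ctx: Context) -> Optional[str]:
    """HOW: an unmanaged hand-held device is capped below confidential."""
    if LEVEL[resource.sensitivity] > DEVICE_MAX_LEVEL.get(ctx.device, 0):
        return f"device '{ctx.device}' not trusted for {resource.sensitivity} data"
    return None


def network_trust(subject: Subject, resource: Resource, ctx: Context) -> Optional[str]:
    """HOW: unknown networks get the lowest cap (default 0 = public only)."""
    if LEVEL[resource.sensitivity] > NETWORK_MAX_LEVEL.get(ctx.network, 0):
        return f"network '{ctx.network}' not trusted for {resource.sensitivity} data"
    return None


def geolocation(subject: Subject, resource: Resource, ctx: Context) -> Optional[str]:
    """WHERE: from a restricted region only public material is served."""
    if ctx.country in RESTRICTED_COUNTRIES and LEVEL[resource.sensitivity] >= LEVEL["internal"]:
        return f"country {ctx.country} is restricted for {resource.sensitivity} data"
    return None


def working_hours(subject: Subject, resource: Resource, ctx: Context) -> Optional[str]:
    """WHEN: confidential data is only served in working hours (weekday() 5/6 = Sat/Sun)."""
    if resource.sensitivity == "confidential" and (
        ctx.when.weekday() >= 5 or ctx.when.hour not in WORKING_HOURS
    ):
        return "confidential data is only available during working hours"
    return None


RULES = [rbac, device_trust, network_trust, geolocation, working_hours]


def decide(subject: Subject, resource: Resource, ctx: Context):
    """Deny-overrides evaluation: the first objecting rule wins; all must be silent to allow."""
    for rule in RULES:
        reason = rule(subject, resource, ctx)
        if reason:
            return False, f"deny ({rule.__name__}): {reason}"
    return True, "allow"


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"finance_analyst"}))
    ledger = Resource("q4-ledger", "confidential")
    tuesday_10am = datetime(2011, 12, 13, 10, 0)
    saturday_3am = datetime(2011, 12, 17, 3, 0)
    print(decide(alice, ledger, Context(tuesday_10am, "GB", "partner_desk", "vpn")))
    print(decide(alice, ledger, Context(saturday_3am, "GB", "smartphone", "public_internet")))
```

Note that `rbac` returns the same answer for both requests: the analyst's entitlement has not changed, only the context in which it is exercised. Rule order matters under deny-overrides; putting the cheap static RBAC check first means context attributes (which may need a geolocation lookup) are only consulted for requests the role could satisfy at all.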
Professor John Walker
London Chapter ISACA Security Advisory Group and CTO of Secure-Bastion
New Malware attacks
2012 will be a critical year for on-line trading, which may encounter intense interest from organised crime developing engineered malware threats, with carriers containing business-sector or entity-specific targeted payloads.
DoS and DDoS should be expected to increase, utilised as cyber-conflict tools by attackers as a) noise generators, to conceal more subtle attacks, b) a means for hacktivists to carry their message to the target(s) of choice, and c) the means by which a cloud presence will be targeted with an unwanted bandwidth payload.
Smartphone malware will enjoy a significant increase; it is likely that attackers will utilise this small hand-held platform to communicate Trojans and malware cross-platform into the connected desktop host.
Consumerisation will prove to be a security challenge, presenting opportunities for data theft, data leakage and possible unwanted Trojan-driven logical incursions into the interconnected corporate environment.
Director of ISACA (and chair of the ISACA Credentialing Board)
2012 is expected to be a very tough year on many fronts. Dark clouds are gathering and one almost wishes to decamp to a deserted island and return at the end of the year, in the hope that normality has returned. However, against the backdrop of the world economic crisis and looming recession in the US and Europe, coupled with severe austerity measures across many fronts and having to do more with less, and increasingly interconnected and complex systems subject to constant change and heightened regulatory scrutiny, risk, security, assurance and governance professionals potentially have many opportunities and should have a busy year.
Expect to see a heightened focus on data privacy and a continuation of data loss incidents at high-profile organisations in the public and private sectors. Also expect to see regulators and the general public run out of patience with the sometimes lax controls in place, for example still not mandating two-factor authentication for accessing one’s online bank account, or not enforcing encryption or masking of sensitive data when it is not in properly secured environments.
Expect to see more sophisticated and targeted attacks on mobile platforms (primarily smartphones and tablets), for example harvesting data and attacking web browsers. This is likely to cause widespread disruption and high visibility as these are consumer-facing technologies. And the proliferation of devices, coupled with inconsistent protection practices from hardware and service providers (particularly for Android devices), will mean that this is hard to guard and protect against.
Although there have been some isolated critical infrastructure incidents, expect to see an increase in their occurrence and an increase in their intensity and impact, perhaps targeted at specific major events in 2012 such as the London Olympics in the summer or the US presidential elections in the fall.
With the exception of a few isolated reports (for example the recent Illinois water station incident), there have not been widespread reports of CNI attacks. This has potentially given the impression that SCADA systems are harder to break into. Traditionally, SCADA systems have been considered to be more isolated from the internet and also more resilient against malware, as the systems were generally based on more robust proprietary systems. The reality is that many SCADA systems have moved from proprietary to more open IP-based protocols and are now more likely to be connected to office systems and other networks than ever before. The risks of such attacks, and the impacts on ordinary people, are very real. (The reference to major events above was related to the idea of CNI being targeted during such events for maximum impact or effect.)
A major international political crisis as a direct result of cyber warfare or cyber sabotage draws ever closer. Currently a lot of the activity is covert, through cyber espionage, but it is just a matter of time before this blows up, quite literally, as it is not inconceivable that the victim country may respond using traditional military force.
A major cyber attack on, say, one country’s critical national infrastructure is likely to spark off a serious international diplomatic incident, with wide-ranging consequences, particularly if there was loss of life. And it is very possible that the victim country could respond by using traditional warfare methods. However, this is likely to be very problematic; for example, sending in air attacks to destroy data centres is likely to be ineffective, as it will be a bit like searching for a needle in a haystack. Perhaps the answer is to produce SAS-style digital warriors (and these are probably in the making already).
Service provider outages
Expect to see more service provider outages (as with BlackBerry in 2011) related to complexity, capacity, interconnectivity and dependency issues.
As single large-vendor dependencies grow (and RIM with BlackBerry is a good example of this), any major outage can have wide-ranging implications. Expect to see more pressure on the major cloud service providers (Google, Amazon, IBM, etc.) to demonstrate that they have highly resilient systems and services.
Awareness of the need within organisations to ensure that risks are properly mitigated and that value is achieved from information systems, as a direct result of the launch of COBIT 5.
The launch of COBIT 5 in 2012 will be a very important milestone for ISACA, and with much publicity expected around the launch, and the wider-ranging scope of coverage (including covering enterprise information and technology assets, and being principle-based and enabler-supported), I would hope and expect that it will reach audiences not previously engaged. Also, the inclusion of the implementation guide should further assist easy adoption and adaptation for specific circumstances and environments.
John P. Pironti
Chief Information Risk Strategist at Archer Technologies and member of the ISACA Education Board
- Organizations will recognize that security focused on compliance instead of threat and risk is not effective and that they must begin to change their approach to be successful.
- Information security organizations will move away from being a function of Information Technology and become part of Enterprise Risk Management organizations.
- There will be a sharp increase of attacks targeted at mobile devices to either exploit them or use them as an access point to corporate networks.
- Google will be forced to change its practices for applications submitted to and distributed by its Application Store to require more rigorous security testing and requirements.
- Cloud solutions will be compromised more often due to their growing popularity and use.
This was first published in December 2011