Apocalypse soon?

Yesterday’s ISC2 Security Leadership Seminar in London reflected a spectrum of contemporary thinking on the subject of information security, as well as highlighting some of the more extreme risks we can expect to encounter soon. It was an interesting blend of common sense, déjà vu and doomsaying, mirroring the different experiences and perspectives of the speakers. 

It was hard to disagree with Howard Schmidt’s introduction, an articulate, realistic and mature assessment on the current state of play. Howard believes that, despite the credit crunch, organizations have not lost their appetite for security, sensing the bad guys are unlikely to take a break. The new factor, of course, is risk management which raises expectations that business as usual can be maintained with appropriate protection. The challenge is that we have to continue patching up a large legacy estate, designed with inadequate security controls, as well as preparing for future threats, such as those presented by the billions of mobile devices accessing the Internet. It’s a huge challenge for a relatively immature discipline.

“Back to basics” was also a common theme. We keep to trying to do the same things over and over again, expecting different results, failing to learn from our earlier shortcomings. We’ve had good, documented standards for two decades but they haven’t hit the spot. Perhaps the answer lies in more education and engagement. But, unfortunately, our cupboard is largely bare when it comes to addressing the softer side of security. Clearly, we need to accelerate our learning capability.

The doomsayers were well represented by presentations from vendors armed with extensive incident statistics and market survey reports. The latest figures are enough to make your hair stand on end. Could you have imagined, for example, that there would be a 1,559% increase in data theft Trojans in 2008? And can your business survive an environment in which zero-day attacks now represent around 20% of malware attacks? It’s a frightening threat for organizations who take days or even weeks to apply patches to legacy systems. Growth rates in infections of clients and web sites are now running at alarming rates, threatening to undermine current Internet business models, which are underpinned by confidence in clicks on banner advertising.

In fact, last year now appears to have been a turning point in the professionalism of cyber crime. The software development skills and data mining capabilities of organized crime are believed to be second to none. They (whoever that is) are stealing vast amounts of our data, though no-one really understands the logic in their targets. Process industries, rather than banks, seem to be in the firing line. Why should that be?

We can only speculate on where these developments will lead. But the implications to business are not good. We cannot carry on in the same way without something big breaking. We’ve seen from the banking sector, that there is no safety in sticking with the herd. Governments are raising the bar in the protection of critical infrastructure, but that leaves an awful lot of valuable systems with a growing vulnerability to a rising threat. In the absence of more demanding, mandatory standards, we have to rely on risk management, which, unfortunately, in practice becomes little more than the logic that excuses business from applying adequate countermeasures. A perfect storm is brewing and there’s not much we can do to prevent it.