Although WannaCry dominated the cyber crime landscape in 2017, the attack was not without significance for anyone responsible for IT security within organisations. If nothing else, WannaCry highlighted the vulnerabilities of some versions of operating systems, even though some commentators incorrectly blamed Windows XP, and underlined the importance of keeping software up to date.
Topics also highlighted in 2017 were the value of enterprises adopting a business-led approach to IT security, the ongoing security concerns and challenges around cloud despite business benefits, the security challenge of hybrid environments and open source software, the vulnerabilities of the WPA2 security standard, and the security risks associated with printers.
However, the year has also seen a fair amount of innovation around technologies such as artificial intelligence, more specifically machine learning, opening up security analytics as a practical and viable option for organisations as part of their IT security tools. And in the face of constrained security budgets and IT security teams, statistics showed that a growing number of organisations are turning to managed security service providers.
Failure to update to the latest operating system was initially cited as one of the reasons why more than 200,000 computers in 150 countries were rapidly infected by WannaCry, with many commentators blaming the continued use of Windows XP for the NHS being especially hard hit.
However, researchers discovered that in fact Windows 7, particularly the 64-bit edition, was worst affected and responsible for the wide and fast spread of the attack, so although organisations are generally advised to run the latest versions of operating systems, it is not necessarily the oldest versions that will be most vulnerable.
Keeping software up to date with security patches is one of the security basics, but WannaCry not only highlighted the well-known fact that security patching is often poorly done in many organisations, it also showed that for some organisations, especially where legacy or critical IT systems are involved, patching can be extremely challenging.
The fact that Microsoft released a security update a month before the exploit was leaked indicates that timely patching would have prevented much of the chaos caused by WannaCry. According to security firm Digital Shadows, internet scans reveal that days after the WannaCry attacks, at least 1.3 million Microsoft Windows systems had not been patched with security update MS17-010 and therefore remained vulnerable.
Led by RSA, security suppliers have increasingly called for enterprises to adopt a business-centric rather than one-size-fits-all approach to cyber security to mitigate cyber attacks.
With cyber threat actors getting bolder than ever and hiding in plain sight with impunity, RSA president Rohit Ghai believes organisations should harness the one advantage they have over their adversaries – the deep insights they have about their business.
“The one and only asymmetric advantage that we have is knowledge of our business context – and that is the central idea behind business-driven security,” he told the RSA Conference Asia Pacific and Japan in Singapore in July.
European businesses are increasing their investment in public cloud to improve efficiencies and in some cases lower costs, but there is still widespread confusion about security responsibility for cloud-based services, and investment in additional measures highlights ongoing concerns, according to a survey by Barracuda Networks.
Nearly 35% of organisations polled said their infrastructure is currently in the cloud, but less than 45% of respondents believe their public cloud IaaS provider completely and successfully offers strong protection when it comes to accessing cloud applications.
As businesses transition to cloud-based services and infrastructure, many are still operating a hybrid IT environment, which presents its own set of security challenges. Computer Weekly’s essential guide on the topic is aimed at helping IT security teams tackle these challenges, with a particular focus on how to secure virtual infrastructure, defend against server-attacking ransomware, secure datacentres, and use software-defined networking to secure critical systems.
Another new and growing security challenge facing organisations is security flaws in open source code that is incorporated into software used by the enterprise.
An analysis of more than 1,000 applications by Black Duck’s Centre for Open Source Research and Innovation (COSRI) revealed that 96% of applications across all industry sectors contained open source and a large proportion were vulnerable to open source security issues.
Overall, 60% of the applications audited contained high-risk vulnerabilities. The retail and e-commerce industry had the highest proportion of applications with high-risk open source vulnerabilities, with 83% of audited applications containing high-risk vulnerabilities.
If vulnerabilities in open source code were not enough of a hidden threat to contend with, alarm bells also rang for IT security teams in October 2017 after Belgian security researcher Mathy Vanhoef went public with a novel exploit he had identified called a key reinstallation attack – Krack for short – that could enable a cyber attacker to read encrypted user data transiting a Wi-Fi network.
The Krack exploit is particularly dangerous because it affects WPA2, the security standard that underpins every Wi-Fi network in the world. The discovery was widely hailed as a prime example of a widely pervasive design flaw, giving it a greater impact than a mere implementation bug.
The discovery of Krack initially raised fears that every Wi-Fi network in the world could be breached, but fortunately that is not likely because too many specific conditions would have to be met, according to the Wi-Fi Alliance, which nevertheless took immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections, including testing for this vulnerability in its global certification lab network and communicating remedies to device suppliers.
Enterprises, however, should ensure they have installed the latest recommended updates from device manufacturers to ensure the vulnerability has been addressed and to increase network visibility to detect malicious activities, while mobile enterprise workers are also advised against connecting to public Wi-Fi without using a virtual private network (VPN) to add an additional layer of security.
In addition to warnings about the WPA2 flaw, enterprise IT security teams have received fresh warnings that printers can be used to launch malware attacks.
Along with the capabilities to capture, process, store and output information, most print devices also run embedded software. Information is therefore susceptible at a device, document and network level. Not only can confidential or sensitive data be accessed by unauthorised users – whether maliciously or accidentally – but network connectivity makes vulnerable print devices potential entry points to the corporate network.
To address these threats, print devices need to include robust security protection, and fortunately, more manufacturers are embedding security in new generation devices. However, it only takes one rogue, unsecured device to weaken security, IT security teams have been warned.
While traditional approaches to cyber security no longer appear to be enabling organisations to keep up with cyber threats, security analytics is an increasingly popular addition to the cyber arsenal.
Monitoring and threat detection are crucial if businesses are to stay ahead of the curve, and security analytics has emerged as a popular way to counter attacks. It involves the collection, aggregation and analysis of security data, usually combining datasets with sophisticated detection algorithms.
Spearheaded by advances in tech such as AI and machine learning, security analytics offers greater visibility into critical IT systems.
With the growing number of cyber attacks, IT security budget constraints, and the challenge of finding people with the necessary cyber security skills, it should come as no surprise that demand for managed security service providers (MSSPs) to guide implementations and help respond to attacks has been growing in recent years.
According to IDC, the security services market was worth $4.23bn in 2016 in APAC alone (excluding Japan), and will grow at a compound annual growth rate of 20.5% between 2016 and 2020. Many companies with relatively few resources see MSSPs as a way of tapping into the required level of expertise when they come under cyber attack without having to maintain a costly IT security team.