Threat Horizon 2015: More danger from known threats

transcript

ISF Threat Horizon

Dr Adrian Davis, PhD, MBA, MBCS, CITP, CISMPPrincipal Research Analyst

Information Security Forum

Agenda

• The challenge• Our answer: Threat

Horizon• 2013...• 2014…• 2015…• What can I do?

What is the ISF?

An international association of over 320 leading global organisations, which...

• addresses key issues in information risk management through research and collaboration

• develops practical tools and guidance• is fully independent, not-for-profit organisation driven by its

Members• promotes networking within its membership

The leading, global authority on information securityand information risk management

“It is impossible for men in the future to fly like birds. Flying is reserved for the angels.” —Milton Wright, Bishop , 1870, father of Orville and Wilbur Wright

“This ‘telephone’ has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us.”— Western Union internal memo 1876

“I think there is a world market for maybe five computers.”— Thomas Watson, chairman of IBM 1943

About predicting the future

Source: http://directorblue.blogspot.com/2011/07/time-to-reach-20-million-users.html

…and the pace of change is accelerating

The ISF Threat Horizon

“ The brand is pivotal to us. How do you protect the brand? You look into the crystal ball, and the crystal ball is called the Threat Horizon. ”

Threat Horizon:• is annual• identifies threats to information security over 24 months• is written for a business and information security audience.

How the ISF Threat Horizon helps

ISF Threat Horizon methodology (cool)

Information Security Forum 8

2013...

2013 PLEST

Government intervention

State vs. State

Breach notification

Digital human rights

Cost of resources m-economyRise of Africa

Single-issue activism

Location services

4G/LTE networks

The world of 2013

A view of the business and technical trends....

OLITICALP

CONOMICE

T ECHNICAL

S OCIO-CULTURAL

IPv6 adoptionSmart grids

State vs. Non-state

OLITICALP

CONOMICE

T ECHNICAL

S OCIO-CULURAL

Considering the PLEST framework, several major trends emerge:Data leakage

Securing the supply chain

Blended attacks

Device revolution

Data quality issues

Attacks on infrastructure

Hacktivism

Beyond cloud

New e-crime opportunities

The information security trends of 2013

An overview of the threats

On the radar but not

manageable

On the radar and

manageable

Below the radar

Black swans

Threats for 2013

• On the radar and manageable

• Uncontrolled introduction of consumer devices

• Loss of trust / inability to prove identity and authenticate

• Loss of workforce loyalty – loss of organisational culture and knowledge

• On the radar but not manageable

• State-sponsored cyber-activity• Social media• Embedded location services

Threats for 2013

• Below the radar• Governmental

requirements• Co-ordinated attacks for

extortion, blackmail, bribery or stock manipulation

• RFID exploits

• Black swans• Hardware back doors (low-

level attacks / vulnerabilities) in chips, SCADA

• Solar activity disrupts communications globally

2014...

Predictions for 2014

EXTERNAL THREATS

Cyber criminality increases as Malspace matures further

• Significant increase in maturity of the industry• Crime-sourcing more common• Attacking the cloud, mobile platforms

Welcome to malspace

– Global highly-functional industry that supports all aspects of modern crime

– Supports the development and sale of:

• sophisticated attack tools• services to help plan and

coordinate attacks• laundering of stolen

assets.

The tools that we use are also available to our attackers

The cyber arms race leads to a cyber cold war

• Stuxnet proved the effectiveness of cyber weapons (vis-à-vis military action)

• Investments into cyber resilience and intelligence sharing• Scale of cyber espionage becoming apparent, starting to hurt

More causes come online;activists get more active

• New players• Protesting tools fully available• Increasing speed, reach and impetus of

online democracy

Cyberspace gets physical

• Real impact• Utilities hacked• Lives at stake

REGULATORY THREATS

New requirements shine a light in dark corners, exposing weaknesses

• Secrecy does not equal security• Transparency everywhere

– regulations– business partners– customers

• Whistle-blowing, fraud and cyber attacks

A focus on privacy distracts from other efforts

• Incoming privacy regulations• New technologies, new concerns• Cyber havens

The regulatory storm…

– Governments and regulators are demanding action

– The results often have extra-territorial impacts:

• EU Data Privacy Directive• US FATCA• US Dodd-Frank Act• PCI DSS• Proposed EU Directive on

Network and Information Security

…is getting stronger

• Monetary Authority of Singapore (MAS)– June 2012 notice:

“[..] inform the Authority in writing within 30 minutes upon the discovery of all IT security incidents [...]”

• (http://www.mas.gov.sg/~/media/resource/publications/consult_papers/2012/13%20June%202012%20Notice%20On%20Technology%20Risk%20Management.pdf)

INTERNAL THREATS

“CERT Australia: 44% of attacks originate from

within the organisation…”

Cost pressures stifle investment;an undervalued function can’t keep up

• West in self-induced stagnation• Legacy of underinvestment kicking back

• Deteriorating security awareness

A clouded understanding leads to an outsourced mess

• Strategically unsound business decisions strain security• IT security increasingly outsourced• Organisations in a digital divide

New technologies overwhelm

• Mobile is king• The Internet of Things• Big data runs businesses off course

The supply chain springs a leak,as the insider threat comes from outside

• Closer business relationships lead to unforeseen security challenges

• Increased risk complexity• Your business information is your supplier’s data

IT is a key disruptor in supply chains...

Risks Triggers for disruption

46% conflict

44% shocks

59% natural

disasters

57% subcontr

acting

59% fragment

63% shared

53% visibility

30% Information

and communications

64% Reliance

on Oil

2015...

Is there anything that’s really new?

Does “new” really matter?

Threats have evolved. Attackers are organised.Attacks are sophisticated.

Old threats are more dangerous and pose more risk to our organisations

It’s not so much about “new” than about the potential to do harm.

CYBER RISK IS CHALLENGING

The CEO doesn’t get it

• Organisations’ dependence on cyberspace is still increasing• The increasing knowledge from the board doesn’t always match• Understanding cyber risks and rewards is fundamental to trust• Organisations that do get it see business benefits

Organisations can’t find the right people

• Skills shortage is a main obstacle to deliver• Educational system can’t provide people with relevant experience• High unemployment make immigration a sensitive subject for governments

Outsourcing security backfires

• Evolving environments require to maintaincontrol on information security strategy

• Loss of key capacities will disconnect the businessfrom the information security strategy

• Outsourcers are partners

REPUTATION IS THE NEW TARGET

Insiders fuel corporate activism

• People place their own ethics and perceptions above those of their employers• Organisations will be scrutinised by employees, contractors and customers• Hacktivists will join the fights

Hacktivists create fear, uncertainty and doubt

• Reputation becomesthe target

• Organisations have less time than ever to respond

• People use non-verified sources of information such as Youtube or Twitter

• Organisations will be guilty until proven innocent

CYBER RISK IS CHALLENGING

Crime as a Service (CaaS) upgrades to v2.0

• Criminal organisations have a huge and diverse talent pool readily available

• Attacks are becoming even more sophisticated and targeted

• Persons’ information is eclipsed by organisations’ information

Information leaks all the time

• The combination of sources provide valuable information

• People need to realise the true value of information

• Organisations need to define what is public information

CHANGING PACE OF TECHNOLOGY

BYOC adds unmanaged risks

• Amount of information is still increasing exponentially• So is the demand for access, anywhere, anytime and from any device• People already have their own cloud

BYOD further increases information risk exposure

• Organisations won’tbe able to ignore bring your own device (BYOD) initiatives

• Integration is complex and needs careful consideration

• It’s the consumer oriented features which make a device popular

• The number different architectures andtheir updates can be a support nightmare

DO NOT MISUNDERSTAND THE ROLE OF GOVERNMENT

Governments and regulators won’t do it for you

• Governments have a role in securing cyberspace• Governments are expecting organisations to do their part• Regulations can’t keep up with the speed of technology• No one can better protect an organisations’ information than the organisation itself

WHAT CAN I DO?RECOMMENDATIONS

It’s as much about the predictions…

• …as what you do with them.

Recommendations

1. Prepare for the strategic challenge of cyberspace2. Build cyber resilience into your organisation3. Create or enhance your strategy and governance4. Develop an incident management capability5. Secure your supply chain6. Focus on the basics7. Keep looking forwards

1. Prepare for the strategic challenge of cyberspace

• CYBERSPACE– Always-on,

technologically interconnected world

– Made up of people, organisations, information and technology

• CYBERSECURITY– Organisation’s ability to

secure its people, information, systems and reputation

– Builds on information security – the basics and principles are the same

2. Build cyber resilience into your organisation

– Organisation’s capability to withstand impacts from threats materialising in cyberspace

– Covers all threats – even the one we don’t know about

– Driven by agile, broader risk management

• Linking information risk to ERM

3. Create or enhance your strategy and governance

A plan of action to take the information security function from mission to vision

3. Create or enhance your strategy and governance

Aligned to ISO/IEC 27014

4. Develop an incident management capability

•There are five key components which need to be addressed to establish an effective information security incident management capability.

Post incident analysis and forensics are vital. The results from these should change risk

assessments that select controls

5. Secure your supply chain: Follow the information

1. Approve• Build support

2. Prepare• Create the tools and build on

existing risk management

3. Discover• Categorise, prioritise and

assess existing contracts

4. Embed• Build information risk

management in to the vendor lifecycle and new contracts

Aligned to ISO/IEC 27036

6. Focus on the basics: collaborate

– Adopt a consistent approach to security

– Integrate security in the business

– Share information on attacks

– Build awareness across your customers, suppliers and employees

– Build up a threat picture

7. Keep looking forwards… go beyond the horizon

• Biometrics• Embedded chips• Quantum computing• SPIT• Nano-technology• AI• New interfaces• Everyone connected to

everything

Conclusion

The threat is changing and evolving…

• Bring your own device (BYOD, 2013) is now bring your own Cloud (BYOC, 2015)

• Loss of knowledge (2013) has become lack of knowledge (2015)

• State-sponsored cyber activity (2013) is hotting up (2014) and merging with Cybercrime 2.0 (2015)

• Supply chains first appeared in 2014; now they are a key threat source (2015), via outsourcing and the cloud (2014, 2015)

• Social media (2013) has become hacktivism (2014 and 2015)

The threat is changing and evolving…

• The greatest threat is, and always will be, people– We’ve always stressed the

people aspect

• The threats are not only from the bad guys:– Good guys make mistakes– People who don’t want to,

or cannot, understand the ‘cyber world’

– Missed opportunities

• Remember, there are many positives – You can minimise your

vulnerabilities– The Internet, along with

mobile devices, offers an unparalleled opportunity to create new businesses, services and products

– Treat these as business risk to be managed and overcome

Information Security Forumadrian.davis@securityforum.org

www.securityforum.orghttp://uk.linkedin.com/in/adriandaviscitp/