Post on 12-May-2015
description
transcript
ISF Threat Horizon
Dr Adrian Davis, PhD, MBA, MBCS, CITP, CISMPPrincipal Research Analyst
Information Security Forum
Agenda
• The challenge• Our answer: Threat
Horizon• 2013...• 2014…• 2015…• What can I do?
What is the ISF?
An international association of over 320 leading global organisations, which...
• addresses key issues in information risk management through research and collaboration
• develops practical tools and guidance• is fully independent, not-for-profit organisation driven by its
Members• promotes networking within its membership
The leading, global authority on information securityand information risk management
“It is impossible for men in the future to fly like birds. Flying is reserved for the angels.” —Milton Wright, Bishop , 1870, father of Orville and Wilbur Wright
“This ‘telephone’ has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us.”— Western Union internal memo 1876
“I think there is a world market for maybe five computers.”— Thomas Watson, chairman of IBM 1943
About predicting the future
Source: http://directorblue.blogspot.com/2011/07/time-to-reach-20-million-users.html
…and the pace of change is accelerating
The ISF Threat Horizon
“ The brand is pivotal to us. How do you protect the brand? You look into the crystal ball, and the crystal ball is called the Threat Horizon. ”
Threat Horizon:• is annual• identifies threats to information security over 24 months• is written for a business and information security audience.
How the ISF Threat Horizon helps
ISF Threat Horizon methodology (cool)
Information Security Forum 8
2013...
2013 PLEST
Government intervention
State vs. State
Breach notification
Digital human rights
Cost of resources m-economyRise of Africa
Single-issue activism
Location services
4G/LTE networks
The world of 2013
A view of the business and technical trends....
OLITICALP
EGALL
CONOMICE
T ECHNICAL
S OCIO-CULTURAL
IPv6 adoptionSmart grids
State vs. Non-state
OLITICALP
EGALL
CONOMICE
T ECHNICAL
S OCIO-CULURAL
Considering the PLEST framework, several major trends emerge:Data leakage
Securing the supply chain
Blended attacks
Device revolution
Data quality issues
Attacks on infrastructure
Hacktivism
Beyond cloud
New e-crime opportunities
The information security trends of 2013
An overview of the threats
On the radar but not
manageable
On the radar and
manageable
Below the radar
Black swans
Threats for 2013
• On the radar and manageable
• Uncontrolled introduction of consumer devices
• Loss of trust / inability to prove identity and authenticate
• Loss of workforce loyalty – loss of organisational culture and knowledge
• On the radar but not manageable
• State-sponsored cyber-activity• Social media• Embedded location services
Threats for 2013
• Below the radar• Governmental
requirements• Co-ordinated attacks for
extortion, blackmail, bribery or stock manipulation
• RFID exploits
• Black swans• Hardware back doors (low-
level attacks / vulnerabilities) in chips, SCADA
• Solar activity disrupts communications globally
2014...
Predictions for 2014
EXTERNAL THREATS
Cyber criminality increases as Malspace matures further
• Significant increase in maturity of the industry• Crime-sourcing more common• Attacking the cloud, mobile platforms
www.securityforum.org Cyber Security Strategies Copyright © 2011 Information Security Forum Limited
Welcome to malspace
– Global highly-functional industry that supports all aspects of modern crime
– Supports the development and sale of:
• sophisticated attack tools• services to help plan and
coordinate attacks• laundering of stolen
assets.
The tools that we use are also available to our attackers
The cyber arms race leads to a cyber cold war
• Stuxnet proved the effectiveness of cyber weapons (vis-à-vis military action)
• Investments into cyber resilience and intelligence sharing• Scale of cyber espionage becoming apparent, starting to hurt
More causes come online;activists get more active
• New players• Protesting tools fully available• Increasing speed, reach and impetus of
online democracy
Cyberspace gets physical
• Real impact• Utilities hacked• Lives at stake
REGULATORY THREATS
New requirements shine a light in dark corners, exposing weaknesses
• Secrecy does not equal security• Transparency everywhere
– regulations– business partners– customers
• Whistle-blowing, fraud and cyber attacks
A focus on privacy distracts from other efforts
• Incoming privacy regulations• New technologies, new concerns• Cyber havens
The regulatory storm…
– Governments and regulators are demanding action
– The results often have extra-territorial impacts:
• EU Data Privacy Directive• US FATCA• US Dodd-Frank Act• PCI DSS• Proposed EU Directive on
Network and Information Security
…is getting stronger
• Monetary Authority of Singapore (MAS)– June 2012 notice:
“[..] inform the Authority in writing within 30 minutes upon the discovery of all IT security incidents [...]”
• (http://www.mas.gov.sg/~/media/resource/publications/consult_papers/2012/13%20June%202012%20Notice%20On%20Technology%20Risk%20Management.pdf)
INTERNAL THREATS
“CERT Australia: 44% of attacks originate from
within the organisation…”
Cost pressures stifle investment;an undervalued function can’t keep up
• West in self-induced stagnation• Legacy of underinvestment kicking back
• Deteriorating security awareness
A clouded understanding leads to an outsourced mess
• Strategically unsound business decisions strain security• IT security increasingly outsourced• Organisations in a digital divide
New technologies overwhelm
• Mobile is king• The Internet of Things• Big data runs businesses off course
The supply chain springs a leak,as the insider threat comes from outside
• Closer business relationships lead to unforeseen security challenges
• Increased risk complexity• Your business information is your supplier’s data
IT is a key disruptor in supply chains...
Risks Triggers for disruption
46% conflict
44% shocks
59% natural
disasters
57% subcontr
acting
59% fragment
ation
63% shared
data
53% visibility
30% Information
and communications
64% Reliance
on Oil
2015...
Predictions for 2015
Information Security Forum 41
Predictions for 2015
Is there anything that’s really new?
Information Security Forum 42
Predictions for 2015
Does “new” really matter?
Information Security Forum 43
Threats have evolved. Attackers are organised.Attacks are sophisticated.
Old threats are more dangerous and pose more risk to our organisations
It’s not so much about “new” than about the potential to do harm.
CYBER RISK IS CHALLENGING
The CEO doesn’t get it
Information Security Forum 45
• Organisations’ dependence on cyberspace is still increasing• The increasing knowledge from the board doesn’t always match• Understanding cyber risks and rewards is fundamental to trust• Organisations that do get it see business benefits
Organisations can’t find the right people
• Skills shortage is a main obstacle to deliver• Educational system can’t provide people with relevant experience• High unemployment make immigration a sensitive subject for governments
Outsourcing security backfires
• Evolving environments require to maintaincontrol on information security strategy
• Loss of key capacities will disconnect the businessfrom the information security strategy
• Outsourcers are partners
Information Security Forum 47
REPUTATION IS THE NEW TARGET
Insiders fuel corporate activism
• People place their own ethics and perceptions above those of their employers• Organisations will be scrutinised by employees, contractors and customers• Hacktivists will join the fights
Information Security Forum 49
Hacktivists create fear, uncertainty and doubt
• Reputation becomesthe target
• Organisations have less time than ever to respond
• People use non-verified sources of information such as Youtube or Twitter
• Organisations will be guilty until proven innocent
Information Security Forum 50
CYBER RISK IS CHALLENGING
Crime as a Service (CaaS) upgrades to v2.0
• Criminal organisations have a huge and diverse talent pool readily available
• Attacks are becoming even more sophisticated and targeted
• Persons’ information is eclipsed by organisations’ information
Information Security Forum 52
Information leaks all the time
• The combination of sources provide valuable information
• People need to realise the true value of information
• Organisations need to define what is public information
Information Security Forum 53
CHANGING PACE OF TECHNOLOGY
BYOC adds unmanaged risks
• Amount of information is still increasing exponentially• So is the demand for access, anywhere, anytime and from any device• People already have their own cloud
Information Security Forum 55
BYOD further increases information risk exposure
• Organisations won’tbe able to ignore bring your own device (BYOD) initiatives
• Integration is complex and needs careful consideration
• It’s the consumer oriented features which make a device popular
• The number different architectures andtheir updates can be a support nightmare
Information Security Forum 56
DO NOT MISUNDERSTAND THE ROLE OF GOVERNMENT
Governments and regulators won’t do it for you
• Governments have a role in securing cyberspace• Governments are expecting organisations to do their part• Regulations can’t keep up with the speed of technology• No one can better protect an organisations’ information than the organisation itself
Information Security Forum 58
WHAT CAN I DO?RECOMMENDATIONS
It’s as much about the predictions…
• …as what you do with them.
Recommendations
1. Prepare for the strategic challenge of cyberspace2. Build cyber resilience into your organisation3. Create or enhance your strategy and governance4. Develop an incident management capability5. Secure your supply chain6. Focus on the basics7. Keep looking forwards
1. Prepare for the strategic challenge of cyberspace
• CYBERSPACE– Always-on,
technologically interconnected world
– Made up of people, organisations, information and technology
• CYBERSECURITY– Organisation’s ability to
secure its people, information, systems and reputation
– Builds on information security – the basics and principles are the same
www.securityforum.org Cyber Security Strategies Copyright © 2011 Information Security Forum Limited
2. Build cyber resilience into your organisation
– Organisation’s capability to withstand impacts from threats materialising in cyberspace
– Covers all threats – even the one we don’t know about
– Driven by agile, broader risk management
• Linking information risk to ERM
3. Create or enhance your strategy and governance
A plan of action to take the information security function from mission to vision
3. Create or enhance your strategy and governance
Aligned to ISO/IEC 27014
4. Develop an incident management capability
•There are five key components which need to be addressed to establish an effective information security incident management capability.
Post incident analysis and forensics are vital. The results from these should change risk
assessments that select controls
5. Secure your supply chain: Follow the information
1. Approve• Build support
2. Prepare• Create the tools and build on
existing risk management
3. Discover• Categorise, prioritise and
assess existing contracts
4. Embed• Build information risk
management in to the vendor lifecycle and new contracts
67
Aligned to ISO/IEC 27036
6. Focus on the basics: collaborate
– Adopt a consistent approach to security
– Integrate security in the business
– Share information on attacks
– Build awareness across your customers, suppliers and employees
– Build up a threat picture
7. Keep looking forwards… go beyond the horizon
• Biometrics• Embedded chips• Quantum computing• SPIT• Nano-technology• AI• New interfaces• Everyone connected to
everything
Conclusion
Information Security Forum 72
The threat is changing and evolving…
• Bring your own device (BYOD, 2013) is now bring your own Cloud (BYOC, 2015)
• Loss of knowledge (2013) has become lack of knowledge (2015)
• State-sponsored cyber activity (2013) is hotting up (2014) and merging with Cybercrime 2.0 (2015)
• Supply chains first appeared in 2014; now they are a key threat source (2015), via outsourcing and the cloud (2014, 2015)
• Social media (2013) has become hacktivism (2014 and 2015)
Information Security Forum 73
The threat is changing and evolving…
• The greatest threat is, and always will be, people– We’ve always stressed the
people aspect
• The threats are not only from the bad guys:– Good guys make mistakes– People who don’t want to,
or cannot, understand the ‘cyber world’
– Missed opportunities
• Remember, there are many positives – You can minimise your
vulnerabilities– The Internet, along with
mobile devices, offers an unparalleled opportunity to create new businesses, services and products
– Treat these as business risk to be managed and overcome
Information Security Forumadrian.davis@securityforum.org
www.securityforum.orghttp://uk.linkedin.com/in/adriandaviscitp/