My 3 Big Predictions for Security in 2015




2014 was an interesting year to be working in security. The bad guys showed us that they were still capable of capturing the headlines and that even technocentric companies, presumably with ranks full of security savvy employees and managers weren't safe (if they can't stay secure, who can?). Their links to organised (and more traditional) crime were highlighted through a series of enormous breaches, typically designed to steal credit cards and PII. These attacks found success with huge retailers and restaurant chains, and even banks. We became aware of 'regin', a form of advanced and presumably state sponsored malware which could exist within the registry of an infected host, sort of like a 'cyber ghost'. It may have been been doing the rounds (undetected) for almost a decade according to one vendor. The internet continued to move into the home and closer to the heart through the rise of home automation and a general increase in the number of 'smart' devices and the release of more accessible wearable tech. 

Overall, all this has contributed to what has felt like a growing sense of fear, confusion and helplessness about the topic of security. The public's perception of the internet and what it represents along with what is popularly referred to as 'cyber security' remains one of ignorance and fear. On the one hand, the internet is fully accepted into the lives of many, seen as essential and treated like any other utility, like electricity or water. As more things become internet enabled and data-hungry the number of consumers and use-cases for consumption is set to continue rising. On the other hand, the internet, its architecture and governance, and what constitutes good security practice, remains as mis-understood as it ever was. From a users perspective, they simply want to consume the internet like any other utility and their personal responsibilities towards doing this in a safe way is typically to select a good password, and that's all. We (as security professionals) need to change this if we're to drive improvement.

Education is the best defense, for our users, our developers and our architects. As companies, we need to integrate security into solution design and architecture (from day 0) and push for change if its missing. We need to take things back to basics, adopt security models (such as the SANS20 Critical Security Controls) that are geared towards improving actual security and not merely demonstrating compliance. We need to push for risk acceptance (formally) and hold people accountable for designing secure solutions and hold people accountable for when they fail. We need to move away from the endpoint security model and start looking to secure and monitor our networks as they are by far our biggest asset and ultimately facilitate access to our data, the thing we are trying to protect. We need to improve user awareness of all the other security considerations that aren't a password. They need to understand why they need to patch, they need to understand why they shouldn't open that invoice they've just received in their inbox unexpectedly, they need to understand that Microsoft don't call you at home to troubleshoot printers, and they need to understand what to do and who to call when they make any of those mistakes.  

The alternative is that we design a system that does all this inherently, but I don't see that happening any time soon. 

With the state of thing being as they are I predict 2015 will bring more of the same...

1 . Detection of more state sponsored, military grade Malware


Not just new, but the detection of older, more established, previously un-categorised strains and campaigns. Regit will probably be just one of many such examples if we fast forward 12 months. As detection capabilities improve across businesses and organisations and as the industry and community continues to focus on malware, the net result will be more eyes looking at the same big picture. Vendors will likely continue to develop and integrate detection and analysis technologies to their products, further increasing the amount of visibility and potential for subsequent coloration of events and 'symptoms'. In response to these improvements, we're bound to see more complex and sophisticated malware making its way into circulation. If I were to sum up the current state of the malware industry I'd have to call it an ever escalating'arms race'.

I'd like to take this opportunity to express a huge amount of thanks and gratitude to the community. The response and efforts of so many stand out but I'd like to extend specific thanks to Conrad, Brad, Leigh, Malekal, the team at Malwr, and everyone involved in CiSP via CERT-UK for their continued collaborative efforts.

2 . Breaches. Lots of Breaches. 


Again, these will include the identification of historic breaches as well as a catalogue of new compromises. The erosion of perimeters and boundaries through the now mainstream adoption of cloud and worker trends like BYOD must eventually be targeted with blame. How can organisations protect their data if they can't track where it is, can't account fully for who is accessing it and whilst continuing to render it available to their own people, from anywhere, from any device? Federation is key in a world where there are no ACLs and I predict that as businesses shy away from making changes to technologies and methodologies that are geared towards rapid development and deployment (which ultimately make them money), they will look to shore up their architectural weaknesses and provide assurance to their users and stakeholders through the application of 'bolt-on' technologies, initially in the identity management space. If you can't change where the data is or how it is accessed then your efforts must naturally increase in checking that the people accessing it are who they say they are, right?

3 . Attacks on (and from) the Internet of Things (IoT)

In regards to the Internet of Things (IoT) I have just this to say - we're just not ready...


Like all consumer driven technological movements, the focus is on designing products that are desirable and functional first with security appearing somewhere (much) lower on the list of priorities. I predict that we'll see more products entering the market (a new market) which will be plagued by all the same problems embedded devices face today. Failures to provision and manage patching (and technical vulnerability management in general), weaknesses in (or a complete lack of) access control considerations and concerns about surveillance potential will probably form the root cause for many security concerns around IoT devices and systems in the years to come. I'm confident, as more IoT devices make it online that we'll see them falling to vulnerabilities and then contributing to the distributed architecture employed in activities such as DDoS attacks and malware distribution. 
Its taken almost a generation to get consumer endpoint and awareness to the place they're in now, and that is far from perfect. Adding refrigerators, televisions and  maybe even automobiles to the same 'scope' is a big ask...



Bonus . A continuation in the use of ridiculous photos in security press articles

You know the ones I mean. Hooded figures crouching over laptops in the dark, balaclava clad cyber terrorists reaching out through the screen to grab your loved ones or masked anarchists threatening to topple democracy and capitalism outright... 

Nailed it.



Popular posts from this blog

Tools & Techniques - Cloud Firewalls (DigitalOcean)

Image
My home lab is (probably) typical of most security professionals: a beefy workstation running VMWare workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices.  I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been DigitalOcean for the last couple of years (going by my billing history) and to date, they've been excellent. They recently introduced and advertised a new service feature called 'Cloud Firewalls' and I had chance to have a play with them today. Essentially, they've incorporated a network level firewall service to their VPS offering which can be used as an alternative or in addition to host-based firewalls like iptables, firewalld, etc.  Initial Impressions - Pros, Cons and Limitations Pros No Cost (free!!) - Cloud Firewalls are available at no additional cost. Availability - Cloud Firewalls are available in ever region DigitalOcean operate.
Read more

PCI-DSS: Your CDE may be getting bigger

Image
In December, the PCI Security Standards Council released guidance around scoping and network segmentation for card data environment (CDE) assets. In their own words: “Many organizations struggle to understand where PCI DSS controls are required and which systems need to be protected. This document provides guidance to help organizations identify the systems that, at a minimum, need to be included in scope for PCI DSS. Additionally, the document provides guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls.” The guidance goes on to visualise a scoping process, considering each category of system in turn: I believe it’s worth highlighting the ‘broadness’ of the “Connected to OR Security Impacting Systems” . These are cases where the: System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity). System component can connect
Read more

WAR GAMES - Simulating Security Incidents

Image
Why it's a good idea There are a myriad of reasons to test in peace time, the controls and processes which collectively represent your incident readiness. These include: Validating your Incident Readiness - testing can confirm that you are as ready as you think you are, and that nothing has changed resulting in an end state which prevents you from initiating IR.  Assess Controls Coverage and Identify Gaps - testing can confirm your controls coverage is adequate as well as highlighting those gaps which you'd rather not have in the event of a real issue. Demonstrate value of investment - you've probably spent a lot of time and other people's money acquiring controls, attracting talent and preparing for the eventually of an incident. Internal stakeholders will likely already be looking for assurance that their investment has been worth while.  Demonstrate investment and commitment to interested parties - internal stakeholders considered, you'll lik
Read more