My 3 Big Security Predictions for 2016


It doesn't feel like a year since I last sat down and wrote about what the next year might bring. 2015 has flown by and looking back on it now its difficult to say with any confidence that things are getting better or going to any time soon.


1. Attacks on (and from) the Internet of Things (IoT)


The IoT or 'smart' things are the fastest growing area of concern I have today and I suspect this concern to only grow in 2016. This concern not only centres around the direct consequence or impact from incidents which target IoT devices specifically, but also around the potential these might have to allow an attacker to 'pivot' to other systems on the same network (your home, your office, the hospital or power station you work at...).

For me, IoT is the embodiment of fashion over function. Little to no requirements appear to be driving IoT development and some of the stuff that appears to be in the works is just bonkers. Seemingly, companies are soldering chips into things purely to one-up their competitors. Don't believe me? Check out @InternetOfShit

So where *should* security fit in with the IoT? Realistically, in exactly the same place it should fit in with any other solution. IoT vendors should be actively considering patching, network security, user privacy, remote access and management. If they are, then this might result in innovation which might benefit security efforts wholesale. If they're not, then the likelihood of there product or service becoming the next headline or contributing factor towards it remains high. 

One thing that might focus this effort is challenging beliefs around the size and scale of the internet. The fact is that the internet is not vast and endless and you simply can't hide on it. The bad guys are not only looking for what they already know about. People need to think of the internet like a bad neighbourhood. Anyone can visit, at any time, from anywhere so you better lock your car. Don't leave anything on display... you get the idea...

Services like Shodan and now Censys are going some way to challenging the outdated mode of thinking as they are used and referenced more and more (typically during investigations following an incident or the release of a vulnerability). 

2. Breaches. Lots more Breaches. 


Source: http://www.informationisbeautiful.net

2015 was a bad year for breaches and I'm 100% certain that the trend will continue and we'll hear about (lots) more breaches in 2016. Some of these will be new, real time incidents and we'll likely hear about historic cases too. Given their frequency and in some cases the lack of effort required, I'm not sure "breach" is still an appropriate term for describing incidents of mass data loss as this implies a certain degree of effort. 

In reality, breaches are the result where technical controls have failed or working practises have become unhygienic... or both. Irrespective of size, organisations should be constantly reviewing where their data resides and who has access to it. To get the ball rolling, I'd recommend a specific DLP (Data Loss Prevention) risk assessment be conducted by a specialist third party. From this a map of where your data *actually* resides and who *actually* has access to it can be drawn up along with an assessment of any existing controls and their effectiveness (technology and operation). Once you know what it is you're trying to protect, I'd recommend organisations (large and small) look to review their controls and take steps to ensure its not already too late. This review can take the form of what's called a compromise assessment (CA). During a CA a third party scours your environment (network and hosts) for signs of historic or active compromise. This is a big ticket item and will require senior backing not just because of the cost but also because you'll need to understand and agree on your obligations should the assessment find evidence of a breach.


3. Development of the malware economy


Malware is big business. There is now a well documented, fully fledged economic system driving the production, distribution, trade and *consumption* of malware and this isn't going to change any time soon. If you work in security operations, you'll likely be familiar with the constant onslaught of exploit kits like Angler, Nuclear and Rig and the never ending salvoes of booby-trapped office docs which go on to drop (predominantly) ransomware. This likely informs (if not dominates) how you spend a lot of your time and your metrics. 

The current threat-case for commodity malware is already very serious, but has potentially broader and more worrying implications than just theft or fraud. If you work to the assumption that a threat-actor (aka 'bad guy') will work up to using their most sophisticated option last, exhausting all other options along the way in attempting to achieve their objective, then any market that exists which provides easy access to (relatively) sophisticated malware and means of distributing it at a relatively low cost is of grave concern. For years, the 'rogue state' has been acknowledged as a would-be threat actor but the number of those with cyber capabilities has always been very low.

I'm predicting that we will likely see non-financially motivated threat-actors entering the malware economy and looking to leverage commodity malware as a means of promoting their cause or achieving their objectives within the next year. In fact, this may have already happened with the on-going discussions and research around attacks against power infrastructure in the Eastern Ukrainian over Christmas. 

http://arstechnica.com/security/2016/01/first-known-hacker-caused-power-outage-signals-troubling-escalation/
Being honest about your maturity and capabilities is the first step to improving your defences. If you don't know where you stand in regards to common benchmarks like the SANS 20 Critical Controls, then it's probably time you got some help.


Conclusions 


It's 2016 and in my opinion a lot of organisations (still) don't really *do* security but instead focus on compliance. They do the absolute minimum necessary to tick the box or get the security badge they need to do business. When TalkTalk's CEO Dido Harding bumbled onto our screens late last year after the telco/ISP was breached by 'script kiddies' she defended her position and went as far to say that TalkTalk's 'security was 'head and shoulders' above competitors. Sadly, she was probably right and I've long believed that the root cause of this deficient state in many organisations is the lack of real world ramifications for not doing more to protect information systems. Unless this changes, things won't get better and this has serious ramifications now that more aspects of our lives are becoming internet accessible and the knowledge required to launch attacks against them a commodity. 

We've had well over a decade of security standards and testing which should have contributed a lot more to improving security than it really has. In my opinion, because the agenda is so often driven by the reward of compliance or certification, we've undermined any attempt to develop effective capabilities. The emphasis has always been to achieve a passing mark against the smallest scope possible. This shouldn't be allowed to continue and if those companies that had taken this route historically addressed their deficiencies today we'd see less incidents now and in the future. Adopting or maintaining this form of compliance regime is a business decision and ultimately needs to be attributable to someone. The fact is attackers don't care about scope. To them everything is up for grabs. 

A decade ago, when the internet was new(ish), businesses really might not have known any better. Today though, cyber incidents make the press weekly and if companies don't question or look to validate their security posture in light of the growing list of casualties then someone should be held to account. If companies managed their finance or accounting practises like so many mis-manage security someone would be going to jail. 

Here's to a hopefully better 2016. Happy New Year :)



Popular posts from this blog

Tools & Techniques - Cloud Firewalls (DigitalOcean)

PCI-DSS: Your CDE may be getting bigger

WAR GAMES - Simulating Security Incidents