I just read another post on maintaining trust with customers in era of data breaches. There is nothing new in the posting, but the content is impactful from its simplicity and succinctness. Here are the items that should be acted on (easier to write about than implement)
Of course, there is no surprise that several sources are looking into their respective crystal balls to predict the future (at least for 2017). I completed a google search for ” cyber security predictions 2017″ and got several results. For fun, I decided to compare the top 5 results in the table below (in a unscientific way). The top 3 trend categories are: 1) IoT; b) law enforcement; and c) ransomware.
The Takeaways
| Trend | Trend Category | 1 | 2 | 3 | 4 | 5 |
| Escalation of ad wars boost malware delivery | Ads | Y | ||||
| The explosion in fake adds and purchased likes erodes trust | Ads | Y | ||||
| Adaptive and behavior-based authentication grows in importance | Authentication | Y | ||||
| Behavioral technologies, such as pressure, typing speed and fingerprints, will be embedded into newly-released technologies | Behavioral analytics | Y | ||||
| Increasing number of cloud-based attacks cause vendors to double-down on security | Cloud | Y | ||||
| The mainstream move to the cloud and mobile computing will turn up the volume on demands for security that covers the expanding attack surface | Cloud, Mobile | Y | ||||
| Companies will struggle to adapt, understand and adjust to updates in privacy frameworks. | Compliance/Regulation | Y | ||||
| Compliance concerns drive growth in the endpoint and device market | Compliance/Regulation | Y | ||||
| Consumers and others will lobby more aggressively for protection. | Consumerism | Y | ||||
| Companies will fight back. | Counter hack | Y | ||||
| Cyber-offense and cyber-defense capacities will increase | Counter hack | Y | ||||
| The number of cyber-attacks will continue to grow almost in every industry. | Cyber attacks | Y | ||||
| Cyberbullying … it is an emergency | Cyberbullying | Y | ||||
| Cybercriminals focus on crypto currencies | Cybercriminals | Y | ||||
| Commercialized anti-DDoS will emerge | DDoS | Y | ||||
| Dronejacking places threats in the sky | Drones | Y | ||||
| Exploit kits, the hackers’ Swiss Army knife | Exploit Kits | Y | ||||
| Hacktivist expose privacy issues | Hacktivist | Y | ||||
| Internal threats will increase | Insider threat | Y | ||||
| With more hacktivism and nation-states sponsoring cybercrime, countries will have to consider “cyber arms treaties” to reverse the trend. | International Treaties | Y | ||||
| The Internet of Things (IoT) –everything from toy drones to routers – will come under government cyber security scrutiny and require manufacturers to tighten security. | IoT | Y | ||||
| Industrial IoT hacks will increase | IoT | Y | ||||
| IoT devices, a dangerous weapon in the wrong hands | IoT | Y | ||||
| IoT malware opens backdoor into the ome | IoT | Y | ||||
| We’ll see an increase in new vulnerabilities introduced through the Internet of Things (IoT). | IoT | Y | ||||
| A joint international effort to fight the cyber crime | Law enforcement | Y | ||||
| Cyber espionage: industry and law enforcement join forces | Law enforcement | Y | ||||
| Law enforcement takedown operations put a dent in cyber crime | Law enforcement | Y | ||||
| Machine learning accelerates social engineering attacks | Machine Learning/AI | Y | ||||
| The rise of Artificial Intelligence | Machine Learning/AI | Y | ||||
| Mobile threats to include ransomware, RATs, compromised app markets | Mobile | Y | ||||
| The dramatic increase in Mobile threats | Mobile | Y | ||||
| Nation State Actors hacking and the urgency of norms of state behavior | Nation state actor | Y | ||||
| The first nation state cyber-attack will be conducted and acknowledged as an act of war | Nation state actor | Y | ||||
| The concept of passwords and password re-use will take front and center stage in home and business awareness | Passwords | Y | ||||
| Physical and cyber security industries join forces | Physical and cyber | Y | ||||
| Ransomware and extortion will increase | Ransomware | Y | ||||
| Ransomware subsides in second half of 2017 | Ransomware | Y | ||||
| Ransomware, one of the most dangerous cyber threats | Ransomware | Y | ||||
| Security will no longer be an afterthought | Security by design | |||||
| The security skills shortage will continue. | Skill shortage | Y | ||||
| Hardware and firmware threats an increasing target for sophisticated attackers | Sophisticated Attackers | Y | ||||
| Business security spending will increase | Spending | Y | ||||
| Threat intelligence sharing makes great strides | Threat Intelligence and sharing | Y | ||||
| Tor v2 comes online | Tor v2 | Y | ||||
| Continued exploits of known vulnerabilities | Vulnerabilities | Y | ||||
| Vuln exploits on Windows cool down as other platform heat up | Vulnerabilities | Y |
Sanjay Aurora wrote an interesting blog post about using the immune system as an analogy to inspire CISOs to rethink how we do cyber security:
By understanding and continuously refining our grasp on what is inside us — the “self” and what is “normal” — the human body can detect abnormalities and respond in real-time to anything it identifies as a threat.
…We do not expect our skin to protect us from viruses — so we should not expect a firewall to stop advanced cyber threats which, in many cases, originate from the inside in the first place.
…Enterprises that have been successful in mitigating threats have acknowledged that security professionals cannot be expected to do all the heavy lifting. It is impossible to manually track and secure every part of an organisation’s network. Hence, they have turned to unsupervised machine-learning technology that mirrors the mechanism of the human immune system, allowing them to eliminate more than 18,000 serious early-stage threats globally in the past two years.
Aurora addresses two types of threats that we must identify with cyber security immune system: trust attacks and insider threats:
Today’s most savvy attackers are moving away from pure data theft or website hacking, to attacks that have a more subtle target — data integrity….attackers will use their ability to hack information systems not to just make a quick buck, but to cause long-term, reputational damage to individuals or groups by eroding trust in data itself.
Let’s not forgot the potential impact of these “Trust Attacks”:
The scenario is worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk. Governments may also fall foul of such attacks, as critical data repositories are altered and public distrust in national institutions rises. Local firms will not be immune from such attacks, especially as they digitise and consequently become more reliant on online data.
The threats within are:
…often the source of the most dangerous attacks. They are harder to detect, because they use legitimate user credentials. They can do maximum damage, because they have knowledge of and privileged access to the information required for their jobs, and can hop between network segments. A disgruntled employee looking to do damage stands a good chance through a cyber attack.
But insider threats are not just staff with chips on their shoulders. Non-malicious insiders are just as much of a vulnerability as deliberate saboteurs. How many times have links been clicked before checking email addresses? Or security policy contravened to get a job done quicker, such as uploading confidential documents on less secure public file hosting services?
The Takeaways from Aurora are:
Traditionally, when we think about security and protecting ourselves, we think in terms of armor or walls. Increasingly, I find myself looking to medicine and thinking about viruses, antibodies. Part of the reason why cybersecurity continues to be so hard is because the threat is not a bunch of tanks rolling at you but a whole bunch of systems that may be vulnerable to a worm getting in there. It means that we’ve got to think differently about our security, make different investments that may not be as sexy but may actually end up being as important as anything.
What I spend a lot of time worrying about are things like pandemics. You can’t build walls in order to prevent the next airborne lethal flu from landing on our shores. Instead, what we need to be able to do is set up systems to create public health systems in all parts of the world, click triggers that tell us when we see something emerging, and make sure we’ve got quick protocols and systems that allow us to make vaccines a lot smarter. So if you take a public health model, and you think about how we can deal with, you know, the problems of cybersecurity, a lot may end up being really helpful in thinking about the AI threats (President Obama, Oct. 2016)
Chris Young at his keynote at Focus 2016 reflected on some trends over the last year. One of his observations, which is also expanded on in Mcafee’s book “The Second Economy,” is that threat actors or “black hats” use time against defenders (see below for excerpt from book).
Three years ago, the trend and focus was about threat actors prolonging the attacks. That is, it is about being persistent in the environment as long and stealthy as possible to harm the victim. It is about extending the length of the attack(s). The persistence can be by the original threat actor or a new threat actor that has purchased access from the former. Of course, these persistent threats are still occurring.
However,in 2016, with the increase in ransomware attacks, threats actors are now using time to pressure victims to avoid long term harm (i.e., a hospital cannot treat patients in their ER department because their computer systems are unaccessible). It is about shortening the length of time of the attack as much as possible.
The Takeways
COO (#focus16 #P_barnabe) of Atos is delivering a keynote that aligns with the message of collaboration. The next steps of cyber security according to Atos needs these elements:
The Takeways
I am at Mcafee Focus 16 (#focus16). I decided to come despite missing out on the CxO track.
The opening video talked about the need to collaborate and work together. Standing alone won’t work. “Together is Power!”
Chris Young announced Open Data Exchange Layer. I have been waiting for this for last 2 years. He has thrown down the gauntlet to their competitors. Are you listening, Cisco, Symantec, Microsoft and Palo Alto Networks?
Chris Young also mentioned automation, integration and orchestration. Nice. Another key element is using the cloud as part of our cybersecurity efforts; it expands and contracts with the individual and company’s needs. It is always available regardless of where the person is physically or virtually.
The Takeways
In 2015, KPMG released a glossy, but informative 9 page pamphlet entitled, ” Positioning the Chief Information Security Officer (CISO) for Success.” KPMG starts off with answering two common questions on the first page:
The answers are interrelated. In fact, #1 is the overarching answer (and The Takeaway) are:
KPMG also raise two valid points about how to achieve these objectives:
I get asked various questions throughout the day about safety, compliance, policies, technologies etc. Below is my detailed response to the question: why do we need to change our passwords on a regular basis?
Why do we change passwords on a regular basis?
What are healthcare companies doing?
What is some recent research on mandatory password expiration?
What are some key points from the NIST posting?
What are some key points from the FTC blog posting?
Where can I find more information?
I used the resources below to help with my response to your great question.
The Takeaways:
No simple blog post can characterize all the feelings associated with 9/11. I can only pay a simple tribute to the heroes and victims of 9/11 by reading stories related to this dark day in world history. I am reflective and appreciative of the heroes and my freedom on this day. I teach my kids to do the same thing.
In this post, I pay tribute to Rick Rescorla. I encourage you to read the stories posted on http://rickrescorla.com/.
Rick Rescorla, Jorge Velazquez and Godwin Forde – leading the evacuation on 9/11 (Grunwald, 2001)
Below is an excerpt from “A Tower of Courage” by Michael Grunwald from the Washington Post (October 28, 2001). I chose this excerpt because it has takeaways for CISOs.
___________
After the truck bombing that year, Rescorla had warned Hill: Next time by air. He expected a cargo plane, possibly loaded with chemical or biological weapons. In any case, he insisted on marching his troops through evacuation drills every few months. The investment bankers and brokers would gripe, but Rescorla would respond with his Seven P’s: Proper prior planning and preparation prevents poor performance. He wanted to develop an automatic flight response at Morgan Stanley, to burn it into the company’s DNA.
According to Barbara Williams, a security guard who worked for him for 11 years, Rescorla was in his office when the first plane hit. He took a call from the 71st floor reporting the fireball in One World Trade Center, and he immediately ordered an evacuation of all 2,700 employees in Building Two, as well as 1,000 Morgan Stanley workers in Building Five across the plaza. They walked down two stairways, two abreast, just as they had practiced. Williams could see Rescorla on a security camera with his bullhorn, dealing with a bottleneck on the 44th-floor lobby, keeping people off the elevators.
“Calm, as always,” she says.
In his cell phone call to Hill, Rescorla said he had just spoken to a Port Authority official, who had told him to keep everyone at their stations. “I said: Everything above where that plane hit is gonna collapse,” Rescorla recounted to Hill. “The overweight will take the rest of the building with it. And Building One could take out Building Two.”
That, of course, is not exactly what ended up happening. But by the time the second hijacked jet rammed into the south tower at 9:07 a.m., many Morgan Stanley employees were already out of the building, and just about all of them were on their way out.
__________
The Takeaways
Computer Security News, Advice and Research
In-depth security news and investigation
Robert Rost 