2014 is now upon us: the ball has dropped, the fireworks are over, and now it is time to see what the year brings.
Nobody can know the future, but if there is one thing that is clear, it is that 2014 is shaping up to be a year of exciting developments and rapid change. Things like delivery via automated drone and wearable computing devices, once the domain of only the most speculative sci-fi writers, is now not only possible but seemingly on the brink of becoming “serious business.”
For professionals in the ISACA community, periods of disruptive technology change can sometimes seem daunting; there are a lot of hard questions to answer. How does one secure an automated drone? How does one govern a technology ecosystem that—literally—extends to what corporate citizens wear to work? And how do we ensure users’ privacy rights as we do so?
Answering these questions fully will take time, research, diligence and industry consensus. But as we face these questions, it is useful to consider a few things. First, being in a position to ask these hard questions in the first place is a good thing. Questions that “push the envelope” mean the business is evolving: these questions are a byproduct of the business taking advantage of new markets, exploring more efficient ways of operating, or opening up new pathways to deliver value to the customer.
As such, it is important that we frame risk discussions with the business accordingly. By this I mean that it is important that risk discussions include both technical risks of adoption and business risks of non-adoption.
Obviously, it is important that we address the new technology risks that can arise (since many of them can and will introduce new security and governance challenges that we ignore at our own peril). However, it is also imperative that we counterbalance those with due consideration of the business risks associated with the “status quo,” since businesses that do not adapt alongside their competitors will incur market risk.
The faster the pace of change, the riskier running in place becomes. In the words of Starbucks CEO Howard Schultz, “Any business today that embraces the status quo as an operating principle is…on a death march.”
Additionally, it is important to remember that business leaders asking questions like these of security professionals, risk managers, governance professionals, or other practitioners is a good sign. It indicates trust in the practitioners’ ability to understand the issue and confidence that guidance received will be useful and actionable.
That kind of relationship takes time to build and requires the foundation of a successful and fruitful partnership. If that history is not there, effort is required on the part of the practitioner to build it. (And the faster the pace of change, the more effort required.)
The point is, there will be plenty of tough questions to answer in the weeks and months ahead, and while that is challenging, it is also an optimistic sign for 2014.
Ed Moyle
Director, Emerging Business and Technology Trends– ISACA/ITGI
Following the much-discussed credit card breach at Target during the 2013 holiday season,CERT issued an alert on January 2, 2014 warning against malware specifically targeting Point of Sale (POS) systems.
Because they transact valuable credit card information, POS systems have always been an obvious target for cybercriminals. Some of the most notorious POS malware in recent years included Dexter, and its variant Stardust, which extracted track data from the system memory and from internal network traffic. In most cases, malware infiltrates POS systems through phishing emails.
To help strengthen POS security, the US-CERT has made the following 6 recommendations:
Use strong passwords
Update POS software Applications
Install a firewall
Use antivirus protection
Restrict access to the internet
Disallow remote access
Here is how Palo Alto Networks technology addresses CERT’s recommendations, along with some additional advice on how to best leverage our network security platform in a POS environment:
Apply segmentation combined with a strong zero-trust model as the first line of protection. In every industry, sensitive or restricted data that is subject to tight regulations or is of significant value (examples: credit card information, SSN…) should be systematically isolated from more generally accessible information. Our next-generation firewall’s ability to classify all network traffic based on application, user, and content is ideally suited to define and control access to network zones that should only be accessed by a limited, and identifiable set of users, and whose traffic should be constricted to a well-defined set of applications. Our approach allows you to easily enforce a zero-trust model where no traffic is allowed except the few applications and users authorized in the specific zone, no traffic is trusted regardless of location, and all traffic is inspected and logged.
Apply additional granular control where appropriate. One good practice is to block authentication to administrative functions from untrusted zones and from unauthorized users. Our ability to control application traffic at a functional level can enable you to implement such control with very simple policies.
Stop all known malware and detect unknown ones. We have signatures for Dexter and its variants to automatically block DNS and Command & Control traffic. Our ability to strictly control traffic based on applications and users limits the scope of you security risks on POS systems, but also enables you to inspect all suspicious files without any performance degradation.
In summary, deploying our next-generation security platform enables you to more easily control inbound and outbound traffic, screen out malicious traffic, and mitigate risks related to vulnerabilities of software and systems that are behind on patches.
With mobile firmly entrenched in both the personal and work arena, cyber-criminals are stepping up attacks against smartphones and tablets.
Practically every security expert Security Watch talked to had something to say about the increasing volume of attacks against mobile devices. Android won’t be the only one under attack, but iOS, Windows Phone, and BlackBerry, too. Trend Micro estimated that malicious Android apps will reach 3 million in 2014.
What’s different about 2014 is that attackers will expand their arsenal to include new types of malware and other types of attacks against mobile devices, said Wade Williamson, senior security analyst at Palo Alto Networks. For example, attackers will also include mobile devices in their advanced persistent threat (APT) campaigns, especially since they will be able to use GPS location to pinpoint the target’s physical location.
We’ve seen USB devices used to infect computers and in 2014, we will see criminals using mobile devices to carry out attacks. For example, they can use smartphones to gain access to computers over a WiFi network, said Jason Frederickson, senior director of application development at Guidance Software. Once connected, the attacker can infect the computer and all other devices on the same network, he said.
Ransomware Goes Mobile There will be new types of mobile malware as cyber-criminals figure out new ways to monetize attacks against mobile. Ransomware will target Android devices in 2014, said Neil Cook, CTO of Cloudmark. Ransomware such as Citadel and CryptoLocker locked up infected machines and warned users that the computer will remain unusable until they paid a ransom. CryptoLocker encrypted the data on the machine, which meant even if the actual malware was removed, the data remained unavailable. This tactic proved to be highly effective in 2013 and will likely continue in 2014, with a few new twists.
Mobile ransomware will be slightly different from the variant targeting computers, Cook said. Most data stored on mobile devices are usually synced with some kind of cloud service—images on iCloud, contacts on Google’s Gmail servers, documents stored in cloud storage—which means locking up the data on the mobile device wouldn’t be as catastrophic as it would be on a computer.
It seems more likely that mobile ransomware will lock up the device on the hardware level, rather than targeting the data. While the data itself is fine and they would be able to just re-download their apps and information onto a new device, many people may prefer to pay the ransom rather than cough up hundreds of dollars for a new device.
Mobile Banking Fraud SMS will attract more phishing attempts, especially targeting financial accounts, Cook said. There will be an increase in SMS messages sent to business phones as part of a spear phishing attack. SMS spam will push mobile malware onto user devices, which can result in private, confidential personal and financial information being exposed.
Trend Micro also suggested that two-step verification mechanisms used in online banking will become inadequate as cyber-criminals boost their man-in-the-middle attacks against mobile devices.
“Mobile malware will become more profitable for scammers,” Cook said.
Security as a Competitive Edge It’s not all doom and gloom for mobile. With increased focus on data protection and online privacy, smartphone manufacturers will begin to compete on security, said Paul Kocher, president and chief scientist at Cryptography Research. Instead of focusing on just phone thinness or screen size, buyers in 2014 will consider how safe the apps are, whether data would be protected, and which devices wouldn’t compromise security.
‘Tis The Season For Security Resolutions, Not Predictions.
At SecurityWeek, we believe it is more important for IT security teams to focus onresolutions rather than vendor predictions that are typically self-serving. While keeping an eye on the ever-changing threat landscape is important, as we suggested in our 2013 security resolutions feature, organizations worried about what might happen should instead focus on what they can do to improve their security posture.
Keeping to tradition, SecurityWeek invited security experts to weigh in on New Year’s resolutions for improving information security and how organizations can better develop new habits in 2014.
Resolutions ranged from improving network monitoring, data center security, and understanding cloud services, to mobile security and user awareness. The common theme running through them all was the fact that organizations had to focus on the basics again, to tackle the nuts-and-bolts of security.
Back to Basics
The primary step towards keeping the enterprise “healthy” year-round is to get back to the basics, such as properly managing vulnerabilities and regularly patching systems, said Marc Maiffret, CTO of BeyondTrust. Unlike weight loss plans or promises to exercise more regularly, businesses see the benefits of adopting security fundamentals almost immediately.
Resolutions to do better don’t mean squat if the organization doesn’t know what is at stake, said Isabelle Dumont, director of product marketing of industry/vertical initiatives at Palo Alto Networks. Organizations need to know exactly what the vulnerabilities are and what they stand to lose in case of cyberattack.
“From healthcare and education to energy, oil and gas and transportation, companies in every vertical need to do a better job evaluating the costs and risks related to cybersecurity threats,” Dumont said.
Take Control of the Network
“Go back to the basics. Integrate your data. Automate as much as possible,” suggests Brandon Hoffman, senior director of global business development and security engineering at RedSeal Networks. Organizations have to first understand the security posture of the network infrastructure itself and then figure out how the information being collected can be used across multiple security systems. Automating some of data collection and analysis reduces human error and improves efficiency.
For most organizations, the network infrastructure is complex, as it has morphed to support new requirements over the years. The network had “numerous architects, builders, maintenance people, and janitors all adding sections, changing walls, and fixing holes (or adding them) over the years,” Hoffman said.
Administrators have to unravel the tangled mess that is their network and make sense of what they have and what is happening. “Trying to secure the network infrastructure without understanding it is like trying to secure a building without knowing where all the doors are,” Hoffman warned.
The next step is to figure out ways to integrate security platforms to improve overall security posture. Initiatives include correlating vulnerability scan data with network infrastructure analysis to understand where vulnerabilities exist. Data can be shared across multiple platforms.
Hoffman also emphasized the importance of automating certain security tasks to reduce human error and improve efficiency. Network infrastructure security management software automates the calculation of attack vectors and correlates systems data such as vulnerability data and security information and event management system logs, but the task is “enormous,” Hoffman said.
“Network infrastructure is the key, start there,” said Hoffman.
Don’t Neglect the Data Center
The data center should be part of the overall network infrastructure assessment. In recent years, organizations have largely been focused on the top layers of the IT stack, such as applications software, operating systems, storage, and networking devices, said Bob Butler, CSO of data center company IO. Assessing data center infrastructure security using penetration testing and vulnerability assessments is an important part of going back to the basics because the defenders will know what is vulnerable and the severity of the risk.
Many organizations will find their “traditional raised-floor data centers are filled with aging infrastructure of varying design that do not lend themselves easily to protection,” Butler said, noting that attackers can penetrated these aging systems relatively easily. A software-defined data center strategy will focus on standardizing hardware and use software-based intelligent controls to improve visibility into the network, Butler said.
Focus on Mobile
According to a recent survey of security professionals, 75% of respondents identified mobile devices such as smart phones as “the greatest risk of potential IT security risk within the IT environment.”
Thanks to proliferation of mobile devices, it’s no longer sufficient to focus just on the network, or the computers and servers. If your organization hasn’t addressed mobile devices yet, this is the year to tackle that question head-on. Whether the organization controls which mobile devices employees can use, or allows BYOD, it is important to come up with a strategy. Most security professionals recognize that mobile devices pose the biggest risks to the organization, but this awareness has to translate into actual policies. “Are you hiding your head in the sand when it comes to mobile security?” said Dumont.
The organization has to recognize that crimeware and fraud targeting mobile devices is just as risky to their networks and data as traditional attacks. Attackers will be able to use cellular networks to connect to command-and-control infrastructure, thus bypassing a lot of organization’s network-based defenses, Dumont said. APTs targeting mobile platforms will take advantage of GPS location to pinpoint individual targets.
“Get your mobile security strategy in place,” Dumont advised.
Control Employee Access
Administrators need to exert greater control over remote access tools such as Remote Desktop, SSH, and TeamViewer, said Dumont. The applications are powerful and essential for a variety of business operations, but they are also abused regularly by attackers. “In 2014, resolve to take make certain these tools are secure,” Dumont said.
“View employees as threats and monitor them as such,” says Carmine Clementelli, iNetSec product manager at Fujitsu Computer Products of America. Organizations have been focused almost exclusively on external threats that they have neglected to secure their networks and data from internal abuse. The threat may come from bring-your-own-device because IT doesn’t have control or visibility over employee activity, or because the employee decided to break the rules. Either way, organizations have to create policies and monitor employees before a costly data breach occurs.
Understanding the Cloud
Cloud providers need to “reinforce the idea that security is a shared responsibility,” that organizations outsourcing certain activities to the cloud doesn’t mean they relinquish their security obligations, said Adrienne Hall, general manager of the Trustworthy Computing group at Microsoft. Cloud providers are quick to tout the security benefits of the cloud, such as not having to worry about security updates, but neglect to mention that organizations still need to do their part, such as securing the endpoint and making sure employees are using strong passwords.
Along with a discussion about responsibilities, cloud providers and organizations need to talk about their expectations, Hall said. Cloud providers need to understand what compliance requirements the business has to follow, and organizations have to understand what security features the service plan offers, and how much these additional features would cost.
None of these conversations can happen if everyone slings around acronyms instead of specifying exactly what they are saying. Instead of getting caught up in the differences between Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), focus on what the cloud service provides the customer. For this New Year’s resolution, resolve to “avoid acronym soup when discussing cloud services,” and just talk about what the service provides and how it drives business value, Hall said. This will make cloud computing “less theoretical and more real,” she said.
Have Accountability
There is no magic pill in security, and organizations need to be diligent about staying on top of these tasks. Maiffret suggests a yearlong plan with monthly checkpoints “that force you to reflect more frequently and honestly” about what is actually being done, Maiffret said.
“Changing your habits is never an easy thing but just imagine—had you stuck to your goals a year ago where you would be now,” Maiffret said.
In 2014, Will Your Security Team be Driving New Value, or Responding to Yesterday’s Threats?
In the 1940s, Peter Drucker wrote that one of the keys to organizational success is to publicly commit to specific, measurable goals. It is as relevant for a high-tech software company today as it was at General Motors in the years following the end of World War II, and I challenge my staff to do so every year as we enter into our annual planning process.
The value in the exercise is in the accountability that it establishes, creating an incentive to stretch a bit further towards outcomes that drive growth and innovation. It is human nature to do what is comfortable, but to quote a somewhat more contemporary management consultant, what got you here won’t get you there. A secondary (but perhaps more important) result of public commitment to specific outcomes is that it fosters a discussion around identity and direction. If strategies and goals fail to mesh with that common vision, they can be quickly identified and set aside, without investing time and effort into activities do not lead the company towards increased success.
As 2013 wanes, it makes sense take a few steps back and look at the state of the cloud and how it fits into the plans our customers and friends have been sharing with us. End of year retrospectives are fairly typical — my company posted one as part of our newsletter to our customers, and I seem to receive a new one in my inbox daily — but of the ones that discuss cloud strategy, most seem to be saying the same things: the cloud is finally taking off, companies are moving their data into a hybridization of cloud platforms (such as the adoption of both Salesforce and Google Apps), and accelerated growth is to be expected.
While these may be accurate predictions, annual planning sessions offer the unique opportunity to look not only at if cloud technologies will change your business, but to take a page from Drucker, to also ask why and how. In articulating an IT strategy around cloud initiatives, consider some of the largest media stories in 2013, and how shortcoming in traditional technology architecture management resulted in data loss and increased risk: theEvernote password compromise in March, the access and release of thousands of federal employees’ personally identifiable information from the Federal Reserve in August, the massive credit card theft from Target’s stores in December. All played out differently, but there is a theme here: legacy system administration, where the responsibility for platformsecurity falls to internal resources, is problematic at best.
In moving to the cloud, much of this risk can be mitigated. I have written in previous articles about the “halo effect” of cloud adoption, wherein organizations embrace a cloud platform but forget that the responsibility for managing data and account security remains on them. While not entirely true, there is a net benefit in that responsibility forinfrastructure security is handled by the platform provider. Moving data from legacy server rooms into modern cloud environments means a reduction in the number of operating system patches, network security devices, and physical security safeguards against exploits that an IT team needs to manage.
Across the board, it is these core services that are most often responsible for security breaches, and it makes good business sense to allow them to be managed by a team with far more specialized experience than any generalist IT team could ever match; a single Google data center has thousands of servers, its own power and climate control systems, and a culture of secrecy so tightly interwoven into Google’s culture that even its own sales and engineering teams operate on a need-to-know basis (and most don’t, say inside sources).
We are beginning to see wider acceptance and adoption of this model, and as a result, a refocusing of IT’s goals away from solely operational tasks and increasingly towards ways to enable increased collaboration, efficiency, and organizational growth. IT is discovering that the same principles that make cloud applications so powerful can be multiplied to other areas of the business, establishing a true enterprise platform, and that their precious time and resources can be dedicated to maximizing that platform’s utility rather than maintaining it in an operational state. This is significant because it opens up a new world of possibilities in terms of collaboration and resources that were previously unavailable to a diversified workforce. Moreover, from a security perspective, they can appreciate that their attention can be spent on ensuring that their data and user base is safe, rather than responding to threats with origins in insecure software or configurations.
This shift in thinking signifies that by adopting cloud based platforms, organizations have recognized that maintaining a large number on-premise systems and applications is rarely a goal worth setting, and that instead of improving the organization, it often exposes increased risk and vulnerability. As we move through 2014, and as new data breaches emerge, will your teams be driving new value, or responding to yesterday’s threats?