2016 Prediction #1: Online Marketing Trends Will Change Web-Based Threats… Slightly

This is the first in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.

Marketing and advertising technologies have always been at the forefront of finding new ways to identify and track data, and security threats are never far behind. So, with 2016 looming, there’s no better time to look at Forbes’ “The Top 7 Online Marketing Trends That Will Dominate 2016” and the resulting security implications. Forbes’ list is as follows:

  1. Video ads will start dominating.
  2. App indexing will lead to an explosion of apps.
  3. Mobile will completely dominate desktop.
  4. Digital assistants will lead to a new kind of optimization.
  5. Virtual reality will emerge.
  6. Wearable technology and the Internet of Things (IoT) will pave new ground.
  7. Advertising will become more expensive.

One thing is for sure: some of these trends open new avenues for cybercriminals. Three key trends that stand out as potential security issues are: the explosion of apps as a replacement for regular websites, the emergence of virtual reality, and the expansion of wearable technology. Let’s take a closer look at just how each of these three trends could impact web-based attacks in 2016.

Explosion of apps

There are already apps for everything from accounting to web posting, with more popping up every day. The fact that most apps can do exactly what websites can do – and in many cases better – will lead to a volume challenge: the sheer number of apps can degrade security and widen the surface open to exploitation.

Emergence of virtual reality

A new phenomenon, with little regulation and standardization, virtual reality opens the door to new, never-before-experienced cyberattacks. Virtual reality platforms will connect to the web or to web-based apps, again giving cybercriminals a broader base from which to launch attacks.

Expansion of wearable technology

The Internet of Things (IoT) is moving beyond its infancy. Many wearable gadgets offer web access with very little control over secure access. Yet most of these devices will somehow connect to a larger corporate network. This gives cybercriminals a lower barrier to entry into any connected organization.

While all of these changes are important, I do not expect to see a major shift in web-based attacks during 2016. Instead, we will see an adjustment in the behavior of cybercriminals and their use of the cyberattack lifecycle, mainly in how they infiltrate companies.

It’s hugely important for companies to deploy good application identification capabilities within a security platform that offers a holistic and comprehensive approach to security, with web security providing a part of the overall protection. Focusing on web security alone will not be sufficient. Securing an enterprise or government means architecting security to both detect and prevent known and unknown attacks while safely enabling applications.


Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.

[Palo Alto Networks Blog]

Cyber Security Lessons from “The Martian”

First things first, if you have not seen the movie or read the book “The Martian,” stop right now and do not continue because there will be spoilers. You have been warned.

On more than one occasion in my life as a security professional, I have felt like I was stranded on Mars – all alone with only my wits and spirit to survive. As I read The Martian, I kept thinking about what skills and practices would help a security practitioner in their day-to-day life. What would Mark Watney do?

During an ongoing attack, there is no time to deploy new tools and there is no one else who is more familiar with your network environment than you. Instead, you must use the tools and knowledge immediately available to survive, and time is not on your side. Maybe that is why this book resonated so well with me.

This post is the first in a two-part series. Watney’s approaches can be divided between methodologies and psychological skills, both of which are equally important in a stressful situation such as a cyber-attack. In this post, I’ll explore how Watney approached problem-solving and what logic he used to give himself the best chance of survival.

Science is helpful for what can be explained by science
Sciences like physics, chemistry and botany teach us that a small percentage of the future can be predicted if we play within the laws that are deterministic. It is within these formulas that we can predict the future outcome of an action, but what “The Martian” illustrates is even with all that science provides, the majority of the future cannot be determined and we just need to deal with it. Science only explains a very small percentage of what we as humans experience, so if you happen to be on the high horse of science, get off before you fall.

Science only takes you so far; for the rest you are on your own.

Adapt or die
During the entire time on Mars, Watney needed to adapt to an unfriendly and deadly environment. He needed to assume the roles of farmer, trucker and construction worker to survive. As a farmer, he used his limited resources to create an environment suitable for growing potatoes to sustain a diet until rescue. As a trucker, he had to make his entire living space mobile for the trek across plains and mountains to a rescue craft. As a construction worker, he needed to modify the craft and reduce its weight and other properties so that he could reach orbit with the fuel that was on hand.

All of these roles are crafts, which means they encompass not just processes and skills but resources and tools as well. Watney needed all of it to survive. It is likely that an individual in your organization fulfills multiple roles such as incident responder, business leader, IT operations, etc. as they go about their daily job. Adaptation is a survival skill on any planet.

Utilize lateral thinking
While Watney had advanced machinery and materials designed specifically for Mars, none of it was meant for use beyond 31 days. Watney had to stretch it for a year and a half and use it in ways it wasn’t intended. To do that, he had to get creative. He modified machines, adapted materials and jury-rigged a potato farm in his living quarters.

In cyber-security, organizations cannot afford to buy a new tool for every specific need. In fact, attempting to do so is ineffective and can lower the overall security. Instead, we must adapt our tools. Oftentimes, we can use them for purposes the designer did not envision and make them work with our other tools in creative ways. Again, this is also applicable to processes. What doesn’t work at another organization may work in yours. Maybe your team is versatile and benefits from regular role reassignments. Maybe your tools are also beneficial to network operations, which can help garner more funding for future cooperative investments. Don’t be afraid to try new and crazy things. It just might save you.

Plan for Failure
A plan is good until it makes first contact with the enemy. Unfortunately, systems sometimes fail and processes may prove ineffective. You cannot rely on success. For every plan that Watney thought of, he tested and prepared for failure. Whenever he made modifications to the rover, Watney would drive it around his living area for days to see how it held up to use. When he reestablished communication with Houston using the remains of the Mars Pathfinder probe, he created a plan on how to provide updates via Morse code should communications fail. Of course, Watney couldn’t imagine every failure scenario, but he planned for enough to keep himself alive.

In cyber security, we must plan for failures. Having strong network perimeter defenses is important, but they cannot be relied on as the sole source of security. Monitoring internal network traffic, utilizing proper segmentation and detecting anomalous and malicious behaviors are important measures to ensure attackers can be stopped after other measures fail.

Also, don’t forget to save a nice meal for the day you survive something that should have killed you.

Testing and rehearsals are critical
According to Watney, “in space no one can hear you scream like a little girl.” We can plan for failure, but that doesn’t make it any less terrifying. To avoid that terror, Watney tested and tested and rehearsed and tested some more before he did anything. His modified rover had days’ worth of travel time on the odometer before he drove further than walking distance from the Hab. He put his makeshift tent through the wringer, breaking it in the process, before he ever spent a night in it.

Some failures are so complete that there are no possible backup plans, so we must push our tools and responses until they break in order to make them as strong as possible. This is the mentality behind penetration testing. Security teams need to know exactly what to do in the event of an attack. If they don’t know something, they need to be able to find it out – in minutes. Security tools must function properly under pressure, and responses need to be effective.

Start with these questions: Do you have an incident response plan? (You should) Have you tested that plan? (You should) Do you know what to do in the event of an outside attack? What about an inside attack? What are the limits of your tools? Are there any critical blind spots or vulnerabilities in your network? How do you know? Rehearse attack scenarios to find out the answer to these questions. Then rehearse some more, and do it regularly. If you don’t identify your own weaknesses first, someone else will.

Next week, I’ll cover what Watney did to stay sane in the face of isolation and death. I’ll also touch on what interpersonal factors were present in the entire Ares 3 crew, which ultimately allowed them to rescue Watney without losing a single person.

TK Keanini, Chief Technology Officer, Lancope

[Cloud Security Alliance Blog]

A View Into the Cyber3 Conference – Crafting Security in a Less Secure World

Palo Alto Networks was a Gold sponsor of the official side program of the “Cyber3 Conference Okinawa 2015—Crafting Security in a Less Secure World”, an international cybersecurity conference hosted by the Government of Japan in Okinawa from 7-8 November 2015.

The event was moderated by William H. Saito, Special Advisor to Japan’s Cabinet Office, who is also Vice Chairman and CSO of Palo Alto Networks Japan. The conference featured three separate themes which were closely interconnected and interdependent: Cyber Connection, Cyber Security, and Cybercrime.

Held concurrently with the conference, the official side program, which included two Education track sessions, offered conference participants and leading global companies in cyberspace the opportunity to discuss comprehensive security measures.

In addition, Palo Alto Networks held a press conference to announce its 2015 Application Usage and Threat Report (AUTR), as well as several media interactions. Last but not least, Palo Alto Networks also hosted dinner and networking events throughout the conference.

The event was a great success. Take a look at some of the photos from the event below!

Application Usage and Threat Report (AUTR) press conference

Cyber3 Conference Okinawa 2015

Vice Chairman of Nissan, Toshiyuki Shiga (center), together with Hiroshi Alley, Chairman and President of Palo Alto Networks Japan K.K. (far right)

Navigating the Digital Age books were widely distributed at the Conference.
Download your copy.

Did you attend Cyber3 Conference Okinawa 2015? Share your thoughts from the event in the comments below.

[Palo Alto Networks Blog]

Big Data: Beware Comfortable Inaction

Former US President John F. Kennedy once said, “There are risks and costs to action, but they are far less than the long-range risks and costs of comfortable inaction.” He was speaking about ways to decrease antagonism among nuclear powers, but I think there’s a lesson in what he said for those of us in the business world as well. Specifically, sometimes things arise that seem risky in the short term; we’re nervous about doing them because of potential short-term risks or disruption to the organization. But when these potential downsides are weighed against the status quo (i.e., the “comfortable inaction” Kennedy was talking about), taking the short-term risk may well be the better path when viewed over a longer horizon.

This can be seen very acutely when it comes to adoption of new technologies. New technologies have the potential to be transformative to the organization—in both positive and negative ways. Positive benefits vary depending on the technology, but possible negative impacts could be disruption to business operations, potential erosion of the value of existing technology investments (for example, adopting a new technology would decrease the value of what we have in place now), and potential new technical risks as “kinks” are ironed out of the technology and organizations figure out how to safeguard usage of it.

Despite all this, pulling the trigger and adopting a new technology is often still the optimal path. Consider two hypothetical organizations competing in the same niche market. One organization implements a change that enables it to produce goods faster at lower cost; the other decides that it cannot or will not implement that same change because the short-term risks are too high. What are the logical consequences should the first organization adopt successfully?

Clearly, the organization that realized potential benefits becomes more competitive: it can satisfy more of the market, has the option to reduce price given the lower overhead, and can potentially focus attention and resources on other areas. In short, it has an edge. Even if the change carries with it some degree of potential risk initially, the potential upside trivializes the short-term downside risks by comparison.

The point I’m making here is that looking solely at the technical risks associated with a particular change misses a huge part of the equation. In evaluating the holistic risk to our organizations and making recommendations, we absolutely need to consider risks that may be introduced through adoption of new technologies, but we need to consider the risks of inaction as well. Nowhere is this more true than when it comes to Big Data analytics.

Big Data analytics is the use of advanced analytics techniques to operate on large sets of business data. This could be data derived from existing business processes and tools, data that exist independently of the organization such as social media, or new sources of data entirely. For many in the ISACA community, we know this can present risks. We know, for example, that there are privacy and security risks that can occur as a result of the adoption of big data analytics; in fact, ISACA has published quite a bit of guidance on exactly these issues. However, to evaluate risk holistically, we need to weigh these risks against the risks to the business should we choose not to adopt and adapt. Do the business gains outweigh the technical and other risks? Do the risks to competitiveness eclipse in the long term the short-term additional risk we take on? Good questions.

To help organizations answer them, ISACA evaluated Big Data Analytics—along with a number of other business trends—using a new methodology that attempts to objectively score the risk and value impacts of business trends. The goal: find a reproducible and systematic way to determine which “megatrends” have the highest value potential in light of possible technical and other risks. Much as measurements such as “signal-to-noise ratio” or “earnings-per-share” provide an objective unit of measurement that organizations can use to inform data-driven decision-making, the goal here was to find a way for organizations to systematically assess and analyze these tough questions.

Of all the trends we investigated, Big Data analytics scored the highest in terms of business value created relative to potential negative risk impact.

Now, obviously every organization is different, so your particular organization may have unique factors that impact either the risk or the value side of that equation. You’ll certainly want to examine that data point through the lens of your particular organization’s needs, circumstances and business context. That said, given that it could be so impactful, it’s almost certainly a good idea to—at a minimum—ensure that strategic discussions are taking place about the role that Big Data analytics has in your organization.

There are some key questions you should be asking about how you might use this to forward your business goals and how your competitors might be using it to gain a competitive edge. We’ve tried to distill down the most critical questions that you might want to ask in our report covering the findings from our analysis, with the hope being to provide one potential framework around which those conversations can be built and those questions can be asked.

Ed Moyle
Director, Emerging Business and Technology, ISACA

[ISACA Now Blog]

Dormant Malicious Code Discovered on Thousands of Websites

On November 3, 2015, Zscaler reported that a Chinese government website hosting the Chuxiong Archives, http://www.cxda[.]gov.cn, had been compromised and contained injected code leading to the Angler Exploit Kit. The report stated that the affected website appeared to have been remediated and cleaned within 24 hours; however, upon scanning the website using our own malicious web content detection system, we discovered that the website in fact remained compromised. At this time, we advise users not to visit the website in the near future, even though it appears to be clear of malicious code.

Based on our analysis, the malicious code injection on http://www.cxda[.]gov.cn has not been removed, but simply placed in a dormant state. After Zscaler published information regarding this compromise, we continuously scanned and monitored the compromised website, as well as other popular websites and potentially related suspicious targets. What we discovered was that many other websites had been compromised in a similar way, with the attacker able to switch the injected code between a dormant and an active state.

For this article, we chose a few of the additional compromised sites found by our malicious web content detection system and continued to scan them at high frequency. The following diagram shows the status of three of these sites over the course of a day. The markings on the top portion indicate that the site’s malicious code was active during that time slot, while the markings on the bottom portion indicate the site was benign, or dormant, during that time slot.

Figure 1

In what appears to be a technique to evade detection or analysis, the injected malicious code hides itself when the user agent or IP address of the request does not meet specific criteria. Attempts to launch requests from different combinations of IP addresses and user agent strings consistently produced different behaviors (benign vs. malicious) depending on what was sent.

During our continuous monitoring for a 24-hour period from November 11, 2015 to November 12, 2015, eight days after the Zscaler report, the Chuxiong Archives website consistently presented attacker-injected malicious content depending on the source IP and user agent. It is believed that if a user were to visit the compromised website a second time following the initial exposure to the malicious code, the site would recognize the source IP and user agent and simply remain dormant, not exhibiting any malicious behavior. This anti-analysis/evasion technique can easily create the impression that the threat has been remediated when in reality it has not.
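The monitoring described above amounts to a differential scan: fetch the same URL under several request profiles (user agent, source IP) and more than once per profile, then look for script content that is served only under some profiles or only on a first visit. The following is an added example of that defender-side check, not the detection system the post refers to. The page bodies, host names and IP addresses are constructed placeholders (RFC 5737 ranges and the `.invalid` TLD), and `constructed_fetch` stands in for a real HTTP fetch so the example runs offline.

```python
"""Differential scan for dormant (cloaked) web injections.

Added example, not the scanner described in the report. Fetch one URL under
several request profiles and several visits per profile, then report
<script> elements that do not appear in every response.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

Profile = Tuple[str, str]          # (user_agent, source_ip)
Observation = Tuple[Profile, int]  # (profile, visit number)

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample: what a scanner captured when fetching one page twice
# under each profile. Hosts and IPs are placeholders, not infrastructure
# from the report.
BASE_PAGE = (
    "<html><head><title>Archives</title>"
    "<script src='/js/site.js'></script></head>"
    "<body>Welcome</body></html>"
)
INJECTED = "<script src='http://injected-placeholder.invalid/x.js'></script>"

WINDOWS_IE_HOME = ("Mozilla/5.0 (Windows NT 6.1; Trident/7.0)", "203.0.113.10")
WINDOWS_IE_OFFICE = ("Mozilla/5.0 (Windows NT 6.1; Trident/7.0)", "198.51.100.7")
LINUX_FIREFOX = ("Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0", "192.0.2.44")
CURL_SCANNER = ("curl/7.45.0", "192.0.2.44")

CAPTURED: Dict[Profile, List[str]] = {
    # injection served once, then dormant on the revisit from the same IP/UA
    WINDOWS_IE_HOME: [BASE_PAGE + INJECTED, BASE_PAGE],
    WINDOWS_IE_OFFICE: [BASE_PAGE + INJECTED, BASE_PAGE],
    # never served to a non-targeted browser or to a scanner-like client
    LINUX_FIREFOX: [BASE_PAGE, BASE_PAGE],
    CURL_SCANNER: [BASE_PAGE, BASE_PAGE],
}


def constructed_fetch(url: str, profile: Profile, visit: int) -> str:
    """Stand-in for an HTTP fetch; returns the constructed capture."""
    return CAPTURED[profile][visit]


def scripts_in(html: str) -> Set[str]:
    """Whitespace-normalised <script> elements found in a response body."""
    return {re.sub(r"\s+", " ", s).strip() for s in SCRIPT_RE.findall(html)}


def differential_scan(url: str, fetch: Callable[[str, Profile, int], str],
                      profiles: List[Profile], visits: int = 2) -> dict:
    """Fetch under every profile/visit; report scripts that are not present
    in every response ("conditional" content) and where they were seen."""
    observed: Dict[Observation, Set[str]] = {}
    for profile in profiles:
        for visit in range(visits):
            observed[(profile, visit)] = scripts_in(fetch(url, profile, visit))
    union = set().union(*observed.values())
    everywhere = set.intersection(*observed.values())
    conditional = {
        script: sorted(obs for obs, found in observed.items() if script in found)
        for script in union - everywhere
    }
    verdict = "cloaked" if conditional else "consistent"
    return {"verdict": verdict, "conditional": conditional, "observed": observed}


def dormant_after_first_visit(observed: Dict[Observation, Set[str]]) -> Dict[Profile, List[str]]:
    """Profiles that received a script on visit 0 but on no later visit: the
    'recognise the returning IP/UA and stay dormant' behaviour."""
    by_profile: Dict[Profile, Dict[int, Set[str]]] = defaultdict(dict)
    for (profile, visit), scripts in observed.items():
        by_profile[profile][visit] = scripts
    result: Dict[Profile, List[str]] = {}
    for profile, per_visit in by_profile.items():
        later = [s for v, s in per_visit.items() if v > 0]
        if not later:
            continue
        dropped = per_visit[0] - set().union(*later)
        if dropped:
            result[profile] = sorted(dropped)
    return result


if __name__ == "__main__":
    report = differential_scan("http://example.invalid/", constructed_fetch, list(CAPTURED))
    print("verdict:", report["verdict"])
    for script, where in report["conditional"].items():
        print(script, "seen only under", where)
    print("dormant after first visit:", dormant_after_first_visit(report["observed"]))
```

A single fetch from a scanner IP with a scanner user agent would have returned the clean page here and produced a false "remediated" verdict; the signal only appears when the responses across profiles and repeat visits disagree. To use this against a live site, replace `constructed_fetch` with a function that performs the HTTP request from the given source and user agent and returns the body.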

At the time of this report, using our malicious web content scanning system, we have already discovered more than four thousand additional, similarly compromised websites globally that exhibit the same ability to be dormant or active depending on source IP and user agent. Investigations regarding this campaign on a larger scale are ongoing, and a second report detailing the similarly compromised websites will be published in the near future.


[Palo Alto Networks Blog]
