Predictions: Android Ransomware, Mobile Banking Fraud

With mobile firmly entrenched in both the personal and work arena, cyber-criminals are stepping up attacks against smartphones and tablets.

Practically every security expert Security Watch talked to had something to say about the increasing volume of attacks against mobile devices. Android won’t be the only platform under attack; iOS, Windows Phone, and BlackBerry will be targeted too. Trend Micro estimated that malicious Android apps will reach 3 million in 2014.

What’s different about 2014 is that attackers will expand their arsenal to include new types of malware and other types of attacks against mobile devices, said Wade Williamson, senior security analyst at Palo Alto Networks. For example, attackers will also include mobile devices in their advanced persistent threat (APT) campaigns, especially since they will be able to use GPS location to pinpoint the target’s physical location.

We’ve seen USB devices used to infect computers and in 2014, we will see criminals using mobile devices to carry out attacks. For example, they can use smartphones to gain access to computers over a WiFi network, said Jason Frederickson, senior director of application development at Guidance Software. Once connected, the attacker can infect the computer and all other devices on the same network, he said.

Ransomware Goes Mobile
There will be new types of mobile malware as cyber-criminals figure out new ways to monetize attacks against mobile. Ransomware will target Android devices in 2014, said Neil Cook, CTO of Cloudmark. Ransomware such as Citadel and CryptoLocker locked up infected machines and warned users that the computer would remain unusable until they paid a ransom. CryptoLocker encrypted the data on the machine, which meant that even if the malware itself was removed, the data remained unavailable. This tactic proved to be highly effective in 2013 and will likely continue in 2014, with a few new twists.

Mobile ransomware will be slightly different from the variant targeting computers, Cook said. Most data stored on mobile devices is usually synced with some kind of cloud service—images on iCloud, contacts on Google’s Gmail servers, documents stored in cloud storage—which means locking up the data on the mobile device wouldn’t be as catastrophic as it would be on a computer.

It seems more likely that mobile ransomware will lock up the device at the hardware level, rather than targeting the data. While the data itself would be intact and users could simply re-download their apps and information onto a new device, many people may prefer to pay the ransom rather than cough up hundreds of dollars for a new device.

Mobile Banking Fraud
SMS will attract more phishing attempts, especially targeting financial accounts, Cook said. There will be an increase in SMS messages sent to business phones as part of a spear phishing attack. SMS spam will push mobile malware onto user devices, which can result in private, confidential personal and financial information being exposed.

Trend Micro also suggested that two-step verification mechanisms used in online banking will become inadequate as cyber-criminals boost their man-in-the-middle attacks against mobile devices.

“Mobile malware will become more profitable for scammers,” Cook said.

Security as a Competitive Edge
It’s not all doom and gloom for mobile. With increased focus on data protection and online privacy, smartphone manufacturers will begin to compete on security, said Paul Kocher, president and chief scientist at Cryptography Research. Instead of focusing on just phone thinness or screen size, buyers in 2014 will consider how safe the apps are, whether data would be protected, and which devices wouldn’t compromise security.

So far we’ve looked at new attack methods, changes in how the Internet works, and mobile security. Tune in tomorrow for our predictions on the future of online payments.

[Source: SecurityWatch]

Don’t Focus on Predictions: What are Your 2014 IT Security Resolutions?

‘Tis The Season For Security Resolutions, Not Predictions.

At SecurityWeek, we believe it is more important for IT security teams to focus on resolutions rather than vendor predictions that are typically self-serving. While keeping an eye on the ever-changing threat landscape is important, as we suggested in our 2013 security resolutions feature, organizations worried about what might happen should instead focus on what they can do to improve their security posture.

Keeping to tradition, SecurityWeek invited security experts to weigh in on New Year’s resolutions for improving information security and how organizations can better develop new habits in 2014.

Resolutions ranged from improving network monitoring, data center security, and understanding cloud services, to mobile security and user awareness. The common theme running through them all was the fact that organizations had to focus on the basics again, to tackle the nuts-and-bolts of security.

Back to Basics

The primary step towards keeping the enterprise “healthy” year-round is to get back to the basics, such as properly managing vulnerabilities and regularly patching systems, said Marc Maiffret, CTO of BeyondTrust. Unlike weight loss plans or promises to exercise more regularly, businesses see the benefits of adopting security fundamentals almost immediately.

Resolutions to do better don’t mean squat if the organization doesn’t know what is at stake, said Isabelle Dumont, director of product marketing of industry/vertical initiatives at Palo Alto Networks. Organizations need to know exactly what the vulnerabilities are and what they stand to lose in the event of a cyberattack.

“From healthcare and education to energy, oil and gas and transportation, companies in every vertical need to do a better job evaluating the costs and risks related to cybersecurity threats,” Dumont said.

Take Control of the Network

“Go back to the basics. Integrate your data. Automate as much as possible,” suggests Brandon Hoffman, senior director of global business development and security engineering at RedSeal Networks. Organizations have to first understand the security posture of the network infrastructure itself and then figure out how the information being collected can be used across multiple security systems. Automating some of the data collection and analysis reduces human error and improves efficiency.

For most organizations, the network infrastructure is complex, as it has morphed to support new requirements over the years. The network had “numerous architects, builders, maintenance people, and janitors all adding sections, changing walls, and fixing holes (or adding them) over the years,” Hoffman said.

Administrators have to unravel the tangled mess that is their network and make sense of what they have and what is happening. “Trying to secure the network infrastructure without understanding it is like trying to secure a building without knowing where all the doors are,” Hoffman warned.

The next step is to figure out ways to integrate security platforms to improve overall security posture. Initiatives include correlating vulnerability scan data with network infrastructure analysis to understand where vulnerabilities exist. Data can be shared across multiple platforms.

Hoffman also emphasized the importance of automating certain security tasks to reduce human error and improve efficiency. Network infrastructure security management software automates the calculation of attack vectors and correlates systems data such as vulnerability data and security information and event management system logs, but the task is “enormous,” Hoffman said.

“Network infrastructure is the key, start there,” said Hoffman.
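Hoffman’s two points above, correlating vulnerability scan data with an analysis of the network infrastructure and folding in SIEM logs, can be shown concretely. The following is an added example written for this page, not RedSeal’s or any vendor’s code. It assumes a constructed first-match firewall ruleset, a constructed set of scan findings (the `VULN-PLACEHOLDER-*` identifiers stand in for real advisories), and a few constructed firewall log lines; the `ZONE_WEIGHTS` scheme is an assumed, simple way of saying that exposure from a less trusted zone matters more.

```python
"""Correlate scan findings with a firewall ruleset and SIEM log lines to rank
which vulnerable services are actually reachable, and from where.

Added example, not any vendor's code. Every rule, finding and log line below
is constructed; the vulnerability identifiers are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed weighting: a service reachable from a less trusted zone scores higher.
ZONE_WEIGHTS = {"internet": 3, "dmz": 2, "internal": 1}


@dataclass(frozen=True)
class Rule:
    src_zone: str                   # zone the connection originates from
    dst: ipaddress.IPv4Network      # destination prefix the rule covers
    port: Optional[int]             # None matches any destination port
    action: str                     # "allow" or "deny"


# Constructed first-match ruleset; anything unmatched is implicitly denied.
RULES = [
    Rule("internet", ipaddress.ip_network("10.1.0.10/32"), 443, "allow"),
    Rule("internet", ipaddress.ip_network("10.1.0.0/24"), None, "deny"),
    Rule("dmz", ipaddress.ip_network("10.2.0.0/16"), 3306, "allow"),
    Rule("internal", ipaddress.ip_network("10.0.0.0/8"), None, "allow"),
]

# Constructed scanner output: host, listening port, placeholder id, CVSS score.
FINDINGS = [
    {"host": "10.1.0.10", "port": 443, "id": "VULN-PLACEHOLDER-1", "cvss": 9.8},
    {"host": "10.1.0.10", "port": 22, "id": "VULN-PLACEHOLDER-2", "cvss": 7.5},
    {"host": "10.2.5.20", "port": 3306, "id": "VULN-PLACEHOLDER-3", "cvss": 8.1},
    {"host": "10.2.7.33", "port": 445, "id": "VULN-PLACEHOLDER-4", "cvss": 9.0},
]

# Constructed firewall log lines in the shape a SIEM might forward them.
LOGS = """\
2014-01-05T03:12:44Z fw action=allow src=203.0.113.7 dst=10.1.0.10 dport=443
2014-01-05T03:12:51Z fw action=allow src=198.51.100.9 dst=10.1.0.10 dport=443
2014-01-05T03:13:02Z fw action=deny src=198.51.100.9 dst=10.1.0.10 dport=22
2014-01-05T04:40:10Z fw action=allow src=10.1.0.10 dst=10.2.5.20 dport=3306
2014-01-05T05:02:19Z fw action=allow src=10.2.9.4 dst=10.2.7.33 dport=445
"""

LOG_RE = re.compile(r"action=(?P<action>\w+) src=\S+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def reachable(src_zone: str, dst_ip: str, port: int) -> bool:
    """Evaluate the ruleset first-match for one (zone, host, port) triple."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule.src_zone == src_zone and ip in rule.dst and rule.port in (None, port):
            return rule.action == "allow"
    return False  # implicit deny


def count_allowed_hits(logs: str) -> Dict[Tuple[str, int], int]:
    """Count connections the firewall actually permitted, per (dst, dport)."""
    hits: Dict[Tuple[str, int], int] = {}
    for line in logs.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "allow":
            key = (m["dst"], int(m["dport"]))
            hits[key] = hits.get(key, 0) + 1
    return hits


def rank_findings(findings: List[dict], logs: str) -> List[dict]:
    """Score = CVSS x weight of the least trusted zone that can reach the
    service, plus the number of permitted connections seen in the logs."""
    hits = count_allowed_hits(logs)
    ranked = []
    for f in findings:
        exposed_from = [z for z in ZONE_WEIGHTS if reachable(z, f["host"], f["port"])]
        weight = max((ZONE_WEIGHTS[z] for z in exposed_from), default=0)
        observed = hits.get((f["host"], f["port"]), 0)
        ranked.append({
            "id": f["id"],
            "exposed_from": exposed_from,
            "hits": observed,
            "score": round(f["cvss"] * weight + observed, 1),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in rank_findings(FINDINGS, LOGS):
        print(f'{r["id"]:20} score={r["score"]:5} exposed_from={r["exposed_from"]} hits={r["hits"]}')
```

The point of the ranking is the one Hoffman makes: raw CVSS alone would put `VULN-PLACEHOLDER-4` near the top, but the ruleset shows it is only reachable from the internal zone, while the lower-scored database finding is reachable from the DMZ and has been connected to. Replacing the constructed `RULES`, `FINDINGS` and `LOGS` with exports from a real firewall, scanner and SIEM is the integration step the article describes.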

Don’t Neglect the Data Center

The data center should be part of the overall network infrastructure assessment. In recent years, organizations have largely been focused on the top layers of the IT stack, such as applications software, operating systems, storage, and networking devices, said Bob Butler, CSO of data center company IO. Assessing data center infrastructure security using penetration testing and vulnerability assessments is an important part of going back to the basics because the defenders will know what is vulnerable and the severity of the risk.

Many organizations will find their “traditional raised-floor data centers are filled with aging infrastructure of varying design that do not lend themselves easily to protection,” Butler said, noting that attackers can penetrate these aging systems relatively easily. A software-defined data center strategy will focus on standardizing hardware and using software-based intelligent controls to improve visibility into the network, Butler said.

Focus on Mobile

According to a recent survey of security professionals, 75% of respondents identified mobile devices such as smart phones as “the greatest risk of potential IT security risk within the IT environment.”

Thanks to proliferation of mobile devices, it’s no longer sufficient to focus just on the network, or the computers and servers. If your organization hasn’t addressed mobile devices yet, this is the year to tackle that question head-on. Whether the organization controls which mobile devices employees can use, or allows BYOD, it is important to come up with a strategy. Most security professionals recognize that mobile devices pose the biggest risks to the organization, but this awareness has to translate into actual policies. “Are you hiding your head in the sand when it comes to mobile security?” said Dumont.

The organization has to recognize that crimeware and fraud targeting mobile devices are just as risky to its networks and data as traditional attacks. Attackers will be able to use cellular networks to connect to command-and-control infrastructure, thus bypassing many of an organization’s network-based defenses, Dumont said. APTs targeting mobile platforms will take advantage of GPS location to pinpoint individual targets.

“Get your mobile security strategy in place,” Dumont advised.

Control Employee Access

Administrators need to exert greater control over remote access tools such as Remote Desktop, SSH, and TeamViewer, said Dumont. The applications are powerful and essential for a variety of business operations, but they are also abused regularly by attackers. “In 2014, resolve to make certain these tools are secure,” Dumont said.

“View employees as threats and monitor them as such,” says Carmine Clementelli, iNetSec product manager at Fujitsu Computer Products of America. Organizations have been so focused on external threats that they have neglected to secure their networks and data from internal abuse. The threat may come from bring-your-own-device, because IT doesn’t have control or visibility over employee activity, or because an employee decided to break the rules. Either way, organizations have to create policies and monitor employees before a costly data breach occurs.

Understanding the Cloud

Cloud providers need to “reinforce the idea that security is a shared responsibility,” and that outsourcing certain activities to the cloud doesn’t mean organizations relinquish their security obligations, said Adrienne Hall, general manager of the Trustworthy Computing group at Microsoft. Cloud providers are quick to tout the security benefits of the cloud, such as not having to worry about security updates, but neglect to mention that organizations still need to do their part, such as securing the endpoint and making sure employees are using strong passwords.

Along with a discussion about responsibilities, cloud providers and organizations need to talk about their expectations, Hall said. Cloud providers need to understand what compliance requirements the business has to follow, and organizations have to understand what security features the service plan offers, and how much these additional features would cost.

None of these conversations can happen if everyone slings around acronyms instead of specifying exactly what they are saying. Instead of getting caught up in the differences between Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), focus on what the cloud service provides the customer. For this New Year’s resolution, resolve to “avoid acronym soup when discussing cloud services,” and just talk about what the service provides and how it drives business value, Hall said. This will make cloud computing “less theoretical and more real,” she said.

Have Accountability

There is no magic pill in security, and organizations need to be diligent about staying on top of these tasks. Maiffret suggests a yearlong plan with monthly checkpoints “that force you to reflect more frequently and honestly” about what is actually being done.

“Changing your habits is never an easy thing but just imagine—had you stuck to your goals a year ago where you would be now,” Maiffret said.

[Source: SecurityWeek]

Strategic Thinking: IT Planning and Risk in 2014

In 2014, Will Your Security Team be Driving New Value, or Responding to Yesterday’s Threats? 

In the 1940s, Peter Drucker wrote that one of the keys to organizational success is to publicly commit to specific, measurable goals. It is as relevant for a high-tech software company today as it was at General Motors in the years following the end of World War II, and I challenge my staff to do so every year as we enter into our annual planning process.

The value in the exercise is in the accountability that it establishes, creating an incentive to stretch a bit further towards outcomes that drive growth and innovation. It is human nature to do what is comfortable, but to quote a somewhat more contemporary management consultant, what got you here won’t get you there. A secondary (but perhaps more important) result of public commitment to specific outcomes is that it fosters a discussion around identity and direction. If strategies and goals fail to mesh with that common vision, they can be quickly identified and set aside, without investing time and effort into activities that do not lead the company towards increased success.

As 2013 wanes, it makes sense to take a few steps back and look at the state of the cloud and how it fits into the plans our customers and friends have been sharing with us. End of year retrospectives are fairly typical — my company posted one as part of our newsletter to our customers, and I seem to receive a new one in my inbox daily — but of the ones that discuss cloud strategy, most seem to be saying the same things: the cloud is finally taking off, companies are moving their data into a hybridization of cloud platforms (such as the adoption of both Salesforce and Google Apps), and accelerated growth is to be expected.

While these may be accurate predictions, annual planning sessions offer the unique opportunity to look not only at whether cloud technologies will change your business, but, to take a page from Drucker, to also ask why and how. In articulating an IT strategy around cloud initiatives, consider some of the largest media stories in 2013, and how shortcomings in traditional technology architecture management resulted in data loss and increased risk: the Evernote password compromise in March, the access and release of thousands of federal employees’ personally identifiable information from the Federal Reserve in August, the massive credit card theft from Target’s stores in December. All played out differently, but there is a theme here: legacy system administration, where the responsibility for platform security falls to internal resources, is problematic at best.

In moving to the cloud, much of this risk can be mitigated. I have written in previous articles about the “halo effect” of cloud adoption, wherein organizations embrace a cloud platform but forget that the responsibility for managing data and account security remains on them. While not entirely true, there is a net benefit in that responsibility for infrastructure security is handled by the platform provider. Moving data from legacy server rooms into modern cloud environments means a reduction in the number of operating system patches, network security devices, and physical security safeguards against exploits that an IT team needs to manage.

Across the board, it is these core services that are most often responsible for security breaches, and it makes good business sense to allow them to be managed by a team with far more specialized experience than any generalist IT team could ever match; a single Google data center has thousands of servers, its own power and climate control systems, and a culture of secrecy so tightly interwoven into the company that even its own sales and engineering teams operate on a need-to-know basis (and most don’t, say inside sources).

We are beginning to see wider acceptance and adoption of this model, and as a result, a refocusing of IT’s goals away from solely operational tasks and increasingly towards ways to enable increased collaboration, efficiency, and organizational growth. IT is discovering that the same principles that make cloud applications so powerful can be multiplied to other areas of the business, establishing a true enterprise platform, and that their precious time and resources can be dedicated to maximizing that platform’s utility rather than maintaining it in an operational state. This is significant because it opens up a new world of possibilities in terms of collaboration and resources that were previously unavailable to a diversified workforce. Moreover, from a security perspective, they can appreciate that their attention can be spent on ensuring that their data and user base is safe, rather than responding to threats with origins in insecure software or configurations.

This shift in thinking signifies that by adopting cloud-based platforms, organizations have recognized that maintaining a large number of on-premises systems and applications is rarely a goal worth setting, and that instead of improving the organization, it often exposes increased risk and vulnerability. As we move through 2014, and as new data breaches emerge, will your teams be driving new value, or responding to yesterday’s threats?

[Source: SecurityWeek]

A Cyber Security New Year’s Resolution: Simplify Security

As the year comes to close and we look ahead to 2014, many of us turn our attention to New Year’s resolutions. Losing weight, quitting smoking or getting fit are all popular goals. But as our lives become more complex and harried, one resolution that I hear with increasing frequency is: I want to simplify my life.

Many of the world’s greatest thinkers have touted the virtues of simplicity:

Simplicity is the ultimate sophistication. – Leonardo da Vinci

Our life is frittered away by detail…Simplify, simplify. – Henry Thoreau

Life is really simple, but we insist on making it complicated. – Confucius

And this got me thinking about simplifying security. Cyber security is becoming so complicated that you could argue that complexity is one of our biggest security challenges. The evolving trends of mobility, bring-your-own-device (BYOD), cloud computing and advanced targeted attacks are driving this complexity. Today’s networks go beyond traditional walls and include data centers, endpoints, virtual and mobile. These networks and their components constantly evolve and spawn new attack vectors including: mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers and home computers.

As threats and our IT environments have become increasingly sophisticated, they’ve collided with traditional security methods that have not followed suit. Is it possible to simplify security yet increase its ‘sophistication’?

Most organizations attempt to secure these extended networks with disparate technologies that don’t – and can’t – work together. Not only are these structures difficult to manage but they create security gaps sophisticated attackers exploit with methodical approaches that leverage time, patience and nearly imperceptible indicators of compromise to accomplish their mission. We find ourselves ‘frittering away’ too many resources manually managing more and more security tools, yet breaches happen and go undiscovered for much too long.

As a cyber security professional, if you’d like to make a New Year’s resolution to simplify your approach to security while enhancing your defenses, you need a new model that is threat-centric – meaning focused on the threats themselves versus merely policy or controls. It must provide broad coverage across all potential attack vectors, rapidly adjust to and learn from new attack methods, and implement that intelligence back into the infrastructure after each attack.

Technologies that incorporate the following capabilities can help simplify security.

Visibility: To harness local and global intelligence with the right context to make informed decisions and take immediate actions. This requires the ability to tap into the power of big data analytics for better insights; open interfaces to visibility tools and real-time vulnerability-based research to proactively identify and respond to threats anywhere and anytime; and an open architecture for transparency.

Control: To consistently enforce policies across the entire network and accelerate threat detection and response. This requires an enterprise security architecture to enable unified, automated enforcement of policies from the data center, to the cloud, to the endpoint; enterprise-class, integrated policy and event management for more consistent control and better visibility into security devices; and open interfaces to control platforms to eliminate security gaps and complexities of point solutions.

Advanced Threat Protection: To detect, understand and stop targeted malware and advanced persistent threats across the entire attack continuum. This requires threat protection across the entire organization, from network to endpoint, from mobile to virtual and from email to web; and pervasive protection before, during and after attack, across more attack vectors and points of vulnerability.

Flexibility: To deploy security in a way that best fits and adapts to your changing environment. This requires it to be available in multiple form factors – physical, virtual, cloud and services depending on your business model; and open APIs to manage and support existing and evolving security infrastructure.

You can’t afford to leave gaps in protection that today’s sophisticated attackers exploit. At the same time, you can’t keep adding disparate security solutions that don’t work together. With technologies that enable visibility, control, advanced threat protection and flexibility, it is possible to simplify security and increase effectiveness. We no longer need to ‘insist’ that security must be complex. Instead, we can simplify.

[Source: SecurityWeek]

What Would Nostradamus Have Said About Cyber Security in 2014?

It’s that time of year again when everyone wants to wow you with their insights and predictions about what the next year will bring us in terms of technology and hacks in the security industry. Don’t get me wrong, always thinking ahead and applying a predictive approach to security is an idea and practice I fully endorse. However, I would like to ask the security community as a whole to please not waste our time with vagaries and statements that are so broad that they could apply to anything, and/or at the same time, nothing.

For those unfamiliar with the name or work, Michel de Nostredame, aka Nostradamus, was a French apothecary and reputed seer who published collections of prophecies that have become famous worldwide. While he is the most famous of the prognosticators, his predictions are largely panned by the scientific community as being so general as to be moldable to fit multiple scenarios and situations. His most famous of all predictions was that the world was going to end in 1994, and then again in 1998 or maybe it was 2000. No, it was definitely going to end on December 21, 2012. Well, I’m writing this in November of 2013 so I guess that didn’t quite work out the way he had envisioned after all.

The reason I bring this up is that if Nostradamus had envisioned our networked world of 2014 and had written predictions about the security challenges that existed, I’d expect them to look something like this:

– Hackers will target data in the cloud

– Attacks will continue to become more sophisticated

– Cybercriminals will be motivated by profit

– China and other nation states will remain a top security concern

– Mobile devices will be under increased scrutiny

Please raise your hand if any of these predictions have helped you shore up your security planning for 2014. Anyone? I didn’t think so. While I changed some of the wording to protect the guilty, the themes of each of these predictions were a direct pull from members of our industry. Forward-thinking and practical advice from experts is always appreciated, but we need to do a better job making constructive points in our observations.

What we need are viewpoints and recommendations based on analytics and trends in data that will point us towards actual solutions to real problems. One of the better reports published each year is the Emerging Cyber Threats Report presented by the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI). While it’s a fairly lengthy report, it is well worth your time investment as it provides analysis and trends with straightforward explanations of the types of threats we should be actively preparing to deal with in the coming years. These are the types of reports that allow companies to plan for security based upon facts, data, and the analysis of the best minds in the security industry and law enforcement.

As I’ve written about in the past, we as an industry do a great job of hyping ourselves, but a poor job of explaining what we do and how we solve problems within an organization. This needs to change. As we move into 2014 and beyond, security will continue to take on increased importance within organizations, especially those who deal in sensitive data or areas of critical infrastructure. It will need to become more tightly integrated into business planning and the CISO will need to become an agent of change within the organization.

As I’m sure you could gather from the opening portion of my article, I’m not much into predictions. A clever sound bite can’t ever be a substitute for careful analysis and years of research and development aimed at solving the industry’s most technical challenges. Despite years of heavy investment in security, none of us can stand here today and say that we are winning. At the same time, we continue to face more sophisticated foes with increasingly well-funded technology capable of delivering significant attacks on our most valuable institutions.

While I won’t make a prediction per se, I will leave you with what I consider to be a statement of fact. We in the security industry need to do better. We need to continue to advance our technology and develop new and better ways of addressing security concerns and vulnerabilities. Due to the very nature of our business we will always be playing catch-up to the hackers, but that is a challenge we need to meet. I’m not sure who said it first, but the reality remains, in the security industry, we need to be right 100 percent of the time whereas the hacker only needs to be right once. Words to live by and ones that I’m pretty sure didn’t come from Nostradamus.

[Source: SecurityWeek]
