CryptoLocker’s crimewave: A trail of millions in laundered Bitcoin

Summary: CryptoLocker has infected an estimated 250,000 victims, demands an average $300 payout, and is trailing millions in laundered Bitcoin. Dell SecureWorks’ new paper sheds light on the unstoppable ransomware.

Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each, and millions in laundered Bitcoin have been tracked and traced to the ransomware’s money runners.

Spreading like wildfire from offices to homes, it arrives in email attachments (or over infected networks) to aggressively encrypt all files on a system (including mapped drives, Dropbox files, and all locally connected, network-attached, or cloud-based storage) – while an ominous onscreen timer demands payment within 72 hours.

Mess with the files or decline to pay and forget about ever opening your files again.

To date, no one has successfully defeated CryptoLocker. The Windows-only ransomware has held rapt the attention of malware fetishists since its formal appearance in September.

The Swansea, Massachusetts police department was hit in November.

The officers paid CryptoLocker’s ransom. Police Lt. Gregory Ryan told press that his department shelled out around $750 for two Bitcoin on November 10 – even then admitting his department had no idea what Bitcoin is, or how the malware functioned.

One Bitcoin address, one million dollars in a day

Dell’s CryptoLocker report cites a Computer Science thesis from an Italian grad student who looked at a few known CryptoLocker Bitcoin payment addresses while examining BitIodine.

The thesis reported a stunning take for one CryptoLocker address on one day:

In total, we identified 771 ransoms, for 1226 BTC (approximately USD 1,100,000 on December 15, 2013).

After tracing another Bitcoin address belonging to CryptoLocker and watching it move over six million dollars they concluded, “This suggests that our estimate of their racket is very conservative.”

Dell SecureWorks released its detailed report on CryptoLocker Ransomware Wednesday, cementing what several researchers already knew about CryptoLocker’s cruelly smart extortion system.

Dell’s unwillingness in its paper to estimate precise ransom payment statistics has confused press reports thus far: many articles incorrectly report $30 million (beginning with this updated URL, now citing an obviously incorrect $300K).

On our examination of Bitcoin addresses shared by victims online, the real number is likely in the hundreds of millions.

SecureWorks admits the true payout number is “very likely many times that” which its own paper suggested.

Bitcoin is “most cheap option”

CryptoLocker is criminally simple – and strangely eloquent, if you’re a supervillain.

Dell’s researchers estimate that between 200,000 and 250,000 systems were infected globally in the first 100 days after CryptoLocker’s release.

Carbonite, a cloud backup service, was reported in November to have been dealing with “several thousands” of phone calls from CryptoLocker-infected victims, and now have a dedicated team dealing with CryptoLocker recoveries.

In research for this article ZDNet traced four bitcoin addresses posted (and re-posted) in forums by multiple CryptoLocker victims, showing movement of 41,928 BTC between October 15 and December 18.

Based on the current Bitcoin value of $661, the malware ninjas have moved $27,780,000 through those four addresses alone – if CryptoLocker cashes out today.

If CryptoLocker’s supervillains cash out when Bitcoin soars back up to $1000, like it did on November 27… Well, $41.9 million isn’t bad for three months of work.

Many victims believe that CryptoLocker briefly moved its ransom sums through Bitcoin addresses to launder the bounty; just-dice.com was repeatedly cited as a digital “mixer” point.

The malware doesn’t appear to the victim until all files are successfully encrypted (and in case you thought it was safe to proceed, you’re not: CryptoLocker periodically scans for new files).

CryptoLocker hides its presence from victims until it has successfully contacted a command and control (C2) server and encrypted the files located on connected drives.

Prior to these actions, the malware ensures that it remains running on infected systems and that it persists across reboots.

When first executed, the malware creates a copy of itself in either %AppData% or %LocalAppData%. CryptoLocker then deletes the original executable file.

Then, your files are swiftly and silently owned.

The encryption process begins after CryptoLocker has established its presence on the system and successfully located, connected to, and communicated with an attacker-controlled C2 server. This communication provides the malware with the threat actors’ RSA public key, which is used throughout the encryption process.

(…) Instead of using a custom cryptographic implementation like many other malware families, CryptoLocker uses strong third-party certified cryptography offered by Microsoft’s CryptoAPI.

By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent.

Dell’s paper suggests CryptoLocker’s puppetmasters are in Russia and Eastern Europe, with primary targets in the United States, as well as other English-speaking countries.

A “bastard and fiendish” idea

When all files have been encrypted, each victim is then presented with an ugly splash screen with an ominous countdown timer, demanding payment.

CryptoLocker honors ransom payments.

Upon submitting payment, victims’ computers no longer show the threatening countdown screen and instead see a new payment activation window.

In Dell’s words, “During this payment validation phase, the malware connects to the C2 server every fifteen minutes to determine if the payment has been accepted. According to reports from victims, payments may be accepted within minutes or may take several weeks to process.”

If you didn’t pay, you gave up your files – and any new ones you made on your system after infection. To date, no one has successfully recovered files after CryptoLocker infection – unless they paid the ransom.

CryptoLocker’s ransom amount has varied since its debut in September, but currently sits at $300 (USD) and 300 Euro – the ransom price is typically listed in cash currency, and Bitcoin.

Bitcoin instability over the past few months has prompted CryptoLocker’s masterminds to reduce the ransom to 1 BTC, 0.5 BTC, and then to where it is currently: 0.3 BTC.

At first, CryptoLocker included [two known] static bitcoin addresses for everyone who was infected. The current versions of CryptoLocker dynamically generate new bitcoin payment addresses for each infection instance.

CryptoLocker cares

In early November, CryptoLocker’s clever writers added a new feature called the CryptoLocker Decryption Service.

SecureWorks explained, “This service gives victims who failed to pay the ransom before the timer expired a way to retrieve the encrypted files from their infected system.”

Not surprisingly, CryptoLocker’s “Decryption Service” is much more expensive than the original ransom – a hefty 10 BTC.

And what if a victim’s anti-virus software deletes the CryptoLocker executable before the ransom is paid?

According to BleepingComputer’s thorough guide, CryptoLocker thought of this, too.

Rather than leave you high and dry with encrypted files, a key, and no way to unlock them, CryptoLocker detects the deletion of its executable files and shows victims a message that contains a link to a decryption tool that victims can download in case this happens.

BleepingComputer explains, “There are numerous reports that this download will not double-encrypt your files and will allow you to decrypt encrypted files.”

CryptoLocker has left such a wide swath of confused and angry victims that numerous forums have sprung up where victims have been gathering online since September to share information about their experience, offering details in hopes of helping others.

Active IT threads on sites such as Reddit (r/sysadmin, r/techsupport, others) and BleepingComputer have ended up doubling as pseudo-support networks for those under CryptoLocker’s timed gun.

After taking everything in, one Redditor was moved to remark that CryptoLocker is a “bastard and fiendish idea.”

We’re sure they got the message.

It’s widely accepted that CryptoLocker’s masterminds lurk on blogs and forums about CryptoLocker (especially this thread), and have responded to infected users’ issues, as well as “give other messages on the home page of their Command and Control servers.”

Another Redditor writes,

The malware author has responded to people in forums, helping them pay and such, and has stated that the keys are not sent out on an automated process, but selected manually by him for deletion and sending for decryption.

He keeps the keys longer than the 4 days, and will troubleshoot moneypak codes not working, and will send the decrypt key as fast as he can after he gets the money. He knows each computer that has it, and each computer gets a unique key.

Still, no one has been able to draw a bead on who might be pocketing CryptoLocker’s spoils.

Dell’s new paper looks for clues in the malware authors’ behavior patterns:

Analysis of the IP addresses used by the threat actors reveals several patterns of behavior.

The first is that the threat actors use virtual private servers (VPS) located at different ISPs throughout the Russian Federation and in former Eastern bloc countries.

The extended use of some of these hosts, such as 93.189.44.187, 81.177.170.166, and 95.211.8.39, suggests that they are located at providers that are indifferent to criminal activity on their networks or are complicit in its execution (such as so-called “bulletproof” hosting providers). The remaining servers appear to be used for several days before disappearing.

The researchers say they don’t know if the servers are disappearing because ISPs are terminating CryptoLocker’s service, or if it’s because CryptoLocker’s crimewave gang prefers to stay a moving target.
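The two concrete detection handles the article gives a defender are the fifteen-minute C2 check-in during the payment validation phase and the three long-lived C2 hosts named in the Dell paper. The following Python is an added example, not ZDNet’s or Dell SecureWorks’ code, that runs both checks over a handful of constructed proxy log lines (the log format is our own assumption; the addresses 93.189.44.187, 81.177.170.166 and 95.211.8.39 are the ones quoted above). It flags a client/server pair either because the destination is a known C2 address or because the request gaps are regular and close to 900 seconds.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# C2 hosts quoted from the Dell SecureWorks paper in the article above.
KNOWN_C2 = {"93.189.44.187", "81.177.170.166", "95.211.8.39"}

# Assumed proxy log layout: "<ISO timestamp> <src> -> <dst>:<port> <method> <path> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}):(?P<port>\d+) "
)

# Constructed sample lines (not real traffic): one host checking in every ~15 minutes,
# one host browsing irregularly to a TEST-NET address, one host with only two contacts.
SAMPLE_LOG = """\
2013-12-18T10:00:02Z 10.0.0.5 -> 93.189.44.187:80 POST / 200
2013-12-18T10:15:05Z 10.0.0.5 -> 93.189.44.187:80 POST / 200
2013-12-18T10:30:01Z 10.0.0.5 -> 93.189.44.187:80 POST / 200
2013-12-18T10:45:07Z 10.0.0.5 -> 93.189.44.187:80 POST / 200
2013-12-18T11:00:03Z 10.0.0.5 -> 93.189.44.187:80 POST / 200
2013-12-18T11:15:04Z 10.0.0.5 -> 93.189.44.187:80 POST / 200
2013-12-18T09:12:00Z 10.0.0.7 -> 198.51.100.20:443 GET /index.html 200
2013-12-18T09:14:30Z 10.0.0.7 -> 198.51.100.20:443 GET /news 200
2013-12-18T10:40:00Z 10.0.0.7 -> 198.51.100.20:443 GET /news 200
2013-12-18T10:41:10Z 10.0.0.7 -> 198.51.100.20:443 GET /about 200
2013-12-18T12:05:00Z 10.0.0.7 -> 198.51.100.20:443 GET / 200
2013-12-18T13:00:00Z 10.0.0.9 -> 81.177.170.166:80 POST / 200
2013-12-18T13:15:00Z 10.0.0.9 -> 81.177.170.166:80 POST / 200
this line is deliberately malformed and must be skipped
"""


def parse(lines):
    """Group request timestamps by (source, destination); unparseable lines are skipped."""
    pairs = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        pairs[(m["src"], m["dst"])].append(ts)
    return pairs


def beacon_score(times, expected=900, tolerance=0.1, min_events=4):
    """Describe the regularity of a request series; None if there are too few events.

    'regular' is true when the median gap is within `tolerance` of `expected` seconds
    and the gaps themselves vary by no more than `tolerance` of the median.
    """
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    jitter = statistics.pstdev(gaps) / median if median else float("inf")
    regular = abs(median - expected) <= expected * tolerance and jitter <= tolerance
    return {"events": len(times), "median_gap_s": median, "jitter": round(jitter, 3), "regular": regular}


def analyse(lines):
    """Return one finding per suspicious (src, dst) pair with the reasons it was flagged."""
    findings = []
    for (src, dst), times in parse(lines).items():
        reasons = []
        if dst in KNOWN_C2:
            reasons.append("known CryptoLocker C2 address")
        score = beacon_score(times)
        if score and score["regular"]:
            reasons.append(
                f"regular ~{score['median_gap_s']:.0f}s check-in over {score['events']} requests"
            )
        if reasons:
            findings.append({"src": src, "dst": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(f"{finding['src']} -> {finding['dst']}: {'; '.join(finding['reasons'])}")
```

The interval check is the more durable of the two: the page itself notes that most C2 servers disappear after a few days, so an address list ages quickly, whereas a client that contacts the same host every fifteen minutes for hours stands out whatever the address is. Two contacts are not enough to call a beacon, which is why the third host is reported only on the address match.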

Tell mom and dad not to open every damn email attachment

SecureWorks reports that the first wave of infection was through targeted emails with attachments, and this appears to remain a common vector.

The attachment, most of the time, is a .zip with a .PDF inside, which is actually an executable (.exe).

The flawless malware spread out of office networks, and currently targets home computer users as well.

Dell’s researchers noted that peer-to-peer (P2P) CryptoLocker infections began to appear in early October.

On October 7, 2013, CTU researchers observed CryptoLocker being distributed by the peer-to-peer (P2P) Gameover Zeus malware in a typical pay-per-installation arrangement. In this case, Gameover Zeus was distributed by the Cutwail spam botnet using lures consistent with previous malware distribution campaigns.

(…) Attached to the message is a ZIP archive containing a small (approximately 20KB) executable using a document extension in the filename and displaying an Adobe Reader icon. This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families including CryptoLocker.

(…) As of this publication, Gameover Zeus remains the primary method of distributing CryptoLocker.
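Both descriptions of the lure above come down to the same trick: a ZIP attachment whose member carries a document extension (or a document name followed by a hidden .exe) but is really a small Windows executable. The Python below is an added example, not code from ZDNet or Dell SecureWorks, that unpacks an archive in memory and flags members on three signals: an executable extension, a document-style double extension, and a document extension sitting on top of the PE `MZ` header. The archive it scans is constructed inline (two lures, one harmless file); the ~64KB "small PE" threshold is our own generalisation of the approximately 20KB downloader the paper describes.

```python
from __future__ import annotations

import io
import zipfile

# Extensions that make an attachment look like a document to a casual reader.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
# Extensions Windows will execute directly when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Every DOS/Windows PE image starts with these two bytes.
PE_MAGIC = b"MZ"


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP with two lures and one harmless file (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Lure 1: double extension; Explorer hides ".exe", so the user sees "Payroll Report.pdf".
        zf.writestr("Payroll Report.pdf.exe", PE_MAGIC + b"\x90" * 20_000)
        # Lure 2: document extension only, but the content is a PE image.
        zf.writestr("complaint.PDF", PE_MAGIC + b"\x00" * 20_000)
        # Harmless member.
        zf.writestr("readme.txt", b"plain text, nothing to see here")
    return buf.getvalue()


def classify_member(name: str, head: bytes, size: int) -> list[str]:
    """Return the reasons a ZIP member looks like a disguised executable (empty if none)."""
    reasons: list[str] = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + part for part in base.split(".")[1:]]
    last = exts[-1] if exts else ""
    looks_like_pe = head.startswith(PE_MAGIC)

    if last in EXEC_EXTS:
        reasons.append("executable extension")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("document-style double extension")
    elif last in DOCUMENT_EXTS and looks_like_pe:
        reasons.append("document extension but PE (MZ) header")

    # The downloader described in the article is only ~20KB; a tiny PE is worth noting.
    if looks_like_pe and size < 64 * 1024:
        reasons.append(f"small PE image ({size} bytes)")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)  # only the magic is needed, not the whole member
            reasons = classify_member(info.filename, head, info.file_size)
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(why)}")
```

Reading the first two bytes rather than trusting the name is the point: the extension is chosen by the sender, the `MZ` header is not. A mail gateway rule built on this would quarantine both lures while passing the text file untouched.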

Dell’s report explains that the first email wave, targeted at businesses, lured clicks by addressing professionals to notify them of a formal complaint. But outside of Dell’s paper, victims report CryptoLocker emails coming from spoofed Xerox email addresses, emails about resumes, and a commonly cited subject line is “Payroll Report.”

Mine came from a business source we deal with that had an attachment labeled “stores parts.zip” and a title of “Sent by email: stores parts.zip” –wisdom_and_frivolity

The SecureWorks paper brought together much of what has already been written about CryptoLocker, tied together a number of threads, and provides a solid marker moving forward.

Now, if only Dell products were coded with the maddening target-objective mindset and frightening efficiency of CryptoLocker…

[Source: ZDNet]

How to be notified that your password has been stolen

Summary: Now you can be contacted if your email address appears in any new, publicly-released data breaches.

About a month ago I told you about have i been pwned?, a new site at which you could learn if your email address was included in one of several large data breaches.

The main improvement that needed to be added to the site, as its creator Troy Hunt himself acknowledged, was a notification service to allow users to enter an email address and be notified in the future if their address appeared in any databases added to the service. Troy has now added the notification service.

haveibeenpwned.com allows you to check whether an email address is in one of several publicly-released databases of breached email addresses, with a total of 154 million email addresses. Troy says the site has been wildly popular and that the number one request, by far, was for a notification service.

When you click “Notify me if my address gets pwned in the future” you are presented with the screen below. If you have searched on an email address already, it is pre-populated in the field. You must then fill in a CAPTCHA (this is unfortunately necessary for several reasons) and click “notify me of pwnage”.

The service then sends a confirmation email to the address entered. Click the verify link in the email and you are registered for notifications. Troy provided this sample notification email:

It’s still a free service, which is good, but note that this is not his day job. In fact, it’s costing him some money, but not much: “less … than what I spend on coffee…” So he sees no reason to charge for it, but if there is another major breach and he’s busy, you should not expect him to load the database and send notifications immediately. Troy wrote the site, in part, as an exercise in learning to program Windows Azure services, and he says it’s a good demonstration of how powerful services can be built and operated inexpensively on Azure.

Next on Troy’s roadmap: domain-wide verifications. You can be notified if any address in a domain is in a database. A more stringent verification process of some kind will be necessary, since he needs to know that the person receiving notification for example.com is actually authoritative for that domain.
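The confirmation link above is a standard double opt-in, and the domain-wide case on the roadmap differs mainly in what the verified token asserts. As an added illustration (not Troy Hunt’s code and not how haveibeenpwned.com is implemented), the following Python issues an HMAC-signed, expiring verification token bound to a scope, so a token mailed to one address cannot be replayed to claim notifications for a whole domain; `SERVER_SECRET`, the scope names and `verification_link` are assumptions of this example.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumed: a per-deployment secret loaded from configuration. It is generated here so
# the example runs stand-alone; a real service must persist it, or tokens die with the process.
SERVER_SECRET = secrets.token_bytes(32)

# Two verification scopes: a single mailbox, or every address under a domain.
SCOPE_ADDRESS = "address"
SCOPE_DOMAIN = "domain"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(subject: str, scope: str, ttl_s: int = 24 * 3600, now: float | None = None) -> str:
    """Issue a signed, expiring token that binds a subject (email or domain) to a scope."""
    exp = int((time.time() if now is None else now) + ttl_s)
    claims = {"sub": subject.strip().lower(), "scope": scope, "exp": exp}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(mac)


def verify_token(token: str, expected_scope: str, now: float | None = None) -> str | None:
    """Return the verified subject, or None if the token is forged, expired or for another scope."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = b64url_decode(payload_b64), b64url_decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected_mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison, done before any attacker-controlled JSON is parsed.
    if not hmac.compare_digest(expected_mac, mac):
        return None
    claims = json.loads(payload)
    if claims.get("scope") != expected_scope:
        return None  # an address-level token must not unlock domain-wide notifications
    if claims.get("exp", 0) < (time.time() if now is None else now):
        return None
    return claims["sub"]


def verification_link(base_url: str, token: str) -> str:
    """The link placed in the confirmation email (base_url is a placeholder)."""
    return f"{base_url}/verify?token={token}"


if __name__ == "__main__":
    token = make_token("Alice@Example.com", SCOPE_ADDRESS)
    print(verification_link("https://notify.example", token))
    print("address verifies as:", verify_token(token, SCOPE_ADDRESS))
    print("same token as domain:", verify_token(token, SCOPE_DOMAIN))
```

The scope check is what separates the two products: the domain token is only as trustworthy as the channel it is sent through, which is exactly the open question the article raises about proving someone is authoritative for example.com. The token mechanics above settle integrity and expiry; they do not settle who should receive the domain-level link.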

About 

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years.

[Source: ZDNet]

Blame Silicon Valley for the NSA’s data slurp… and what to do about it

Comment Widespread ridicule has greeted the announcement that eight giant technology companies led by Google and including Facebook and LinkedIn were going to save us from the NSA.

The ridicule is thoroughly justified, for trusting giant corporations – whose business models rely on selling your identity to advertisers – to safeguard your privacy is like hiring a kleptomaniac to guard the sweet shop.

Thirty years after the Khmer Rouge declared war on “the Garden of the individual”, Silicon Valley was lauding the collective “hive mind” while stealthily dismantling the rights that protect the individual.

Both practically and philosophically, today’s giant web corporations are incapable of defending you – and how can they, when they don’t really accept that the individual really exists? In Silicon Valley, the individual is merely a phantom: a collection of patterns, or a node secreting data into one of its giant analytical processing factories.

Before we can understand why tech/media companies can’t protect the individual, and why their “solutions” are impoverishing us, let us remind ourselves what’s happened. We need to see how complicit the data business was with the behaviour of the intelligence agencies.

Spooky action at a distance

Edward Snowden’s revelations confirmed that 20 years after it was opened to the public for commercial access, the internet is subject to the same casual warrant-free surveillance as the circuit-switched telephone network. Fantasies that the internet would put us beyond the reach of the spooks turned out to be just that: fantasies. Only a fraction of Snowden’s material has been released, and much of it is banal: spies spy on foreign powers, for example. But the material did confirm that the physical infrastructure of packet communication is completely compromised, and security backdoors are apparently commonplace.

This week’s disclosures in Der Spiegel confirmed the lack of protection. Spiegel did not draw from the Snowden cache in its report, which details alleged offensive capabilities of the NSA’s Office of Tailored Access Operations (TAO).

According to the German magazine’s report, TAO’s operations range from Q-Branch-style custom hardware to directed hacks on suspected individuals, networks and infrastructure. It would be naive to think this didn’t already go on, given the capabilities of Russian and Chinese cyber-warfare teams against political and industrial targets. The sophisticated Stuxnet malware, believed to be a joint US-Israeli effort, was constructed to disable control systems in Iran’s nuclear fuel processing plant.

Yet at least the NSA is subject to democratic scrutiny. Technology companies are not. The scrutiny of the NSA may have been supine and ineffective, thanks to senators including Democrat grandee and chair of the Senate Intelligence Committee Dianne Feinstein – but the structure is there to provide better oversight.

The Great Data Slurp

What I find far more disturbing than anything in Snowden’s cache is the fact that Silicon Valley’s internet companies have been complicit in denuding citizens of the privacy an individual requires to be an individual.

Firstly, these companies are a data acquisition industry. They hired the best engineers and mathematicians of their generation and set them about creating a kind of derivatives bubble of inferred human behaviour. The gimmicky gadgets we feature – Android phones and Google Glasses – are simply subsidised data-capture devices. I am doubtful there is as much value in this data as the hypesters want us to believe – because economists always put more store by “revealed preferences” – what you actually spend on a good – than by second guessing what you might spend.

Far from being bold and “disruptive”, Google and Facebook appear to be deeply conservative companies that seem loath to stray from their comfort zones. They’d prosper from helping other industries build transaction-based markets, which makes the inferral analytics less important than traditional business skills. Why don’t they go there? Perhaps the nerds who run these web companies fear being smaller fish in a bigger pond.

Yes, I like cat videos. What’s it to you?

However, if there is value in this data they capture, then we are giving it away too cheaply. New elites prosper on the back of this. This prompted Jaron Lanier to suggest that we charge them for it, receiving a micropayment when an ad is clicked. There are two drawbacks in Lanier’s suggestion. One is that it relies on micropayments, which only ever work in aggregate amounts – discrete micropayments are too expensive to process. The second, rather larger problem, is that there isn’t enough money there in the first place.

So, instead of conducting a real transactional business, or helping other people make operational IT efficiencies, they’ve created a ghost world of their own instead, in which we’re the product. This required a public relations effort to try to persuade us we don’t have any property rights over our data, anyway.

While you were out fighting SOPA, we left you this note

One of the most ironic sights of 2013 was seeing the fugitive Snowden open up a laptop emblazoned with stickers for the EFF, the Electronic Frontier Foundation. The EFF is just one of many groups that receives money from the technology industry – with Google leading the handouts – waging a ceaseless war on the individual’s digital rights, while claiming to defend them.

These groups also loudly claim to be privacy watchdogs – yet have turned their meek protest into a funding activity. And guess who’s doing the funding? When Google and Facebook settled their respective Buzz and Beacon privacy lawsuits, the biggest beneficiaries were not individuals but “organizations that are currently paid by [Defendant] to lobby for or to consult for the company” thanks to a quirk called cy-près. The EFF and ACLU each bagged $1m from the settlement, which for the EFF was more than it raised in donations. And it has some pretty wealthy donors.

So the poachers are paying off the gamekeepers.

The web giants have also paved the way for the NSA by driving a bus through legal loopholes. For example, The Washington Post reported how the NSA justified its infrastructure interceptions by arguing it wasn’t really doing interception.

The distinction is between “data at rest” and “data on the fly.” The NSA and GCHQ do not break into user accounts that are stored on Yahoo and Google computers. They intercept the information as it travels over fiber optic cables from one data center to another.

Sound familiar?

It should do, as it was the same argument Google used when it launched Gmail in 2004. Google was reading your email because it wanted to inject advertisements based on your private communication. So it sought to redefine “reading” as “not actually reading”. Here’s what security expert Mark Rasch predicted at the time.

Google will likely argue that its computers are not ‘people’ and therefore the company does not ‘learn the meaning’ of the communication. That’s where we need to be careful. We should nip this nonsensical argument in the bud before it’s taken too far, and the federal government follows… Imagine if the government were to put an Echelon-style content filter on routers and ISPs, where it examines billions of communications and ‘flags’ only a small fraction (based upon, say, indicia of terrorist activity). Even if the filters are perfect and point the finger only at completely guilty people, this activity still invades the privacy rights of the billions of innocent individuals whose communications pass the filter. Simply put, if a computer programmed by people learns the contents of a communication, and takes action based on what it learns, it invades privacy.

So what’s to be done?

Why any Silicon Valley ‘bill of rights’ will guarantee you never have any

Well, you can adopt DIY crypto tools, and try to teach your neighbour to use them. But most will give up long before they’re proficient in them – which means affordable powerful legal tools for the individual to exercise against government and corporations are vital. Laws and procedures that recognise the individual as sovereign, the supreme owner of the data, of digital objects or things. The individual would then have contractual relationships with companies and governments, as need be. In other words, property rights that allow every individual to assert where their property is used and for how long. This has a name: habeas data.

And the very good news is these powerful individual legal rights to assert ownership and usage over stuff we create are already here. They’re called intellectual property laws. And now you can begin to see why technology companies have lobbied so hard and furiously to weaken them, particularly by weakening copyright. This is a classic misdirection. Invent a bogeyman, and divert the people’s attention to fighting it, while you quietly steal their rights. Try and persuade people they’re not rights at all, but restrictions on freedom. Lobby governments to make those rights ineffective. And if that fails, weaken the ability of the individual to get access to justice in enforcing those rights.

Alas, I expect lots of windy rhetoric about a “bill of rights”, in which web giants would promise to never, ever abuse your privacy… unless you allowed them to in a 94-page click-through contract. A government-blessed privacy right would be little more use, particularly as these things contain acres of exceptions that render the rights meaningless. (Example: ECHR Article 10, supposedly guaranteeing freedom of speech. Except when the shit hits the fan – and you don’t have any.)

Because the web industry has spent 20 years fighting the application of individual property rights to digital things, like data, we can expect it to fight very hard for a meaningless set of “rights” that don’t protect your privacy. Through campaigns branded with the over-used phrase “open data”, the web industry has even persuaded governments to give away potentially lucrative data for nothing, without a penny being returned to the investor: the taxpayer. Yet without being able to assert property-ish rights (rights that exclude others), you’ll never have any privacy.

The way forward should not be as complicated as you might fear. First we need to recognise the web industry with its “siren servers” isn’t our friend, or any defender of the individual – and that’s already happening, I think. It’s apparent with every feature on Google Glass. Then we can begin to assert that we own everything we produce, extending copyright rights and practice to our own data. Only then will the giant web companies – who have lots of positive things to contribute – realise that they need to show respect to the individual, too. The “collective externalised mind” is its own form of tyranny.

Is it too much to ask? We’ve seen a concerted effort to grant legal rights to trees and rivers – with lawyers ventriloquising on their behalf. If trees can gain rights, why must we lose ours? ®

[Source: The Register]

Planning for Network Security In 2014

As we approach the end of the calendar year, a variety of predictions on information security and network security trends for 2014 will take place. While there may be some interesting trends being proposed, what may be more helpful as you prepare for 2014 are the practical ways to plan for network security, particularly network security best practices associated with strategic IT initiatives, how to balance security risks with benefits to the business, and determining the right requirements to look for in vendors.

Let’s start with the IT initiatives that are important for 2014…

Network Segmentation

Planning for network segmentation used to be easy. The bad guys – attackers and hackers – were on the outside of the network. The good guys were on the inside, i.e. internal employees connecting to the network and accessing data center applications on managed devices (access was primarily via wired Ethernet connections on IBM PCs, remember? Macs weren’t even allowed).

Segmentation in the network generally focused around compliance. For example, ensuring only a subset of employees was allowed to access confidential information such as credit card holder information (PCI). Network segmentation methods included network isolation methods like VLANs and switch ACLs, along with a pair of stateful firewalls that would provide the checklist for the firewalling requirement in PCI-DSS or equivalent. Simple enough, right?

Globalization changed all this by transforming the way we fundamentally do business. It created interdependencies on global supply chains and multinational partners, expanded global economic interactions with many “countries of interest”, and enabled the movement of people, goods and information. Users now consist of mobile employees, partners or contractors on a variety of different devices, doing business with technology and manufacturing partners, collaborating with new acquisitions, and accessing applications that are virtualized in global data centers.

What happens to network segmentation then? The Zero Trust network segmentation architecture – one that inspects and logs all traffic all the time, strictly enforces access control on a need-to-know basis and ensures all resources are accessed in a secure manner – is the right model. Planning in 2014 will need to focus on how to create distributed boundaries of Zero Trust in a manner that minimizes the impact to the network, but provides the most visibility and protection against next-generation threats.

Cloud and Software Defined “Anything”

I’ve lumped cloud computing and software defined “anything” in the same category, because in many cases the implementation of software defined data centers or software defined networks is intended to deliver dynamic, programmable and more automated networks for application delivery.

In 2014, your cloud computing choices have expanded. The announcement of the general availability of the Google Compute Engine cloud provides additional options for Infrastructure-as-a-Service. However, the Snowden leaks about NSA spying on Google, Yahoo and Facebook servers by tapping into fiber optic lines have dampened public cloud enthusiasm. According to various reports, there is growing reluctance to engage cloud service providers due to Snowden’s leaks about the integrity of U.S.-based data center infrastructures.

The alternative then is to augment public cloud deployments with a robust private cloud, or move towards a private cloud only model. Numerous technologies from VMware and Cisco are available to build private clouds, for example, a software defined data center utilizing VMware NSX network virtualization technologies or a more hardware-centric SDN architecture approach with Cisco’s Application Centric Infrastructure (ACI).

For security-conscious organizations, a hybrid model is possible – where certain applications and services are offloaded to public clouds, but critical services such as internal research and development, financial data and customer data are only allowed to reside within private cloud boundaries.

In 2014, you will need to plan for and evaluate these new approaches to networking and data center design. What are the security features integrated into these architectures? Is it possible to implement a consistent network security framework across private and public clouds?

Mobility and BYOD

Mobility and BYOD continue to be one of the biggest challenges for security organizations worldwide, and increasingly so in 2014. Mobile device use cases are so vast, and the conditions for securing devices on a user or enterprise basis can be so diverse, that designing the right enterprise mobile security solution can be very challenging. For the longest time, enterprise mobile security architectures have focused on a range of options – extending legacy technologies like VPN to mobile devices, using technologies like VDI or containers to compartmentalize application and data access, or using technologies like MDM that focus more on managing mobile devices.

In 2014, planning will be focused on architecting a comprehensive, integrated solution that can deliver all the pieces necessary to secure a variety of mobile devices, managed and unmanaged—managing the device, protecting the device and controlling the data. The solution must deliver the balance between what the user wants and what the business needs. It should be balanced towards the applications the user accesses, the data they need, and the user’s acceptance on the levels of security required to access confidential data/applications.

Summary

In a series of articles that follow this overview, I will address each of the strategic IT initiatives outlined above and provide the network security framework for each of them. Did I miss any you believe are important? Send me a tweet @danelleau before my next @SecurityWeek column.

Danelle Au manages data center and service provider solutions at Palo Alto Networks. She brings more than 10 years of product and technical marketing experience in the security and networking market. Prior to Palo Alto Networks, Danelle led the product management and strategy efforts at Cisco for the TrustSec network access control solution and ASA 5500 Adaptive Security Appliance platforms. She was also co-founder of a high-speed networking chipset startup. She is co-author of an IP Communications Book, “Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office” and holds 2 U.S. Patents.

[Source: SecurityWeek]

Risk Management: A Look Back at 2013 and Ahead to 2014

According to Yo Delmar, vice president of MetricStream, 2013 has been witness to extraordinary change. We are living and doing business in an increasingly global, mobile, social and Big Data world, fraught with new risks and complex regulations. As such, individuals and organizations are struggling to keep pace.

In response to greater uncertainty, complexity and volatility throughout 2013, we’ve seen increased convergence and alignment among internal teams, including IT, security and the business. As a result, organizations are better poised to provide the context for communicating risks. We’ve also seen the business ecosystem evolve to include geographically diverse vendors and third parties; as a result, organizations must continue to view these entities as part of the organization itself and manage them in a tighter, more integrated way.

Organizations have also moved away from doing IT and security operations on an ad-hoc basis, taking on a formal and structured approach that is more aligned with business priorities. Lastly, 2013 saw the continued emergence of new and innovative online, wireless and mobile technologies, requiring organizations and IT departments to get ahead of the bring-your-own-device (BYOD) trend, especially as employees continue to move away from corporate devices with some personal usage, to personal devices with significant corporate usage.

It is important that we reflect on some of these key trends in 2013, especially as we look ahead to 2014. The year ahead will require even stronger risk management, with an increased focus on leveraging social media to drive situational awareness. Organizations will need to focus more of their efforts on continuous monitoring, also leveraging security and risk analytics based on IT and security Big Data.

Organizations that focus their efforts in a thoughtful, methodical and analytical way will be poised to keep pace, and stay ahead of change and complexity in order to drive strong business performance and sustainable value to the organization and its key stakeholders.

Growing convergence among IT, security and the business: The landscape of risk and compliance continues to evolve, as organizations are asked to manage their IT risk and compliance activities far beyond that of basic audit and compliance requirements of the past. As new technologies bring their own set of unique risks, there is a growing disconnect among internal audit, security, compliance and the business on what it means to build, manage and lead a truly safe, secure and successful business.

As a result, we are seeing more focused efforts when it comes to getting these groups on the same page by building a common risk language, as well as a discussion framework to enable cross-functional collaboration. Doing so can set the context for communicating risks in a way that drives more effective governance and decision-making across the board of directors, executive management team and each respective business function.

Focus on managing third-party IT and security risks: Organizations have become even more hyper-extended, and are relying more extensively on third parties, including cloud-based service providers, which form part of their business ecosystem, hold sensitive or regulated information, and run critical business processes. Today, organizations can’t afford to ignore these third parties. Lack of strong oversight can result in a security breach or service disruption with significant business and reputational impacts on the organization. In 2013, we saw organizations become more proactive in managing their third-party risks, and in ensuring that all of their third-party managed data and operations are available, compliant and secure.

Movement toward risk-based security operations management: 2013 saw an increased shift from doing IT and security operations (secops) on an ad-hoc basis to a more structured approach that is genuinely aligned with business priorities. This level of risk-based security management (RBSM) allows secops teams to communicate the context of security risks effectively to senior management, and enables a risk-based prioritization of security initiatives so that resources are used as effectively and efficiently as possible.

Bring your own device (BYOD) and mobile device risk management: More and more critical businesses and operations are supported by online, wireless and mobile technologies. We are seeing employees moving away from corporate devices with some personal usage, to personal devices with significant corporate usage. The threats that come with this trend include possible corporate data leaks, device thefts and misuse.

Corporate IT departments have begun to understand, plan and build strategies around mitigating and managing these risks so that the benefits of BYOD can be realized. This requires more robust corporate policies, tighter controls in the context of controlling applications and data, and defining user behavior. While many organizations have secured the data on the device, they have not secured the physical device itself. Lingering questions surrounding personal privacy infringement have yet to be answered.

Focus on continuous monitoring in risk management: Security and IT teams understand that near real-time monitoring of threats, vulnerabilities and potential exposures is becoming table-stakes for effective risk management. Many regulations and standards, such as PCI DSS 3.0, ISO 27001, ISO 22301, NERC CIP 5 and NIST CSF have and will continue to be updated with more effective approaches to risk management, based on continuous monitoring. Security and compliance teams need to be prepared for these updates, not only with technologies, but also by driving processes and people skills to another level of maturity in order to effectively implement these new lines of defense.

Security and risk analytics based on IT and security Big Data: Security analytics and metrics are as important to the business as any other key performance indicator such as liquidity, cash flow, or growth in sales or revenue. In 2014, boards of directors and executive leadership teams will demand that key security analytics and metrics be included in the operational risk portfolio. This will put the onus on security teams to provide the analysis and insights that give management the risk intelligence they need to drive better performance.

Leveraging social media to drive situational awareness: Security and business continuity management teams will continue to tap into the power of social media to learn from, and respond more effectively to, unfavorable incidents. Technology solutions can provide the capabilities to mine social media feeds, and to provide crisis updates from a variety of sources such as Google Crisis Maps, Twitter, Facebook and more. This social media intelligence can be further correlated with organizational assets and risks to determine the impact of a crisis on the business. Pre-designed workflows can be triggered based on this analysis in a way that best manages the financial, operational and reputational impact of the incident.

[Source: ITBusinessEdge]
