Threat Horizon: Identifying Future Trends

Threat Horizon: identifying future trends Dr Adrian Davis, MBA, MBCS, CITP, CISMP Principal Research Analyst Information Security Forum

Talk by Adrian Davis, Principal Research Analyst, Information Security Forum. Summer Course CIGTR/URJC 2011

Transcript

Page 1

Threat Horizon: identifying future trends

Dr Adrian Davis, MBA, MBCS, CITP, CISMP

Principal Research Analyst

Information Security Forum

Page 2

www.securityforum.org ISF Threat Horizon Copyright © 2011 Information Security Forum Limited 2

Agenda

The challenge

Our answer: Threat Horizon

2012...

2013...

What can I do?

Conclusion

Page 3

The Information Security Forum

And much more besides!

Page 4

THE CHALLENGE

Page 5

The world is flat...

(With apologies to Thomas Friedman)

Anything, including IT and information security, can be outsourced anywhere

Page 6

Organisations: from value chain to corporate LEGO®

• Single, vertically integrated organisation

• Did everything and provided everything

• Diverse, management-heavy operations (cost of coordination)

• Outsourcing means that organisations can assemble, break apart and reassemble themselves using different components

• Focus on core competences

• The supply chain can also be similarly reconfigured

[Figure: value chain diagram: Firm infrastructure, Human resource management, Technology development, Procurement; Inbound logistics, Operations, Outbound logistics, Sales and marketing, Service; Value]

Page 7

IT: from mainframe to commodity

• Services accessed across a network by a user at a ‘dumb’ terminal

• Multiple applications

• Multiple users

• Charged on a per-use basis

• Relentless technological innovation

• The rise of the ‘app’

• Availability, affordability, connectivity, interactivity...

Page 8

Technology: from data centre to cloudification...

• Specialised, highly specified, purpose-built facilities

• Often owned by the organisation or provided as part of an outsourcing deal

• Fairly easy to audit and monitor

• Black box – the service is bought ‘as is’

• Opportunity to specify is lower

• Your suppliers may be using the cloud

• Audit and monitoring may be very different

Page 9

Manufacturing: from in stock to just in time

• Logistics is king

• Minimal storage overhead

• Reduced shrinkage and obsolescence

• Information has to be freely shared across the supply chain

• Wasting asset – stock takes up space, time and cash

• Opportunity for shrinkage and obsolescence

• Information is concentrated in warehouses

Page 10

The information security challenge....

How do we make sure we don’t cry wolf?

Page 11

Is to predict the future…

“Heavier-than-air flying machines are impossible” (Lord Kelvin, president, Royal Society, 1895)

“I think there is a world market for maybe five computers” (Thomas Watson, chairman of IBM, 1943)

“I have travelled the length and breadth of this country and talked with the best people, and I can assure you that data processing is a fad that won't last out the year.” (The editor in charge of business books for Prentice Hall, 1957)

“This 'telephone' has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us.” (Western Union internal memo, 1876)

Increasingly, information technology is playing a pivotal role in all our lives, both at work and at home

Page 12

OUR ANSWER: THREAT HORIZON

Page 13

Why look into the future?

In order to understand how good practice should change in the future, we need to understand what threats we will face in the future and how we should respond to them.

The ISF calls this the Threat Horizon

Page 14

What is the threat horizon?

A report that...

• identifies new and changing threats that are likely to impact information security over the next 24 months

• is written for both information security and business audiences

• informs information security strategy.

Page 15

The process…

[Figure: the Threat Horizon process. Inputs: Regional meetings (ISF Members around the globe); Sector input (Finance, Manufacturing, Pharmaceutical, Services...); Expert input (WEF, OECD, Futurologists); World Congress. These feed the Threat Horizon Dataset, together with ongoing ISF research and analysis; ISF analysis then produces the Threat Horizon report.]

Page 16

Threat horizon methodology

Consider the world of the future and how this may give rise to information security threats

PLEST: Political, Legal, Economic, Socio-cultural, Technical

Page 17

2011...

Page 18

The world of 2011

A view of the business and technical trends....

PLEST: Political, Legal, Economic, Socio-cultural, Technical

Protectionism

Regional blocs

Inter-dependence

More legislation

Harsher penalties

Outsourcing

E-crime

Less R&D

Internet vs. reality

Haves vs. have-nots

Cloud grows up

Corporate vs. home

Encryption

Security vs. privacy

Home vs. office

Page 19

The information security trends of 2011

PLEST: Political, Legal, Economic, Socio-cultural, Technical

Considering the PLEST framework, several major trends emerge:

Criminal attacks

Changing cultures

Weaknesses in infrastructure

Erosion of network boundaries

Identity theft

Espionage

Tougher statutory environment

Mobile malware

Pressures on outsourcing

Page 20

Top five threats in detail

Criminal attacks

• Crimeware as a service

• Insider attacks

• Infiltration

Tougher rules

• Emphasis on privacy

• Incompatible laws

• Increasing punishment

Outsourcing / Offshoring

• More outsourcing

• Meeting compliance

• Instability of providers

Weak infrastructure

• Reduced investment

• Complexity

• Zero-day attacks

Eroding boundaries

• Cloud computing

• More connections

• Bypass of defences

Page 21

2012...

Page 22

The world of 2012

A view of the business and technical trends....

PLEST: Political, Legal, Economic, Socio-cultural, Technical

Protectionism

Government intervention

Governmental sharing

Regulation

Privacy

Over-regulation

Cloud economics

Recession legacy

E-crime economics

Blur

Digital have-nots

Cloud grows up

Mobile dominates

Mobile malware

Page 23

The information security trends of 2012

PLEST: Political, Legal, Economic, Socio-cultural, Technical

Considering the PLEST framework, several major trends emerge:

Abuse of personal & mobile devices

Changing cultures

Weaknesses in infrastructure

Erosion of network boundaries

Identity theft

Loss of communication links and power

Cyber extortion

Mobile malware

Criminal attacks and espionage

Page 24

The scenarios…. Infrastructural weaknesses

Infrastructural weaknesses

Contingency fails

The cloud becomes a fog

Who took my boundary?

• Over-reliance on Internet-only sales channels combines with poor resilience at pinch points

• Impact

  • Loss of business and increased costs

  • Reduced transaction integrity and associated fraud

  • Loss of trust in the Internet channel

  • Loss of customers to competitors who can offer an easy alternative

• Threats

  • Loss of or damage to communications links / services

  • Malfunction of computer / network equipment

Page 25

The scenarios…. Changing cultures

The mobile mainframe in your pocket

A merger of home and work-life: the avatar effect

• Increasing use of smartphones for business and personal transactions

• Increased impact from:

  • Fraud

  • Information leakage

  • Loss of integrity

• Threats:

  • Distributing computer viruses (including worms)

  • Theft of equipment

  • Disclosing important business information

  • Theft of personally identifiable information

Page 26

The scenarios…. Trends for multi-nationals

The privacy vs. security debate becomes a high profile issue

Espionage gets serious

The greening of business

Integrity is king

Threats converge

• Insufficient granularity in controls, lack of a trust model and poor compensating controls mean that the accuracy, provenance, traceability and authenticity of information are unclear.

• Impact

  • Trivial to significant.

  • Loss of trust with regulators, suppliers and customers

  • Downstream consequences to reputation.

• Threats

  • Unforeseen effect of changes to business information

  • Misusing systems to commit fraud

  • Compliance failure

Page 27

2013...

Page 28

2013 PLEST

Page 29

The world of 2013

A view of the business and technical trends....

PLEST: Political, Legal, Economic, Socio-cultural, Technical

Government intervention

State vs. State

State vs. Non-state

Breach notification

Digital human rights

Cost of resources

m-economy

Rise of Africa

Single-issue activism

Location services

4G/LTE networks

IPv6 adoption

Smart grids

Page 30

The information security trends of 2013

PLEST: Political, Legal, Economic, Socio-cultural, Technical

Considering the PLEST framework, several major trends emerge:

Data leakage

Securing the supply chain

Blended attacks

Device revolution

Data quality issues

Attacks on infrastructure

Hacktivism

Beyond cloud

New e-crime opportunities

Page 31

An overview of the threats

On the radar but not manageable

On the radar and manageable

Below the radar

Black swans

Page 32

Threats for 2013

On the radar and manageable

- Uncontrolled introduction of consumer devices

- Loss of trust / inability to prove identity and authenticate

- Loss of workforce loyalty – loss of organisational culture and knowledge

On the radar but not manageable

- State-sponsored cyber-activity

- Social media

- Embedded location services

Page 33

Threats for 2013

Below the radar

- Governmental requirements

- Co-ordinated attacks for extortion, blackmail, bribery or stock manipulation

- RFID exploits

Black swans

- Hardware back doors (low-level attacks / vulnerabilities) in chips, SCADA

- Solar activity disrupts communications globally

Page 34

Beyond the horizon

Biometrics

Embedded chips

Quantum computing

SPIT

Nano-technology

AI

New interfaces

Everyone connected to everything

Page 35

WHAT CAN I DO?

Page 36

Responding to the threat horizon

Information security controls that defend against threats are:

Often part of a wide infrastructure project (e.g. firewall, network segregation)

Sometimes difficult to justify to the business

AND

Sometimes can take years to plan and deliver

THEREFORE

We need to start to plan controls for future threats NOW!

Page 37

What do I do now? – at a strategic level

Re-assess the risks to your organisation and its information

• Inside and outside…

Change your thinking about threats

• Don’t rely on trends or historical data

Revise your information security arrangements

• Question ‘security as usual’

Focus on the basics

• That includes people, not just technology!

Prepare for the future

• Be ready to support initiatives such as cloud computing, consumerisation....

Page 38

Create a security-positive environment or culture

[Figure: a security-positive environment, built from: Security Policy; Security Awareness; Organisational Culture; Framework of Controls; Visibility of Security Function; Local Security Coordination; Leadership and Governance; Communication and Messaging. Organisational factors: Engagement and commitment. Security factors: Knowledge and know-how.]

Page 39

Manage your external suppliers

1. Identify and classify external suppliers

2. Define a baseline of information security and privacy arrangements

3. Validate external supplier information security and privacy arrangements regularly

4. Plan for the end

Managing the relationships

A: Identify and classify external suppliers

B: Agree external suppliers' security

C: Validate external suppliers' security

D: Handling termination

Page 40

Manage the cloud: the seven deadly sins

1. Ignorance

2. Ambiguity

3. Doubt

4. Trespass

5. Chaos

6. Conceit

7. Complacency

Page 41

Prepare for consumerisation

“Communication and information processing devices originally designed for personal use being used in the workplace”

• A strategic imperative

• Securing consumer / mobile devices forms the centre piece of the organisational response

• Four aspects to your response

1. Governance

2. Users

3. Devices

4. Applications and data

Page 42

CONCLUSION

Page 43

Keeping up with change

• Social environment (demographics, attitudes, cultures)

• Business environment (activities, operations, markets)

• Economic environment (credit crunch, realignment of world economy, rise of China)

• Global environment (global warming, interconnectivity, competition for resources)

• Technological environment (mobile phones, nanotechnology, pervasiveness)

ACTIONS

• Engage with the business

• Question the beliefs

• Craft a new security strategy

• Plan for uncertainty

• Prepare for change

Page 44

Information Security [email protected]

www.securityforum.org

http://uk.linkedin.com/in/adriandaviscitp/