Threat Horizon: Identifying Future Trends (original Spanish title: El horizonte de las amenazas: identificando futuras tendencias)
Threat Horizon: identifying future trends
Dr Adrian Davis, MBA, MBCS, CITP, CISMP
Principal Research Analyst
Information Security Forum
www.securityforum.org ISF Threat Horizon Copyright © 2011 Information Security Forum Limited 2
Agenda
• The challenge
• Our answer: Threat Horizon
• 2012...
• 2013...
• What can I do?
• Conclusion
The Information Security Forum
And much more besides!
THE CHALLENGE
The world is flat... (with apologies to Thomas Friedman)
Anything, including IT and information security, can be outsourced anywhere.
Organisations: from value chain to corporate LEGO®
Value chain:
• Single, vertically integrated organisation
• Did everything and provided everything
• Diverse, management-heavy operations (cost of coordination)
Corporate LEGO®:
• Outsourcing means that organisations can assemble, break apart and reassemble themselves using different components
• Focus on core competences
• The supply chain can also be similarly reconfigured
[Diagram: value chain with the activities firm infrastructure, human resource management, technology development, procurement, inbound logistics, operations, outbound logistics, sales and marketing, and service, producing value]
IT: from mainframe to commodity
Mainframe:
• Services accessed across a network by a user at a ‘dumb’ terminal
• Multiple applications
• Multiple users
• Charged on a per-use basis
Commodity:
• Relentless technological innovation
• The rise of the ‘app’
• Availability, affordability, connectivity, interactivity...
Technology: from data centre to cloudification...
Data centre:
• Specialised, highly specified, purpose-built facilities
• Often owned by the organisation or provided as part of an outsourcing deal
• Fairly easy to audit and monitor
Cloud:
• Black box – the service is bought ‘as is’
• Opportunity to specify is lower
• Your suppliers may be using the cloud
• Audit and monitoring may be very different
Manufacturing: from in stock to just in time
In stock:
• Wasting asset – stock takes up space, time and cash
• Opportunity for shrinkage and obsolescence
• Information is concentrated in warehouses
Just in time:
• Logistics is king
• Minimal storage overhead
• Reduced shrinkage and obsolescence
• Information has to be freely shared across the supply chain
The information security challenge....
How do we make sure we don’t cry wolf?
The information security challenge.... is to predict the future…
“Heavier-than-air flying machines are impossible” (Lord Kelvin, president, Royal Society, 1895)
“I think there is a world market for maybe five computers” (Thomas Watson, chairman of IBM, 1943)
“I have travelled the length and breadth of this country and talked with the best people, and I can assure you that data processing is a fad that won't last out the year.” (the editor in charge of business books for Prentice Hall, 1957)
“This 'telephone' has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us.” (Western Union internal memo, 1876)
Increasingly, information technology is playing a pivotal role in all our lives, both at work and at home.
OUR ANSWER: THREAT HORIZON
Why look into the future?
In order to understand how good practice should change in the future, we need to understand what threats we will face in the future and how we should respond to them. The ISF calls this the Threat Horizon.
What is the Threat Horizon?
A report that...
• identifies new and changing threats that are likely to impact information security over the next 24 months
• is written for both information security and business audiences
• informs information security strategy.
The process…
Inputs:
• Regional meetings: ISF Members around the globe
• Sector input: Finance, Manufacturing, Pharmaceutical, Services...
• Expert input: WEF, OECD, futurologists
• World Congress
• Ongoing ISF research and analysis
Stages: Threat Horizon dataset; ISF analysis; Threat Horizon report
Threat Horizon methodology
Consider the world of the future and how this may give rise to information security threats, using the PLEST framework: Political, Legal, Economic, Socio-cultural, Technical.
2011...
The world of 2011
A view of the business and technical trends (PLEST: Political, Legal, Economic, Socio-cultural, Technical)....
• Protectionism
• Regional blocs
• Inter-dependence
• More legislation
• Harsher penalties
• Outsourcing
• E-crime
• Less R&D
• Internet vs. reality
• Haves vs. have-nots
• Cloud grows up
• Corporate vs. home
• Encryption
• Security vs. privacy
• Home vs. office
The information security trends of 2011
Considering the PLEST framework (Political, Legal, Economic, Socio-cultural, Technical), several major trends emerge:
• Criminal attacks
• Changing cultures
• Weaknesses in infrastructure
• Erosion of network boundaries
• Identity theft
• Espionage
• Tougher statutory environment
• Mobile malware
• Pressures on outsourcing
Top five threats in detail
Criminal attacks
• Crimeware as a service
• Insider attacks
• Infiltration
Tougher rules
• Emphasis on privacy
• Incompatible laws
• Increasing punishment
Outsourcing / Offshoring
• More outsourcing
• Meeting compliance
• Instability of providers
Weak infrastructure
• Reduced investment
• Complexity
• Zero-day attacks
Eroding boundaries
• Cloud computing
• More connections
• Bypass of defences
2012...
The world of 2012
A view of the business and technical trends (PLEST: Political, Legal, Economic, Socio-cultural, Technical)....
• Protectionism
• Government intervention
• Governmental sharing
• Regulation
• Privacy
• Over-regulation
• Cloud economics
• Recession legacy
• E-crime economics
• Blur
• Digital have-nots
• Cloud grows up
• Mobile dominates
• Mobile malware
The information security trends of 2012
Considering the PLEST framework (Political, Legal, Economic, Socio-cultural, Technical), several major trends emerge:
• Abuse of personal & mobile devices
• Changing cultures
• Weaknesses in infrastructure
• Erosion of network boundaries
• Identity theft
• Loss of communication links and power
• Cyber extortion
• Mobile malware
• Criminal attacks and espionage
The scenarios…. Infrastructural weaknesses
• Infrastructural weaknesses
• Contingency fails
• The cloud becomes a fog
• Who took my boundary?
Scenario detail:
• Over-reliance on Internet-only sales channels combines with poor resilience at pinch points
• Impact:
  • Loss of business and increased costs
  • Reduced transaction integrity and associated fraud
  • Loss of trust in the Internet channel
  • Loss of customers to competitors who can offer an easy alternative
• Threats:
  • Loss of or damage to communications links / services
  • Malfunction of computer / network equipment
The scenarios…. Changing cultures
• The mobile mainframe in your pocket
• A merger of home and work-life: the avatar effect
Scenario detail:
• Increasing use of smartphones for business and personal transactions
• Increased impact from:
  • Fraud
  • Information leakage
  • Loss of integrity
• Threats:
  • Distributing computer viruses (including worms)
  • Theft of equipment
  • Disclosing important business information
  • Theft of personally identifiable information
The scenarios…. Trends for multi-nationals
• The privacy vs. security debate becomes a high-profile issue
• Espionage gets serious
• The greening of business
• Integrity is king
• Threats converge
Scenario detail:
• Insufficient granularity in controls, lack of a trust model and poor compensating controls mean that the accuracy, provenance, traceability and authenticity of information are unclear.
• Impact:
  • Trivial to significant
  • Loss of trust with regulators, suppliers and customers
  • Downstream consequences to reputation
• Threats:
  • Unforeseen effect of changes to business information
  • Misusing systems to commit fraud
  • Compliance failure
2013...
2013 PLEST
The world of 2013
A view of the business and technical trends (PLEST: Political, Legal, Economic, Socio-cultural, Technical)....
• Government intervention
• State vs. State
• State vs. Non-state
• Breach notification
• Digital human rights
• Cost of resources
• m-economy
• Rise of Africa
• Single-issue activism
• Location services
• 4G/LTE networks
• IPv6 adoption
• Smart grids
The information security trends of 2013
Considering the PLEST framework (Political, Legal, Economic, Socio-cultural, Technical), several major trends emerge:
• Data leakage
• Securing the supply chain
• Blended attacks
• Device revolution
• Data quality issues
• Attacks on infrastructure
• Hacktivism
• Beyond cloud
• New e-crime opportunities
An overview of the threats
• On the radar and manageable
• On the radar but not manageable
• Below the radar
• Black swans
Threats for 2013
On the radar and manageable:
- Uncontrolled introduction of consumer devices
- Loss of trust / inability to prove identity and authenticate
- Loss of workforce loyalty – loss of organisational culture and knowledge
On the radar but not manageable:
- State-sponsored cyber-activity
- Social media
- Embedded location services
Below the radar:
- Governmental requirements
- Co-ordinated attacks for extortion, blackmail, bribery or stock manipulation
- RFID exploits
Black swans:
- Hardware back doors (low-level attacks / vulnerabilities) in chips, SCADA
- Solar activity disrupts communications globally
Beyond the horizon
• Biometrics
• Embedded chips
• Quantum computing
• SPIT (spam over Internet telephony)
• Nano-technology
• AI
• New interfaces
• Everyone connected to everything
WHAT CAN I DO?
Responding to the threat horizon
Information security controls that defend against threats are:
• often part of a wide infrastructure project (e.g. firewall, network segregation)
• sometimes difficult to justify to the business
• AND sometimes can take years to plan and deliver
THEREFORE we need to start to plan controls for future threats NOW!
What do I do now? – at a strategic level
• Re-assess the risks to your organisation and its information
  • Inside and outside…
• Change your thinking about threats
  • Don’t rely on trends or historical data
• Revise your information security arrangements
  • Question ‘security as usual’
• Focus on the basics
  • That includes people, not just technology!
• Prepare for the future
  • Be ready to support initiatives such as cloud computing, consumerisation....
Create a security-positive environment or culture
[Diagram: a security-positive environment built from these elements: Security Policy; Security Awareness; Organisational Culture; Framework of Controls; Visibility of Security Function; Local Security Coordination; Leadership and Governance; Communication and Messaging. Two groups of factors underpin it: organisational factors (engagement and commitment) and security factors (knowledge and know-how).]
Manage your external suppliers
1. Identify and classify external suppliers
2. Define a baseline of information security and privacy arrangements
3. Validate external supplier information security and privacy arrangements regularly
4. Plan for the end
Managing the relationships (cycle):
A: Identify and classify external suppliers
B: Agree external suppliers’ security
C: Validate external suppliers’ security
D: Handling termination
Manage the cloud: the seven deadly sins
1. Ignorance
2. Ambiguity
3. Doubt
4. Trespass
5. Chaos
6. Conceit
7. Complacency
Prepare for consumerisation
“Communication and information processing devices originally designed for personal use being used in the workplace”
• A strategic imperative
• Securing consumer / mobile devices forms the centrepiece of the organisational response
• Four aspects to your response:
  1. Governance
  2. Users
  3. Devices
  4. Applications and data
CONCLUSION
Keeping up with change
• Social environment (demographics, attitudes, cultures)
• Business environment (activities, operations, markets)
• Economic environment (credit crunch, realignment of world economy, rise of China)
• Global environment (global warming, interconnectivity, competition for resources)
• Technological environment (mobile phones, nanotechnology, pervasiveness)
ACTIONS
• Engage with the business
• Question the beliefs
• Craft a new security strategy
• Plan for uncertainty
• Prepare for change
Information Security [email protected]
www.securityforum.org
http://uk.linkedin.com/in/adriandaviscitp/