[BreachExchange] Five Emerging Threats That Worry Global Security Professionals

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 30 18:32:34 EST 2017


http://www.securityweek.com/five-emerging-threats-worry-global-security-professionals

Over the next year, five separate threats will have one major effect: the
current rate of security breaches will increase and worsen. This is the
view of the Information Security Forum (ISF), an international network of
more than 10,000 security professionals.

The five primary threats to cyber security are the continuing evolution of
crime-as-a-service; the effect of unmanaged IoT risk; the complexity of
regulation; the supply chain; and a mismatch between Board expectation and
Security capability.

Talking to SecurityWeek, ISF managing director Steve Durbin explained that
the growing effect of crime-as-a-service is his own biggest concern. This,
he suggested, is a result of the increasingly professional nature of
organized cybercrime.

"Crime as a service has reached maturity, with criminal organizations
providing easy access for entry level criminals," Durbin said. "I think
that next year we are going to see attacks becoming more sophisticated and
targeted. One of the problems is that cybercriminals have become very good
at sharing information, and being able to do some of the things that the
good guys are perhaps not as good at doing -- sharing intelligence and so
on."

The root cause is that organized crime has moved aggressively into the dark
web, resulting in what Durbin views as something similar to a very large
corporation.

"There's this big umbrella organization that we call cybercrime. Underneath
that we've got some very large, very professionally run cybercrime groups
-- organized crime -- who are clearly looking to continue to recruit and
expand, and are also happy to sell products and services to others. When I
talk about criminals being better at communication," he said, "I relate it
to the way that good corporations operate: they have marketing plans; they
have outreach plans; they have communication around some of the services
that are available as part of crime-as-a-service. They're not sharing
methods and exploits to the extent that competitors could take over -- but
they are sharing it in terms of increasing their footprint. At the more
sophisticated levels, cybercrime operates very much like a professional
business."

For Durbin, there are a few 'mega' organized crime groups, supplemented by
a number of smaller, highly capable groups, coming out of the former Soviet
states. But below these -- and to some degree what worries him most -- are
the disorganized wannabes coming into the game on the back of
crime-as-a-service. Counter-intuitively, they are disrupting and worsening
the accepted status quo; and he gives ransomware as an example.

"In the 'good' old days of ransomware," he explained, "we knew that the
cybercriminal was only really interested in this to get money. There was a
game to be played, and everybody knew the rules. The criminals would drop
some malware onto our systems to prevent us from accessing our information
so that they would get paid a certain amount of money."

This was enough to make it profitable for the criminal, but not so much
that the victim would not or could not pay. "What we're now seeing," he
continued, "is elements of ransomware that are not following these rules.
For example, keys not being handed over when ransoms are paid; and that's a
concern because the rules of the game have changed." In short, the
commoditization of cybercrime through crime-as-a-service is introducing
anarchy that makes it difficult for defenders to plan a posture, and
difficult for organized crime to remain organized.

It will be interesting to see, he added, whether a degree of
self-regulation emerges. "It's possible that some of the larger crime
groups will decide that the emerging aspirant criminals are actually bad
for business, and decide to do something about it."

The second threat is the internet of things (IoT), with two major areas of
concern. Firstly, home devices are insecure, default passwords are not
always changed, and people take work home. But what really concerns him is
IoT in the critical infrastructure. "Regulation and legislation would work
if we were starting from a blank piece of paper," he said; but we are not.
"We've been installing embedded devices in manufacturing for years. At the
time, manufacturers did not consider security to be an issue, and
organizations do not have clear visibility of all the devices they use."

He gave an example of a member organization, a Forbes Global 2000 company,
that shut down its plant. "In the course of that shutdown, some of the
machinery burst back into life because there were some IoT devices
connected to the Internet that they hadn't been aware of." The company had
forgotten about parts of its own IoT; but it was capable of autonomously
restarting the machinery.

The third emerging threat is the increasing burden and complexity of
regulation. Although it is designed to improve security, Durbin fears that
regulation will pull attention and resources away from important security
initiatives. The General Data Protection Regulation (GDPR) is a perfect
example of complexity in requirement and lack of understanding by
stakeholders. But GDPR is far from being the only new regulation coming
into force, and he fears that the increasing burden of compliance and
legislative variances across jurisdictions will increase the burden for
multi-nationals and those businesses targeting international trade.

The fourth and fifth emerging threats -- the supply chain, and a mismatch
between Board expectation and Security capability -- are really two sides
of the same coin. While senior management is increasingly concerned about
security, and is increasingly held responsible for the firm's security, it
still does not understand what its security team is doing or is even
capable of doing. This also occurs in third-party related organizations,
fourth parties and beyond (the supply chain). But if the Board does not
really understand its own security capabilities, it has even less
understanding of the security of its supply chain; and that is a threat
vector that is growing rapidly through the digitization of business.

Durbin believes the solution can only come from baking security into the
whole ethos of the organization so that the security team is an integral
concept rather than a separate silo. "I often talk about the day when we
don't have security people because the organization has become so aware of
security being integral to the business that security has become completely
integrated into the business functions. Security must become inbuilt into
the organization by design. We're a long way off that, but the immediate
challenge that a lot of CISOs face is around communication, around being
taken seriously by the organization."

Only if, and perhaps only when, security by corporate design becomes a
reality will all five of ISF's emerging threats be brought under some
semblance of control. In the meantime, Durbin feels that breaches will
increase, and the security landscape will get worse long before it gets
better.