Assessing Current and Emerging Cyber-Threats
By Jack Rosenberger
Cyberspace comes across as a forbidding, often dangerous and now-untrustworthy environment in "Threat Horizon 2016," the Information Security Forum's new report on the state of the cybersecurity landscape. The annual report's purpose is to provide a forward-looking view of security threats and issues in cyberspace. The bleak cyber-world portrayed in "Threat Horizon 2016" is heavily colored by U.S. whistleblower Edward Snowden's revelations of massive cyber-surveillance by the American government, revelations that have altered the trust equation between individuals, businesses and governments. Among the growing cyber-threats, the ISF warns organizations of the vulnerabilities posed by insecure third-party vendors, poorly designed mobile apps, vulnerable encryption tools and more. To protect themselves against these and other threats, CIOs need to build a cyber-resilient organization, a task which, given "the skills chasm" noted by the ISF, will be a discouraging challenge for many companies.
CIO Insight recently interviewed ISF Global Vice President Steve Durbin about the main themes of "Threat Horizon 2016," the dangers and risks posed by today's everyone-is-connected-to-everyone-else world, and how organizations can apply data analytics to information security problems.
What should CIOs be most concerned about in "Threat Horizon 2016"?
Steve Durbin: The first action for CIOs is to re-examine the assumptions their organization has made about the Internet and adapt their cyber resilience to this new paradigm. For example, one of the threats in our report describes how a key component of Internet security—encryption—may fail to hold up.
Second, an organization's resilience to the ongoing threats of operating in cyberspace must be reassessed regularly. Cybercriminals are still well ahead of information security professionals. The bad guys are getting better quicker, while the good guys often struggle to merely respond. Also, the cost of investigating, managing and containing incidents will rise as they grow more complex and as regulators’ demands increase. And the insider threat will continue to challenge organizations because people will remain the weakest link in information security.
Finally, it's highly unlikely that governments will tidy up the mess they have made before 2016, so organizations need to give immediate consideration to additional actions they may wish to take to counter possible impacts from the recent disclosures [by Edward Snowden].
How can enterprises mitigate nation-state espionage?
Organizations should reinforce basic information security arrangements. This means understanding what and where the most critical information assets are, their key vulnerabilities, and the main threats against them. Standards and controls should be in place to mitigate the associated risks to those critical assets.
Key steps include making sure the business is up-to-date with government activities in all jurisdictions in which it operates—and with government activities in other important jurisdictions such as outsourcing locations. Companies need to participate in threat intelligence-sharing forums and build relationships with other organizations within and across industry sectors. They also need to cultivate a culture of information risk management that builds information security capabilities within the organization and ensures appropriate information security knowledge and awareness exists across the enterprise.
What threat intelligence-sharing forums should enterprise CIOs be following? What are useful security resources they might not be aware of?
Many such forums exist. Some are sector-specific—banks and other financial institutions share a considerable amount of threat information, for instance—and others are led by industry independents, such as the ISF, which provide a secure collaborative environment for members to share issues of importance around cybersecurity and the evolving threat landscape. Also, vendors such as Symantec and Verizon provide insights through their threat reports. Finally, law enforcement and government agencies are very keen to be included in threat-sharing forums.
Why do you think the Balkanization of the Internet is a large threat? Only a few nations are trying to create geopolitical borders on the Internet.
Organizations will no longer be able to depend on a free and open Internet as governments attempt to govern their corners of the Internet. Nation-states have already attempted to introduce governance of the Internet via the International Telecommunications Union (ITU), the United Nations and the Internet Governance Forum. This has proved unsuccessful. In its place, though, governments and regional blocs will attempt to standardize these norms at national and regional levels.
World leaders will use the rhetoric of "local" or "closed" Internets to bolster public trust, but this will further erode organizations' confidence in a free and open Internet. For example, an increasing number of democratic states are calling for either local Internets or formal Internet governance. Germany has stated its desire for a local Internet shielded from foreign intelligence services, and Brazil has led the rally for the United Nations to take a more active role in Internet governance.
Enterprises will have to operate in an increasingly complex regulatory landscape, particularly across borders, as national governments enact legislation and regulation to control their perceived corners of the Internet.
Regarding the unintended consequences of nation-states policing the Internet, what are the most likely types of incidents we'll see in 2014?
Conflicting official involvement in cyberspace will create the threat of collateral damage and have unforeseen implications and consequences for all organizations that are reliant on it. Varying government regulations and legislation will restrict activities whether or not an organization is the intended target.
Governments’ draconian implementation of these different regulations and legislation will lead to operational disruptions in organizations' supply chains. Those affected will have little recourse because of a lack of legal clarity in cyberspace.
Two high-profile examples where businesses were taken offline or the availability of their information was seriously compromised as a result of official intervention include the U.S. government's 2012 shutdown of the file-sharing site MegaUpload, which meant that almost 11 million legitimate files were blocked, and Groklaw, which halted operations in 2013, citing the potential for government pressure as making the Internet a less desirable place to do business.
This threat is inherently random. There is no way to know when it might affect an organization, if at all. This randomness underlines the need for organizations to build their resilience and implement proportional security measures in the event that it materializes.
How can enterprises reduce the vulnerabilities posed by third-party service providers? What's a good action plan you've observed?
Supply chain management is more difficult when service providers are key targets for cybercriminals. It requires more stringent due diligence and explicit contracts. Otherwise, you can expect disruptions and information loss.
Information security specialists should work closely with those in charge of contracting for third-party services to conduct thorough due diligence on potential arrangements. It is imperative that organizations have robust business continuity plans in place to boost both resilience and senior management’s confidence in the functions' abilities.
Advice for building this resilience includes identifying critical information assets and where they are located; identifying critical suppliers and ensuring the ability to continue operations is in place in the event their business is disrupted; fostering strong working relationships with service providers with the aim of becoming partners; being clear on what contracts are in place for what services; understanding clearly which legal jurisdictions govern the organization's information; and working with procurement or other business units responsible for contract management to ensure information security arrangements are included in contracts.
What is your advice about using encryption, now that it appears encryption isn't the fail-safe tool we'd believed it was?
Ironically, the reaction to the NSA revelations has been to boost reliance on encryption—the default approach to Internet security. But encryption will fail to live up to expectations due to weak implementation practices and governmental attempts to undermine it via backdoors in the software.
The failure of encryption is important, as all organizations rely on it in cyberspace. It is therefore vital to understand that this threat is on the horizon, and no organization is immune. However, the information security function can prepare by taking the following actions: classify information and know where the sensitive information assets are, so as to understand where the organization faces the most risk, and consider the full information life cycle; identify the current cryptographic solutions used across the organization and determine a strategy for improving their implementation; work under the assumption that the potential exists for all encryption to be broken, and assess risks to assets under this scenario; and critically assess commercial encryption software and hardware, given the revelations of back doors.
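The inventory step above, "identify the current cryptographic solutions used across the organization," is the one most often skipped because nobody knows where to start. Here is an added example of one way to start; it is not code from the ISF, from CIO Insight or from this interview. It is a Python scanner that walks a set of configuration files, records every primitive or protocol version it recognises, and flags the ones worth re-examining. The file contents are constructed samples, the `rsa_keysize` directive is an invented name, and which algorithms count as "weak" is this example's assumption rather than an ISF list. One caveat it handles: OpenSSL-style cipher strings name a suite with `!NAME` in order to disable it, and counting that as a use would inflate the inventory.

```python
"""Cryptographic inventory scanner (added example, not ISF or CIO Insight code).

Scans configuration files for cryptographic primitives and protocol versions,
reporting each hit with a verdict. The sample files and the 'weak' verdicts
below are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    file: str
    line_no: int
    name: str
    verdict: str      # "weak" or "ok"
    evidence: str     # the line that produced the finding


# (pattern, canonical name, verdict). Verdicts are this example's assumption.
PATTERNS = [
    (re.compile(r"\bSSLv[23]\b", re.I), "SSLv2/SSLv3", "weak"),
    (re.compile(r"\bTLSv1(?:\.0)?\b(?!\.)", re.I), "TLS 1.0", "weak"),
    (re.compile(r"\bTLSv1\.[12]\b", re.I), "TLS 1.1/1.2", "ok"),
    (re.compile(r"\bRC4\b", re.I), "RC4", "weak"),
    (re.compile(r"\b(?:3DES|DES-CBC3|DES)\b", re.I), "DES/3DES", "weak"),
    (re.compile(r"\bEXP(?:ORT)?-", re.I), "export-grade cipher", "weak"),
    (re.compile(r"\bMD5\b", re.I), "MD5", "weak"),
    (re.compile(r"\bAES-?(?:128|256)(?:-GCM)?\b", re.I), "AES", "ok"),
    (re.compile(r"\bSHA-?256\b", re.I), "SHA-256", "ok"),
]
# Invented directive name for an RSA modulus size, judged against a 2048-bit floor.
RSA_KEYSIZE = re.compile(r"\brsa_keysize\s*=\s*(\d+)", re.I)
MIN_RSA_BITS = 2048

# Constructed sample configuration files (not taken from any real system).
SAMPLE_FILES: Dict[str, str] = {
    "web/nginx.conf": (
        "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
        "ssl_ciphers AES256-GCM-SHA384:RC4-SHA:!MD5;\n"
    ),
    "vpn/ipsec.conf": (
        "ike=aes256-sha256-modp2048\n"
        "esp=3des-md5\n"
    ),
    "app/settings.ini": (
        "password_hash = md5\n"
        "rsa_keysize = 1024\n"
    ),
}


def scan_text(file: str, text: str) -> List[Finding]:
    """Return every recognised primitive in one file, line by line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, name, verdict in PATTERNS:
            for m in pattern.finditer(line):
                # "!NAME" in an OpenSSL cipher string excludes a suite; that is
                # not a use of the primitive, so it is not inventoried.
                if m.start() > 0 and line[m.start() - 1] == "!":
                    continue
                findings.append(Finding(file, line_no, name, verdict, line.strip()))
        for m in RSA_KEYSIZE.finditer(line):
            bits = int(m.group(1))
            verdict = "ok" if bits >= MIN_RSA_BITS else "weak"
            findings.append(Finding(file, line_no, f"RSA-{bits}", verdict, line.strip()))
    return findings


def inventory(files: Dict[str, str]) -> List[Finding]:
    """Scan every file and concatenate the findings."""
    result: List[Finding] = []
    for name, text in files.items():
        result.extend(scan_text(name, text))
    return result


def weak_by_file(findings: List[Finding]) -> Dict[str, int]:
    """Count 'weak' findings per file, for prioritising remediation."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.verdict == "weak":
            counts[f.file] = counts.get(f.file, 0) + 1
    return counts


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for f in found:
        print(f"{f.file}:{f.line_no} {f.verdict:4} {f.name:20} {f.evidence}")
    print("weak findings per file:", weak_by_file(found))
```

On the constructed samples this yields twelve findings, seven of them weak; the nginx file contributes three weak ones (SSLv3, TLS 1.0 and RC4) and its `!MD5` exclusion is correctly ignored. A real run would feed the scanner a directory walk plus the output of whatever certificate and key discovery the organization already has, and the verdict list would be maintained as policy rather than hard-coded.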
When companies apply data analytics to information security problems, what are the most common things they do right? And what do they often do wrong?
For the information security department, big data analytics could help identify cyber-criminal or state-sponsored zero-day attacks. Modern malware and cyber-attacks often rely on stealth and the element of surprise, which makes them increasingly successful even against state-of-the-art anti-malware solutions. As a result, many of the anti-malware vendors are using big data analytics to analyze malware reports and associated network traffic in an effort to identify and mitigate malware campaigns as they occur.
In terms of supply chain security, big data analytics has the potential to profile or identify suppliers by scanning sources such as contracts, service level agreements, procurement and vendor management databases, connectivity logs, invoices, delivery and shipping notes, and payment and expense records. Big data analytics can create an overarching view of supply chain security by analyzing high-risk suppliers' security data such as that which is held in suppliers' network logs, event management databases and intrusion detection systems. It can also compare suppliers across different dimensions of information security risk.
When we look at internal threats, several of our member companies are using big data analytics to identify standard patterns of staff behavior. Big data sources may include e-mail content; web activity, including access to competitors' Websites and trade forums; and access logs.
Pressure is mounting on businesses to embrace big data because of the enormous insights and competitive advantage it can provide. Since we're still in the early days, we have not yet seen a tremendous amount of external requirements mandating businesses to assure information integrity. However, the sheer scale of information processed by businesses continues to increase and with big data analytics bringing business decisions closer and closer to raw data, the quality of information has become increasingly important.
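The insider-threat use above, identifying standard patterns of staff behavior from access logs, is the part of the answer a security team can actually build. Here is an added example of the simplest useful version; it is not code from the ISF member companies, from CIO Insight or from this interview. It builds a per-user profile (which hosts the user touches and at which hours) from a baseline window and scores later events against it. Both log excerpts are constructed samples in an assumed "timestamp user host action" format, and the scoring weights, the two-point alert threshold and the three-event minimum history are this example's assumptions. The minimum-history rule is the edge case that matters: a user with almost no baseline would otherwise look anomalous on every event, so such events are set aside as unscored rather than alerted on.

```python
"""Per-user access baseline and deviation scoring (added example, not ISF or
CIO Insight code). Builds a profile of hosts and hours per user from a
baseline log, then scores new events against it. Log excerpts are
CONSTRUCTED samples; weights and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

MIN_BASELINE_EVENTS = 3   # assumption: below this, history is too thin to score
ALERT_THRESHOLD = 2       # assumption: score needed to raise an alert


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    action: str


@dataclass
class Profile:
    hosts: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    count: int = 0


@dataclass
class Alert:
    event: Event
    score: int
    reasons: List[str]


# Constructed baseline: two days of ordinary activity for three users.
BASELINE_LOG = """\
2014-03-03T08:55:00 alice fileserver-01 read
2014-03-03T09:10:00 alice crm-db read
2014-03-03T17:40:00 alice fileserver-01 read
2014-03-04T09:05:00 alice crm-db read
2014-03-04T16:30:00 alice fileserver-01 read
2014-03-03T22:15:00 bob build-01 read
2014-03-04T23:05:00 bob build-01 read
2014-03-04T01:10:00 bob build-02 read
2014-03-04T10:00:00 carol crm-db read
"""

# Constructed events to score against that baseline.
NEW_LOG = """\
2014-03-05T09:12:00 alice crm-db read
2014-03-05T02:30:00 alice hr-db read
2014-03-05T23:20:00 bob build-02 read
2014-03-05T03:00:00 carol fileserver-01 read
"""


def parse_log(text: str) -> List[Event]:
    """Parse the assumed 'timestamp user host action' line format."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, action))
    return events


def build_baseline(events: List[Event]) -> Dict[str, Profile]:
    """Record, per user, the hosts touched, the hours of day seen, and event count."""
    baseline: Dict[str, Profile] = {}
    for e in events:
        p = baseline.setdefault(e.user, Profile())
        p.hosts.add(e.host)
        p.hours.add(e.ts.hour)
        p.count += 1
    return baseline


def _near_known_hour(hour: int, known: Set[int]) -> bool:
    """True if the hour is within one hour of any baseline hour, wrapping at midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in known)


def score_event(profile: Profile, e: Event) -> Tuple[int, List[str]]:
    """A never-seen host weighs more than an odd hour; both are reported."""
    score, reasons = 0, []
    if e.host not in profile.hosts:
        score += 2
        reasons.append(f"new host {e.host}")
    if not _near_known_hour(e.ts.hour, profile.hours):
        score += 1
        reasons.append(f"unusual hour {e.ts.hour:02d}:00")
    return score, reasons


def detect(baseline: Dict[str, Profile], events: List[Event]) -> Tuple[List[Alert], List[Event]]:
    """Return (alerts, unscored). Users with too little history are not guessed at."""
    alerts: List[Alert] = []
    unscored: List[Event] = []
    for e in events:
        p = baseline.get(e.user)
        if p is None or p.count < MIN_BASELINE_EVENTS:
            unscored.append(e)
            continue
        score, reasons = score_event(p, e)
        if score >= ALERT_THRESHOLD:
            alerts.append(Alert(e, score, reasons))
    return alerts, unscored


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    alerts, unscored = detect(base, parse_log(NEW_LOG))
    for a in alerts:
        print(f"ALERT score={a.score} {a.event.user} {a.event.host} at {a.event.ts}: {a.reasons}")
    for e in unscored:
        print(f"UNSCORED (insufficient baseline) {e.user} {e.host} at {e.ts}")
```

On the constructed data only alice's 02:30 read of `hr-db` is alerted (new host plus an hour far from her 08:00 to 18:00 pattern), bob's late-night build access is normal for him, and carol's event is set aside because she has a single baseline record. A production version would use a longer baseline window, recompute profiles periodically so that legitimate changes in role do not stay anomalous forever, and treat the score as an input to triage rather than as a verdict.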
About the Author
Jack Rosenberger is the managing editor of CIO Insight. You can follow him on Twitter via @CIOInsight. His previous CIO Insight article is "Three Things CIOs Can Learn From Satya Nadella."