Wednesday, 13 June 2012

current challenges

Asked for views on:
  1. The current challenges in information assurance: what are the latest threats and exploits?
  2. Current trends in the cost of breaches, and examples of information assurance breaches
  3. Assessing risk and valuing information
Whilst not a comprehensive answer, I thought the following were suitable points.
 
The current challenge is BYOD (bring/buy your own device); this, along with cloud and mobile working, is stripping away the number of levels at which controls and countermeasures can be deployed.
 
Defense in depth is becoming harder to achieve when the endpoint is someone's personal tablet or smartphone, and the number of exploits for Android and the other smartphone and tablet OSes is increasing.
Interestingly, Android is a bit of a paradox: it is easier to exploit as it is less controlled than Apple's iOS, yet it has been selected by the US Government as the basis of a secure phone precisely because it is less locked down, so they can add and implement secure features more easily than on iOS.
 
The main threat agents are:
  • Hacktivist groups such as Anonymous
  • Criminal gangs
  • Industrial espionage, both state sponsored and private
  • Cyber terrorism/warfare, applies to Governments and Critical Infrastructure
Cyber terrorism/warfare is much hyped, but it is a real possibility; from a risk management point of view it is a low-likelihood, high-impact risk. Normally you would consider risk transfer via insurance for a risk of low likelihood and high impact, but in this case that is not appropriate: mitigating the risk through controls and countermeasures is costly, but the impact can be very high.

My view is that the danger with cyber warfare tools such as Stuxnet, Duqu and Flame is that once released into the wild they can escape from the target environment, as Stuxnet did. The other problem is that the other threat agents can reverse engineer the code and produce new variants to do their bidding.

The main attack vectors are:
  • Infrastructure
  • Application
  • Social Engineering
A lot of the recent successful attacks have been via the application (Sony) or through social engineering (RSA); infrastructure countermeasures are a mature technology (except for SCADA), and attacks based on the network infrastructure are becoming a smaller percentage of the overall attacks.
 
I see infrastructure attacks continuing to occur: new attacks will be developed against the mobile/cloud infrastructure, and man-in-the-middle, redirect and spoofing attacks on remote cloud apps and storage will become more prevalent.
 
There is a lot of focus on Advanced Persistent Threats (APT), however there are still problems with the basics of security countermeasures: for any system development, security needs to be part of the fundamental design requirements at project initiation rather than being added during the project, at its end, or after it has been completed. Whilst looking at the new attacks we should not forget the old attacks or the security basics. This applies in particular to web applications: injection and cross-site attacks have been known for years, but applications are still vulnerable.
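To make the point about the "old attacks" concrete, here is an added example (not code from the original post) showing the two web-application defects named above, SQL injection and cross-site scripting, each as the vulnerable pattern beside its hardened form. It uses only the Python standard library; the user table and its rows are constructed sample data, and the function names are mine.

```python
# Added example: SQL injection and XSS, vulnerable pattern next to the fix.
# Standard library only; the users table below is constructed sample data.
import html
import sqlite3


def make_db():
    """Build an in-memory SQLite database with a constructed sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Classic injection: untrusted input is concatenated into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    """Parameterised query: the input travels as a bound value, never as SQL,
    so the same input simply matches no row."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_vulnerable(comment):
    """Reflected XSS: untrusted text is dropped straight into the HTML."""
    return "<p>" + comment + "</p>"


def render_hardened(comment):
    """Output encoding: HTML metacharacters become entities before rendering,
    so browser markup in the input is displayed as text, not executed."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"          # the textbook injection string
    print("vulnerable lookup:", lookup_vulnerable(conn, probe))  # every name
    print("hardened lookup:  ", lookup_hardened(conn, probe))    # []
    tag = "<script>alert(1)</script>"
    print("vulnerable render:", render_vulnerable(tag))
    print("hardened render:  ", render_hardened(tag))
```

The design point is the one the paragraph makes: neither fix is new or clever. Binding parameters and encoding output at the point of rendering are the basics, and the defects persist in applications because those basics are bolted on late rather than specified as design requirements from the start.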
 
Legislation is slowly moving towards compulsory breach notification and higher penalties for information disclosure; this is driving the need for proper security programmes and data classification conducted by information security professionals rather than the IT department.
 
Within organisations there is growth in the positions of Chief Information Security Officer (CISO), Information Security Manager (ISM) and all the related acronyms. Certifications such as CISSP, CISM and CISA, along with others, will become more prevalent in the qualifications for such positions. Companies will be looking at standards and becoming certified and accredited to standards such as COBIT, the ISO/IEC 27000 series and ITIL, as accreditation helps prove due diligence and shows the company is working to the prudent man rule. A number of high-profile companies that were attacked recently (LinkedIn and Sony) didn't have a specialist information security person before the attack and have now filled that position.
 
