The burgeoning Internet of Things and smart devices
2014 is likely to be the year that many industries start to cash in on the much-hyped benefits of smart connected devices. But as more devices become IP-enabled, they contribute to the pool of things that can be recruited into botnets or other platforms used for distributed attacks – something which most companies are currently not prepared for, warns Mike Foreman, general manager of security software firm AVG Technologies.
‘Distributing attacks via unmanned smart devices helps make it more difficult to trace the source and easier to overwhelm the target,’ says Foreman.
In order to meet the challenge of securely managing hundreds of millions of connected devices and securing the data transmitted between them, Jason Hart, VP of cloud solutions at security specialist SafeNet, says that organisations will need public key infrastructure solutions that combine comprehensive security with scalability and reliability.
‘PKIs, simply put, use digital certificates that can be embedded within devices, giving them the authorisation needed to access different networks,’ explains Hart.
BYOD convenience vs. security
Companies will need to adopt new tactics to tackle the increasing drawbacks of a BYOD environment, changing their focus from the devices themselves. When it comes to effective device management, says Chris Wysopal, co-founder and chief information security officer of application security expert Veracode, apps, not devices, are the real problem.
‘Companies need to look for MDMs that understand what apps are installed across corporate and BYOD devices, and the risk associated with those applications,’ he advises.
Jonathan Foulkes of systems management software firm Kaseya thinks businesses will need to shift the focus away from devices and onto securing and managing data. ‘By “containerising” corporate data and only providing access through secure applications, IT is given full control over policies and the ability to decide which users – rather than devices – are allowed to connect to what data and with what application.’
The true security risks of cloud computing beginning to emerge
The horse has left the barn for IT teams dealing with the cloud. Business units are demanding it and building apps there if their IT departments will not – and this is a trend that is set to continue in 2014 as adoption of core applications in the cloud grows.
‘This opens up application change errors that can be totally missed by the security team,’ warns Reuven Harrison, CTO of security policy orchestration company Tufin.
‘It also increases silos and puts the business network at great risk by bypassing traditional IT structures.’
Veracode’s Chris Wysopal stresses that cloud apps will need to follow the same application security practices that the organisation requires for internally built apps, while moving towards end-to-end automation of network changes should free up time to concentrate on monitoring all areas of the network.
Controlling the privileged user
Without a doubt, one of the biggest mistakes that organisations make is having insufficient control and oversight of the actions of ‘privileged users’, says Paul Ayers, VP EMEA of security firm Vormetric.
‘In 2014, after the Snowden leaks and other high-profile insider threats and data breaches, I expect organisations to increasingly put in place the security procedures and tools that allow them to audit and control the actions of these users,’ he comments.
The effects of cyber war and cyber espionage
Cyber is the new battlefield, and the fifth element of warfare, with states already pouring a huge range of resources into both defensive and offensive capabilities.
‘Within the next couple of years, we will experience an increasing number of cyber attacks resulting in militaristic and economic damage,’ says Jarno Limnell, director of cyber security at McAfee Group security vendor Stonesoft.
Rik Ferguson, VP of security research at security vendor Trend Micro, notes that the PRISM revelations will increasingly lead cyber criminals to turn to ‘darknets’ – a class of networks, such as The Onion Router (TOR), that guarantee anonymous and untraceable online access.
‘Law enforcement agencies may not have enough knowledge or experience to deal with cyber crime and will have a hard time tracking criminals in the Deep Web, prompting more investment in the fight against cyber crime,’ he says.
Strengthened government agenda on cyber security and new compliance standards
Over 2013-14, the UK Cabinet Office will have invested £180 million in cyber security, increasing this amount to £210 million in 2014-15. The government has announced its intention to back a new kite-mark standard for cyber security, with further details promised early this year. Around the same time, the European Commission will unveil a new directive on data privacy.
‘But while these measures are to be welcomed, organisations will have their work cut out preparing themselves to achieve compliance,’ says Alan Calder, founder of cyber security services provider IT Governance.
‘Add to these changes the multiple compliance challenges arising from recent updates of standards, such as ISO 27001 and PCI DSS, and you quickly have a considerable governance task in terms of planning, resourcing and training.’
The security skills gap
The world faces an acute shortage of cyber security professionals who are adequately skilled for today’s threat landscape. According to Alan Calder of IT Governance, in 2014 we will feel the effects of this shortfall more than ever, resulting in yet more spectacular data breaches, as it will be several uncomfortable years before supply meets demand.
‘Large accountancy and professional services firms are, at the moment, heavily investing in IT security talent, which means that SMEs will struggle to compete for the best talent, putting the future of their businesses at risk,’ says Christian Toon, risk and security expert at data protection company Iron Mountain.
Toon urges that when recruiting IT security professionals, companies should remember that it’s important to get someone who understands not just the technicalities of the job, but also the psychology of both the individuals they are helping to protect and of the cyber criminals who are attempting to steal information from the business.
The ever-increasing sophistication of DDoS attacks
The transparency shown by RBS in admitting that it failed to invest properly in its IT systems after DDoS attacks in 2013 is a common refrain amongst many enterprises, large and small.
But, says Jag Bains, CTO of DDoS attack prevention firm DOSarrest Internet Security, ‘While each organisation may have multiple reasons for failing to invest, they all share the same notion that they won’t be a target – until they get attacked.’
With DDoS tools becoming more advanced and pervasive, Bains warns that all IT operations should work under the premise that they will be attacked, and so plan accordingly.
‘Every stack and layer within their purview should be reviewed, and they should identify cost-effective cloud solutions for their DDoS, which provide much better performance and mitigation than expensive hardware.’
Catherine Pearce, security consultant at mobile security firm Neohapsis, predicts that DDoS attackers will accelerate a move from simple volumetric attacks to those that take advantage of a site’s specific performance, with the spread of tools that profile specific targets and attack based upon certain weaknesses in configuration or implementation.
Smarter analytics to combat cyber threats
Martin Borrett, director at the IBM Institute for Advanced Security, believes that analytics will become a vital element in countering new threats, aided by advancements in machine learning algorithms that will further improve data and analytics technologies.
‘Security systems will greatly benefit from real-time correlation across massive structured data, such as security device alerts, operating system logs, DNS transactions and network flows, as well as unstructured data, such as emails, social media content, packet info and business transactions,’ says Borrett.
‘Organisations can begin along this path by surveying the additional new data sources available and considering which could be used to improve their security analysis outcomes.’
However, each data source may bring its own challenges, such as the volume, velocity, variety and veracity of data, so it will be important for a business to consider also which skills and tools they have available to manage these issues.
Challenges regarding authentication technologies such as 2-factor and biometric
‘With companies slowly adopting BYOD programmes, on-premise software still reigning supreme in many IT environments and big hacking attacks occurring every few weeks, there’s no question that the business world still lags in adopting people-centric technologies across workforces,’ says Phil Turner, VP EMEA at identity management company Okta.
‘As a result, in 2014, as businesses have added more applications and the proliferation of devices in the workplace continues to increase, we are likely to see significant growth in cloud-based identity and asset management (IAM) services that can deliver single sign-on across all applications.’
However, looking forward to the end of 2014, we can expect this to start to change. Multi-factor authentication (MFA) – which requires two or more factors to verify the legitimacy of the user – has taken off and evolved pretty substantially in the past decade. And authentication methodologies are becoming as personalised and specific to the individual as the experiences that they’re trying to access.
‘Customers’ expectations for seamless trusted authentication and the continued dominance of smartphones and smart devices will accelerate the move from legacy hardware one-time password tokens to mobile-friendly, embedded security and contextual access controls,’ says SafeNet’s Jason Hart. ‘We can already see early examples such as Apple’s iTouch of biometric authentication, and investments by vendors such as Samsung to bake enterprise-grade security controls into their KNOX platform.’
Cyber resilience, not cyber security
In 2014, we will see savvier organisations relinquish futile hopes of ‘cyber security’ for a more pragmatic drive for ‘cyber resilience’.
‘We are living permanently with an irreducible level of cyber threat,’ says IT Governance’s Alan Calder. ‘As this realisation sinks in, organisations must adapt their strategies to avoid unhelpful restrictions on staff mobility and internet access, while ensuring their ability to recover swiftly when attacks take place.’
Jason Hart of SafeNet reiterates that in the coming year we can expect to see companies move away from the traditional strategy of focusing on breach prevention, and towards a ‘secure breach’ approach.
‘This means accepting that breaches happen and using best practice data protection to guarantee that data is effectively useless when it falls into unauthorised hands,’ he says. ‘So, we can expect to see an increase in the use of encryption that renders any data useless to an unauthorised party.’