The threat matrix


By Anthony Caruana
Tuesday, 19 March, 2013


Security is always high up on the list of issues IT decision makers need to manage. One of the most challenging aspects of security is that the types of threats are changing and the environment we’re protecting is shifting as mobility, the cloud and other trends alter the way we work. Anthony Caruana spoke with four security gurus to get their views on the changing threat matrix.

What is the biggest change to the types of security threats enterprises face?

All four of our panellists agreed that the types of threat have changed, but each pointed to a different threat. Gray said, “The whole concept of APT (state-sponsored malware) attacks has really become mainstream over the last few years. The funny thing is, APT-style attacks are nothing new, it’s more that awareness of this type of threat has grown.”

On the other hand, Ducklin pointed to growing use of the cloud by cybercrooks where they can access “crimeware as a service”.

According to Searle, “The single biggest change in the threat landscape has been the movement from mass-produced scattergun-style spam, phishing and defacement campaigns to highly customised and sophisticated attacks.” Coupled with McKinnel’s observation that “The biggest change has been the increase in mobile devices being used in the work environment and the breakdown between their owners (staff) and corporate IT,” the lesson is that what worked last year may not work this year, and may not even work next year.

Can enterprises adapt their existing security models to deal with BYOD?

It’s obvious that there is no way to eliminate all the risks to a business. However, McKinnel said that “it’s a question of educating people and teams within an organisation about how to protect both their devices and the information stored on them”.

Businesses can accommodate technical changes so there’s no reason why they can’t change their approach to security according to Ducklin. “If you are determined to run headlong into the future in what you do and how you do it, yet determined to be a stick-in-the-mud when it comes to security, you may end up not adapting your attitude to security.”

This is the challenge for businesses and securing their IT environments. The very idea of the organisation’s perimeter is far less defined than it was.

Gray said, “The transition to BYOD is really driving some new thinking among smarter enterprises. They’re realising it’s a chance to really embrace deperimeterisation - they’re now able to set up their networks in a way that treats each endpoint with less trust. So when BYOD is done right, the entire network can benefit. When it’s done wrong, it’s potentially very risky.”

Security systems are only as strong as the weakest link in the chain. Searle told us, “Attackers will quickly identify the weakest link within a target organisation and pursue them relentlessly until they have achieved their goals.”

What emerging threats do you anticipate for the coming year?

This is perhaps the most critical question - what’s next?

Ducklin expects to see “more of the same” and McKinnel said, “Emerging threats include DDoS, botnets and multivector threats. There will be more activism, hacktivism, state-sponsored espionage and cyber warfare.” Gray was more pessimistic.

“Well, there are two things that concern me - the erosion of the effectiveness of two-factor authentication and the rising popularity of social engineering among a class of attackers who previously haven’t presented much of a threat.”

Gray sees ‘man in the middle’ attacks, where authentication information is captured between the sender and receiver. He pointed to recent attacks using malware called Zeus, used to intercept the one-time passwords sent by SMS that are used in banking transfers. “A crew hitting European banks got away with something like $47m doing this,” according to Gray.

What was clear in speaking with all four panellists was that a key factor to consider when looking at emerging threats is the motivation of the attackers.

Searle said that “attackers may not directly attack an organisation, instead they attack the underlying supply chain who may not have the same level of security maturity. By compromising these organisations an attacker can quickly abuse the trust relationships between supplier and customer and achieve their aims.”

Further to that, Searle also noted that traditional security by logical or physical separation may no longer be enough. “SCADA environments are becoming more commonly targeted, particularly in cases of espionage. Often SCADA environments rely on ‘security through obscurity’ and operate on dedicated networks that are physically separate from the rest of the corporate environment.”

Gray expects to see the collapse of existing authentication methods and a shift away from static data, such as birthdays, addresses and the like, when validating personal credentials.

“We’ve seen some miscreants doing some very clever account hijacking by abusing helpdesk process flaws at companies like Apple and Amazon. Google for ‘Mat Honan social engineering’ to read a horrifying story about that.

“Authentication headaches are going to grow in 2013 and hit fever pitch in 2015. It’s a really awful problem that might necessitate a move to single-use transaction devices, like a tablet computer issued by your bank that can only connect to the bank and nowhere else. I think we’ll see this for high-value corporate accounts some time in 2014. They’ll stay in use until we can think of a better solution,” Gray added.

Have businesses adapted their thinking around security in the cloud and BYOD world?

While the cloud has become a significant planning and execution concern for enterprise IT departments, it seems that businesses are being slow to adapt their security models for this new paradigm.

Gray says that there’s a source of local advice. “One organisation providing stellar advice when it comes to both cloud computing and the BYOD phenomenon is Australia’s very own Defence Signals Directorate. They issue edicts to government about these topics and release guidance to the private sector. DSD’s work in this area is well worth a look.”

“Largely the core model for effective IT security management - Prepare, Protect, Respond & Monitor - remains unchanged,” according to Searle. “What has changed is the focus of the individual principles and the level of exposure that non-IT staff have to these principles.”

Searle says that IT’s role in security is changing, as back-office teams like finance or HR are now involved in addressing IT security risks. “In today’s environment, every single team member within the enterprise has a critical role to play.”

Ducklin sees the willingness of end users to give up personal information as being a significant issue. As well as personal data, there’s also geo-location data and the willingness to put information on free cloud services. Teaching users how to be safe with their own data is a good way to get them thinking about business data and to ask the question, “Do you look after your customers’ data as strongly and as carefully as you should?”

What does “security done well” look like in an enterprise?

We have a theory. When security is done well it’s like the umpire at your favourite sporting event: you know it’s there, but it’s not noticeable. McKinnel says that it starts in the C-suite by “having someone in a senior position, such as a CISO”.

Similarly, Searle says, “Security done well could be most easily described as having security built into the very DNA of an organisation. Every business process, every job function, every requirements specification would have information security built in as a key consideration. Security becomes part of the culture of an organisation, not dissimilar to antidiscrimination or OH&S.”

Ducklin’s view is that there needs to be a pragmatic approach that is negotiated with end users, where the benefits for both the user and the business are highlighted. “Can you hook your own iPad up to the company network? Yes. Do you get to make all your own decisions on configuring the iPad? No. You can’t install any old app. You can’t jailbreak it. You can’t get rid of the passcode because you find it irritating. In return, of course, the personal stuff you have on there will be safer, which is good for you, too.”

Gray, on the other hand, hasn’t yet seen security done well. “Show me an enterprise that does security well and I’ll show you a unicorn that pisses beer.”
