Thursday, December 31, 2009

Looking past the cyber threats of the last decade and the new to come

Top Cyber Security Risks
As we pass the first decade after 2000, we can look back at how IS threats have evolved in the last ten years, both in the complexity of the attacks and in the evolution of the attackers' motives.
This is well described by Robert Vamosi in his PC World article "Top 10 Security Nightmares of the Decade". The new threats that we will be facing in 2010, according to predictions from a McAfee Avert Labs report, will exploit application-layer vulnerabilities: Web 2.0 and social networking sites, drive-by downloads, browser vulnerabilities and man-in-the-browser attacks, Adobe Flash vulnerabilities, mobile phone vulnerabilities, and malware attacks through botnets and banking trojans (e.g. Zeus).

For security practitioners who still think old school, network security (securing the perimeter by deploying firewalls and IDS, which I pioneered developing at ISS) and mitigating threats to the PC/desktop using AV and AS, this is the main lesson from the trenches: as threats evolve, and rather quickly and with increased sophistication, we need new defenses, especially at the application layer, to mitigate these new threats. The new defenses need to look above all at the security of the applications and the data, especially the transactions and the data flows (end to end, from user to application).

There is also a need to look at security controls from a risk mitigation perspective: keep the measures that work (that is, that mitigate risk to an acceptable residual risk) and discard the ones that do not. One example of a very destructive change in the security industry would be to retire all the MFA (Multi-Factor Authentication) solutions that were adopted in 2006 (mostly to earn a checkmark from the FFIEC) and that now just add to the TCO (Total Cost of Ownership), since they can be easily defeated by malware.

As Einstein said, "let's not pretend that things will change if we keep doing the same things". In essence, we are moving to a post-information-age society where mitigation of cybercrime threats needs to be the main focus of information security. I believe that we as security practitioners are about to reach a tipping point: organizations and governments will pay a huge price for fraud and data losses unless they deploy radically new countermeasures.

My wish for 2010 is that business organizations and governments will put more focus on application security and on the root causes of vulnerabilities, such as insecure software and design. I hope we can put the effort into building new countermeasures at the application layer and use new approaches, such as identifying design flaws, which account for more than 50% of vulnerabilities, by using threat modeling (the subject of the book I will publish in 2010). My hope is that we recognize that we as security practitioners are in a race against time to win against cybercriminals; we need to work with businesses to roll out new security controls and measures. We need to quickly adapt to the new threats and prepare to respond to the cyber threats of the next decade...


James said...

Cyber threats will continue to evolve and pose a challenge to users, software developers, vendors of security products and organizations. I agree that over the last decade, the motivation behind cyber-attacks has shifted from fame to making profits. Cybercrime has now become an organized activity. With the prospect of countries using cyber war to display their supremacy, public and private organizations are going to have a tough time protecting their networks. In such a scenario, it is important for organizations to take cognizance of the latest cyber threats, assess weaknesses of networks, revisit security policies with changes in the threat profile, hire specialists such as CEHs, use tested and certified security products and monitor user activity. Government must promote cyber education at all levels to meet the future requirements for cyber experts.

Marco & Gianluca said...

I agree wholeheartedly, James. Another important aspect is for governments to enact cybercrime security standards and regulations that can be enforced to protect citizens' privacy and consumers from losses from fraud. Nowadays, cybercrime is a billion dollar business, so best practices are not enough, as you pointed out; we need new security standards and enforcement of these, with liability and responsibilities to enforce them.