Over the next year, five separate threats will have one major effect: the current rate of security breaches will increase and worsen. This is the view of the Information Security Forum (ISF), an international network of more than 10,000 security professionals.
The five primary threats to cyber security are the continuing evolution of crime-as-a-service; the effect of unmanaged IoT risk; the complexity of regulation; the supply chain; and a mismatch between Board expectation and Security capability.
Talking to SecurityWeek, ISF managing director Steve Durbin explained that the growing effect of crime-as-a-service is his own biggest concern. This, he suggested, is a result of the increasingly professional nature of organized cybercrime.
“Crime as a service has reached maturity, with criminal organizations providing easy access for entry level criminals,” Durbin said. “I think that next year we are going to see attacks becoming more sophisticated and targeted. One of the problems is that cybercriminals have become very good at sharing information, and being able to do some of the things that the good guys are perhaps not as good at doing — sharing intelligence and so on.”
The root cause is that organized crime has moved aggressively into the dark web, resulting in what Durbin views as something similar to a very large corporation.
“There’s this big umbrella organization that we call cybercrime. Underneath that we’ve got some very large, very professionally run cybercrime groups — organized crime — who are clearly looking to continue to recruit and expand, and are also happy to sell products and services to others. When I talk about criminals being better at communication,” he said, “I relate it to the way that good corporations operate: they have marketing plans; they have outreach plans; they have communication around some of the services that are available as part of crime-as-a-service. They’re not sharing methods and exploits to the extent that competitors could take over — but they are sharing it in terms of increasing their footprint. At the more sophisticated levels, cybercrime operates very much like a professional business.”
For Durbin, there are a few ‘mega’ organized crime groups, supplemented by a number of smaller, highly capable groups, coming out of the former Soviet states. But below these — and to some degree what worries him most — are the disorganized wannabes coming into the game on the back of crime-as-a-service. Counter-intuitively, they are disrupting and worsening the accepted status quo; he gives ransomware as an example.
“In the ‘good’ old days of ransomware,” he explained, “we knew that the cybercriminal was only really interested in this to get money. There was a game to be played, and everybody knew the rules. The criminals would drop some malware onto our systems to prevent us from accessing our information so that they would get paid a certain amount of money.”
This was enough to make it profitable for the criminal, but not so much that the victim would not or could not pay. “What we’re now seeing,” he continued, “is elements of ransomware that are not following these rules. For example, keys not being handed over when ransoms are paid; and that’s a concern because the rules of the game have changed.” In short, the commoditization of cybercrime through crime-as-a-service is introducing anarchy that makes it difficult for defenders to plan a posture, and difficult for organized crime to remain organized.
It will be interesting to see, he added, whether a degree of self-regulation emerges. “It’s possible that some of the larger crime groups will decide that the emerging aspirant criminals are actually bad for business, and decide to do something about it.”
The second threat is the internet of things (IoT), with two major areas of concern. Firstly, home devices are insecure, default passwords are not always changed, and people take work home. But what really concerns him is IoT in the critical infrastructure. “Regulation and legislation would work if we were starting from a blank piece of paper,” he said; but we are not. “We’ve been installing embedded devices in manufacturing for years. At the time, manufacturers did not consider security to be an issue, and organizations do not have clear visibility of all the devices they use.”
He gave an example of a member organization, a Forbes Global 2000 company, that shut down its plant. “In the course of that shutdown, some of the machinery burst back into life because there were some IoT devices connected to the Internet that they hadn’t been aware of.” The company had forgotten about parts of its own IoT; yet those forgotten devices were capable of autonomously restarting the machinery.
The third emerging threat is the increasing burden and complexity of regulation. Although it is designed to improve security, Durbin fears that regulation will pull attention and resources away from important security initiatives. The General Data Protection Regulation (GDPR) is a perfect example of complexity in requirement and lack of understanding by stakeholders. But GDPR is far from being the only new regulation coming into force, and he fears that the increasing burden of compliance and legislative variances across jurisdictions will increase the burden for multi-nationals and those businesses targeting international trade.
The fourth and fifth emerging threats — the supply chain, and a mismatch between Board expectation and Security capability — are really two sides of the same coin. While senior management is increasingly concerned about security, and is increasingly held responsible for the firm’s security, it still does not understand what its security team is doing or is even capable of doing. The same gap exists in relation to third parties, fourth parties and beyond (the supply chain). If the Board does not really understand its own security capabilities, it has even less understanding of the security of its supply chain; and that is a threat vector that is growing rapidly through the digitization of business.
Durbin believes the solution can only come from baking security into the whole ethos of the organization so that the security team is an integral concept rather than a separate silo. “I often talk about the day when we don’t have security people because the organization has become so aware of security being integral to the business that security has become completely integrated into the business functions. Security must become inbuilt into the organization by design. We’re a long way off that, but the immediate challenge that a lot of CISOs face is around communication, around being taken seriously by the organization.”
Only if, and perhaps only when, security by corporate design becomes a reality will all five of ISF’s emerging threats be brought under some semblance of control. In the meantime, Durbin feels that breaches will increase, and the security landscape will only get worse long before it gets better.