Five Emerging Threats That Worry Global Security Professionals

Over the next year, five separate threats will have one major effect: the current rate of security breaches will increase and worsen. This is the view of the Information Security Forum (ISF), an international network of more than 10,000 security professionals.

The five primary threats to cyber security are the continuing evolution of crime-as-a-service; the effect of unmanaged IoT risk; the complexity of regulation; the supply chain; and a mismatch between Board expectation and Security capability.

Talking to SecurityWeek, ISF managing director Steve Durbin explained that the growing effect of crime-as-a-service is his own biggest concern. This, he suggested, is a result of the increasingly professional nature of organized cybercrime.

“Crime as a service has reached maturity, with criminal organizations providing easy access for entry level criminals,” Durbin said. “I think that next year we are going to see attacks becoming more sophisticated and targeted. One of the problems is that cybercriminals have become very good at sharing information, and being able to do some of the things that the good guys are perhaps not as good at doing — sharing intelligence and so on.”

The root cause is that organized crime has moved aggressively into the dark web, resulting in what Durbin views as something similar to a very large corporation.

“There’s this big umbrella organization that we call cybercrime. Underneath that we’ve got some very large, very professionally run cybercrime groups — organized crime — who are clearly looking to continue to recruit and expand, and are also happy to sell products and services to others. When I talk about criminals being better at communication,” he said, “I relate it to the way that good corporations operate: they have marketing plans; they have outreach plans; they have communication around some of the services that are available as part of crime-as-a-service. They’re not sharing methods and exploits to the extent that competitors could take over — but they are sharing it in terms of increasing their footprint. At the more sophisticated levels, cybercrime operates very much like a professional business.”

For Durbin, there are a few ‘mega’ organized crime groups, supplemented by a number of smaller, highly capable groups, coming out of the former Soviet states. But below these — and to some degree what worries him most — are the disorganized wannabes coming into the game on the back of crime-as-a-service. Counter-intuitively, they are disrupting and worsening the accepted status quo; and he gives ransomware as an example.

“In the ‘good’ old days of ransomware,” he explained, “we knew that the cybercriminal was only really interested in this to get money. There was a game to be played, and everybody knew the rules. The criminals would drop some malware onto our systems to prevent us from accessing our information so that they would get paid a certain amount of money.”

This was enough to make it profitable for the criminal, but not so much that the victim would not or could not pay. “What we’re now seeing,” he continued, “is elements of ransomware that are not following these rules. For example, keys not being handed over when ransoms are paid; and that’s a concern because the rules of the game have changed.” In short, the commoditization of cybercrime through crime-as-a-service is introducing anarchy that makes it difficult for defenders to plan a posture, and difficult for organized crime to remain organized.

It will be interesting to see, he added, whether a degree of self-regulation emerges. “It’s possible that some of the larger crime groups will decide that the emerging aspirant criminals are actually bad for business, and decide to do something about it.”

The second threat is the internet of things (IoT), with two major areas of concern. Firstly, home devices are insecure, default passwords are not always changed, and people take work home. But what really concerns him is IoT in the critical infrastructure. “Regulation and legislation would work if we were starting from a blank piece of paper,” he said; but we are not. “We’ve been installing embedded devices in manufacturing for years. At the time, manufacturers did not consider security to be an issue, and organizations do not have clear visibility of all the devices they use.”

He gave an example of a member organization, a Forbes Global 2000 company, that shut down its plant. “In the course of that shutdown, some of the machinery burst back into life because there were some IoT devices connected to the Internet that they hadn’t been aware of.” The company had forgotten about parts of its own IoT; but it was capable of autonomously restarting the machinery.

The third emerging threat is the increasing burden and complexity of regulation. Although it is designed to improve security, Durbin fears that regulation will pull attention and resources away from important security initiatives. The General Data Protection Regulation (GDPR) is a perfect example of complexity in requirement and lack of understanding by stakeholders. But GDPR is far from being the only new regulation coming into force, and he fears that the increasing burden of compliance and legislative variances across jurisdictions will increase the burden for multi-nationals and those businesses targeting international trade.

The fourth and fifth emerging threats — the supply chain, and a mismatch between Board expectation and Security capability — are really two sides of the same coin. While senior management is increasingly concerned about security, and is increasingly held responsible for the firm’s security, it still does not understand what its security team is doing or is even capable of doing. This also occurs in third-party related organizations, fourth parties and beyond (the supply chain). But if the Board does not really understand its own security capabilities, it has even less understanding of the security of its supply chain; and that is a threat vector that is growing rapidly through the digitization of business.

Durbin believes the solution can only come from baking security into the whole ethos of the organization so that the security team is an integral concept rather than a separate silo. “I often talk about the day when we don’t have security people because the organization has become so aware of security being integral to the business that security has become completely integrated into the business functions. Security must become inbuilt into the organization by design. We’re a long way off that, but the immediate challenge that a lot of CISOs face is around communication, around being taken seriously by the organization.” 

If, and perhaps only when, security by corporate design becomes a reality will all five of ISF’s emerging threats be brought under some semblance of control. In the meantime, Durbin feels that breaches will increase, and the security landscape will only get worse long before it gets better.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
