As we look forward to 2015, this is a good time to take stock of how the information security threats and attack landscape have been changing. Let’s see: major data breaches at global, brand-name organizations, state-sponsored hacking activity, revelations of our own government's attempts to access personal data.
It would be easy to proclaim 2014 as the "Year of the Security Threat," but that's not really how it works. 2014 cannot be the "Year of the Security Threat" any more than it can be the "Year of Taxes." The number of incidents may go up or down (and with taxes, it always seems to go up), but the fact is, security is something we need to be aware of all the time.
Look at information security threats. While the number of high-profile attacks may go up or down in any given year, there will always be attacks, and there is no "magic bullet" to prevent them from occurring. What does change is the scope. The adoption of new technologies leads to new attack vectors. Malware authors, malicious individuals and groups, and nation-states all have the necessary discipline (and in many cases, the resources) to exploit our increasing technology footprint.
Here are some ways they're doing it:
- Kinetic Attacks. Everybody loves the Internet of Things (IoT). Who doesn’t? Conceptually, it's great, but in practice, it's a security nightmare. As history has shown, functionality and performance of new technologies always takes precedence over security. How we interact with IoT is vastly different from how we've traditionally interacted with computers. Today, our interaction with technology is physical, or kinetic. Our "smart" cars actually transport us while we're inside of them, and our smart meters remotely adjust power usage. Unfortunately, the holes in the software and operating systems of many of these smart devices are legion, and they're massive. Not so "smart," really.
- The Rise of the Zero-Day. Zero-day attacks—that is, attacks "in the wild" for which there are no vendor-provided patches—have become more frequent. The last few months alone have brought vulnerabilities in critical software that secures large portions of the Internet, including OpenSSL, the bash shell, and the SSL 3.0 cryptographic standard.
- Physical Access = Ownership. As we've seen from the Target attack, physical access to systems—coupled with a massive increase in skimmers, fake ATMs, and other components designed to separate people from their money—means that those devices can be owned. It doesn’t matter if we are talking about PoS units, card scanners, or standalone servers. As time goes on, attackers will get even better at mimicking and integrating with different types of technology.
- The Cloud. While we have yet to see a successful security attack specifically caused by data being located in the cloud, rest assured that it's coming. The adoption rate of cloud technologies is massive, and while the fact that applications and data sit in the cloud does not itself make them insecure, the ways in which organizations and their cloud vendors configure access to those assets in the cloud can turn the smallest misconfiguration into a massive attack vector.
What's a CISO To Do?
Mitigating these threats will not be easy. As with security threats in the past, there are no simple answers or silver bullets. However, there are some approaches and associated technologies that can help reduce the risk of becoming a target:
- Behavioral Analysis and Anomaly Detection. We agree that signature-based approaches to threat detection are insufficient on their own, but we've never identified a solution to fill the void (and no, SIEM doesn't qualify...). Fortunately, we're beginning to see a large number of broad-based, statistical and heuristic approaches to analyzing a lot of security data at once. Unstructured security data of every type—events, configurations and changes, network traffic, identity data, and more—can be fed into big data solutions to address questions that were previously impossible to answer. Questions such as "Which users are doing things they don't normally do?" and "What networks are we talking to for the first time?" can be answered easily, and the results can be correlated with other data to identify rogue processes, systems, users, and networks that are trying to compromise our environments.
- Improved Authentication and Access Control. Another technique is to cut off impersonation, one of the most common attack vectors the bad guys use. Today, there's no good reason for not implementing a multi-factor authentication mechanism on high-risk applications and systems. Zero-footprint, cloud-based methods for identity federation, authorization, and even provisioning can dramatically reduce excess privileges and "phantom" credentials, while improving the user experience through single sign-on.
- The Basics Are Still Important, But Need To Be Done Correctly. Security and infrastructure software have taken a beating lately. After the Heartbleed bug, the POODLE flaw, and the bash bug, it's clear these technologies should not be treated as "set and forget" components. Security basics like patch management are critical to ensuring that organizations are not exposed to critical vulnerabilities such as these. The same goes for layered security tools such as anti-malware and IDS/IPS. Defense-in-depth techniques are timeless, and they need to be part of your toolset. But they're only going to work if you apply them appropriately and to the right assets within your environment.
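To make the behavioral-analysis item concrete, here is an added example (not code from the original post) of a first-seen baseline detector run over a few constructed connection-log lines. It learns each user's usual destinations and the organization's usual destination networks during a baseline period, then flags the two questions the text asks: a user reaching a destination they have never used, and any contact with a network nobody has reached before. The log format, users and addresses are all assumptions made up for the example.

```python
# Added example (not from the original post): first-seen baseline detection
# over constructed connection logs. Format: "<timestamp> <user> <src> <dst> <bytes>"
from collections import defaultdict
import ipaddress

# Constructed sample log; days 12-01 and 12-02 serve as the baseline period.
SAMPLE_LOG = """\
2014-12-01T08:00:00 alice 10.0.1.5 10.0.5.20 1200
2014-12-01T08:05:00 bob 10.0.1.6 10.0.5.20 800
2014-12-01T09:10:00 alice 10.0.1.5 10.0.5.21 4300
2014-12-02T08:02:00 alice 10.0.1.5 10.0.5.20 1100
2014-12-02T08:07:00 bob 10.0.1.6 10.0.5.20 950
2014-12-03T03:14:00 bob 10.0.1.6 203.0.113.44 1048576
2014-12-03T08:01:00 alice 10.0.1.5 10.0.5.20 1250
2014-12-03T08:30:00 bob 10.0.1.6 10.0.5.21 700
"""

def parse(log_text):
    """Yield (timestamp, user, dst_ip) from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _src, dst, _size = line.split()
        yield ts, user, dst

def baseline_and_alerts(log_text, baseline_days):
    """Learn per-user destinations and org-wide /24 networks on the baseline
    days, then flag first-seen activity afterwards. Returns a list of
    (timestamp, user, dst_ip, reason) tuples in log order."""
    user_dests = defaultdict(set)   # user -> destinations seen so far
    known_nets = set()              # /24 networks anyone has contacted
    alerts = []
    for ts, user, dst in parse(log_text):
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        if ts[:10] in baseline_days:            # still learning: no alerts
            user_dests[user].add(dst)
            known_nets.add(net)
            continue
        if net not in known_nets:               # "network we talk to for the first time"
            alerts.append((ts, user, dst, "first contact with network %s" % net))
            known_nets.add(net)                 # alert once per new network
        elif dst not in user_dests[user]:       # "user doing something unusual"
            alerts.append((ts, user, dst, "new destination for user"))
        user_dests[user].add(dst)               # fold the event into the baseline
    return alerts

if __name__ == "__main__":
    for alert in baseline_and_alerts(SAMPLE_LOG, {"2014-12-01", "2014-12-02"}):
        print(*alert)
```

Alerts still need correlation with other data before they mean anything; an unusual destination is a lead for an analyst, not a verdict.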
There is no magic bullet to solve the problem of information security threats; even as our detection, elimination, and mitigation techniques become more advanced, they will always be outpaced by more advanced and complex threats. As a result, your security strategy cannot be based on the idea of 100 percent prevention. However, by implementing security processes and controls that reduce the likelihood and potential footprint of modern attacks, we can collectively minimize the impact when the inevitable finally hits us.