The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Information Security Forum (ISF) — a nonprofit association that researches and analyzes security and risk management issues on behalf of its members — puts out its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year period. What follows are the nine biggest threats on the horizon through 2019 that your organization may have to manage and mitigate.
Theme 1: Disruption from an over-reliance on fragile connectivity
Organizations today depend of instant and uninterrupted connectivity, smart physical devices and trustworthy people. But that dependence makes them vulnerable to attacks on core internet infrastructure, devices used in daily business and key people with access to mission-critical information.
"We've been dependent on the internet for so very long," says Steve Durbin, managing director of the ISF. "We've gotten to the point where we view it as any other utility. If you suddenly cut of the electricity, it's a major issue. Corporations have backups in place for other utilities — generators for instance. No one has really done that for the internet. They just assume it's going to be there."
To defend themselves, Durbin says, organizations need to rethink their defensive models, particularly regarding business continuity and disaster recovery plans. Plans that rely on employees working from home won't survive attacks that remove connectivity or that target key individuals. ISF recommends that revised plans cover threats to physical safety as well as periods of operational downtime caused by attacks on infrastructure, devices or people.
Premeditated internet outages bring trade to its knees
As conflicts across the globe increase in number and severity, ISF predicts that within the next two years, nation states and other groups will seek new ways of causing widespread disruption, including internet outages at the local or even regional level. Commercial and government organizations are likely to be considered legitimate targets, and industries stand to lose millions of dollars if communications systems fail and trade grinds to a halt.
Given the increasing prevalence of 'just-in-time' supply chain models, even brief disruptions can lead to shortages, Durbin says. Financial services institutions are also vulnerable, and outages that target them could lead to cascading failures. For instance, if clearing houses (institutions that settle payments) lose connectivity, organizations across all industries may lose the ability to initiate or receive payments for the duration. Even government services like law enforcement depend on connectivity for communications.
Attacks in this realm could involve physically cutting cables (possibly under sea where repairs could take significant time), rendering root DNS or datacenters useless, distributed denial of service (DDos) attacks that harness massive botnets or even manipulating internet addresses and routes to ensure traffic doesn't arrive at its stated destination.
ISF says containing the chaos caused by such an attack will require coordination by central governments through their national critical national infrastructure programs. Individual organizations must also understand the extent of their reliance on the internet and have plans in place to address the risk of attacks that recur on a relatively frequent basis.
The ISF recommends you do the following:
- Engage with internal and external stakeholders to agree to alternative methods of communication
- Develop relationships with regional bodies (e.g., governments, competitors, industry forums) to create new, standardized contingency plans for when internet communications fail
- Assess communications providers' contingency plans; insist that they align with standardized or organizational plans , while partnering to ensure gaps are addressed
- Plan for alternative supply chain models for critical systems and services
Ransomware hijacks the internet of things
Criminals are increasingly profiting from ransomware — encrypting a victim's data and then demanding payment for the encryption key. According to a report released by Symantec last year, the average ransoms for data demanded by criminals jumped from $294 in 2015 to $679 in 2016. And the U.S. Federal Bureau of Investigation (FBI) estimated last year that cybercriminals would generate about $1 billion in revenue from ransomware by the end of 2016.
[ Related: 2017 security predictions ]
The ISF believes that over the next two years, cybercriminals will increasingly focus their ransomware efforts on smart devices connected to the Internet of Things (IoT). Attackers may hold specific devices for ransom, but the ISF believes they will also use the devices as gateways to install ransomware on other devices and systems throughout organizations.
Such attacks have the potential to disrupt business operations and automated production lines. But they could also prove deadly if they affect medical implants or vehicle components.
"Medical devices, manufacturing, we've put all of these 'things' out there," Durbin says. "Driverless cars, transportation, railways, financial services. We've embedded smart devices in all these areas, but we never really thought things through to this next stage. All of these things are out there in the real world. It's a bit like shutting the stable door after the horse has bolted."
Durbin says manufacturers of connected devices need to work with their customers to address security vulnerabilities and, at minimum, ensure that basic security features are always enabled. All organizations need to identify how they currently use connected devices, how they plan to increase use in the future and what the impact would be if one or more devices are affected by ransomware.
The ISF recommends you take the following actions:
- Apply pressure on manufacturers (e.g., via industry bodies) to build comprehensive security features into devices.
- Engage with industry bodies to lobby for (and influence) regulation ensuring minimum security standards for IoT devices.
- Raise the profile of the ransomware threat across your organization and mandate minimum security requirements for procurement of IoT devices.
- Incorporate IoT-related ransomware scenarios into your business continuity planning and run regular simulations.
- Collaborate with manufacturers and customers to gather threat intelligence about the IoT devices you use.
Privileged insiders coerced into giving up the crown jewels
Your business may be high-tech and digital, but your employees exist in the physical world, and that makes them vulnerable to blackmail, intimidation and violence. The ISF says that over the next two years, well-funded criminal groups will combine their global reach and digital expertise with the very real threat of violence to threaten privileged insiders to give up mission-critical information assets (e.g., financial details, intellectual property and strategic plans).
These privileged insiders may be senior business managers and highly placed executives, but they could also be their personal assistants, systems administrators, infrastructure architects, network support engineers and even specific external contractors. Extreme cases could involve "tiger kidnapping" of the insider's family.
ISF believes criminal gangs are likely to turn to these methods for these three reasons:
- They can significantly reduce the level of cyber expertise they require and replace that expertise with "muscle."
- They can continue to have access to compromised individuals and persuade them to act again.
- They can steal mission-critical information while operating at "arm's length."
To protect yourself against these threats, ISF recommends you take the following actions:
- Identify your mission-critical information assets and the individuals who own and access them.
- Invest in special measures to protect individuals with privileged access (e.g., instruction in physical security precautions; exposure to social engineering methods).
- Implement mechanisms to protect your organization against the insider threat (e.g., screen prospective employees; embedding appropriate clauses in employment contracts).
- Adopt a trust-but-verify approach to privileged insiders (e.g., foster a culture of trust, while verifying and monitoring appropriate system access).
Theme 2: Trust in the integrity of information is lost to distortion
To make good decisions, your business depends upon accurate and reliable information. If the integrity of that information is compromised, so is your business. This issue has risen to prominence recently with the 'fake news' that has begun swirling around major politicians. The ISF believes that over the next two years, attackers will spread lies or distort internal information in the hope of gaining a competitive or financial advantage at the expense of targets' reputations or operational effectiveness.
"With volumes of data increasing to the levels that they are, we've reached a point where it's absolutely impossible for anybody to really, absolutely ensure the integrity of data," Durbin says. "How do we work with the business to ensure we make the information they're using to make decisions as accurate as possible? We're going to see this change in the way that the CISO, in particular, is viewed within the enterprise. We've for so long assumed this is an IT security thing, but CISOs have been talking about their role and how that has evolved much more to reflect the business; it's more akin to risk management in the information space."
Durbin says organizations can reduce the effect of misinformation through proactive means: Monitoring what others say about the organization online and keeping track of changes made to internal information to provide early warning signals.
Automated misinformation gains instant credibility
Advances in artificial intelligence (AI) personas allows for the creation of chatbots that will soon be indistinguishable from humans. Attackers will be able to use these chatbots to spread misinformation targeting commercial organizations: Without ever breaching an organization's digital boundary an attacker could damage that organization's reputation by spreading convincing misinformation about its working practices or products. A single attacker could deploy hundreds of chatbots, each spreading malicious information and rumors over social media and news sites.
Attacks won't just target reputation. Fake news can also be used to manipulate a company's share price. German payments company Wirecard AG found that out the hard way in February of last year, when a fake report 'detailed' fraudulent activities by the company. While the report was later proven fake, the company's share price plummeted and took three months to recover.
You won't be able to stop chatbots from disseminating misinformation about your company, but recognizing the threat and incident response planning can mitigate the damage.
To protect your organization, the ISF recommends you do the following:
- Build scenarios covering the spread of misinformation into your overall incident management process.
- Extend monitoring of social media before and after big organizational announcements or events.
- Combine forces with industry bodies to lobby governments and regulators to investigate ways of identifying and prosecuting those spreading fake news and misinformation.
- Consider increasing existing social media output to proactively counter the spread of misinformation (e.g., encourage employees to spread legitimate news and report suspicious posts.
Falsified information compromises performance
Organizations are increasingly reliant on data to drive their decision-making, and that means criminals and competitors can add information distortion to their toolbox of threats. The ISF believes three types of attack on the integrity of information will become commonplace over the next two years:
- Distorting big data sets used by analytics systems.
- Manipulating financial records and reports, or bank account details.
- Modifying information before leaking it.
For instance, consider a utility company which analyzes data from smart meters to balance the amount of electricity it generates against the current demand. An attacker could manipulate smart meter data to falsely show high demand. Such manipulation could cause a surge in electricity generation. If that surge is significant enough, it could cause the electricity supply grid to fail.
Bogus or distorted data could also significantly affect pharmaceutical research, which is increasingly turning to big data analytics to improve the speed of modeling and trialing new drugs.
Durbin says organizations need to start preparing now to ensure information risk assessments address the likelihood and impact of attacks on integrity.
To prepare, the ISF recommends you take these actions:
- Take steps to validate and maintain the integrity of key databases.
- Incorporate scenarios of compromised information integrity into business risk assessments; involve appropriate stakeholders across the organization gauge business impact.
- Collaborate with peers to share intelligence about attacks on information integrity.
- Consult with legal professionals before making public any information that provides factual evidence to counter false claims.
- Monitor access and changes made to sensitive information using tools like Federated Identity and Access Management (FIAM) systems and Content Management Systems (CMS).
Subverted blockchains shatter trust
Many organizations are exploring blockchain technology because it promises to ensure the integrity of transactions without the need for a trusted third party at the center of the exchange.
In an article for Harvard Business Review last year, Don Tapscott and son Alex Tapscott, authors of Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, And the World, argued, "our two-year research project, involving hundreds of interviews with blockchain experts, provides strong evidence that the blockchain could transform business, government, and society in perhaps even more profound ways."
The Tapscotts suggest 65 percent of top global banks will have large-scale blockchain implementations in place by 2019.
But Durbin notes that like any technology, blockchains will be vulnerable to compromise. Potential vulnerabilities include weak encryption, hashing and key management; poorly written programs; incorrect permissions; and inadequate business rules. In the event a blockchain is compromised, ISF says customer, senior management and user trust in the affected process will be shattered, and will require substantial effort to rebuild.
A compromised blockchain could lead to unauthorized transactions or data breaches, diversion of funds, fraud and even validating fraudulent transactions.
To avoid that fate, Durbin says attention must be paid to building information security into the design, build, implementation and operational phases of blockchain-based applications. Close collaboration will be required between business managers, developers and information security professionals.
The ISF recommends you do the following:
- Appoint a sponsor or steering committee to consult widely and take decisions concerning the adoption and use of blockchains throughout your organization.
- Train employees on how to use blockchains securely, and to detect suspicious activity.
- Assess the security controls of external parties using blockchains (e.g., audit the strength of their security controls, such as cryptographic key management and access control measures).
- Engage with industry forums and experts to contribute to the development of good practice guidelines and standards for secure implementation.
- Consult legal to understand the contractual implications of using a blockchain.
- Demand that information security requirements are incorporated during the design, implementation and operation of a blockchain-based application.
- Consider the implications of decentralized blockchain systems on existing governance and change management processes
Theme 3: Deterioration when controls are eroded by regulations and technology
Over the next two years, the ISF believes that rapid advances in intelligent technologies and the conflicting demands posed by heightened national security and individual privacy will erode organizations' ability to control their own information.
New surveillance laws intended to improve national security will require communications providers to bulk-collect data that could reveal corporate secrets, Durbin says. Organizations won't be able to define the security arrangements around these data reservoirs, and they could become attractive targets for attackers who have the knowledge and capability to extract and exploit the data stored in them.
At the same time, Durbin says, new data privacy regulations like the European Union's General Data Protection Regulation (GDPR) will make it more difficult for organizations subject to them to monitor the behavior of insiders. The GDPR requires that organizations be transparent about their use of tools to monitor user behavior, which Durbin says will give malicious insiders exactly the information needed to bypass such controls.
Meanwhile, technological innovation will continue to outpace regulations. Durbin says increasingly mature AI in automated systems will start to make independent decisions that will contradict defined business rules, disrupt operations and create new security vulnerabilities.
While many of these factors will be out of the direct control of your organization, Durbin says business and security leaders can prepare for these threats through considered risk assessments, open and honest negotiations with communications providers, taking legal counsel to understand the effects of new regulations and building a workforce ready for the adoption of advanced technology.
Surveillance laws expose corporate secrets
Some governments have already begun creating surveillance legislation that requires communications providers to collect and store data related to electronic and voice communications. The ISF anticipates that the trend will continue over the next two years.
The intention of such legislation may be to identify and monitor terrorists and other such groups, but the data collection will necessarily sweep up a great deal more information, including sensitive data from organizations.
The ISF notes motivated attackers will quickly recognize the value of this data, know where it is and how to get it, and have the capability to analyze, interpret and exploit it. Such information could reveal things like plans for mergers and acquisitions, IP under development and details of new products in the pipeline.
The ISF argues that five factors will combine to make it a question of when, not if, data stolen from a communications provider will expose secrets:
- No organization will be able to avoid the collection of their data; it will be a legal requirement.
- The data is likely to be stored in multiple locations by multiple external parties — each applying different levels of security.
- The increasing volume and impact of data breaches across the globe suggests the data won't be adequately protected.
- Attackers seeking to exploit the data are likely to be better funded and more motivated than the people responsible for protecting it.
- The potential value from analyses of the data will make it an obvious target for well-resourced, highly skilled and determined attackers, including organized criminal groups, competitors, terrorist groups and nation states.
To protect your organization, ISF recommends you take these actions:
- Obtain advice on the metadata that communications providers must legally store, in every jurisdiction in which you operate.
- Collaborate across your organization and conduct a risk assessment to understand the impact of metadata lost by a communications provider.
- Engage with communications providers to agree to responsibilities and set minimum requirements for the secure storage of metadata.
- Establish if, how and when communications providers will notify you of a breach and work together to minimize impact.
Privacy regulations impede the monitoring of insider threats
According to a study released by McAfee in 2015, 43 percent of data breaches in that year were caused by insiders: users, managers, IT professionals and contractors. It should come as no surprise, then, that User Behavior Analytics (UBA) tools, which flag anomalous user behavior, have become increasingly popular: a 2016 report by MarketsAndMarkets Research predicted sales of UBA tools would increase nearly 600 percent from $131.7 million in 2016 to $908.3 million by 2021.
But the ISF says new privacy regulations like the GDPR, South Korea's Personal Information Protection Act (PIPA), Hong Kong's Personal Data (Privacy) Ordinance and Singapore's Personal Data Protection Act, have the potential to constrain the use of such tools. They stipulate that an employers' use of such tools must be controlled and transparent to the user. Under GDPR, for instance, all profiling of employees is forbidden unless the employee is informed of the logic underpinning the process. While Durbin notes that transparency and creating a culture of trust is good, these regulations will position malicious insiders to circumvent UBA.
To address the insider threat and the implications of new regulations, the ISF recommends you do the following:
- Take legal advice on restrictions regarding user profiling in every jurisdiction in which your organization operates.
- Establish a rigorous program (tied to the disciplinary process) that is transparent about any employee monitoring activity.
- Make employees aware of insider risk and train them to identify suspicious behavior.
- Undertake more regular and stringent audits of access privileges for insiders, assuring appropriate role-based access.
A headlong rush to deploy AI leads to unexpected outcomes
AI systems represent a major innovation in terms of automation. The ability to learn independently will allow them automate increasingly complex and non-repetitive tasks in areas ranging from manufacturing to marketing and consulting. But Durbin notes that while AI are no longer in their infancy, they're only likely to reach adolescence in the next two to three years. And that makes them prone to errors: learning from wrong or incomplete information can lead to inaccurate conclusions, for instance.
When leveraged in environments where outcomes can affect an organization's reputation or performance, AI could function unpredictably. Examples include the following:
- Vulnerability introduction. An AI system could initiate a new relationship with customers or suppliers and connect to an insecure external network.
- Misinterpretation of commands. A smart assistant could pick up the wrong conversation or misunderstand instructions, leading it to process incorrect orders.
To protect your organization against this threat, the ISF recommends you take these three steps:
- Collaborate across the organization to establish which areas will benefit from deployment of AI, and when
- Recruit, develop and retain talent with the skills to understand and manage AI systems
- Collaborate with industry peers and academic bodies to develop best practice for deploying AI systems
- Update governance structures to manage AI effectively (e.g., incorporate security in design, provide oversight of decisions taken by the AI system, ensure the system can be manually shut down if a serious incident occurs)
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.