I was invited by @IntelSec_Biz to join their twitter conversation called SecChat. It lasts about an hour and a set of questions are posed for us to answer. It is usually a diverse audience and the discussion is usually very good. To help me manage this I enlisted 2 computers and four screens.
Window 1
- Twitter Notifications (to see who is interacting with me and respond accordingly)
Window 2
- SecChat hashtag (to watch the flow of the conversation)
Window 3
- (to keep a flow of ideas)
- My tweets and replies page (to keep track of what I have responded to)
Window 4
- CrowdChat (to flow my answers through)
I have used CrowdChat at SteelCon as it is great for segregating discussions, and I would endorse it massively for anyone wanting to run their own TwitterChat, as I have not found a better platform yet. I like it for a variety of reasons:
- it auto-adds the hashtag
- it groups conversations
- responses are kept under the relevant conversations
- you can upvote good comments
- and stats – we all love stats!
Views: 125
Reach: 157.8K
Posts: 85
And there were only 6 of us there!
So onto the chat. SecChat this time was on the topic of Threat Predictions 2016. If you want to know more about the McAfee Labs Threats Prediction Report, it can be found here : LINK.
So here are the questions, my responses, and a short paragraph explaining my logic for each.
Q1: Which type of cyberthreat do you think will cause the most damage in 2016 and why?
A1) Most damage to whom? Brand, financial or state?
A1) Brand – breach. Financial – being sued for breach. State – critical national infrastructure attack.
A1) Financially – I believe the solicitors are honing their skills ready for the big court cases … that’ll be the big financials
A1) I also believe there will be more Bitcoin raids to come which will lose some tens of dollars
When I first read this I thought that the damage is relative to the target being hit. A small business is unlikely to survive a breach, whereas we have already seen that the stocks of major corporations that suffer a breach quickly bounce back. At one point during the TalkTalk breach, their stock was actually higher than pre-breach levels!
If we look at just the damage to brand then that is definitely a breach, but the caveat here is: what got leaked? If it was full records with attributable impact to that company then yes, a breach is going to hit your brand hard. The financial element, however, does not usually come as a direct result of the breach; it usually comes after the incident has settled down and the lawyers have had a chance to circle and see how much meat there is on the bones for them to take. However, the largest damage is where large swathes of the population are going to be hit – in order to do this, we're looking at the critical national infrastructure, or, putting it more simply, what makes a country 'run.' I also think that with the lack of regulation, and therefore of required basic security standards, we will see Bitcoin raids on the increase – Christiaan Beek shared a great report with me about their Bitcoin analysis. However, with the falling price of Bitcoin, the financial impact decreases daily!
Q2: What new types of hardware attacks will we see in 2016?
A2) Hardware attacks : mobile devices, ATMs, critical national infrastructure will be the big attacks.
A2) Agreed – lower level criminals will go for the money while State actors will go for maximum impact
In hindsight, there was a lot of hardware I could have included here, but I personally think the list looks as follows:
- mobile devices (as they become ever more numerous)
- ATMs (hitting the jackpot, literally)
- critical national infrastructure (by state actors)
- payment terminals (think Target breach and skimmers)
- NFC/Bluetooth devices (this insecure technology can be easily compromised by script kiddies, making it an easy target)
Q3: How will the movement to cloud-based services affect the behavior of cybercriminals?
A3) I'm waiting for the cloud infrastructure to be exploited – smaller vendors won't survive
A3) Big data leaks caused by lack of security being implemented correctly in cloud infrastructures
A3) I think cloud is attractive to some criminals as they can hit one target and exploit many (e.g. defacers)
Having dealt with a defacer this year, I know that they like easy targets where they can exploit one site, traverse to the other sites on the same box, and infect everyone for maximum impact. So as cloud becomes increasingly adopted and the security of the sites held on those servers becomes harder to keep up to date, I think that defacers specifically will go for these. To back this up, you only have to look at the number of defacements of WordPress sites (and the increasing number of unsupported plug-ins). Cloud is also becoming the go-to for personal backup storage, and with it being a write-only process, the user rarely checks who has been logging in in the interim and accessing their data – how many of the Fappening victims knew what was happening until their data was leaked?
I also think that cloud vendors are going to have to smarten up to secure the back-end of cloud infrastructures. Could you imagine the damage you could cause if you were able to log in to a cloud as an admin and turn off backups? Delete all instances? Turn it off? Or all three?!
Q4: New devices, new threats. What will the next big #IoT attack vector be?
A4) it will be the #IOT we were not expecting e.g. flood gauges or datacentre UPS controls
A4) The obvious answer is home systems, but they are not attractive to criminals. #FollowTheMoney
A4) The media will carry on hyping the baby camera with default password as a threat
I have a certain disdain for all things IoT. It is a much over-used hype term for any device connected to the internet. However, as threats go, I can't see someone's fridge being weaponised. I can see someone collecting IP address info from a location to single out a specific house to raid for its tech. After all, if you've spent £200 on an internet-connected kettle, you'll probably have some other interesting assets attractive to a criminal. However, the average criminal does not need to be so clever; a simple brick through a window is all you need in most locations. As for new devices and new threats – well, you only have to look at Shodan to find the amount of random kit connected to the internet in organisations, and in an upcoming blog I will be discussing river gauges and the vast amount of information they can give out. I also built a datacentre in a previous role and I know the pressure I was under from vendors to leave all sorts of kit connected to the internet. One device I thought about later was drones. Yes, some are WiFi-connected, which makes them a target.
Q5: How do you expect #IoT security standards to develop in 2016?
A5) It won't. There is no driver for manufacturers to make #IoT secure.
A5) Standards in #IoT … would be nice! But too many international manufacturers, no common framework
Security standards – really? Are there any? I mean generally … any? ISO 27001 is about risk, so you can't have that one. And isn't that the problem? We would love the idea of a kitemark saying something is secure, but as my old mantra goes: compliance does not equal security, and security does not equal secure. The only way we could do this is to have an international standard (an ISO) for hardware security and, let's face it, that isn't going to happen soon. There are so many vendors, so many countries, too many components in the supply chain – it would be too complex for an average manufacturer of consumer goods to maintain, and so the standard would stall. Try putting security into the supply chain of all the components in a DVD player!
I do agree that some devices should have some kind of security standard (e.g. medical devices), but the wider issue is that we need to move away from the Minimum Attainable Product model for security to become a standard. (Thanks to David Longnecker for sharing that article.)
Q6: How will the regulatory and liability landscape change in 2016?
A6) Liability is the key word … as with chip and pin, the market will move to transfer the liability
A6) Regulatory – I think that countries are getting smarter at this but we still have a long way to go
A6) Always comes down to the lawyer question – what's my day rate?
This question raised a few hackles in me – behind any law or regulation is a team of expert solicitors who know that law or regulation better than your auditor and can swoop in to remove all your assets despite you meeting the standard (ask the PCI-compliant Target!). Also, laws are not the same in every country, so how do we make it an 'international' law? We also have to ask: does the person setting the law or regulation really know what they're talking about?
Q7: What tactics will prove most effective in defending against difficult-to-detect threats, like fileless malware?
I didn't actually get to answer this due to a discussion that was happening around question 5. I think this is the point where I talk about meatware. The more meatware that is security-enabled, the more awareness there is when something goes wrong. By meatware, of course, I mean you. The more 'secure' humans there are who take care of their own security and know what secure looks like, the more they will know when something looks wrong and can respond appropriately. Also, the infosec defenders need to know, or have better visibility of, the edges … where are the endpoints that the criminal will be attacking?
Q8: What types of cyberthreats or espionage will we see from nation-states in 2016?
A8) I think we will see attacks on military targets – DSEI had plenty to talk about on this topic
A8) critical national infrastructure will definitely be a target also.
Beautiful quip answer from MalwareMustDie – APT. But in truth, I was at DSEI in late 2015 and the cyber area was very small because most of the stands have their cyber teams built into the systems they produce. Yes, warfare now has cyber protection layers built in, and I believe that nation states will seek to exploit this – no-missile zones created by tech that literally turns missiles off in mid-flight? Anti-drone technology already exists. I also think we will see a rise in attacks on critical national infrastructure from mysterious groups that are tenuously linked to governments. One thing you need to be aware of, though, is that the very country you live in will also be doing the same.
Q9: In terms of data privacy, what is the potential impact of increased regulation?
A9) More companies falling foul of it unintentionally
A9) The legislation will only be good if it is done by someone who knows what secure looks like
Again, taking a theme from earlier: by increasing regulation, someone will need to understand that the increase in regulation will actually do something useful rather than being a hurdle. They will also need to be able to communicate that advantage to the end-user base, otherwise people will fall foul of it unintentionally! (And here come the sharks (lawyers) circling.)
Q10: What are the top priorities for new security technologies in 2016?
A10) Home security tech. Plug-in devices to secure the home.
A10) Get users to understand what secure looks like and how they can get there.
A10) Stop selling blinky cyber LEDs that are not effective.
A10) Filling the skills gaps by recruiting into areas we need and allowing seniors to do their proper jobs
A10) All tech to have a step which considers security and a statement that explains how they met it
I think we need to be savvy as an industry in helping secure the consumer. This will in turn drive more faith in what we do as an industry, which will mean we can push our security messages to a receptive audience. We suffer as an industry from being driven by sales and marketing, and vapourware never protected anyone. We need to stop selling on the false promise that we can stop APTs by buying a pfSense firewall in a 1U server to protect your entire infrastructure. Look at your products seriously… if they don't do everything then that is actually good – do what you do and do it well. Faking it to make it doesn't work in infosec!
We also suffer from not enough people doing the right jobs. So let's finally address the skills gap: get more juniors on board, get them giving back to the community and engaging, and then we can let the seniors get on with the tough jobs while mentoring the juniors to become the next grade of seniors, allowing the current seniors to move into more niche markets and drive further product development. Why is it hard?
However, one ask for 2016 is that in every development cycle there is a question – how did you make this secure? – and there should be a paragraph in non-technical language which says "we did X" or "we accepted the risk." It needs to be in there so that when the next development cycle comes round it can be built upon.
Conclusion
I had a blast, got to chat to some great people and, more importantly, got another blog out! I think it's time to record a podcast, though!
If there is anything you would like to discuss – there is a contact form below or catch me on Twitter.
In the meantime here is the CrowdChat with other comments – thank you IntelSec / McAfee – I had a great time.