Brian Wall | January 31, 2018

Through the glass, darkly

As seen on BTC...

Computing Security asked those in the know to do some future-gazing and give us their top predictions for cybersecurity in 2018. Here's what they had to say

Whether it's in the run-up to a new year, or as we dance, hug and kiss while the clocks strike the midnight hour, most of us tend to wonder what the next 12 months have in store. And it isn't that different in the security world - with maybe less hugging and kissing? - where the question is all too often: "Will I be hit by a damaging attack in the months ahead?"

The truth is that way too many organisations suffered a harmful event in 2017 and the prospect of even more cyber-attacks in 2018 is in the minds of most organisations. Here are the thoughts of a number of people we asked to pinpoint what the threat landscape might look like in the coming months…

John Pescatore, director of emerging security trends at the SANS Institute

Business reliance on cloud will drive increased direct attacks against cloud services. We will continue to see a rapid increase in the adoption of cloud-based Infrastructure-as-a-Service offerings for running business-critical applications on public cloud. The elasticity of cloud-based services is attractive to businesses to reduce costs and increase speed to market. While the top tier of these services is designed and managed with security in mind, the promise of cost reduction means enterprises are not investing in the skills and tools required by IT operations to safely manage the cloud. Server administrators have been understaffed and under-skilled, unable to securely administer a relatively small and constrained number of servers found in traditional data centres. Daily news stories of misconfigured cloud services are already showing how the use of cloud is exposing this risk and making cloud services attractive targets for cyberthieves.

Denial of service will become as financially lucrative as identity theft. Cybercrime has represented the majority of damaging cybersecurity incidents for the past several years. Using stolen identities for new account fraud has been the major revenue driver behind breaches. However, in recent years ransomware attacks have caused as much, if not more, damage, as increased reliance on distributed applications and cloud services results in massive business damage when information, applications or systems are held hostage by attackers.

The focus on 'increase staff or automate' vs 'increase skills and support' will fail to show any return on investment. There are countless media headlines touting massive underemployment in cybersecurity, when most enterprises really see a need for more effective cybersecurity staff vs just more bodies. Similarly, the latest buzzword technologies such as 'machine learning' and 'AI' have yet again been vastly overpromised as technology that will eliminate or drastically reduce the need for experienced and skilled cybersecurity staff. The real successes in cybersecurity have been where skills are continually upgraded, staff growth is moderate and next-generation cybersecurity tools are used to act as 'force multipliers' that enable limited staff to keep up with the speed of both threats and business demands.

Consumer advances in secure use of technology will drive workplace change. Phishing attacks continue to succeed because the vast majority of Windows PC users within businesses are still using reusable passwords. However, large numbers of consumers now routinely use biometric authentication on their mobile phones and 28% of consumers are using two-factor authentication on at least one personal account. Apple and Android mobile phones and tablets include advanced technologies like application control, privilege management and encryption that are rarely enabled on work PCs. Home users are actually often safer using their own technology than they are using systems at the office! Just as users have driven businesses to adopt technologies like the Internet, Wi-Fi, smartphones etc, they will start to drive stronger forms of authentication and data protection at work.

Cyber-insurance policies will not demonstrate any actual reduction in business costs from cyberattacks. The high levels of business damage due to cyberattacks have greatly increased the interest of boards of directors in managing this risk. This has driven an increase in procurement of cyber-insurance policies, as capping liability via insurance is well known to directors. However, for a variety of reasons, cyber-insurance does not bound liability in any way, and the payback very often doesn't even cover the costs of the premiums and the deductibles, if an incident does occur.

The bigger they are, the harder they fall. If we think the headlines shocked us with Equifax, SEC, and NSA, we will learn that large organisations have poor cyber security hygiene, are not meeting regulations, and are failing to enforce the policies they develop, recommend and enforce on others. 2018's news will have even more high-profile names and the root causes will be as shocking as the OMB breach.

One of the most shouted about topics for the last few years has been the GDPR, with security organisations offering varied and often conflicting advice on how to prepare for the new regulation. However, another important regulation is also transposing into EU legislation (this includes the UK) a few weeks before the GDPR: the NIS Directive. So how prepared for this are we?

The NIS Directive, or Directive on Security of Network and Information Systems, has been designed to raise the overall level of cybersecurity across the EU by establishing common standards of preparedness, cooperation, response and, importantly, security awareness. In fact, it is the first piece of cybersecurity legislation that has been passed by the EU. The Directive took effect in August 2016, so member states have had 21 months to integrate the requirements into their own national laws - although now there are fewer than six months left to prepare. The Directive is aimed at EU member states as a whole, as well as specific operators of essential services within those states. 'Operators of essential services' refers to organisations involved in energy, transport, banking, financial market infrastructure, health, water supply and distribution, and digital infrastructure, such as internet providers.

Non-compliance could trigger fines of up to £17 million, or 4% of an organisation's global turnover. However, the UK Government insists that fines are a last resort and "they will not apply to operators that have assessed risks adequately, taken appropriate security measures, and engaged with competent authorities but [have] still suffered an attack".

There are four broad areas that organisations need to focus on, in order to be compliant with the NIS Directive. They need to: develop a strategy and policies to assess and manage their risk; implement security measures that will aim to prevent attacks or system failures; report incidents as soon as they happen; and have systems in place to ensure they can recover quickly after an event by having capabilities that allow them to respond and restore systems promptly.

What distinguishes the NIS Directive from the GDPR is that NIS specifically requires security awareness training - although compliance with any cyber security-based regulation will rely heavily on good end-user security awareness, because you can't rely on technology alone to protect your organisation.
