
InfoSec End of Year Review - 2011 into 2012

The end of the year is coming - the goose is getting fat, the gritters are ready (some maybe even with salt...) and the supermarket 2-for-1 offers on mince pies are overwhelming.  As such, I thought it would be a good time to reflect on what have been the main areas of interest in 2011 from an information security perspective, and what might become of 2012 - the 'new' threats or the possible realisation of the old ones - all before we lose ourselves in the midst of Christmas parties, over-eating and the warmth of a log fire.

  1. Everyone is Aiming for the Sky (or at least the clouds) - Now beyond the hype point of deployment, many organisations are dipping their corporate toes into outsourced on-line provisioning of infrastructure, applications and services.  This emphasis on outsourced components will lead to many questions surrounding data privacy in multi-tenanted environments, supplier auditing, 'Chinese wall' considerations and SLA management.  Any organisation considering using cloud providers should pay close attention to the legal contracts involved and identify key stakeholder responsibilities, demarcation points and 3rd party employee credential checking.  These factors will continue into 2012 and beyond as many organisations look to reduce their IT cost base by utilising cloud providers' services.
  2. If it moves (it's mobile), attack it! - Mobile phones are no longer just that.  They're 'smart', sometimes super-smart, providing 'laptop in a pocket' capabilities.  Now work email, document editing and PDF viewing are all possible on a device that can be easily lost or stolen.  Many organisations also allow a BYOD (Bring Your Own Device) policy, which may appear to save the organisation the cost of initial capital outlay, but which ultimately brings the risk of excessive device management costs in the long run.  A main failure of many organisations at present is the lack of a clear mobile security policy which is documented and distributed.  This is a key area of focus for both corporate & personally owned devices.  On a practical level, anti-virus applications are now more common and should continue to provide mobile support in 2012, whilst all devices now provide PIN support - which should be realised with a 6 digit PIN with a single repeated value.  Remote wipe settings are also now standard via network provider or 3rd party apps and should be considered for corporate use.
  3. Starwars becomes Cyberwars - 25 years ago, 'Starwars' was the main theme of the US's defence capability, with the weapons shield spanning the globe - including Europe.  Whilst that is still being implemented - much to the distraction of Russia - a new type of warfare is developing - Cyberwar.  Online attacks aimed not only at corporate and individual users, but also at governments, public utilities and military installations, have all come to public attention in 2011.  APTs (Advanced Persistent Threats) have become the latest buzz, with the likes of Stuxnet in 2010 and Duqu in 2011 proving that cyber-attacks are no longer being committed by individual components of malware, but by complex, multi-piece, well-engineered software that is sufficiently advanced to attack SCADA (Supervisory Control and Data Acquisition) systems as well as public facing devices.
  4. Governments get Geeky - Cyber-security and digital protection have taken on a significant presence in government defence strategy in the last year.  The UK recently announced a new Cyber Security Strategy, costing £650m over a 4 year period, to help improve governmental protection and business awareness of cyber-threats and attacks.  In 2009, the US announced a new position of Cyber Security Co-ordinator, to be held initially by Howard Schmidt, placing cyber-awareness right at the heart of the Obama administration.  Both the UK and the US will look to drive home the concept that they are 'safe' to do online business with for 2012 and beyond.
  5. Social Networking becomes Socially Engineered - Facebook announced in 2011 that it had reached 800m members, with over half using the system daily to communicate with friends and family.  Alongside the likes of Twitter, LinkedIn and Google+, organisations now also have an outlet to extend their corporate reach and brand.  Whilst this can bring a new and more direct approach to consumer awareness, it can also bring risk: risk of quick proliferation of brand damage, bad reviews, fake accounts and so on.  The use of social media also needs controlling internally, from both a personal usage perspective and an outbound marketing approach.  Both require well documented and distributed policies.  Social networking has now become a standard use case for many CRM and middleware software products and in turn requires adequate control and protection.
  6. Zap the Zero-Day? - "Zero day attacks" have made the news on a number of occasions in the past 12 months, enough to probably make it a household term, if not a fully understood one.  Zero-day attacks are focused on exploiting vulnerabilities in COTS software that have yet to be patched.  Many home operating systems and installed components (media players, viewers, document and spreadsheet software etc) all have auto-update capabilities, but this assumes that the vendors can provide patches before a vulnerability is exploited.  This may not always be the case, but many vendors are developing systems to reduce the zero-day threat, including the likes of McAfee, which recently announced DeepSafe, an anti-rootkit hardware protection system created in combination with Intel, which recently acquired the business.  Instead of focusing on patch identification and deployment time, maybe 2012 could warrant a new approach to remove the vulnerability in the first place.
