InfoSec End of Year Review - 2011 into 2012

The end of the year is coming - the goose is getting fat, the gritters are ready (some maybe even with salt...) and the supermarket 2-for-1 offers on mince pies are overwhelming.  As such, I thought it would be a good time to reflect on the main areas of interest in information security during 2011, and on what 2012 might bring - the 'new' threats, or the possible realisation of the old ones - all before we lose ourselves in the midst of Christmas parties, over-eating and the warmth of a log fire.

  1. Everyone is Aiming for the Sky (or at least the clouds) - Now past the hype phase, many organisations are dipping their corporate toes into outsourced, online provisioning of infrastructure, applications and services.  This emphasis on outsourced components raises many questions surrounding data privacy in multi-tenanted environments, supplier auditing, 'Chinese wall' considerations and SLA management.  Any organisation considering a cloud provider should pay close attention to the contracts involved and identify key stakeholder responsibilities, demarcation points (who is accountable for which controls) and credential checking of the provider's own staff.  These factors will continue into 2012 and beyond as many organisations look to cut their IT cost base by using cloud services.
  2. If it moves (it's mobile), attack it! - Mobile phones are no longer just phones.  They're 'smart', sometimes super-smart, providing 'laptop in a pocket' capabilities.  Work email, document editing and PDF viewing are all now possible on a device that can easily be lost or stolen.  Many organisations also allow BYOD (Bring Your Own Device), which may appear to save the initial capital outlay but ultimately brings the risk of excessive device-management costs in the long run.  A main failure of many organisations at present is the lack of a clear mobile security policy that is documented and distributed; this is a key area of focus for both corporate and personally owned devices.  On a practical level, anti-virus applications for mobile platforms are now more common and should continue to extend their mobile support in 2012, and all current devices support a PIN lock - which should be enforced as a PIN of at least six digits that is not made up of a single repeated digit.  Remote wipe is also now standard, either via the network provider or via 3rd party apps, and should be considered for corporate use.
  3. Star Wars becomes Cyberwars - Almost 30 years ago, 'Star Wars' was the nickname for the US's main defence programme, a missile shield spanning the globe - including Europe.  Whilst a version of that is still being implemented - much to the displeasure of Russia - a new type of warfare is developing: cyberwar.  Online attacks aimed not only at corporate and individual users, but also at governments, public utilities and military installations, all came to public attention in 2011.  APTs (Advanced Persistent Threats) have become the latest buzzword, with the likes of Stuxnet in 2010 and Duqu in 2011 proving that cyber-attacks are no longer committed with a single piece of malware, but with complex, multi-component, well-engineered software sufficiently advanced to attack SCADA (Supervisory Control and Data Acquisition) systems as well as public-facing devices.
  4. Governments get Geeky - Cyber-security and digital protection have taken on a significant presence in government defence strategy in the last year.  The UK recently announced a new Cyber Security Strategy, backed by £650m over a 4-year period, to help improve governmental protection and business awareness of cyber-threats and attacks.  In 2009, the US created the new position of Cyber Security Co-ordinator, held initially by Howard Schmidt, placing cyber-awareness right at the heart of the Obama administration.  Both the UK and the US will look to drive home the message that they are 'safe' to do online business with for 2012 and beyond.
  5. Social Networking becomes Socially Engineered - Facebook announced in 2011 that it had reached 800m members, with over half using the service daily to communicate with friends and family.  Alongside the likes of Twitter, LinkedIn and Google+, organisations now also have an outlet to extend their corporate reach and brand.  Whilst this can bring a new and more direct approach to consumer awareness, it also brings risk: rapid proliferation of brand damage, bad reviews, fake accounts and so on.  The use of social media also needs controlling internally, from both a personal-usage perspective and an outbound-marketing one; both require well-documented and distributed policies.  Social networking has now become a standard use case for many CRM and middleware products and in turn requires adequate control and protection.
  6. Zap the Zero-Day? - "Zero-day attacks" have made the news on a number of occasions in the past 12 months, probably enough to make the phrase a household term, if not a fully understood one.  Zero-day attacks exploit vulnerabilities in COTS software for which no patch yet exists - the vendor has had 'zero days' to respond.  Many home operating systems and installed components (media players, viewers, document and spreadsheet software, etc.) have auto-update capabilities, but auto-update only helps once the vendor has shipped a fix; it assumes the patch arrives before the vulnerability is exploited, which is not always the case.  Some vendors are developing systems to reduce the zero-day threat, including McAfee, which recently announced DeepSafe, a hardware-assisted anti-rootkit protection system created in combination with Intel, which recently acquired the business.  Instead of focusing on patch identification and deployment time, maybe 2012 could warrant a new approach that removes the vulnerability in the first place.
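The PIN advice in item 2 (at least six digits, not a single repeated digit) is easy to state and easy to get wrong when it comes to enforcement, because a length check alone still admits 123456 and 121212. The following is an added example, not code from the original post: a small device-PIN policy check that rejects the obvious weak shapes (too short, non-numeric, one repeated digit, an arithmetic run such as 123456 or 987654, a short repeated pattern such as 121212, and a blocklist of commonly guessed PINs). The blocklist contents are a constructed assumption for illustration, not a statistic from the post.

```python
"""Device-PIN policy check (added example, not from the original post)."""
from typing import Optional

# Constructed blocklist of PINs that are commonly guessed first. This is an
# assumption for illustration; a real deployment would use a larger list.
COMMON_PINS = {"123456", "654321", "111111", "000000", "123123", "112233"}


def pin_weakness(pin: str, min_len: int = 6) -> Optional[str]:
    """Return the reason a PIN is rejected, or None if it passes policy."""
    if not pin.isdigit():
        return "PIN must contain digits only"
    if len(pin) < min_len:
        return f"PIN must be at least {min_len} digits"
    # A single repeated digit (111111, 000000) is the weakest allowed shape.
    if len(set(pin)) == 1:
        return "PIN must not be a single repeated digit"
    # Constant step between neighbouring digits (mod 10) catches ascending and
    # descending runs such as 123456, 987654 and also 135791.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if len(steps) == 1:
        return "PIN must not be an arithmetic sequence"
    # A short block repeated to fill the PIN, e.g. 121212 or 123123.
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            return "PIN must not repeat a short pattern"
    if pin in COMMON_PINS:
        return "PIN is on the blocklist"
    return None


def pin_is_acceptable(pin: str, min_len: int = 6) -> bool:
    """Boolean wrapper for use in an enrolment or policy-compliance check."""
    return pin_weakness(pin, min_len) is None


if __name__ == "__main__":
    # Constructed sample PINs covering each rejection rule plus one that passes.
    for candidate in ["1234", "12a456", "111111", "123456", "121212",
                      "112233", "739152"]:
        print(candidate, "->", pin_weakness(candidate) or "accepted")
```

The checks are ordered from cheapest to most specific so the first reason reported is the most fundamental one; the arithmetic-run rule works modulo 10 so that runs which wrap past 9 (789012) are caught as well.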