Skip to main content

The Obligatory 2013 Infosec Predictions Post

2012.  Been and gone pretty much, in the blink of an eye.  Well it's lasted pretty much as long as 2011, give or take, but one thing's for sure, it seems information security became more of a big deal.  In my eyes, it always has been a big deal.  Security is a default in my opinion, both in my personal and professional life.  I fail safe when it comes to processes or technical changes.  I believe security is essential, not only for an individual team, system, person or organisation level, but also from an industry and society perspective too.

The Year That's Been

The biggest take away for me, seemed to be that non-security people started to take security seriously.  Governments got involved with information security in a big way.  The US had several issues with SOPA, the online piracy act and then turned its attention to cyber war, with several policy discussions and hardening of attitude towards the likes of China and Iran, from a cyber security standpoint.  October saw the release of a damning report against Chinese network component provider Huawei, indicating the organisation posed a significant threat to the US from an intelligence gathering and supply chain disruption perspective.

The UK got involved too, announcing an investment of £650 million to be spent over 4 years on cyber security research, in partnership with some of the UK's top universities.

'Big Data' again grabbed the headlines at most of the vendor trade shows, with products focusing on data aggregation and advanced intelligence and analytics.  Information-centric security response, has become a talking point, with the focus on centralised SIEM and logging solutions being combined with identity and behaviour profiling systems, in order to create a more contextual view of potential threats.  The concept is interesting, but again, reactive.  Organisations are generating vast amounts of data across all pillars, not just security, and finding even the smallest crumb of competitive advantage within the data mountain is now seen as the holy grail.

From a consumer perspective, the topic which consistently caught my attention was the rise of mobile malware, especially concerning smartphones on the Android operating system.  The significant rise of Android handsets, simply means an attacker has a greater potential revenue pool to tap into, if a malware app was successful.  The rise of dialers, texters and spambots landing on Android devices, seems to be an expected tidal wave in the coming months.

So What's Ahead?

I'm not one for big predictions at all.  Technology in general, evolves so quickly, that 12 weeks is an age when it comes to new ideas, iterative development and market changes - and security is no different.  However, the main areas I will personally be following with interest though, will be the BYOD/BYOA, personnel, preemptive security and social intelligence areas.

BYOD / BYOA

Bring Your Own Device is a bit 2009, but is now starting to infiltrate into many organisations infosec plans, with several on a version 2.0 implementation strategy.  The sheer rise in consumer ownership, of the laptops-in-your-hand style of phones, makes leveraging their capability a cost effective and beneficial internal marketing strategy by many companies.  As more and more employees shout for the use of iPad like applications and user interfaces, organisations ultimately have to listen.  The biggest concern is obviously security.  BYOA (..your own application) is a variation on a theme and I will be looking to see how organisations implement approaches surrounding personal and business data separation, the development and distribution of internally built apps and the logistical and legal implications.

Security Personnel Shortages

2012 saw many independent and non-for-profit research papers being released on the continual shortage of information security professionals.  The reports indicated, that the infosec industry will create at least 2 million more jobs within the space due to market demand.  The upward trend, is seemingly being driven by more complex architectures such as cloud adoption and BYOD, as well as an increasing focus on compliance.  It will be interesting to see, whether there is in fact a shortage of good quality information security professionals, or simply issues within the hiring process, where organisations are unable to articulate and map the skills they require.  The salary trends in both the US and Europe will be interesting reading, as will the number of qualified security professionals, especially covering the defaults such as CISSP, CISM, CISA and CEH.

Preemptive Security

Preemptive security has always been a big interest area for me.  Many products in the market today are often focused on the reactive.  Analysis tools, post incident investigation and even areas that look to stop the bad stuff from happening could be deemed to reactionary.  I have always argued for a longer term shift for security to be more embedded, as a default and preemptive.  Areas such as security-by-default operating systems, as recently announced by Kaspersky, or white-listing, push security to an implicit position as a default.  Instead of trying to develop an infinite number of signatures to stop a piece of malware or an insider attack pattern, instead, stop everything, unless it's known to be good.  Windows 8 for example, in its attempts at boosting security, include a boot-loader feature which stops the OS from loading if tampering has been identified due the use of file hashing.

Social Intelligence & Data Aggregation

Back in September, Google acquired anti-malware start-up VirusTotal.  It didn't seem to set the airwaves fluttering, but it caught my eye for several reasons.  VirusTotal is an aggregation system, for file and URL scanning.  They sit in front of several of the top anti-virus providers and provide a free service either via HTTP or an API, so you can either scan a file natively, or ping over a hash and check whether that file or URL has been involved in any skirmishes.  Not very revolutionary, but the focus on aggregation and as-a-service is a powerful notion.  Price comparison use a similar approach (air tickets, electronics, insurance) and the application of this approach to more security related arenas is welcome, especially with a general focus on big is better (aka big data) and how processing vast amounts of alerts/vulnerabilities/signatures is key.

@SimonMoffatt

Popular posts from this blog

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

The Role of Identity Management in the GDPR

Unless you have been living in a darkened room for a long time, you will know the countdown for the EU's General Data Protection Regulation is dramatically coming to a head.  May 2018 is when the regulation really takes hold, and organisations are fast in the act on putting plans, processes and personnel in place, in order to comply.

Whilst many organisations are looking at employing a Data Privacy Officer (DPO), reading through all the legalese and developing data analytics and tagging processes, many need to embrace and understand the requirements with how their consumer identity and access management platform can and should be used in this new regulatory setting.

My intention in this blog, isn't to list every single article and what they mean - there are plenty of other sites that can help with that.  I want to really highlight, some of the more identity related components of the GDPR and what needs to be done.

Personal Data On the the personal data front, more and more org…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.