Infosec Professional 2012 Review

This is the 2012 Infosec Professional review, containing all the articles and interviews from the past 12 months.  It's been a fascinating year from an information security perspective, with some eye-watering data breaches, great conferences and innovative new products coming to market.  A thank you to all who spent some time being interviewed and giving their comments on the industry - some great chats and thought provoking comments. 



Cyber Security




The Obligatory 2013 Infosec Predictions Post

2012.  Been and gone pretty much, in the blink of an eye.  Well, it lasted about as long as 2011, give or take, but one thing's for sure: information security became more of a big deal.  In my eyes it always has been.  Security is a default in my opinion, both in my personal and professional life: I fail safe when it comes to processes or technical changes.  I believe security is essential, not only at the individual team, system, person or organisation level, but from an industry and society perspective too.

The Year That's Been

The biggest takeaway for me was that non-security people started to take security seriously.  Governments got involved with information security in a big way.  The US had several issues with SOPA, the Stop Online Piracy Act, and then turned its attention to cyber war, with several policy discussions and a hardening of attitude towards the likes of China and Iran from a cyber security standpoint.  October saw the release of a damning congressional report on Chinese network equipment vendor Huawei, indicating that the organisation posed a significant threat to the US from an intelligence gathering and supply chain disruption perspective.

The UK got involved too, announcing £650 million of investment over four years in cyber security, including research partnerships with some of the UK's top universities.

'Big Data' again grabbed the headlines at most of the vendor trade shows, with products focusing on data aggregation and advanced intelligence and analytics.  Information-centric security response has become a talking point, with centralised SIEM and logging solutions being combined with identity and behaviour profiling systems to create a more contextual view of potential threats.  The concept is interesting but, again, reactive: it tells you what happened after the event.  Organisations are generating vast amounts of data across all pillars, not just security, and finding even the smallest crumb of competitive advantage within the data mountain is now seen as the holy grail.

From a consumer perspective, the topic which consistently caught my attention was the rise of mobile malware, especially on the Android operating system.  The significant rise in Android handset numbers simply means an attacker has a greater potential revenue pool to tap into if a malicious app succeeds.  Premium-rate diallers, SMS senders and spambots landing on Android devices look like the expected tidal wave in the coming months.

So What's Ahead?

I'm not one for big predictions at all.  Technology in general evolves so quickly that 12 weeks is an age when it comes to new ideas, iterative development and market changes, and security is no different.  However, the main areas I will personally be following with interest are BYOD/BYOA, personnel, preemptive security and social intelligence.


Bring Your Own Device is a bit 2009, but it is now starting to infiltrate many organisations' infosec plans, with several on a version 2.0 implementation strategy.  The sheer rise in consumer ownership of laptops-in-your-hand style phones makes leveraging their capability a cost effective and beneficial internal marketing strategy for many companies.  As more and more employees shout for iPad-like applications and user interfaces, organisations ultimately have to listen.  The biggest concern is obviously security.  BYOA (Bring Your Own Application) is a variation on the theme, and I will be watching how organisations approach the separation of personal and business data, the development and distribution of internally built apps, and the logistical and legal implications.

Security Personnel Shortages

2012 saw many independent and not-for-profit research papers released on the continual shortage of information security professionals.  The reports indicated that the infosec industry will create at least 2 million more jobs due to market demand.  The upward trend is seemingly being driven by more complex architectures such as cloud adoption and BYOD, as well as an increasing focus on compliance.  It will be interesting to see whether there is in fact a shortage of good quality information security professionals, or simply issues within the hiring process, where organisations are unable to articulate and map the skills they require.  The salary trends in both the US and Europe will make interesting reading, as will the number of qualified security professionals, especially those holding the default certifications such as CISSP, CISM, CISA and CEH.

Preemptive Security

Preemptive security has always been a big interest area for me.  Many products in the market today are focused on the reactive.  Analysis tools, post-incident investigation and even areas that look to stop the bad stuff from happening could be deemed too reactionary.  I have always argued for a longer term shift for security to be more embedded, as a default and preemptive.  Areas such as the secure-by-default operating system recently announced by Kaspersky, or application whitelisting, push security to an implicit, default position.  Instead of trying to develop an infinite number of signatures to stop each piece of malware or insider attack pattern, stop everything unless it is known to be good.  Windows 8, for example, in its attempts at boosting security, supports UEFI Secure Boot, which refuses to load boot components whose digital signatures do not verify, so a tampered boot loader stops the OS from starting rather than silently running.

Social Intelligence & Data Aggregation

Back in September, Google acquired anti-malware start-up VirusTotal.  It didn't seem to set the airwaves fluttering, but it caught my eye for several reasons.  VirusTotal is an aggregation system for file and URL scanning.  It sits in front of dozens of anti-virus engines and provides a free service via the web interface or an API, so you can either upload a file for scanning, or send over its hash and check whether that file or URL has previously been flagged, without ever sending the content itself.  Not very revolutionary, but the focus on aggregation and as-a-service is a powerful notion.  Price comparison sites use a similar approach (air tickets, electronics, insurance), and applying it to security is welcome, especially given the general belief that bigger is better (aka big data) and that processing vast amounts of alerts, vulnerabilities and signatures is key.
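As an added example (my own illustration, not code from the original post, nor from VirusTotal or any vendor mentioned here), the following Python puts two ideas from the last two sections side by side: the default-deny allowlist from the preemptive security section, and the hash-based lookup model VirusTotal exposes, where you send a file's SHA-256 rather than the file. The approved-hash allowlist, the sample files and the per-engine verdict table are all constructed for the example; a real deployment would populate the allowlist from signed build artefacts or a software inventory, and would send the hash to an aggregation service instead of consulting a local dict.

```python
"""Default-deny by file hash, beside the reactive signature-lookup model.

Added illustration, not code from the original post or from VirusTotal.
The approved-hash allowlist, the sample files and the per-engine verdict
table are constructed for the example.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: SHA-256 of each binary the organisation has approved.
# Anything absent is denied, whether or not anyone has ever seen it before.
APPROVED = {
    sha256_hex(b"#!/bin/sh\necho approved-tool\n"): "approved-tool v1.0",
}

# Constructed stand-in for an aggregated reputation service keyed by hash:
# each entry maps a SHA-256 to per-engine detection names (None = clean).
# A real lookup would send only this hash, never the file, to the service.
REPUTATION = {
    sha256_hex(b"MZ\x90\x00evil-dropper"): {
        "engine-a": "Trojan.Generic", "engine-b": None, "engine-c": "Dropper.X",
    },
}


def allowlist_decision(data: bytes):
    """Preemptive model: run only what is known good. Returns (decision, reason)."""
    digest = sha256_hex(data)
    if digest in APPROVED:
        return "allow", APPROVED[digest]
    return "deny", "hash not on allowlist"


def reputation_by_hash(digest: str):
    """Aggregate engine verdicts for a hash: (detections, engines_consulted, names)."""
    verdicts = REPUTATION.get(digest, {})
    names = [name for name in verdicts.values() if name]
    return len(names), len(verdicts), names


def blocklist_decision(data: bytes, threshold: int = 1):
    """Reactive model for contrast: deny only what at least `threshold` engines flagged."""
    hits, engines, names = reputation_by_hash(sha256_hex(data))
    if hits >= threshold:
        return "deny", f"{hits}/{engines} engines: {', '.join(names)}"
    return "allow", "no detections (or never seen by any engine)"


def evaluate(samples: dict) -> dict:
    """Run both policies over {name: bytes} and return {name: {policy: decision}}."""
    return {
        name: {
            "allowlist": allowlist_decision(data)[0],
            "blocklist": blocklist_decision(data)[0],
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    SAMPLES = {  # constructed inputs
        "approved":  b"#!/bin/sh\necho approved-tool\n",
        "known-bad": b"MZ\x90\x00evil-dropper",
        "unknown":   b"MZ\x90\x00never-seen-before",
    }
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:10} allowlist={result['allowlist']:5} blocklist={result['blocklist']}")
```

The third sample is the interesting row: a file no engine has ever seen passes the signature-style check (nothing flagged it) but is refused by the allowlist, which is precisely the gap that "stop everything unless it is known to be good" closes. The cost of the allowlist model is operational rather than technical: the approved set has to be maintained as software changes, which is where most whitelisting deployments struggle.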


Do Better Technical Controls Increase People Focused Attacks?

Technical controls are often the default security response for many organisations.  When I refer to technical controls there is obviously a people element, from a design and implementation perspective, but ultimately the control is a piece of hardware or software.  For example, cryptographic algorithms have continued to evolve over the last 40 years to the point where they are computationally secure and can be used at scale without major concern.  PKI and other crypto infrastructures are often too focused on the algorithms, hardware security module usage and other technical touch points, rather than on people-related process and awareness.  It is all very well having an industry standard algorithm, but it becomes far less useful if a user doesn't protect the unencrypted payload at rest, or lets it linger in temporary files or memory where it can be recovered.

Casually listing the default security controls for many organisations, most are in fact software or hardware: antivirus, firewalls, intrusion detection systems, encryption, data loss prevention systems and security information and event monitoring (SIEM) solutions.  The focus is on faster, stronger or cheaper software or hardware technology.

People as an attack vector

People play a critical role in the security landscape of an organisation.  From those designing and implementing controls under a chief information security officer or security ops team, right through to non-IT individuals, all can be seen as a potential attack vector and therefore a threat to an organisation's information assets.
System accounts are created for individuals.  Staff have physical security badges and proximity cards.  Audit trails are linked to real people (or should be).

More than one way to skin a cat

The last 24 months have seen a significant rise in the number of external or cyber related attacks.  Whether these attacks were advanced persistent threats using advanced evasion techniques or simple "hacktivist" style approaches, they would almost certainly have used an internal account to gain unauthorised access.  That account is likely to have already existed, to have had permissions (or enough to start a privilege escalation process), and may well be assigned to a real person rather than a service or system account.
However, to obtain an initial password, an attacker will choose the simplest and most cost effective (in time and money) method of entry.  If a user's complex password or passphrase is hashed with a per-user salt and a computationally secure algorithm, giving, say, 400 years of brute force protection, why bother attempting to crack it when you can use more subtle methods?
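To make the arithmetic behind "400 years of brute force protection" concrete, here is an added Python example (mine, not the article's) of a salted, iterated password hash using PBKDF2-HMAC-SHA256 from the standard library, with a helper that estimates how long exhausting the keyspace would take. The iteration count, the assumed attacker rate of 10 billion raw SHA-256 operations per second and the example passwords are assumptions chosen for the illustration, not figures from the article.

```python
"""Salted, iterated password hashing, and why cracking it is a poor deal.

Added illustration, not code from the original article. The iteration
count, the assumed attacker hash rate and the example passwords are
assumptions chosen for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; tune so one verify takes ~0.1 s on your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn unless one is supplied (tests pass a fixed
    salt for determinism). The salt means two users with the same password
    get different hashes, so one cracked guess cannot be reused across users.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def brute_force_years(length: int, alphabet_size: int,
                      hashes_per_second: float, iterations: int = ITERATIONS) -> float:
    """Expected years to search half the keyspace for one account.

    Every guess costs `iterations` hash computations, so the work factor
    multiplies the attacker's cost directly; the per-user salt means that
    cost is paid again for every account rather than once per password.
    """
    expected_guesses = (alphabet_size ** length) / 2
    seconds = expected_guesses * iterations / hashes_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify ok :", verify_password("correct horse battery staple", stored))
    print("verify bad:", verify_password("correct horse battery stapler", stored))
    rate = 1e10  # assumed raw SHA-256 rate for a well-resourced attacker
    for length, alphabet in ((8, 26), (12, 94)):
        print(f"{length} chars from {alphabet} symbols: "
              f"{brute_force_years(length, alphabet, rate, 1):.2g} years at 1 iteration, "
              f"{brute_force_years(length, alphabet, rate):.2g} years at {ITERATIONS} iterations")
```

The estimate shows both halves of the article's point. An 8-character lowercase password falls in seconds at one iteration and in weeks at 200,000, while a 12-character password from the full printable set is out of reach at any realistic rate; and none of that matters if the user hands the password to a convincing phishing page, which is why the attacker goes round the control rather than through it.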

Increase in social engineering

People are undoubtedly the biggest threat to, and the biggest asset in, an organisation's security posture.  Social engineering is a more direct approach to exposing real security assets such as passwords, processes, keys and so on.  Via subtle manipulation, carefully planned framing and scenario attacks, through to friending and spear phishing, people are increasingly becoming the main target, as technology is seen as becoming more secure and more expensive to crack.

Information Security: Why Bother?

I have heard this sentiment, perhaps not put quite as bluntly, on several occasions over the last few years when working with clients and engineers on security related projects. My role has typically been to help embed a particular piece of security software, or to introduce a piece of consultancy or business process that would improve the organisation's security posture.

The question, often raised as a bargaining tool, usually runs: 'well, I understand what you propose and I know it will increase the security of scenario X, but why should I do it?'. In honesty, it is a good question. Organisations have finite budgets which must cover all of IT and related services, and it is fair to expect to have to show, via tangible or intangible RoI, that a piece of software or consultancy will have a beneficial impact on the organisation as a whole.

Justification and SRoI

Return on Investment (RoI), or Security Return on Investment (SRoI), is clearly a useful tool for proving that a particular security related project will benefit an organisation. An organisation will often already have a sense that the project will break even quickly before it even starts looking at service and software providers to implement it. During the business case and feasibility study phase, a basic high level SRoI can be used to decide whether initiating the project is actually worthwhile.

The main drivers for many security initiatives have been external factors. I call them external because they are generally reactionary and do not originate from the overall strategy of the business: compliance requirements, or responses to previous security attacks or data breaches. If these factors didn't exist, would those security projects and budgets be allocated?

Security as a default

Unfortunately, the answer may be no, hence the thoughts prompted by this article's title. Security is often not seen as essential to the business strategy, whether from a delivery, efficiency or cost savings perspective. It is something the organisation feels it has to do. "If we don't sort the access control process out, we'll get fined". "If we get hacked again and lose more customer records, our reputation will be unrecoverable". Sound familiar?

Security as a default option is probably some way off the agenda for many enterprise IT strategists. The fail-safe option is costly, complex and evolving. The emergence of the CISO role is a great step forward in bringing security awareness to the overall business strategy. Whilst currently that role is really focused on completing the 'must have' security practices, over time it may evolve to allow security to become the default: default within the software development lifecycle, within new business processes, within employee attitudes and so on.

Making this happen will take a careful balance: showing the tangible and intangible benefits of a better security posture, without restricting business or employee agility.