
DOWNTURN THREATS

Computer Fraud & Security, January 2010, p. 8

Threats in a downturn

A threat is just a threat

A threat is the means by which damage might be done and, as such, most threats don’t cause any trouble. Through a combination of mitigating action (such as security controls), education (such as awareness) and pure luck, they become benign and, sometimes, forgotten. It is only when business impact occurs that the true nature of the threat is revealed.

For threats that we know about, we can plan a way to defend against them through controls and awareness, but for new threats that we don’t yet know about, we can only rely on pure luck to protect us.

The threat horizon series of reports uses the ISF global membership to debate and identify possible threats that could cause business impact in a two year timeframe. The two year time frame was chosen to reflect that, particularly when a defensive control is part of the organisational infrastructure (such as network security gateways), the lead time to put such defences in place for a multinational organisation is often several years.

The impact of the recession

In looking at the threats for the two year period spanning 2009-2011, it became apparent that some of the threats seemed to be more immediate, and that signs of business impact associated with what were thought to be future threats, were becoming apparent. So what happened? It appears that the impact of the recession brings future threats much closer.

A recession opens up new opportunities for fraudsters and criminals. Staff worried about their jobs are likely to be less loyal to an organisation; more temporary jobs create opportunities for criminal gangs to get their people behind the firewall and to send back valuable identity information; and less budget for the security departments means that there are more holes in an organisation’s defences.

As job numbers fall, fewer staff doing more work equals more stress, and stressed people tend to make more mistakes. Human error has consistently featured as the top threat identified by ISF members for the past ten years and, in a recession, this is likely to remain the case.

The recession also changes the business assumptions. Organisations operating on thin margins are unlikely to be able to survive a ten million pound security incident, which they could have shrugged off last year. This time it may take them under.

The recession, then, changes the threat landscape and shortens the threat horizon. Information security professionals will need to make a conscious decision on how to respond with static or diminishing resources (eg people, cash and technology) and re-assess their approaches on a more regular basis than in the past.

Some of the 2010 threat headlines

ISF member organisations across the globe debated the threats of the future based on a macro-economic model of the world of the future. Ten key threats were identified as requiring prompt examination and mitigation. Here are some of them:

A golden time for crime

Organised crime will increase its attacks on both organisations and individuals. The sophistication and scope of attacks are expected to rise, and governments may be targeted much more often than in the past. As external threats rise, so will the threat from the insider.


Crimeware as a service

The future may be a golden time for organised crime and associated cybercrime activities. Criminal syndicates will develop ever more sophisticated malware, such as viruses and Trojans, in terms of coding and impact. Most malware will be sold on a commercial basis, with guarantees including non-detection by commercial anti-malware software and full helpdesk support, the so-called ‘crimeware as a service’ model. Criminal gangs will also offer an increasing range of services, such as DDoS attacks, botnet rental, specialised malware creation and electronic money laundering.

Attacks will range from crude 419-type spam to a sophisticated combination of social engineering, malware and data harvesting. Finally, attacks will become more targeted, with techniques such as whaling (targeting high net worth individuals) and attacks tailored to individual organisations.

Andy Jones, principal consultant, Information Security Forum

Having visibility of threats that are likely to arise in the future is a long-held dream, and one that is even more important in the present economic climate. Such insight would allow organisations to take informed, timely action to mitigate risks, help them justify investments, and change their stance from reactive to proactive. Predicting the future is, however, an inexact science and anticipating how threats will change over time is a complex undertaking that requires a combination of practical knowledge, analytical skill and intuition.


Attacks by disgruntled employees

The downturn will dramatically affect employees’ pay, job security and promotion prospects. In such a climate, employees may well turn against their employers and commit acts of fraud, theft or sabotage. Fraudulent attacks may include submitting false expense claims and using forged documents. More complex frauds may include fictional invoicing, inflated pricing, asset or loan misstatement, money laundering and embezzlement, where employees manipulate information to falsify records and thus cover their tracks.

Infiltration of organisations

There is evidence that organised crime syndicates will either recruit employees or pay for people to receive university-level education in IT and then place those people into an organisation. These moles or sleepers will gather information about the organisation, to either identify the right targets or bypass defences; these will presage a new, more sophisticated set of attacks. Other moles will be placed to steal product information, deliberately introduce vulnerabilities or malware whilst programming or working in IT or information security and provide the information necessary for a successful external attack (eg targets, passwords, user accounts or detailed technical information).

Infrastructure creaks and fails

The downturn is likely to affect investment in infrastructure over the coming years. At the national level, this may result in planned updates to electricity, telecommunications, and other utility networks being deferred. At an organisational level, planned hardware, software, and security control implementations and upgrades may be cancelled. Projects to build resilience may also be affected, as organisations struggle to understand the return on investment and to raise the necessary finance. Reduced funding may also impact initiatives to modernise or protect SCADA (Supervisory Control and Data Acquisition) systems, providing multiple points of attack and failure.

Complexity and integration

Infrastructures (including IT, supply chain and utility) will become much more complex, with many different nodes and end points. For an organisation, the challenges will include providing an infrastructure capable of handling many more connections from multiple devices; maintaining, upgrading and patching multiple mobile devices; integrating the various infrastructures across the supply chain to provide a seamless backbone for the production and movement of goods and services; and protecting global infrastructures from attack from many different threats, including malware, denial of service and physical disruption.

Increase in zero-day attacks

Zero-day exploits will be created regularly by reverse engineering patches. Combined with new malware, exploits will take advantage of the ‘window of vulnerability’ to attack unpatched devices or insert malware such as key-loggers or screen-grabbers onto servers and end point devices, including smartphones.

Mobile malware steps up a gear

Mobile devices, especially smartphones, are becoming extremely capable data storage and processing end points. As innovations such as ‘electronic wallets’, contactless always-on networking and IP services are widely adopted, these devices and the information stored on them will become ever more valuable and vulnerable.

New operating system and application malware

The range of devices that can be attacked by malware will increase; popular mobile operating systems will be targeted, along with the plug-in applications (eg web browsing, email) that these support. New vectors for the spread of malware will be used, such as downloadable extensions to mobile device functionality, as well as text messaging and the internet. Attacks will range from making the phone automatically dial or text premium rate phone numbers owned by the criminal, who thus receives payment for each call, to attacking electronic wallets embedded on the phone. In addition, there is likely to be a consolidation of operating systems, making vulnerability scanning and exploitation attacks much easier.

Exploitation of new communication protocols

Attacks against devices using short-range network protocols will increase. Malware will be created to exploit the ‘always on’ connectivity of these devices, vulnerabilities in the various networking protocols used, and the devices’ increasing ability to connect to the internet. VoIP, currently being implemented by both individuals and corporates, will be targeted by cyber criminals to engage in voice fraud, data theft, and other scams (eg spam over internet telephony, SPIT). Denial of service, remote code execution and botnets all apply to VoIP networks, and are likely to be significant threats in the future.


Attacks against mobile-stored data

As mobile devices store increasing amounts of personal, financial and commercial information, they will become targets for physical and logical theft – both for the data on the device and the authentication information stored on it.

Organisations will have to deploy controls similar to those on laptops (eg encryption, malware protection software and personal firewalls) to protect corporate assets, assuming they are available for the device. Whether devices can support these overheads and carry out their various functions at the same time has yet to be determined.

The sky is falling

Threats tend to come, rather than go. We spend money and effort on mitigating threats and... nothing happens – no business impact. In fact, for information security this represents success! However, selling a solution which results in nothing is quite difficult, and the business case for information security has always been hard to establish. The temptation is, then, to paint a picture of doom, with ever more dangerous and imaginative threats looming on the horizon, and yet in the absence of tangible damage, this picture fades quite quickly.

Distinguishing between truly dangerous threats where mitigation is a priority and those threats that can be left in the imagination is organisationally specific and reliant on the skill of the information security professional. But, by having a view of a likely set of future threats derived from a global peer group, a more informed and timely approach to future risk mitigation can be taken.

About the author

The Information Security Forum is an independent, not-for-profit association of some 300 leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in information security and developing best practice methodologies, processes and solutions that meet the business needs of its members. www.securityforum.org

Secrets are in the eye of the beholder

Wendy Goucher

Staff who handle information covered by the Data Protection Act will, hopefully, be aware of their responsibilities under it. However, that is information about customers and staff. It is not, generally, what is meant by corporate data. It is not the information that is at the heart of what the business is about, which should, even so, be perceived as relevant and important to staff. So why is corporate data considered somebody else’s problem, and what can we do about it?

When thinking about why so many have this blind spot it helps, I think, to start at the beginning and accept that some staff would not recognise a corporate secret if they saw it. No, really, why should they? From the wisdom of Adam Smith and the days of FW Taylor and Henry Ford we have separated work into discrete specialist areas.

We have encouraged people to know much about their own area and to have some knowledge and appreciation of neighbouring functional areas – but not so much that they will move or, as the civil service used to call it when a minister started identifying with their department, ‘go native’, and thereby lose sight of their own departmental perspective.

“When a group of people form a strong bond of friendship and support, they arrive at an understanding about a lot of things including what is meant by the term ‘secret’ or ‘confidential’”

Someone from the research and development department of a large corporation might be working on a new range that aims to gain market share from significant competitors. Hopefully, they will understand the sensitive nature of their work and why it must be protected. But someone from the accounts department, who found a sheet with designs on it on a table in the canteen, might not see any harm in chatting about that with their colleagues or even family. What harm can it do?

Show me the money

A few years ago, a famous Scottish bank was launching a new design for its £5 banknote celebrating 250 years of the Royal and Ancient course at St Andrews. The marketing, or PR department, I’m not sure which, was in contact with a golfing magazine with the aim of getting a good article placed to publicise the launch. It sent the magazine a high quality ‘jpg’ copy of the design of the note.

At this time it was standard practice to issue pictures with the word “Proof” embedded, in order to try and stop the picture being used to give potential

Wendy Goucher, Security Empowerment Consultant, Idrach Ltd.

Back in October, at the ISSE conference at The Hague, Adobe’s Jim King said that 98% of office staff did not see the protection of corporate data as their problem, his source being a survey his organisation had carried out. Even allowing for inaccuracies of various types, that is a scary result.