THREAT HORIZON 2017 - Information Security Forum...2013/01/08  · emerge that will “exploit the...

THREAT HORIZON 2017: Dangers accelerate


Threat Horizon 2017

PUBLISHED BY: Information Security Forum Limited
Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: [email protected]
Web: www.securityforum.org

PROJECT TEAM: Dave Clemente (Lead), Victoria Melvin (Contributor)

EDITORIAL REVIEW: Steve Thorne, Andrew Schuster

DESIGN: Kim Whyte, Ross Mackenzie

WARNING: This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct. If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected]. Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited. This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

CLASSIFICATION: Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.

REFERENCE: ISF 15 02 01
Copyright © 2015 Information Security Forum Limited. All rights reserved.


CONTENTS

INTRODUCTION 5

THEME 1: DISRUPTION DIVIDES AND CONQUERS 7
1.1 Supercharged connectivity overwhelms defences 8
1.2 Crime syndicates take a quantum leap 10
1.3 Tech rejectionists cause chaos 12

THEME 2: COMPLEXITY CONCEALS FRAGILITY 14
2.1 Dependence on critical infrastructure becomes dangerous 15
2.2 Systemic vulnerabilities are weaponised 17
2.3 Legacy technology crumbles 19
2.4 Death from disruption to digital services 21

THEME 3: COMPLACENCY BITES BACK 23
3.1 Global consolidation endangers competition and security 24
3.2 Impact of data breaches increases dramatically 26

CONCLUSIONS AND NEXT STEPS 28

Appendix A: Revisiting predictions from 2015 and 2016 30
Appendix B: ISF Threat Radar 36
Appendix C: Methodology 38
Acknowledgements 39


INTRODUCTION

The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organisations. To assist each ISF Member organisation to identify specific actions in this fast-moving space, this Threat Horizon report identifies nine emergent threats that organisations can expect to face in the period up to and including 2017. To assist with communication and understanding, the threats are grouped under three themes:

• Disruption divides and conquers – innovation is bringing new opportunities for business, but also malicious actors that seek to disrupt operations.

• Complexity conceals fragility – a cyberspace congested with people and devices is becoming more complex, exposing the fragility of the underlying infrastructure.

• Complacency bites back – organisations are too complacent, paying insufficient attention to threats concealed by international borders.

Members should note that Threat Horizon is written for a wide readership. In particular, it should resonate with business leaders who will be able to understand the threats and the potential business impacts. Consequently, each Member is advised to share and discuss the report widely across their organisation (as well as its separate four-page Executive summary). An approach for getting the best from this report can be found on the next page.

THE 2017 THREATS AND THEIR IMPACTS

As with other reports in the ISF’s Threat Horizon series, the ISF provides predictions that balance today’s realities with those that push the boundaries of current thinking. Consequently, while it is unlikely that all the predictions it contains will materialise, we are confident they are all within the realm of possibility and thus merit serious consideration.

However, it is unlikely that the nine threats represent every threat an organisation may face: vigilance is necessary to spot new or sector-specific threats as they appear. Consideration should also be given to those threats that have evolved and endured from previous ISF Threat Horizon reports. Furthermore, Members should bear in mind the potential for threats to influence and interact with one another, in the process shaping and aggravating both short- and long-term impacts.

Each threat in the main body of the report describes possible business impacts using the Impact Categories from the ISF’s Information Risk Assessment Methodology, IRAM2. The categories are shown below along with examples of the potential consequences.

Impact Category: Examples of potential business impact

Financial: Unmet financial goals and budgets (such as loss of sales), direct financial loss or profit reduction, fines and penalties, reduced share price

Operational: Reduction or loss of business management’s ability to effectively govern or operate the organisation, reduction or loss of competitive advantage

Legal and regulatory compliance: Loss of confidence from regulators, sanctions or restrictions on practices

Reputational: Negative publicity, customer complaints, loss of confidence by key stakeholders, loss of customers

Health and safety: Discomfort, injury or loss of life to one or more individuals

Adopting this approach should promote the use of a common language across all information risk management endeavours.


HOW TO USE THIS REPORT

Members should consider adopting a structured approach to gain the maximum benefit from this report. While each organisation is likely to face their own specific circumstances, consideration should be given to adopting the following steps to identify a way forward.

The ISF encourages Members to share their experiences with deploying Threat Horizon on ISF Live and to consult the same source to study the success stories of others.

Step | Considerations

1. Become familiar with the threat landscape

• Nine threats for 2017

• 2015 and 2016 threats in Appendix A

• Other ISF reports and credible sources of information

2. Adapt Threat Horizon to the organisational environment

• Specific threats for sector(s) and geographies

• Modifications to Threat Horizon for the organisation

• ISF Threat Radar in Appendix B

3. Identify and engage key stakeholders

• Influential individuals and groups needed to drive action

• Compelling arguments for each stakeholder audience

• Specific responses to individual threats

4. Make an action plan for this year, the next year and the future

• Changes required to business critical systems

• Updates to cyber resilience strategy

• Commitment and resources

Be prepared to revisit earlier steps as the threat landscape changes


The capacity for disruptive innovation is an esteemed quality among technology entrepreneurs, but they are not the only ones with the ability to exploit the advantages of digital technologies. Hackers and organised criminals will hone their capabilities and attacks, hiding their online activity in a flood of data and conquering organisational defences. Regular and increasingly large disruptions will begin to tear at the technical, social, political and economic fabric of the Internet, creating new divisions. In response to mounting risks, organisations will need to fundamentally re-assess their resilience strategies.

The widespread availability of super-fast gigabit connectivity will deliver a vast increase in data volume and velocity to malicious agents. This will supercharge both new and emerging threats and enable hackers to develop sophisticated ‘killer apps’ that overwhelm the defences of organisations around the globe.1 Organisations that do not strengthen their defences will be harmed by the severity of these external assaults.

Crime syndicates will align commercially and diversify their enterprises, seeking profits from moving more of their activities online. They will base their operations where political and law enforcement structures are weak and malleable, and where they can conduct their activities relatively undisturbed. This will force domestic organisations to adapt their security strategies and fortify their internal business operations.

‘Tech rejectionists’ will rise around the world in protest against the negative impacts of technology-enabled globalisation. With the right mix of social and political factors, the discontent will combust, leading to widespread and violent unrest. The resulting chaos will disrupt businesses and supply chains, and force countries to reconsider the balance between technological progress and long-established social and economic equilibriums.

Fortunately, organisational and technological entrepreneurs will be fighting back against the disruption and division. New defensive innovations will emerge. The challenge will be responding quickly and investing in the right mix of people, process and technology.

THEME 1: DISRUPTION DIVIDES AND CONQUERS


1 S. Shankland, “Moore’s Law: The rule that really matters in tech”, CNet, 15 October 2012, www.cnet.com/news/moores-law-the-rule-that-really-matters-in-tech/


2 J. Brodkin, “Gigabit DSL (with a fiber boost) to hit market next year”, Ars Technica, 5 December 2014, http://arstechnica.com/information-technology/2014/12/gigabit-dsl-with-a-fiber-boost-to-hit-market-next-year/

3 L. Rainie, J. Anderson, and J. Connolly, “Killer Apps in the Gigabit Age”, Pew Research Center, 9 October 2014, p. 4, www.pewinternet.org/files/2014/10/PIP_KillerAppsinGigabitAge_100914.pdf

4 Ookla, “Global Broadband Household Download Index”, accessed 10 January 2015, www.netindex.com/download/allcountries/

1.1 SUPERCHARGED CONNECTIVITY OVERWHELMS DEFENCES

WHY DOES THIS THREAT MATTER?

Reasonably-priced gigabit connectivity will become widely available to supply the growing demands of devices and users, providing speeds up to 100 times faster than current services in most countries.2 This will be a dramatic leap forward, similar to the move from dial-up to broadband, increasing both data volume and velocity and providing new business opportunities. As billions of devices are connected, there will be more ‘data in flight’ that must be managed. Conventional malicious use will increase rapidly, resulting in cascading failures between sectors. It will enable new and previously impracticable avenues for destructive activity online, increasing financial and reputational liabilities and overwhelming traditional defences.

RATIONALE

While the political, social and economic implications are not fully clear, gigabit connectivity represents a significant overnight leap forward. This will enable the ‘Internet of Things’ and a new class of applications to emerge that will “exploit the combination of big data, GPS location, weather, personal-health monitoring devices, industrial production and much more. Gigabit bandwidth is one of the few real ‘build it and they will come’ moments for new killer apps”.3 Connectivity will be so cheap and prevalent that sensors will be embedded everywhere, increasing the flood of data and creating an ecosystem of embedded devices that are nearly impossible to secure. High bandwidth services that are impractical today will become the expected norm as download speeds increase exponentially, emphasised in Figure 1.1.

When combined with the steady growth of processing power and storage, this increased connectivity will allow malicious actors to launch new attacks that will be both lucrative and difficult to detect. Businesses will struggle to keep up with these attacks, and law enforcement and the legal profession will continue to lag behind the development and deployment of the criminal versions of ‘killer apps’.


Figure 1.1 - Google Fiber compared to average global consumer download speeds (December 2014)4


5 L. Rainie, J. Anderson, and J. Connolly, “Killer Apps in the Gigabit Age”, Pew Research Center, 9 October 2014, p. 9, www.pewinternet.org/files/2014/10/PIP_KillerAppsinGigabitAge_100914.pdf

6 S. Ó hÉigeartaigh, “Would you hand over a moral decision to a machine? Why not? Moral outsourcing and Artificial Intelligence”, University of Oxford Practical Ethics Blog, http://blog.practicalethics.ox.ac.uk/2013/08/would-you-hand-over-a-moral-decision-to-a-machine-why-not-moral-outsourcing-and-artificial-intelligence/

7 Symantec, “Transformational ‘smart cities’: cyber security and resilience”, 2013, http://eu-smartcities.eu/sites/all/files/blog/files/Transformational%20Smart%20Cities%20-%20Symantec%20Executive%20Report.pdf

RECOMMENDATIONS AND TIPS

It is deceptively easy to focus on the opportunities of high-speed connectivity. However, business leaders must also respond to emerging challenges. Priorities include:

• Conduct robust resilience and business continuity planning, and update security policies.

• Work with critical suppliers to ensure they have business continuity plans in place.

• Verify Internet Service Providers have a strategy to deal with large-scale DDOS attacks.

• Ensure that intrusion detection systems are rigorously maintained and calibrated correctly.

• Identify and assess risks from embedded devices.

While not all malicious uses of gigabit connectivity will be new, many that were previously impractical “will finally work well enough if given high enough bandwidth”.5 This includes hackers using more powerful public and private cloud services to easily crack passwords or to steal large volumes of data more quickly, leaving them to later mine the data at their leisure. Advances in artificial intelligence will result in more opportunities for ‘moral outsourcing’, where human decisions (e.g. military or financial) are delegated to highly connected systems, with the result that accidents happen and only an algorithm can be held liable.6 Infrastructure in smart cities will be targeted by botnets and DDOS attacks for a variety of geopolitical or financial motivations.7 Given such high levels of connectivity, the cascading effects will be felt swiftly throughout all major sectors. For example, transportation could be disrupted by attacks on energy or finance infrastructure.

For an organisation, the potential impact on finances and reputation will be significant and often overlooked until it is too late. Those reliant on supply chains will be forced to invest in additional security measures and systematically identify the situations where human intervention is a necessity or a liability, and where they need to fully automate their intrusion detection and response capabilities. While this may be feasible financially, timescales and technology updates will result in many organisations taking last-minute action and hoping for the best, rather than being prepared for the future.

ISF RESOURCES: IRAM2; Supply Chain Assurance Framework; Federated Identity and Access Management

Impact Category: Financial, Operational

Examples of potential business impact:

• Loss of revenue from severe delays to the introduction of new products and services.

• Loss of information due to hackers hiding malicious activity in gigabit traffic.

• Increased exposure to attack while risk assessment, assurance and compliance processes are adapted to cope with this leap in technology.

• Disruption to critical business systems from cyberattacks by botnets with significantly greater size, scale and power.


WHY DOES THIS THREAT MATTER?

Criminal organisations will become more sophisticated, mature internally and migrate their activities online at greater pace. They will develop complex hierarchies, partnerships and collaborations that mimic large private sector organisations. This will facilitate their diversification into new markets and the commoditisation of their activities at a global level. Some of these organisations will have roots in existing criminal structures (e.g. the Mafia or Yakuza), while others will be new and focused purely on cybercrime. Organisations will struggle to keep pace with this increased sophistication. The effects will be felt around the globe.

RATIONALE

Cybercrime is “a high growth market that hasn’t begun to realize what the total addressable market is”.9 By 2017 this will change. Cyber criminals will exploit legal and jurisdictional loopholes and partner with traditional organised crime to find safe havens around the globe. These criminal syndicates, both new and old, will begin to resemble large multinational organisations and their ways of working – partnerships, collaborations, supply chains and competitive rivalries. They will also take advantage of a lack of specialised technical knowledge and investigative resources in many governments and law enforcement organisations, and will expand major activities such as malware development, social engineering, payment fraud and child exploitation into new regions, as listed in Figure 1.2 below.

In a criminal marketplace with a global talent pool, professionalisation will encourage specialisation. Different (criminal) business units will focus on what they do best, and strategy development and market segmentation will follow best practice from the (legal) private sector. Malware development will be a prominent example of specialisation, where “teams and companies [...] turn out malware intended to bypass specific security defences, attack specific customers and accomplish specific objectives. And they’re sold on the open market in bidding forums”.11

Their profits will allow crime syndicates to steadily diversify into new markets and fund research and development out of their revenue. Online expansion of criminal syndicates will result in increased ‘espionage as a service’, along with distributed bulletproof hosting providers that sell services and turn a blind eye to the actions of malicious actors.12 Organised criminals will take advantage of the reduced cost of “3D printers, scanners and 3D modelling technology [which], combined with improving capabilities, will make IP theft more accessible”.13


8 R. Grimes, “IT’s 9 biggest security threats”, InfoWorld, 27 August 2012, www.infoworld.com/article/2614957/security/it-s-9-biggest-security-threats.html

9 J. Somaini, “2015 Security Predictions”, Somaini’s Cyber Security Blog, 5 January 2015, http://somaini.net/blog/2015/1/5/2015-security-predictions

10 Europol, “Internet Organised Crime Threat Assessment 2014”, 29 September 2014, chapter 3, www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta

11 Europol, “Internet Organised Crime Threat Assessment 2014”, 29 September 2014, chapter 3, www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta

12 The State of Security, “State Actors, APTs and Espionage-as-a-Service”, 2 May 2013, www.tripwire.com/state-of-security/security-data-protection/state-actors-apts-and-espionage-as-a-service/

13 Gartner, “Gartner Reveals Top Predictions for IT Organizations and Users for 2014 and Beyond”, 8 October 2013, www.gartner.com/newsroom/id/2603215

1.2 CRIME SYNDICATES TAKE A QUANTUM LEAP

Figure 1.2 - Europol - Major cyber crime activities (September 2014)10

Crime syndicates will nurture new talent and cooperate to form a “multilevel, service-oriented industry with the blatant goal of fleecing companies and people out of their money and intellectual property”.8


RECOMMENDATIONS AND TIPS

Organised crime will generate the vast majority of malicious activity. It will become a far more significant challenge for organisations to keep pace with these developments and remain financially viable. However, there are actions that can be taken.

• Identify and prioritise the protection of the critical information assets in the organisation.

• Participate in local or regional cyber threat information-sharing programmes, for example Europol’s European Cyber Crime Centre.15

• Assess options for legal recourse against malicious actors, for example Microsoft’s assertive legal campaign against the operators of the Waledac botnet.16

• Evaluate the costs and benefits of cyber insurance, as a method of transferring the impacts of criminal activity.17

• Invest in recruiting, developing and retaining specialist skills, to maintain parity with increasingly sophisticated criminals.

• Extend cyber security preparedness to encompass business units beyond IT and security, assuring a linkage between individual units and the wider organisational strategy.

Emerging markets will be hit the hardest, particularly where newly connected organisations are novices with online security. This may also occur where the rule of law is weak and political structures are susceptible to co-option or corruption. Cooperation between governments and international organisations such as Interpol will be strained and appear feeble when faced by the challenges of safe havens for criminal organisations.

Legal grey areas, for example what constitutes legitimate offence and defence in cyberspace, will open up new market niches to organised crime. One of the most prominent markets will be for criminal groups who ‘hack back’ on behalf of legitimate organisations and who base their operations in countries with permissive legal environments.14 These groups will leverage ‘jurisdictional arbitrage’ to provide services to companies who have lost valuable data and are frustrated with the inability of law enforcement to cooperate internationally and deter expensive and embarrassing hacking incidents.

Organisations will struggle to cope with the quantum speed and sophistication of attacks and will need to prepare to be targeted 24x7 by multiple assailants.

14 C. Timberg, E. Nakashima, and D. Douglas-Gabriel, “Cyberattacks trigger talk of ‘hacking back’”, The Washington Post, 9 October 2014, www.washingtonpost.com/business/technology/cyberattacks-trigger-talk-of-hacking-back/2014/10/09/6f0b7a24-4f02-11e4-8c24-487e92bc997b_story.html

15 Europol European Cybercrime Centre (EC3), www.europol.europa.eu/content/megamenu/european-cybercrime-centre-ec3-1837

16 A. Stevenson, “Microsoft Trustworthy Computing tour: Company takes hard line on cybercrime”, V3.co.uk, 22 June 2012, www.v3.co.uk/v3-uk/analysis/2186333/microsoft-trustworthy-computing-tour-company-takes-hard-line-cyber-crime

17 B. Kenealy, “Catastrophe modelers developing cyber risk technologies to assess exposures”, Business Insurance, 4 January 2015, www.businessinsurance.com/article/20150104/NEWS07/301049978?tags=|299|303|335

ISF RESOURCES: Maturity Models; The Standard of Good Practice 2014; Cyber Insurance Briefing Paper

Impact Category: Financial, Operational, Legal and regulatory compliance, Reputational

Examples of potential business impact:

• Increased security budgets to maintain defences against crime syndicates.

• Disruption to critical business systems from a shortage of the specialised skills necessary to keep pace with cyber-criminals.

• Information loss from criminals operating in countries or regions beyond the reach of effective law enforcement mechanisms.

• Restrictions by governments on how an organisation may retaliate.

• Long-term damage as governments struggle to devise timely and comprehensive regulatory responses.

• Diversion of scarce resources to ensure reputation remains undamaged after one or more organised attacks.


Figure 1.3 - Estimated economic costs from major social and environmental disruptions21

WHY DOES THIS THREAT MATTER?

In response to record levels of socio-economic inequality, widespread social unrest will break out in countries around the world, led by ‘tech rejectionists’. Discontent will be motivated by uncertainty and confusion and inflamed by job losses and displacement due to globalisation and automation. Rejectionists will dismiss the benefits of technology-enabled globalisation, pointing instead at the social and economic costs shouldered by those who are not among the economic elite. They will express themselves through protests, boycotts, strikes and violence, causing significant disruption to local and regional economies. Organisations with supply chains and investments in the affected regions will be caught in this chaos and forced to respond at short notice in order to avoid financial and reputational exposure.

RATIONALE

In technology-rich countries, it may be presumed that technological progress benefits everyone. However, while advances may occur, they disrupt long-established social and economic equilibriums, including labour relations, wage agreements, and talent acquisition and retention. Jobs will be displaced increasingly by technology-enabled changes, for example off-shoring or re-shoring in sectors such as manufacturing.

It will be increasingly accurate to say that “some human skills are more valuable than ever, even in an age of incredibly powerful and capable digital technologies. But other skills have become worthless, and people who hold the wrong ones now find that they have little to offer employers. They’re losing the race against the machine.”18 These losses will begin in advanced economies, confirming the prediction that, by 2020, “the labour reduction effect of digitalization will cause social unrest and a quest for new economic models in several mature economies”.19

In response, tech rejectionists will rise up against relentless technological advances that displace workers and intensify the ‘digital divide’ between those that are digitally literate and those that are not. Their goal will not be to eradicate digital technology, but to challenge the assumption that it automatically leads to progress. They will expand their ranks by forming alliances of convenience with those who embrace technology, but wish for it to be more socially and environmentally conscious. The irony is they will not be able to fully realise their goals without the use of technology to mobilise effectively and spread their message.

Unrest will also emerge in technology-poor regions as a result of technology-enabled globalisation. Strikes, protests and violence will disrupt tightly coupled supply chains and produce cascading effects. This will be comparable, for example, to disruptions experienced by the technology and automotive manufacturing industries in the aftermath of the 2011 floods in Thailand or to cities around the world during the Occupy protests, making business continuity planning a high priority.20


18 E. Brynjolfsson and A. McAfee, “Race Against The Machine: How The Digital Revolution Is Accelerating Innovation, Driving Productivity, and Irreversibly Transforming Employment and The Economy”, The MIT Center for Digital Business, January 2012, http://ebusiness.mit.edu/research/Briefs/Brynjolfsson_McAfee_Race_Against_the_Machine.pdf

19 Gartner, “Gartner Reveals Top Predictions for IT Organizations and Users for 2014 and Beyond”, 8 October 2013, www.gartner.com/newsroom/id/2603215

20 J. Yang, “Worst Thai Floods in 50 Years Hit Apple, Toyota Supply Chain”, Bloomberg, 21 October 2011, www.bloomberg.com/news/2011-10-20/worst-thai-floods-in-50-years-hit-apple-toyota-supply-chains.html

21 A. Censky, “Japan earthquake could cost $309 billion”, CNN Money, 23 March 2011, http://money.cnn.com/2011/03/23/news/international/japan_earthquake_cost/; Swiss Re, “Achieving a viable approach to flood insurance in Thailand”, March 2013, www.swissre.com/reinsurance/insurers/property_specialty/Achieving_a_viable_approach_to_flood_insurance_in_Thailand_anz.html; V. Dodd, “Cost of English riots much higher than first thought, Met police report suggests”, The Guardian, 24 October 2011, www.theguardian.com/uk/2011/oct/24/england-riots-cost-police-report; BBC News Business, “Hong Kong protests may cost retailers HK$2bn says ANZ bank”, BBC, 3 October 2014, http://www.bbc.co.uk/news/business-29470815

1.3 TECH REJECTIONISTS CAUSE CHAOS


Organisations that are highly dependent on supply chains will be caught in the chaos caused by tech rejectionists. They will struggle to cope with this unpredictable and volatile environment or to extricate themselves from the affected region.


RECOMMENDATIONS AND TIPS

It is important for an organisation to develop robust business continuity plans which include close communication with suppliers and flexible and safe working arrangements for staff. Priorities include:

• Assess the social and economic footprint of the organisation, in order to identify areas where it could be targeted.

• Develop new strategies for social and economic responsibility in countries where the organisation does business and its workforce lives.

• Develop business continuity plans that consider and mitigate social and economic disruption to countries with critical suppliers.

• Conduct threat assessments that consider socio-economic factors as well as more familiar information security factors such as network security.

• Review risks to account for chaos and disruption to critical suppliers caused by tech rejectionists.

ISF RESOURCES

Cyber Security Strategies

Supply Chain Assurance Framework

Risk Appetite and Risk Acceptance Briefing Paper

IRAM2

Impact category: Examples of potential business impact

Financial
• Loss of sales from unavailable products and services while sourcing alternative suppliers.

Operational
• Damage and disruption to systems and operations from being caught in unrest.

Reputational
• Damaged brand if perceived to be unsupportive of socially sustainable ‘use of technology’ policies.
• Negative publicity from the political, social and economic impacts of withdrawing operations from volatile areas.


Digital networks will continue to grow in complexity. More organisations in more sectors will invest heavily in Internet technologies that deliver their business strategies and enable market growth. More individuals will be connected, consuming online content and using the services that are available. Increasing network complexity will be a feature, not a bug, of the global digital ecosystem.

The relationship between critical infrastructure (including communications, emergency services, energy, financial services, food, health, transport and water) and digital connectivity will become a concern for governments and other sectors.22 They will be exposed to attacks and accidents that require significant resources and time to address. Regulators will scrutinise critical infrastructure and the extent to which it is dangerously exposed, forcing remedial actions when necessary.

Organisations around the world will be increasingly dependent on homogenous and widely distributed software and hardware – ‘technology monocultures’ – that transmit the effects of an attack or accident at a speed and scale that was previously impossible.23 When vulnerabilities in these monocultures are weaponised, it will result in economic damage and a loss of public confidence in digital products and services. When this occurs, organisations will be forced to shift investment toward technological resilience, sacrificing service innovation and growth for operational efficiency.

As digital connectivity within and amongst organisations grows, they will be forced to deal with a backlog of fragile legacy infrastructure scattered throughout business units. Legacy infrastructure will increasingly include more recent technologies, as rapid development cycles and version releases accelerate the process of obsolescence. Organisations will have to prioritise costly technology modernisation projects, sacrificing earnings and efficiencies regained since the financial crisis.

The disruption of digital systems will result in publicly verifiable deaths. These will result from accidents and attacks on digital systems that are connected to physical systems, e.g. connected cars or building environment management. As a result, commercial liability risks will increase significantly and organisations will be forced to respond with robust security measures and improved public relations. For advanced digital economies, the psychological impact will be disproportionately high relative to deaths from more familiar causes.

Organisations will not be passive. They will realise that their investments in resilience are inadequate. However, with the compounding complexity, they will have to constantly re-assess risks in light of changing threats and the fragility of their security infrastructure.

THEME 2: COMPLEXITY CONCEALS FRAGILITY


22 D. Clemente, “Cyber Security and Global Interdependence: What Is Critical?”, Chatham House, February 2013, p. 1, www.chathamhouse.org/sites/files/chathamhouse/public/Research/International%20Security/0213pr_cyber.pdf

23 F. Sheldon, S. Batsell, S. Prowell, and M. Langston, “Position Statement: Methodology to Support Dependable Survivable Cyber-Secure Infrastructures”, Proceedings of the 38th Hawaii International Conference on System Sciences, 2005, www.csm.ornl.gov/~sheldon/public/SheldonFT-HICSS38v9c.pdf


WHY DOES THIS THREAT MATTER?

Following several large cascading failures, hidden dependencies on digitally connected critical infrastructure will become transparent. Ageing, poorly maintained and highly complex infrastructure will be exposed as internal systems are shown to be accessible from the public Internet.24 Infrastructure on which whole societies depend will be subjected to attacks and accidents that require significant resources and time to remediate. This will force governments and regulators to take a much closer look at critical infrastructure and the extent to which it is dangerously exposed. Many organisations will be caught unprepared for both the attacks and new regulations. As a consequence, they will be forced to update their resilience and invest in technology transformation programmes.

RATIONALE

The practice of connecting critical infrastructure sectors to each other over the Internet is long overdue for reassessment. The impact of incidents will be felt across a variety of sectors, but in finance, transport and energy it will be the most far-reaching and systemic (i.e. these are the sectors that all others depend upon). The challenges of managing complex interdependent systems will increase along with the risks of cascading failures when something goes wrong in infrastructure such as the Global Positioning System (GPS) or transnational energy distribution networks.26 In 2011 the US Department of Homeland Security “surveyed 15 critical infrastructure sectors and found GPS was essential to 11 of them, although it took many months to reach that conclusion”.27 By 2017 this situation will not have improved, but the costs of failure will have increased.

Attacks for financial gain will become more lucrative, for example manipulation of share prices by spreading false market-moving information. In the worst case a financial crisis could result from a cyber attack on the financial sector, or an accident that is mistakenly believed to be an attack (with political misunderstanding resulting in counter-attacks and significant collateral damage).28 One example comes from April 2013, when hackers used the Associated Press Twitter account to falsely report an attack on the White House, sending stock markets down 1 percent within seconds. This ‘flash crash’ undermined public confidence and briefly wiped $136 billion USD off the Dow Jones before markets recovered, as shown in Figure 2.1.

2.1 DEPENDENCE ON CRITICAL INFRASTRUCTURE BECOMES DANGEROUS

24 R. King, “Cyberattack on German Iron Plant Causes ‘Widespread Damage’: Report”, The Wall Street Journal, 18 December 2014, http://blogs.wsj.com/cio/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/

25 UK Centre for the Protection of National Infrastructure, “The national infrastructure”, www.cpni.gov.uk/about/cni/

26 GPS World staff, “Massive GPS Jamming Attack by North Korea”, GPS World, 8 May 2012, http://gpsworld.com/massive-gps-jamming-attack-by-north-korea/

27 C. Evans-Pughe, “GPS vulnerability to hacking”, Engineering and Technology Magazine, 15 April 2011, http://eandt.theiet.org/magazine/2011/04/gps-vulnerabilities.cfm

28 BBC News Business, “Japan stocks rattled by $617bn ‘fat finger’ trading error”, BBC, 2 October 2014, www.bbc.co.uk/news/business-29454265; K. Rushton, “Cyber-criminals could spark next financial crisis”, The Telegraph, 10 December 2014, http://cyberfpn.advisen.com/fpnHomepagep.shtml?resource_id=226387115-119700337#top

29 E. Lee, “Associated Press Twitter Account Hacked in Market-Moving Attack”, Bloomberg, 24 April 2013, www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html

Figure 2.1 - Twitter hack “flash crash” (April 23, 2013)29


Critical infrastructure sectors, particularly at the national level, have been defined as government, communications, emergency services, energy, financial services, food, health, transport and water.25


Many elements of critical infrastructure contain industrial control systems that rely on proprietary software or are otherwise dependent on security through obscurity, but this will offer little protection when they are connected to the Internet.30 In these environments it will become common to have mission-critical devices “that are now connected and accessible, that are frequently unmanaged, un-patchable, yet connected to both the Internet and other vulnerable systems,” which reveals an “underlying trend of exposing control systems to opportune hackers, criminals and even terrorists”.31 For many organisations this exposure will create risks that result in additional costs related to compliance and resilience.

Because of the recent economic climate, many organisations that are part of the critical infrastructure delayed economic investment and slowed the process of improving infrastructure security. When disruption occurs, these organisations will discover they have neglected options for redundancy, for example, by not investing in backup communication channels. They will also discover that efficiency gains have eliminated their options for reversion, for example, because legacy knowledge and infrastructure no longer exists.

In the short-term, organisations will respond by revisiting overdue technology transformation programmes, which are subsequently rushed through budgeting and procurement processes. In the long-term, renewed emphasis will need to be placed on resilience as a way to mitigate the effects of disruption to critical infrastructure.

RECOMMENDATIONS AND TIPS

Organisations that own or operate critical infrastructure will be required to increase regulatory transparency and invest in security measures. Potential actions include:

Update business continuity plans and conduct regular scenario planning and simulations.

Increase operational resilience by identifying and securing connected devices and sensors, particularly in mission-critical systems.

Assess the impact of disruption to infrastructure that is important, but may not be categorised as critical by most governments, for example cloud services or web search engines.

ISF RESOURCES

30 PwC, “Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015”, 30 September 2014, www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf

31 PC Magazine, “10 Scariest Hack Attacks From Black Hat 2014”, 14 August 2014, http://uk.pcmag.com/software/34913/gallery/10-scariest-hack-attacks-from-black-hat-2014

Cyber Security Strategies

The Standard of Good Practice 2014

You Could Be Next

Impact category: Examples of potential business impact

Financial
• Loss of those customers who are unaware that incidents arising from unreliable national infrastructure are outside the organisation’s control.

Legal and regulatory compliance
• Unplanned expenditure from the need to comply quickly with new regulation.

Reputational
• Erosion to reputation from a public perception of being unable to deliver a quality service.

Operational
• Disruption to operations and production from compromised industrial control systems (e.g. those controlling factories or building access).
• Inability to service customers until dependency on key infrastructure (e.g. GPS) is circumvented during an incident.
• Delayed production and deliveries.
• Unreliable command and control mechanisms.


WHY DOES THIS THREAT MATTER?

Targeted exploitation of widely distributed and homogenous technologies will occur frequently. This will have implications for the normal functioning of the Internet and the wider global economy. The Cambridge Centre for Risk Studies notes how “software systems of individual technology companies underpin a large proportion of the cyber economy”.32 Malicious actors will weaponise systemic vulnerabilities in this ‘technology monoculture’, threatening the integrity of Internet infrastructure. Targets include government, critical infrastructure and other organisations of interest for economic and political reasons. This will force organisations to both invest in resilience and re-evaluate their technology strategies.

RATIONALE

A global technology monoculture is creeping into organisations and their supply chains, driven by efficiencies and by the reassurance of buying from a supplier with an established reputation, as illustrated with Oracle in Figure 2.2. Social, economic and political reliance on digital connectivity will continue to expand into all areas of daily life, along with the potential for damage when systemic vulnerabilities in monocultures are uncovered and exploited. These vulnerabilities are similar to those experienced with Heartbleed and Shellshock (2014), where millions of servers and websites were found to be exposed.33 They also include weaknesses in core systems, such as Internet traffic routing (e.g. the Kaminsky DNS flaw in 2008) and online identity authentication (e.g. the DigiNotar certificate authority compromise in 2011).34 Vulnerabilities in widely used software could cause disruption that would impact many major sectors.

2.2 SYSTEMIC VULNERABILITIES ARE WEAPONISED

32 Cambridge Centre for Risk Studies, “Cyber Catastrophe: Defining a Risk Test Scenario for managing the business risks posed by cyber threats”, University of Cambridge, 16 December 2014, slide 20, http://www.risk.jbs.cam.ac.uk/news/events/other/2014/141216_riskbriefing_cybercatastropherisk.html

33 B. Schneier, “Heartbleed”, Schneier on Security, 9 April 2014, www.schneier.com/blog/archives/2014/04/heartbleed.html, BBC News Technology, “Web attacks build on Shellshock bug”, BBC, 26 September 2014, www.bbc.co.uk/news/technology-29375636

34 K. Zetter, “Kaminsky on How He Discovered DNS Flaw and More”, Wired, 22 July 2008, www.wired.com/2008/07/kaminsky-on-how/, D. Fisher, “Final report on Diginotar hack shows total compromise of CA servers”, threatpost, 31 October 2012, http://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170, K. McCarthy, “ICANN HACKED: Intruders poke around global DNS innards”, The Register, 17 December 2014, www.theregister.co.uk/2014/12/17/icann_hacked_admin_access_to_zone_files/

35 M. Tuveson and S. Ruffle, “Diversity is the way to avoid cyber collapse”, Financial Times, 27 April 2014, www.ft.com/cms/s/0/7fc4e282-bfcf-11e3-b6e8-00144feabdc0.html, www.theactuary.com/features/2014/12/cyber-catastrophe/

36 D. Geer, “We Are All Intelligence Officers Now”, RSA Conference, 28 February 2014, http://geer.tinho.net/geer.rsa.28ii14.txt

Figure 2.2 - Oracle as a technology monoculture35

As the online environment becomes more complex and volatile and less predictable for businesses, governments and individuals, the integrity of core systems is called into question. In addition, these core systems are often reliant on software with inherent flaws, or on software that was properly written but is being used in ways that were never intended.

“Above some threshold of system complexity, it is no longer possible to test, it is only possible to react to emergent behaviour”.36


Software vulnerabilities will persist for years. One example is the Heartbleed bug, which allowed attackers to compromise the encryption keys of systems protected by flawed versions of OpenSSL software. OpenSSL is an open source software library which is appealing for many companies due to permissive licensing agreements.37 It is found in software that is specifically procured, as well as software that is hidden in embedded systems.38 While this software is often available for scrutiny by security professionals, lack of time and human resources means that it receives far less attention than it should.

When a vulnerability in a technology monoculture is exploited, the damage will be disastrous. More than half a million websites were vulnerable to Heartbleed, and there are undoubtedly similar bugs waiting to be discovered and disclosed. Organised criminals, hackers and governments will turn these vulnerabilities into weapons. The systemic nature of vulnerabilities like Heartbleed makes remediation a significant operational challenge. It is lengthy and resource-intensive: the half-life of a vulnerability (i.e. the time interval for reducing its occurrence across the estate by half) is often measured in months, and patching is never complete.39

A vulnerability that is highly diffuse can be considered a common-mode failure, such as “a design fault that causes redundant copies of the same software process to fail under identical conditions”.40 One example of this would be a vulnerability that affects all versions of Apple’s iOS or one that allows hackers to attack and ‘brick’ (i.e. render useless) all routers from a particular manufacturer.

This digital dependence on technology monocultures will increase over time. In response to weaponisation of this systemic vulnerability, organisations will sacrifice innovation and shift investment from research and development to strengthening their technological resilience.

RECOMMENDATIONS AND TIPS

Organisations must be prepared to assess and respond swiftly to systemic vulnerabilities. Recommendations include:

Broaden risk assessment beyond traditional organisational boundaries to identify dependencies on widely used technologies and suppliers.

Re-evaluate organisational technology strategy with the aim of increasing resilience.

Ensure purchasing agreements with technology suppliers contain robust contingency plans and specific response mechanisms.

Update organisational response plans, including public relations, to account for systemic vulnerabilities that can be weaponised.

Supply Chain Assurance Framework

IRAM2

ISF RESOURCES

37 Open Source Initiative, “About Open Source Licenses”, http://opensource.org/licenses

38 B. Schneier, “Security Risks of Embedded Systems”, Schneier on Security, 9 January 2014, www.schneier.com/blog/archives/2014/01/security_risks_9.html

39 B. Niester, “Patching Progress in the Enterprise and How to Expedite It”, Qualys, 10 June 2010, slide 6, http://help.unc.edu/help/patching-progress-in-the-enterprise-and-how-to-expedite-it/

40 D. Geer, “Heartbleed as Metaphor”, Lawfare, 21 April 2014, www.lawfareblog.com/2014/04/heartbleed-as-metaphor/

Information Security Strategy

Impact category: Examples of potential business impact

Operational
• Reduced or unavailable customer service as a result of long response times from affected technology suppliers.
• Disruption to production and services as suppliers shift resources to respond to attacks.
• Loss of business-critical information as widespread vulnerabilities are exploited at surprising speed.


WHY DOES THIS THREAT MATTER?

Organisations will continue to prolong the life of their ageing and unsupported hardware and software in an attempt to delay the costs of expensive technology transformation programmes. This legacy technology will be scattered throughout the organisation and include mainframes, portable devices, embedded sensors and other technology that is even more obscure. Even new technology will age more swiftly than suspected, as rapid development cycles and version releases accelerate obsolescence. As digital connectivity inside and between organisations grows, legacy technology will be further exposed to attackers and a greater likelihood of accidents, resulting in damage exceeding anything that has come before. This will prompt a re-evaluation of ageing technology, particularly where maintenance is increasingly cost prohibitive.41 Modernisation will be required to replace backlogs of legacy technology. The challenge will be to keep pace.

RATIONALE

Over time, technology estates have aged and now include “outdated computer systems, programming languages or application software that are used instead of available upgraded versions”.43 One quarter of worldwide desktops were using Windows XP when support was discontinued (April 2014), and 95 per cent of the world’s 2.2 million ATMs continue to run on XP even though it has been superseded many times.44 This has added to the backlog of legacy systems that will have to be recognised and addressed in the near future.

Ageing and unsupported systems increasingly have the capability to be connected to each other, both internally and externally, and to the public Internet. As organisations become more digitally connected, the fragility of legacy technology will become apparent, leading to damaging accidents and attacks.

Legacy systems in numerous sectors, including energy, transport and telecommunications, will decay and fall prey to technical glitches, a dwindling supply of specialised skills and malicious hackers. These factors will result in dramatic incidents that exploit “vulnerabilities in widely used, but unsupported, software like Java 6 and Windows XP”.46

The financial sector, for example, relies on “obsolete legacy IT, surrounded by an ever-increasing plethora of newer systems to give consumers the impression that the banking systems are fit for purpose in our Internet and smartphone world”.47

2.3 LEGACY TECHNOLOGY CRUMBLES

41 D. Drinkwater, “German iron plant hit by APT attack”, SC Magazine, 19 December 2014, www.scmagazineuk.com/german-iron-plant-hit-by-apt-attack/article/389236/

42 J. Evans, “Why Is Yahoo Still So Bad At The Basics?”, TechCrunch, 20 December 2014, http://techcrunch.com/2014/12/20/why-is-yahoo-still-so-bad-at-the-basics/

43 C. Janssen, “Legacy System”, Techopedia, www.techopedia.com/definition/635/legacy-system

44 M. Smith, “Twice as many desktops still running Windows XP than Windows 8, 8.1 combined”, Network World, 2 April 2014, www.networkworld.com/article/2226663/microsoft-subnet/twice-as-many-desktops-still-running-windows-xp-than-windows-8--8-1-combined.html

45 F. Richter, “End Of Support Changes Little About Windows XP’s Popularity”, Statista, 3 June 2014, www.statista.com/chart/2322/market-share-of-desktop-operating-systems/

46 Trend Micro, “Blurring Boundaries: Trend Micro Security Predictions for 2014 and Beyond”, 9 December 2013, www.trendmicro.co.uk/cloud-content/us/pdfs/security-intelligence/reports/rpt-trend-micro-security-predictions-for-2014-and-beyond.pdf

47 K. Flinders, “IT problems hit RBS and NatWest customers again”, ComputerWeekly.com, 3 December 2013, www.computerweekly.com/news/2240210304/IT-problems-hit-RBS-and-NatWest-customers-again

Figure 2.3 - Windows XP worldwide desktop market share (May 2014)45

“Technology is increasingly at the core of every major company. Eventually they will face the choice Yahoo! did a decade ago: explicitly embrace being a technology company, and ride the tsunami … or try to reject it, and, eventually, capsize.”42


Legacy issues are prevalent and rarely discussed because they fail to capture the imagination like cyber warfare; however, they have a more tangible impact on an organisation.48 This is particularly true in organisations with multiple legacy applications, where knowledge is scarce but old processes remain. Making one change often has cascading effects on interconnected systems, requiring a myriad of other changes and driving up costs. Even relatively young organisations face these problems, with growth and commercial success taking priority over system upgrades.

Although it may be beneficial in the long term, modernisation is painful, disruptive and expensive in the short term. There is little incentive for management to advocate for change, resulting in a risk-averse mentality towards modernisation. The transformation process is organisationally difficult and there are far more attractive systems that managers can procure and take credit for.49 However, flashy interfaces and new gadgets won’t help when business services suffer serious disruption due to outdated IT infrastructure, as was the case with numerous UK banks over the past few years.50

Technology updates will come too late in organisations where bureaucratic and budgetary inertia is too slow to compete with agile adversaries. Updates will be consistently delayed and when disruption occurs the recovery period will take too long. The problem will not only be restoration of service, but also the simultaneous replacement of old hardware and software. As a result, competitors will have plenty of opportunity to lure dissatisfied customers and the affected organisation will suffer prolonged damage.

RECOMMENDATIONS AND TIPS

As legacy technology crumbles and becomes a liability, organisations will be forced to take action. There are a number of options for mitigating these risks, including:

Identify and assess organisational exposure to legacy technology.

Analyse emerging methods for transferring risk from legacy technology, for example through cyber insurance or new cloud services.51

Update system architecture and plan modernisation, prioritising changes that require immediate and long-term attention.

Identify where specialised legacy skills must be retained and where (and how fast) they can be reduced.
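The 2.2 recommendation to identify dependencies on widely used technologies and suppliers, and the 2.3 recommendation to identify and assess exposure to legacy technology, both reduce to a check over an asset inventory; the patch half-life cited in 2.2 adds a remediation timeline. The Python below is an added example and not ISF material: the inventory, component names, support dates and the 30-day half-life are constructed values.

```python
"""Added example (not from the ISF report): monoculture concentration,
common-mode exposure, unsupported-technology flags and a patch half-life
projection over a small constructed asset inventory."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import math


@dataclass(frozen=True)
class Asset:
    name: str
    component: str                 # shared technology the asset depends on
    version: str
    support_ends: Optional[date]   # None = version still vendor-supported


# Constructed inventory: names, components and dates are illustrative only.
INVENTORY: List[Asset] = [
    Asset("web-01", "tls-library", "1.0.1f", None),
    Asset("web-02", "tls-library", "1.0.1f", None),
    Asset("api-01", "tls-library", "1.0.1g", None),
    Asset("vpn-gw", "tls-library", "1.0.1f", None),
    Asset("mail-01", "tls-library", "1.0.1g", None),
    Asset("branch-pc-01", "desktop-os", "xp-sp3", date(2014, 4, 8)),
    Asset("atm-17", "atm-os", "xp-embedded", date(2016, 1, 12)),
    Asset("edge-router", "router-firmware", "4.2", date(2013, 12, 31)),
    Asset("hr-laptop", "desktop-os", "8.1", None),
    Asset("build-server", "build-tooling", "2.1", None),
]
AS_OF = date(2015, 1, 1)   # constructed assessment date


def concentration(assets: List[Asset]) -> Tuple[Dict[str, float], float]:
    """Share of assets per component and the Herfindahl index (sum of
    squared shares). An index near 1.0 means one component underpins
    almost everything: a technology monoculture."""
    counts = Counter(a.component for a in assets)
    total = len(assets)
    shares = {c: n / total for c, n in counts.items()}
    hhi = sum(s * s for s in shares.values())
    return shares, hhi


def common_mode_exposure(assets: List[Asset], component: str) -> List[str]:
    """Assets that would fail together if `component` carried a systemic
    vulnerability (the common-mode failure described in the report)."""
    return [a.name for a in assets if a.component == component]


def legacy_assets(assets: List[Asset], today: date) -> List[str]:
    """Assets whose component version is past vendor support on `today`."""
    return [a.name for a in assets
            if a.support_ends is not None and a.support_ends < today]


def residual_vulnerable_fraction(half_life_days: float, elapsed_days: float) -> float:
    """Share of the estate still unpatched after `elapsed_days`, assuming
    the vulnerable population halves every `half_life_days`."""
    return 0.5 ** (elapsed_days / half_life_days)


def days_to_reach(half_life_days: float, target_fraction: float) -> float:
    """Days until the unpatched share falls to `target_fraction`."""
    return half_life_days * math.log2(1.0 / target_fraction)


def exposure_report(assets: List[Asset], today: date,
                    half_life_days: float, threshold: float = 0.5) -> dict:
    """Combine the checks into one exposure summary for the risk register."""
    shares, hhi = concentration(assets)
    dominant = max(shares, key=shares.get)
    return {
        "dominant_component": dominant,
        "dominant_share": shares[dominant],
        "hhi": hhi,
        "monoculture_flag": shares[dominant] >= threshold,
        "common_mode_assets": common_mode_exposure(assets, dominant),
        "legacy_assets": legacy_assets(assets, today),
        "unpatched_after_90_days": residual_vulnerable_fraction(half_life_days, 90),
        "days_to_5_percent": days_to_reach(half_life_days, 0.05),
    }


if __name__ == "__main__":
    for key, value in exposure_report(INVENTORY, AS_OF, 30).items():
        print(f"{key}: {value}")
```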

Cyber Insurance Briefing Paper

The Standard of Good Practice 2014

48 T. Rid, “Cyberwar and Peace: Hacking Can Reduce Real-World Violence”, Foreign Affairs, November/December 2013, www.foreignaffairs.com/articles/140160/thomas-rid/cyberwar-and-peace

49 h2index, “Anton Collyer, formerly Head of IT at GSK: The dark side of the IT moon”, 22 October 2012, www.h2index.com/2012/10/anton-collyer-formerly-head-of-it-at-gsk-the-dark-side-of-the-it-moon/

50 H. Wilson, “RBS IT ‘glitch’ leaves bank facing £1bn bill”, The Telegraph, 3 December 2013, www.telegraph.co.uk/finance/newsbysector/banksandfinance/10491846/RBS-IT-glitch-leaves-bank-facing-1bn-bill.html

51 J. Somaini, “The Need of a New Security Model”, Somaini’s Cyber Security Blog, 15 August 2013, http://somaini.net/blog/2013/8/15/the-need-of-a-new-security-model

IRAM2

ISF RESOURCES

Impact category: Examples of potential business impact

Financial
• Costly remediation of skills shortages during both maintenance and operations, and continued system replacements.
• Unplanned and major budget impacts as upgrade options are limited and expensive.

Operational
• Inability to maintain consistent delivery of services and products during extended replacement timescales.
• Disruption to other strategic initiatives when faced with the need to modernise at pace.

Legal and regulatory compliance
• Fines and sanctions set by regulators in response to impact on customers.

Reputational
• Customer backlash from the realisation that the organisation has put service at risk through lack of modernisation.


52 K. Low, “Project 2020 - Preparing Your Organization for Future Cyber Threats, Today”, RSA Conference, 22 July 2014, www.rsaconference.com/events/ap14/agenda/sessions/1429/project-2020-preparing-your-organization-for-future

53 C. Doctorow, “Lockdown”, boingboing, December 2011, http://boingboing.net/2012/01/10/lockdown.html

54 C. Evans-Pughe, “GPS vulnerability to hacking”, Engineering and Technology Magazine, 15 April 2011, http://eandt.theiet.org/magazine/2011/04/gps-vulnerabilities.cfm

55 K. Zetter, “It’s Insanely Easy to Hack Hospital Equipment”, Wired, 25 April 2014, www.wired.com/2014/04/hospital-equipment-vulnerable/

56 S. Freedberg, “‘Cyberwar’ Is Over Hyped: It Ain’t War Til Someone Dies”, Breaking Defense, 10 September 2013, http://breakingdefense.com/2013/09/cyberwar-is-over-hyped-it-aint-war-til-someone-dies/

57 S. Rogers, “Mortality statistics: every cause of death in England and Wales, visualised”, The Guardian, 28 October 2011, www.theguardian.com/news/datablog/2011/oct/28/mortality-statistics-causes-death-england-wales-2010#external

58 E. Avers, “Cyber-related physical damage risk prompts concern, opportunity”, Advisen Cyber Risk Network, 16 January 2015, www.cyberrisknetwork.com/2015/01/16/cyber-related-physical-damage-risk-prompts-concern-opportunity/

WHY DOES THIS THREAT MATTER?

Disruption to digital systems will lead to verifiable human deaths, after a long existence in the realm of science fiction. Most of these deaths will be caused by failures in cyber-physical systems – i.e. systems that have direct physical impact, such as car-to-car communications, process control systems, building environment management and automated pilot avionics.52 For advanced digital economies, the public response will be disproportionate relative to the number of deaths from more common causes, leaving organisations forced to respond.

RATIONALE

Digital systems are pervasive and have crept into many areas of daily life. Levels of dependence are growing steadily with little thought for security. For most countries around the world, levels of exposure to cyber-physical systems are high. While this exposure is often perceived as indirect, in many cases it is more direct than realised.

Some of the first deaths will be caused by accidents with smart and self-guided cars, as well as by degradation of GPS causing fatal disruption to air, naval and ground transport systems.54 These will be followed by hacking of Wi-Fi enabled medical devices and attacks on hospital networks, including life-support devices and surgery suites.55 Hype around ‘cyber deaths’ will grow, and the incidents that came before – low-level hacking, data breaches, even espionage – will seem petty and insignificant by comparison.56 There will be only a handful of deaths initially (as illustrated in Figure 2.4), but they will generate far more attention than conventional causes of mortality. This will make it difficult for organisations to accurately assess cyber-physical risks and plan proportionate responses.

Software liability will become a more public topic of debate. As a result, governments will be pressured to introduce new legislation and regulations along with additional layers of scrutiny and product assurance. Many organisations will discover that physical impact from digital disruption is not covered under their existing insurance policies and insurance companies will respond by developing tools for actuarial analysis of ‘cyber deaths’.58

Figure 2.4 - UK Mortality statistics57

DEATH FROM DISRUPTION TO DIGITAL SERVICES2.4

1 2 3

“ ““We don’t have cars anymore; we have computers we ride in. We don’t have airplanes anymore; we have flying Solaris boxes attached to bucketfuls of industrial control systems”.53


Information Security Forum22 Threat Horizon 2017: Dangers accelerate

‘Cyber deaths’ will result in reputational damage and change customer behaviour by discouraging them from, for example, buying smart cars or using connected medical devices. Organisations will be forced to manage expectations from product users worried about safety and from shareholders concerned about financial implications of new liabilities. The impact will be felt across numerous sectors, including those that design, own or operate vulnerable cyber-physical systems.

As the extent of cyber-physical risk becomes more evident, the information security profession will fundamentally change. It will be forced to broaden its perspective beyond security to embrace the concept of safety, which has been much discussed in the civil nuclear energy and transport sectors for decades.59 This will require security professionals to maintain their expertise in protecting against malicious hacking (i.e. security), while sharpening their skills to protect against accidents or hazards (i.e. safety).60

RECOMMENDATIONS AND TIPS

Death from digital disruption is new and terrifying for many organisations, but there are areas of best practice that remain applicable, including:

• Assess potential liabilities for physical harm occurring as a result of accidental or malicious disruption to connected digital devices.
• Engage with and learn from individuals, organisations and sectors that have more mature approaches to safety.
• Conduct rigorous risk assessments and identify internal and external exposure to cyber-physical systems.
• Update crisis response mechanisms to cope with disruption to digital systems.
• Review insurance policies to determine where additional coverage may be needed.

ISF RESOURCES

• The Standard of Good Practice 2014
• Engaging With The Board
• IRAM2
• Cyber Insurance Briefing Paper

Impact categories and examples of potential business impact:

Financial
• Loss of profit as significant insurance costs (against the legal liabilities of a death) are passed on to customers.
• Increased costs to review and strengthen technology strategies.

Operational
• Delays from lengthy reviews of technology strategies.

Legal and regulatory compliance
• Additional and unforeseen costs from complying with new and reactive safety regulations.

Reputational
• Potentially irreversible loss of customer trust when details of a digital death become public.

Health and safety
• Loss of life.
• Delayed ability to respond to or eliminate the likelihood of further deaths due to the lack of skilled professionals.

59 UK Department of Energy & Climate Change, “Providing regulation and licensing of energy industries and infrastructure”, Gov.uk, 13 October 2014, www.gov.uk/government/policies/providing-regulation-and-licensing-of-energy-industries-and-infrastructure/supporting-pages/safety-at-uk-civil-nuclear-sites

60 E. Albrechtsen, “Security vs safety”, Norwegian University of Science and Technology Department of Industrial Economics and Technology Management, August 2003, www.iot.ntnu.no/users/albrecht/rapporter/notat%20safety%20v%20security.pdf


THEME 3: COMPLACENCY BITES BACK

The forces of globalisation will increasingly affect the global information security risk landscape. Organisations will initially ignore these forces, suffering the financial consequences of their complacency later.

Large information providers will continue to expand into emerging markets, solidifying their global ambitions and frustrating government attempts at regulation.61 The resulting global consolidation will be bad for competition and will do little to rebuild the trust lost in the wake of the Snowden revelations. Governments will be forced to cooperate to encourage internationally competitive markets. For all the talk of disruption, innovation, and freedom, it will become clear that the giants of Silicon Valley have goals that are similar to the monopolistic titans of the Industrial Revolution.

Large data breaches will become commonplace as customers become numb to ever-larger incidents and organisations become complacent about securing their data and networks. Politicians and regulators will struggle to keep pace with rapidly changing modes of commerce, leading to regulations that are enforced selectively and which fail to incentivise organisations to move in the desired direction. Together, these dynamics will encourage the continuation of a reactive environment, where preventative security investments are difficult to justify and instead organisations will wait until something has gone wrong before acting.

Governments will strengthen existing multi-lateral and bilateral regulatory regimes and create new ones, pressured by citizens affected by international failures of governance. International standards bodies will attempt to play a leading role, but be limited by the speed of their decision-making. Any leadership will most likely come from several emergent technology companies that position themselves as the stewards of safe and democratised technology.

61 J. Naughton, “The Master Switch by Tim Wu – review”, The Guardian, 2 April 2011, www.theguardian.com/books/2011/apr/02/master-switch-tim-wu-review


3.1 GLOBAL CONSOLIDATION ENDANGERS COMPETITION AND SECURITY

“From somebody’s hobby to somebody’s industry; from jury-rigged contraption to slick production marvel; from a freely accessible channel to one strictly controlled by a single corporation or cartel - from open to closed system. It is a progression so common as to seem inevitable, though it would hardly have seemed so at the dawn of any of the past century’s transformative technologies.”63

WHY DOES THIS THREAT MATTER?

The new Big Four, Google, Amazon, Facebook and Apple (GAFA), will continue to expand into increasingly connected regions such as Africa, Asia and Latin America, solidifying their commercial dominance globally. This will raise regulatory concerns for governments and organisations that are wary of the consolidated power of information companies and the monopolistic power they wield. This will be compounded by post-Snowden security concerns and US-based companies in particular will have to work harder to win the trust of potential international customers. Organisations will also be concerned about the security implications of trusting one provider for essential services and in response will invest in diversification. In some cases, this will not be possible and organisations will have to increase their resilience to disruption or failure of single-source providers.

RATIONALE

The rise to prominence of information companies follows a well-trod path. They start small and the successful ones expand domestically and internationally, seek market domination, and eventually exhibit monopolistic inclinations. Today’s equivalents are able to expand with a speed and scale that would have astonished their 20th Century phone, radio and TV counterparts. Individual countries and trading blocs such as the EU have limited power to discourage collusion or monopolistic behaviour among the current dominant information companies, many of which come from the US.62

Multinational information companies will continue to be particularly difficult to regulate, given the ease with which they can reside in one country but offer services to the entire globe (e.g. Twitter or Facebook). Serious global regulatory questions will arise with greater frequency regarding the applicability of competition and anti-trust law.64 While some essential services offered by information companies are free, many are dominant – for example, Google Search, as shown in Figure 3.1. Many domestic organisations will struggle to create international or domestic market entry points and will have little chance of competing with incumbents that dominate at a global level.

Figure 3.1 - Search engine market share (January - December 2014)64

62 D. Hakim, “Google Is Target of European Backlash on U.S. Tech Dominance”, The New York Times, 8 September 2014, www.nytimes.com/2014/09/09/technology/google-is-target-of-european-backlash-on-us-tech-dominance.html

63 J. Naughton, “The Master Switch by Tim Wu – review”, The Guardian, 2 April 2011, www.theguardian.com/books/2011/apr/02/master-switch-tim-wu-review

64 Out-Law.com, “How many telecoms firms left in Europe? Another mega-billion deal slated in France”, The Register, 31 October 2014, www.theregister.co.uk/2014/10/31/french_telecoms_acquisition_marks_latest_market_move_towards_consolidation/

65 NetMarketShare, “Desktop Search Engine Market Share”, accessed 8 January 2015, www.netmarketshare.com/search-engine-market-share.aspx?qprid=4&qpcustomd=0&qptimeframe=Y

One difficulty in regulating global companies comes from the fact that they are ‘platform markets’.66 Their value is in providing a platform that joins two different parties, for example “payment networks that join merchants and customers, Apple’s iOS ecosystem for developers and users, internet service providers connecting content-providers with internet surfers, or Uber’s car service bringing together drivers and riders”.67

These platform markets can expand quickly (e.g. Uber), as initial entrants gain a powerful first-mover advantage and lock out competitors. Governments will have difficulty keeping pace with innovations in platform markets and regulators will struggle to “be watchful that the incumbent isn’t erecting barriers to entry that might prevent its replacement by a new more dynamic firm.”68 As this happens at a global level across a variety of sectors, regulators will be forced to cooperate with each other and engage directly with the private sector in order to restrain monopolistic behaviour.

As modern information companies expand and dependence on them grows, resilience and security will become global topics of debate. Security concerns will arise from heavy commercial and societal dependence on single-source providers and single points of failure. It will be difficult for organisations to maintain robust continuity plans when multiple critical services come from one provider and the lack of alternatives means that customers are locked to the provider. When major disruptions occur, either malicious or accidental, they will impact whole sectors and when data breaches happen they will expose data from entire populations.

66 D. Warsh, “Everything You Wanted To Know (But Were Afraid To Ask) About Two-Sided Markets”, Economic Principals, 8 July 2007, www.economicprincipals.com/issues/2007.07.08/256.html

67 T. Fernholz, “Meet the economics Nobel laureate who explains net neutrality and app stores”, Quartz, 13 October 2014, http://qz.com/280197/meet-the-economics-nobelist-who-explains-net-neutrality-and-the-ios-app-store/

68 M. Yglesias, “One paper by Nobel Prize winner Jean Tirole that every internet user should know”, Vox, 13 October 2014, www.vox.com/2014/10/13/6968423/jean-tirole-platform-competition

ISF RESOURCES

• Information Security Strategy
• Supply Chain Assurance Framework
• IRAM2
• Risk Appetite and Risk Acceptance Briefing Paper
• Cyber Insurance Briefing Paper

RECOMMENDATIONS AND TIPS

The impact of these global shifts is potentially significant, but there are actions that organisations can take, including:

• Identify and assess risks related to dependence on the suppliers for which there are few alternatives.
• Engage in dialogue and exchange information with governments to assess the extent to which markets remain either competitive or closed.
• Invest in expanding and diversifying the suppliers of critical services.
• Where diversification proves difficult, focus instead on embedding resilience in information security strategies.

Impact categories and examples of potential business impact:

Financial
• Significant, unplanned costs from compliance with strengthened national and international regulations.

Operational
• Enduring business disruption from a forced dependence on a few major information providers.

Legal and regulatory compliance
• Shifting landscape as legislators and regulators struggle to curb monopolistic behaviour.

3.2 IMPACT OF DATA BREACHES INCREASES DRAMATICALLY

WHY DOES THIS THREAT MATTER?

The number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organisations of all sizes. The first billion-person data breach will finally happen and be ruinously expensive for the company at fault.69 Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties.70 Angry customers will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. The resulting mess of international regulations will create new compliance headaches for organisations while doing little to deter attackers.

RATIONALE

The scale of data breaches will continue to grow and individuals around the world will wearily expect their personal data to be compromised multiple times per year. In some cases, sophisticated defences will be circumvented by persistent criminal organisations that swiftly exploit stolen data. The significant cost of the resulting cyber crimes (as reflected in Figure 3.2) will rise steeply. In other cases, suppliers will inadvertently provide useful points of entry into vulnerable corporate networks, with incidents detected by external parties such as information security researchers or law enforcement rather than by the victim. Although successful attacks will increasingly bankrupt the affected organisation, the attack vectors will change little, with point-of-sale software and web applications serving as primary targets.71

The impact to customers will be tangible as a result of more advanced attackers and a changing relationship between banks and their customers. The 2008 financial crisis was not an opportune moment for banks to shift information security liability to customers, but this will change as the crisis diminishes. The financial sector will begin to shift the burden of proof to customers whose accounts have been compromised and require customers to have certain configurations and levels of protection on devices they use to access financial accounts.

In many cases, the costs of an incident will be spread across a whole supply chain, increasing the temptation for any single organisation to avoid investments in security. Breached organisations will resist accepting responsibility for costs including fraud and identity theft, arguing that no single entity can be held liable.73 This will result in increased litigation as companies attempt to transfer liabilities associated with a data breach, for example, by a retailer challenging their contractual obligations to suppliers such as payment card providers and payment processors.74 This will merely shift the burden of oversight from the regulators to the courts and will do nothing to mitigate reputational damage.75 The lawyers will be the only winners as jurisdictionally complex litigation drags on for years.

Figure 3.2 - Average cost of cyber crime(s) from a sample set of 257 organisations (2014), USD (000)72

69 The biggest publicly known data breach of 2014 was eBay with 145 million people affected. Only a seven-fold increase would be needed to impact one billion people. J. Bradford, “2014 by the numbers: record-setting cyber breaches”, Advisen Cyber Risk Network, 31 December 2014, www.cyberrisknetwork.com/2014/12/31/2014-year-cyber-breaches/

70 A. Tsotsis, “Employee Data Breach The Worst Part Of Sony Hack”, TechCrunch, 16 December 2014, http://techcrunch.com/2014/12/16/hack-sony-twice-shame-on-sony/

71 Verizon, “Verizon 2014 Data Breach Investigations Report – Executive Summary”, Verizon Enterprise Solutions, April 2014, www.verizonenterprise.com/DBIR/2014/reports/rp_dbir-2014-executive-summary_en_xg.pdf

72 Ponemon Institute, “2014 Global Report on the Cost of Cyber Crime”, October 2014, http://docs.media.bitpipe.com/io_11x/io_119292/item_1055106/2014%20GLOBAL%20CCC%20FINAL%205.pdf

73 N. Perlroth, “Banks’ Lawsuits Against Target for Losses Related to Hacking Can Continue”, The New York Times, 4 December 2014, http://bits.blogs.nytimes.com/2014/12/04/banks-lawsuits-against-target-for-losses-related-to-hacking-can-continue/?_r=0

74 M. Geuss, “Judge rules that banks can sue Target for 2013 credit card hack”, Ars Technica, 5 December 2014, http://arstechnica.com/tech-policy/2014/12/judge-rules-that-banks-can-sue-target-for-2013-credit-card-hack/

75 C. Hemenway, “Travelers fights to block P.F. Chang’s cyber coverage under CGL”, Advisen Cyber Risk Network, 7 October 2014, www.advisenrisknetwork.com/2014/10/07/travelers-fights-block-p-f-changs-cyber-coverage-cgl/


These costs will be compounded by a steady loss of customers who are upset at the compromise of personal data and resulting fraud and who have been persuaded by competitors to take their business elsewhere. In some cases these costs will drive organisations out of business, while in other cases profitability is reduced allowing competitors to overtake newly damaged rivals.

The US and European Union will initiate the majority of data protection regulations, while other governments adapt these to suit specific national requirements. Many of these new regulations will be enforced selectively and unpredictably (e.g. for political reasons), leaving companies less able to accurately assess regulatory obligations, yet liable for dramatically increased fines and scrutiny.76 The sum of these actions is a complex international regulatory environment that proves difficult to harmonise (e.g. as with multilateral free trade areas), and early negotiations will begin with a view towards harmonising data protection laws at a global level.

Organisations will be confronted with an array of geographically and legally overlapping and contradictory regulations. They will be faced with preventing, detecting and responding to increasingly large data breaches, which will require renewed attention to behavioural awareness, technical defences, and robust and adaptive internal policies.

RECOMMENDATIONS AND TIPS

In response to increasingly large data breaches and resulting government regulation, organisations will be forced to raise their defences. Recommendations include:

• Assess potential jurisdictional liabilities based on the variety and volume of data the organisation handles.
• Invest in understanding the national and international implications of emerging data protection regulations.
• Work with procurement and other business units responsible for contract management to ensure information security arrangements are included in contracts.
• Avoid costly litigation by clarifying with suppliers the contractual actions all parties must take in the event of a data breach.
• Work with auditors to assess existing contract provisions.

ISF RESOURCES

• Supply Chain Assurance Framework
• Engaging With The Board
• IRAM2
• Cyber Insurance Briefing Paper

76 S. Room, “Data protection – entering the ‘post-regulatory’ age”, PwC Cyber security updates, 8 September 2014, http://pwc.blogs.com/cyber_security_updates/2014/09/data-protection-entering-the-post-regulatory-age.html

Impact categories: Financial, Operational, Legal and regulatory compliance, Reputational. Examples of potential business impact:

• Unplanned costs of legal counsel.
• Additional resources needed to design, develop and implement new policies and controls.
• Unforeseen costs from lengthy and expensive remediation (e.g. replacement of payment cards).
• Significant customer impact and delay as unclear and complex liabilities are unravelled in the courts.
• Reduced trust and morale of staff exposed by attacks (e.g. the late-2014 Sony incident).
• Erosion of public trust as tempers fray while blame is apportioned.

CONCLUSIONS AND NEXT STEPS

Members should expect their organisations to accelerate in their relentless pursuit of advantage from technological innovations. At the same time, however, they should prepare and take action against the emerging security threats that may come into play as a result.77 A failure to do so may have the potential to place the entire organisation and its endeavours at risk.

The nine threats in this Report expose the dangers that the ISF considers the most prominent. They have the capacity to transmit their impact through cyberspace at break-neck speeds, particularly as the use of the Internet spreads beyond the estimated 50% of the literate population who are already connected.78 As a result, the ISF predicts that many organisations will struggle to cope as the pace of change intensifies. Consequently – at least until a conscious decision is taken to the contrary – the threats should appear on the radar of every organisation. Now.

CONCLUSION 1

APPLY GOOD PRACTICE

Those who have already studied the previous pages in detail will have identified a number of key threads running throughout, such as complexity, connectivity, advances in technology and the dependence on supply chains. In the same way, the recommendations and tips have their own threads, all of which already form a major part of information security good practice. For example:

• Apply a rigorous information risk assessment approach to all risks: for example, by using the ISF’s Information Risk Assessment Methodology, IRAM.
• Focus on resilience arrangements: to be clear on what needs to happen should an incident occur.
• Ensure robust Business Contingency Plans are in place and have been rehearsed.

CONCLUSION 2

There is one area, however, that may be new for some Members – to work and collaborate with others. For example, by using:

• ISF Live for resources and sharing information on threats
• Government contacts to influence regulation and legislation
• Existing sector and industry initiatives to improve foresight
• Contacts at key suppliers to ensure continuity of service
• Auditors and business advisors to advise on best business practice.

CONCLUSION 3

ENGAGE…ENGAGE…ENGAGE

As dangers accelerate, disciplined and widespread commitment will be needed to ensure that practical plans are in place to deal with major changes the future could bring. People at many levels of the organisation will need to be involved, including board members and managers in non-technical roles. The Threat Radar shown at Appendix B should assist.

There is no call for a range of radically new practices: the requirement is to focus on anticipation and preparation.

There is no need to ‘go it alone’. Resources are widely available to assist.

Begin preparations now – don’t be a victim.

77 J. Naughton, “How a 1930s theory explains the economics of the internet”, The Guardian, 8 September 2013, www.theguardian.com/technology/2013/sep/08/1930s-theory-explains-economics-internet

78 Internet Live Stats, “Internet users in the world”, accessed 30 January 2015, www.internetlivestats.com/internet-users/


APPENDIX A: Revisiting predictions from 2015 and 2016

This appendix revisits the 20 threats identified in the 2015 and 2016 Threat Horizon reports. An assessment is provided on how the threats have changed (increasing, still a concern or decreasing). The assessment is based on input from ISF Members and the ISF Global Team.

Of the 20 threats, three have experienced a reduction in criticality, six have remained broadly the same and 11 have increased. None of the threats have disappeared and in many cases the 2015 and 2016 threats form a foundation on which the 2017 threats are built.

Each Member should consider their individual circumstances and assess and prioritise these threats accordingly.

Assessment key: INCREASING, DECREASING, STILL A CONCERN

2015 REPORT PREDICTION: Organisations cannot get the right people - Despite high unemployment rates, skilled technical and managerial positions will remain difficult to fill. Education systems are gearing up to teach skills but cannot provide people with relevant experience. As long as the current economic climate persists, some governments will be reluctant to ease immigration quotas that would allow talent to be imported.

2017 RATIONALE: The shortage of skilled information security professionals continues to affect the private and public sectors and shows no signs of slowing. This challenge is not confined to North America or the European Union. It impacts all countries that are increasingly reliant on secure information technologies as a cornerstone of their economies.79

2015 REPORT PREDICTION: Insiders fuel corporate activism - More insiders with malicious intent will emerge as more people place their own ethics and perceptions above those of their employers. Corporate activists, already organised, will get better at gathering information and bringing it to the media and public’s attention. Criticisms will go viral and information that comes from credible insiders will spread rapidly, be picked up faster and see increased media exposure.

2017 RATIONALE: The insider threat is unlikely to diminish. Efforts to mitigate this threat, such as additional security controls and improved vetting of new employees, will remain at odds with efficiency measures.

2015 REPORT PREDICTION: Crime as a Service (CaaS) upgrades to v2.0 - Attacks will become more innovative and sophisticated – as organisations develop new security mechanisms, cybercriminals will develop new techniques to circumvent them. Unemployed and disgruntled employees will form a talent pool for criminal groups to gather the capabilities and information needed for these attacks.

2017 RATIONALE: The barriers to entry for cyber crime continue to decrease “allowing those lacking technical expertise – including traditional organised crime groups – to venture into cybercrime by purchasing the skills and tools they lack”.80 Crime syndicates provide a trusted space for individuals with diverse skillsets to test and perfect innovative criminal tools, tactics and procedures.

79 E. Chabrow, “Senate Passes Cybersecurity Skills Shortage Bill”, Bank Info Security, 20 September 2014, www.bankinfosecurity.com/senate-passes-cybersecurity-skills-shortage-bill-a-7340/op-1

80 Europol, “Organised Crime Groups Exploiting Hidden Internet in Online Criminal Service Industry”, 29 September 2014, www.europol.europa.eu/content/organised-crime-groups-exploiting-hidden-internet-online-criminal-service-industry

2015 REPORT PREDICTION: Information leaks all the time - Criminals will get better at combining public records and information from the Internet with what they can get through intrusions and data leaks. Today they use this information to craft credible emails targeted at specific individuals or organisations in an attempt to acquire sensitive information. These are more likely to succeed than mass emailing of fraudulent messages when combined with a general lack of awareness about cyber threats.

2017 RATIONALE: Data breaches continue to grow in number and in volume of compromised records, as attackers exploit security vulnerabilities at the organisational and individual levels. Accidental leaks continue to grow as well, due to misconfiguration, negligence, and poor oversight. This threat will grow for the foreseeable future.

2015 REPORT PREDICTION: Bring your own device further increases information risk exposure - Organisations will not be able to ignore bring your own device (BYOD) initiatives. They create a differentiator for organisations to attract and retain talent, and the productivity and collaboration benefits are promising. But organisations that do not carefully consider the integration of BYOD devices into the organisation’s network will expose themselves to significant risks. The change of ownership of the device will create different expectations, but organisations cannot impose an acceptable use policy similar to corporate provided devices.

2017 RATIONALE: This threat now appears to be levelling out and widespread disaster has not been realised. This assessment is supported by the 2014 Verizon data breach incident report, which notes that “as far as asset ownership, we see insiders abusing corporate-owned rather than employee-owned (“BYOD”) assets allowed for corporate use. However, we do see evidence they often leverage unapproved personal devices to help them get the data out of the organization (which shows up as use of unapproved hardware).”81

2015 REPORT PREDICTION: Outsourcing security backfires - Organisations will suffer if they outsource key capabilities. Organisations will only be able to leverage value from managed security service providers if they keep the authority and understanding necessary to drive these services. Organisations unable to build and drive their information security strategy will lose control – in the short term to respond to changing threats and in the longer term to meet the needs of the business.

2017 RATIONALE: This threat persists but has not increased measurably. Information security tasks continue to be outsourced, although external management of the entire information security function is rare in large organisations. Lack of control over service providers remains, in particular, regarding externally-designed or operated security systems that are based on proprietary intellectual property.

2015 REPORT PREDICTION: Governments and regulators will not do it for you - Governments have a key role to play in securing cyberspace: from coordination and advocacy to raising public awareness and potentially sharing threat information, but they have no intention to lead information security and cyber security efforts. They expect organisations to manage risks in cyberspace and prevent information and systems from being compromised. Likewise, regulations are not a substitute for risk management and will never evolve as quickly as technology and its uptake. Organisations that depend on governments to lead or secure cyberspace will suffer, as will those who only respond by complying with regulations.

2017 RATIONALE: A number of governments are providing cyber security guidance to the private sector, for example the US with NIST, the UK with CBEST, and Anglo-American war games designed to harden critical infrastructure. However, organisations remain responsible for maintaining their own cyber resilience, and this will not change substantially.82 In many cases governments will be perceived as contributors to cyber security problems, not as part of the solution.

81 Verizon, “Verizon 2014 Data Breach Investigations Report”, Verizon Enterprise Solutions, April 2014, www.verizonenterprise.com/DBIR/2014/

82 J. Huergo, “NIST Releases Cybersecurity Framework Version 1.0”, NIST, 12 February 2014, www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm; Bank of England, “CBEST Vulnerability Testing Framework Launch”, www.bankofengland.co.uk/financialstability/fsc/Pages/cbest.aspx


Hacktivists create fear, uncertainty and doubt

2015 REPORT PREDICTION: As long as systems continue to be compromised and the incidents make headlines, claims will be believed. Whether the claim is true or false is secondary: organisations will be guilty until proven innocent in the court of public opinion. And the impact on the target organisation will be independent of whether the claims are intentionally malicious or the result of honest mistakes.

2017 RATIONALE: This threat was written at the height of the Anonymous incidents, and in the past two years the (often exaggerated) threat of hacktivism has diminished. Anonymous has been rendered largely irrelevant as a result of internal strife and law enforcement investigations, and has not been replaced by any other comparable entity.83

The CEO doesn’t get it

2015 REPORT PREDICTION: If an organisation’s senior executives don’t understand cyberspace they will either take on more risk than they would knowingly accept or miss opportunities to further their strategic business objectives such as increasing customer engagement or market leadership. These organisations are more likely to suffer embarrassing incidents and when they do, they will suffer greater and longer-lasting impact.

2017 RATIONALE: Analysis from Threat Horizon 2016 indicated that “The CEO gets it, now you have to deliver”, signalling that awareness among senior management was improving. The business impacts suffered in many publicised data breaches, in concert with impending EU data privacy reforms, indicate that awareness of information security among senior management continues to increase in 2017.

BYOC (bring your own cloud) adds unmanaged risk

2015 REPORT PREDICTION: If an organisation’s IT function or technology provider is insufficiently flexible or unable to adapt, people will move to the cloud. Unmanaged deployment of cloud solutions within organisations can create duplicate and incomplete repositories of outdated information which could have worse consequences than a data breach.

2017 RATIONALE: In the past two years, the threat of unsanctioned cloud services being introduced into an organisation has decreased, largely because of the growing number of usable and secure options. Major cloud service providers such as Google and Amazon have developed more granular offerings for a wider variety of clients. New enterprise solutions such as Box have emerged to offer viable options to public clouds and specialist cloud security businesses are developing custom offerings.84

83 D. Stuckey and A. Blake, “Exclusive: How FBI Informant Sabu Helped Anonymous Hack Brazil”, Motherboard, 5 June 2014, http://motherboard.vice.com/en_uk/read/exclusive-how-an-fbi-informant-helped-anonymous-hack-brazil
84 Google Cloud Platform, “Managing Complex Applications in the Cloud”, Google, https://cloud.google.com/developers/articles/managing-complex-applications-in-the-cloud/


Nation-state backed espionage goes mainstream

2016 REPORT PREDICTION: Governments and non-governmental organisations will deepen their espionage capabilities and those that have not been active in this space will be incentivised to invest. Organisations will be targeted by nation-state backed actors with large budgets and varying agendas – all with minimal legal recourse. The result will be an even more unruly cyberspace trading environment, with more actors and more attempts at espionage or other malicious activities.

2017 RATIONALE: This threat is increasing and shows no signs of diminishing – the Sony incident of late-2014 being a prime example. The Snowden revelations revealed substantial levels of Western government espionage via the Internet, and encouraged other governments to accelerate investment in similar capabilities. Non-governmental actors will improve their capabilities and seek to more effectively monetise industrial and corporate espionage. Individuals using online services will be forced to choose between accepting this surveillance or reducing their use of the Internet, sacrificing significant social and economic opportunities.85

A Balkanized Internet complicates business

2016 REPORT PREDICTION: Organisations will no longer depend on a free and open Internet as governments attempt to govern their corners of the Internet. Nation-states have already attempted to introduce governance of the Internet via organisations such as the International Telecommunications Union (ITU), the United Nations and the Internet Governance Forum. This will prove unsuccessful and in its place governments and regional blocs will attempt to set controls at national and regional levels. This increased government involvement will undermine the perception of a free and open Internet, resulting in a less predictable Internet for conducting business, a more complex regulatory and legislative environment, and reduced access to markets.

2017 RATIONALE: The Internet governance debate will continue at a pace that is ponderous and largely ineffective, giving individual governments wide latitude to impose their own social, political and economic preferences. Internet balkanisation continues to spread as governments become more adept and nuanced in their understanding of the Internet and the ways in which it can and cannot be controlled. Development of codes of conduct will proceed slowly and will be dominated by the interests of large economic actors including governments and companies.86

Unintended consequences of state intervention

2016 REPORT PREDICTION: Conflicting official involvement in cyberspace will create the threat of collateral damage and have unforeseen implications and consequences for all organisations reliant on it. Varying regulation and legislation will restrict activities, whether or not an organisation is the intended target. Governments’ draconian implementation of these varying regulations and legislation will lead to operational disruptions in organisations’ supply chains. Those affected will have little recourse because of a lack of legal clarity in cyberspace.

2017 RATIONALE: State intervention on the Internet continues, and often has second and third-order implications that should have been foreseen, but were not. This is particularly true in sectors such as finance and government services, where many people can be affected by changes in centralised services. Drastic measures remain rare (e.g. Egypt isolating itself briefly from the Internet during the Arab Spring), but more subtle interventions increase, related to intellectual property, economic prosperity, social cohesion and national security.

85 S. Kelly, M. Earp, L. Reed, A. Shahbaz, and M. Truong, “Freedom on the Net 2014”, Freedom House, 4 December 2014, https://freedomhouse.org/report/freedom-net/freedom-net-2014#.VM9kvVocGxI
86 D. Clemente, “Adaptive Internet Governance: Persuading the Swing States”, Centre for International Governance Innovation, 8 October 2013, www.cigionline.org/publications/2013/10/adaptive-internet-governance-persuading-swing-states


Service providers become a key vulnerability

2016 REPORT PREDICTION: Service providers will come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability. What’s more, the rationale behind efficiencies gained from outsourcing business processes will come into question as popular offshoring locations become more expensive and/or politically unstable. At the same time, it may be prohibitively expensive for some organisations to consider ‘reshoring’.

2017 RATIONALE: As supply chains become increasingly complex and efficiency savings motivate companies to outsource business processes, service providers will continue to be a primary vector for information security risks. In part this is because of the lack of usable standards for small suppliers who do not have the resources to adequately implement widely-accepted information security standards, leading to data breaches such as that of US retailer Target in Dec 2013. It is also due to complacency among suppliers (particularly small suppliers) and the mistaken belief that information risk is something they do not need to think about.

Big data = big problems

2016 REPORT PREDICTION: Organisations will make important business decisions based on flawed or poorly analysed data analytics. Their failure to respect the human element of data analytics will put the organisation at risk of overvaluing big data output. Poor integrity of the information sets used can mean their analysis leads to bad business decisions, missed opportunities, brand damage and lost profits.

2017 RATIONALE: Progress is being made in understanding the benefits and constraints of big data, but this will not keep pace with the growing flood of data being produced by devices of all kinds. Aggregation and analysis platforms will struggle to turn this data into credible and actionable information, and accuracy and completeness will remain a problem when using big data for high value or high impact processes such as financial trades or to inform public policy.

Mobile apps become the main route for compromise

2016 REPORT PREDICTION: Smartphones will be central to the Internet of Things, creating a prime target for malicious actors. Unauthorised users will target and siphon sensitive information from these devices via insecure mobile applications. The level of hyperconnectivity means that access to one app on the smartphone can mean access to all of a user’s connected devices.

2017 RATIONALE: The compromise of mobile apps remains a problem at the individual level, but is less serious than “many to one” attack vectors such as DDOS (i.e. multiple sources attacking a single target). The main source of malware is pirated apps, and widespread application compromises will be more prevalent on lower-budget and less secure mobile phones. For example, Apple’s app store continues to place a high premium on security, while Android works to catch up.87 Emerging mobile phone competitors (in particular from China) will often open their own app stores and have less security experience than more established players.

Encryption fails

2016 REPORT PREDICTION: Ironically, the reaction to NSA revelations has been to boost reliance on encryption. However, encryption will fail to live up to expectations due to weak implementation practices and government attempts to undermine it via backdoors in software. Huge computing power being developed to crack all but the toughest algorithms will further complicate matters. Combined with other threats, the failure of encryption substantially raises the risks of operating in cyberspace.

2017 RATIONALE: In the wake of the Snowden revelations, significant attention is devoted to strengthening encryption at the government, corporate, and individual levels. Confidence is high that the mathematics behind the strongest encryption protocols remains secure, but new weaknesses in implementation are being uncovered frequently. Insecure user behaviour continues to be a significant vulnerability that will generate the majority of encryption-related security problems.88

87 T. Seals, “Android Malware Rockets 300X in 2 Years”, Infosecurity Magazine, 5 January 2015, www.infosecurity-magazine.com/news/android-malware-rockets-300x-in-2/
88 S. Aaronson, “NSA: Possibly breaking US laws, but still bound by laws of computational complexity”, Shtetl-Optimized, 20 September 2013, www.scottaaronson.com/blog/?p=1517


The CEO gets it, now you have to deliver

2016 REPORT PREDICTION: Cyber will no longer be a buzzword confined to tech savvy people. Developments in cyberspace and related disasters are already in the news, are talked about within the boardroom and are reported in some organisations’ annual reports. By 2016, the CEO will understand cyber risk and expect the CISO to manage it, while delivering the value so long promised. The CISO needs to mature the security function to be able to satisfy the CEO’s questions, particularly: “are we ready?” and “are we secure?”

2017 RATIONALE: Senior managers throughout large organisations realise that cyber risk has to be taken seriously, and their expectations of security practitioners will increase in parallel. While a wider range of tools is becoming available to treat this risk (e.g. cyber insurance), this in turn increases the challenges of coordinating action across large organisations to deliver on the expectations of senior management. CISOs will attempt to improve security maturity but remain responsible for incidents, even though the failing may not be theirs.

Skills gap becomes a chasm

2016 REPORT PREDICTION: A maturing information security field and more sophisticated cyber attack capabilities will demand skilled information security professionals who are increasingly scarce. Cybercriminals and hacktivists are increasing in number and deepening their skillsets, while the good guys are still struggling to keep pace. Where will these resources and skillsets come from? CISOs need to build sustainable recruiting practices as well as develop and retain the talent they already have to boost the organisation’s cyber resilience.

2017 RATIONALE: The problem of developing, acquiring and retaining skilled information security professionals continues to grow and is a top priority for sectors and organisations of all sizes. Even developed and highly connected countries find that talent is scarce and difficult to develop and that a retiring workforce takes valuable institutional knowledge with them. Support will grow in many countries for a comprehensive overhaul of education programmes as they relate to technology. Not all talent that emerges from this pipeline will go into the security field, but many will, and the benefit to their countries and economies will be substantial.89

Information security fails to work with new generations

2016 REPORT PREDICTION: As they move into the workplace, the so-called Generations Y and Z will offer fresh and innovative ideas that will change ways of working and conducting business. Their approaches to information security and privacy will certainly challenge traditional models. The question for organisations is: fight or embrace?

2017 RATIONALE: This is probably the most contentious item from Threat Horizon 2016, in part due to the generational perspective needed to discern substantive change. This threat also contains the implicit assumption that information security has worked successfully with previous generations, which is contestable. It could easily be rephrased as “traditional models will struggle to adapt to the workforce of the future”. Needless to say, debate on this topic will continue for some considerable time.

89 D. Clemente, “Written evidence from Dave Clemente, Researcher, International Security Programme, Royal Institute of International Affairs, Chatham House”, UK Parliament, 8 January 2013, http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/106vw02.htm


APPENDIX B:

ISF Threat Radar

The ISF Threat Radar (the Radar) is a tool to help senior business management navigate through these threats and establish a cyber security strategy. Further guidance can be found in the ISF report Cyber Security Strategies: Achieving cyber resilience.

The Radar maps the impact of threats to an organisation relative to its ability to manage them. It offers a mechanism for communicating, discussing, agreeing and planning responses to threats and subsequently agreeing priorities. The Radar can be used to present the nine threats in this report along with others that are specific to a given organisation. It is intended to be dynamic, using directional arrows to demonstrate anticipated changes to impact or ability to manage.

Figure B.1 provides an example of the Radar. The impact measurement is on the horizontal axis and the ability to manage measurement is on the vertical axis. The closer a threat is to the bottom left of the Radar, the more attention it merits.

The figure shows how the nine threats in this report might be plotted on the Radar for a fictitious organisation. A short description for each threat is provided for each on the following page, along with the rationale for the positioning of each threat and how it might change over time.

USING THE RADAR IN PRACTICE

Each organisation is likely to have a different view of where the threats should be plotted on the Radar. Before using the Radar, consider how it can best be used with different audiences, for example:

• for colleagues in the information security function: populate the Radar beforehand and ask for comments on placement of the threats and likely direction

• with individuals specialising in the threat areas: brainstorm factors that might affect changes over time

• with senior business managers: explain the threats that should be placed on the Radar (including any specific to the organisation) and workshop the threat placements with them, gaining buy-in through their involvement.

When the threats have been plotted and a common view reached, plans can be prepared that show what needs to happen to achieve the organisation’s resilience goals.

Figure B.1 - Example Threat Radar


PLOTTING THE THREATS ON THE RADAR:

A worked example from the perspective of a fictitious Member organisation

The organisation in this example designs and manufactures high-end consumer goods. It is a nascent organisation that has developed a limited number of innovative technology products. It relies on external suppliers for most activities outside of its core business functions, such as IT, HR and Legal. It has outsourced the manufacture and assembly of its product to a partner in Vietnam, while it distributes most of its products through well-known Internet retailers.

1. Supercharged connectivity overwhelms defences (Impact: High; Ability to manage: Low)
We are highly dependent on electronic communications and it is easy to see our sales people will want augmented reality views of our products on-line as soon as possible. The potential exists for on-line sales channels to be affected by DDOS attacks. Communications with key functions (especially our Vietnamese operation) could be either compromised or made unavailable leaving us with insufficient information to manage the business on a day-by-day basis.

2. Crime syndicates take a quantum leap (Impact: Very high; Ability to manage: Medium)
We have considerable IP data for our products, as well as R&D information that represents a great deal of our potential revenue and growth for the future. Losing the latter would be especially damaging to us. We continue to have concerns that all our suppliers and partners may be failing to protect our information according to terms in contracts.

3. Tech rejectionists cause chaos (Impact: Low; Ability to manage: Medium)
There have already been comments in the media that our organisation – based in a high unemployment area – has sent its manufacturing overseas. However, we are active in the community and our niche market should make us a low profile target.

4. Dependence on critical infrastructure becomes dangerous (Impact: Low; Ability to manage: High)
As a new company, we have made sure we have developed robust policies and procedures – including well-tested continuity plans. One of the reasons we selected Vietnam for our manufacturing base is its political stability. However, our disparate nature makes us vulnerable should circumstances change.

5. Systemic vulnerabilities are weaponised (Impact: Low; Ability to manage: Very high)
At the outset we decided to limit the number of IT suppliers we use so we could ensure that systems would be patched consistently and vulnerabilities reduced. However, like many others, our IT suppliers were surprised by Heartbleed and needed to take decisive action for us and their other clients. To their credit, they managed the situation well and in a timely manner giving us confidence they would do the same again in the future.

6. Legacy technology crumbles (Impact: Medium; Ability to manage: Medium)
We found several pieces of unsupported software, but have since upgraded them. We will discuss this with our suppliers as this is a risk we expect them to manage in the future.

7. Death from disruption to digital services (Impact: Very high; Ability to manage: High)
Some of our industrial control systems operate complex machines that use toxic chemicals. If these systems were compromised, there is always a possibility that someone could be hurt or even lose their life. We pride ourselves on being a responsible employer worldwide so we need to keep this threat front of mind and will review our policies.

8. Global consolidation endangers competition and security (Impact: Low; Ability to manage: High)
We rely on many channels to market our products, including Internet search, Facebook, LinkedIn and their regional equivalents. At the moment, we do not have a concern that we are over-exposed with any one channel, but there is little doubt that we should keep a watch on this.

9. Impact of data breaches increases dramatically (Impact: Very high; Ability to manage: Very low)
We hold a lot of customer data as we aim for a great deal of repeat-business – and we share some of this data with our suppliers. If this data – including payment card data for smaller customers – were to be compromised, we would stand the chance of losing a significant portion of our customer base. It is a priority for us that any customer data is protected as if it were our own top secret information.

AGREED WAY FORWARD

• Threats 1, 2 and 9 need immediate attention. Plans, targets and budgets should be produced in the next 6-8 weeks that enable us to maintain organisational resilience goals.

• Threats 3, 6 and 7 need plans, targets and budgets by the end of the next quarter. If there is any issue on priorities, threat 7 should receive greatest attention as it could affect the safety of our people.

• It was the view of the senior management meeting that threats 4, 5 and 8 should be monitored and reviewed in six months, particularly 4 and 5 which may change to our disadvantage.
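The prioritisation the Radar encodes, as an added Python example that is not the ISF's own tool or code. It takes the nine ratings given in the worked example above and ranks them by proximity to the "needs attention" corner. Two things are assumptions rather than statements from the report: the five-point labels map to the integers 1 to 5, and a threat's attention score is its impact rating minus its ability-to-manage rating, so that high impact combined with low ability scores highest. Splitting the ranked list into three equal tiers reproduces the grouping in the agreed way forward (1, 2, 9; then 3, 6, 7; then 4, 5, 8), which is a useful sanity check that the senior management view is consistent with the plotted positions. The explicit promotion of threat 7 within its tier on safety grounds is a judgement the score does not capture.

```python
"""Threat Radar prioritisation, modelled on the ISF worked example.

Added example, not ISF's own tool. Assumed (not stated on the page):
the five-point labels map to 1..5, and attention score = impact minus
ability to manage, so the largest scores sit nearest the corner of the
Radar that merits the most attention.
"""
from dataclasses import dataclass

# Assumed ordinal scale for both Radar axes (the report gives labels only).
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Threat:
    number: int      # position label referred to by the agreed way forward
    name: str
    impact: str
    ability: str

    def score(self) -> int:
        """Impact minus ability to manage: larger means more attention."""
        return SCALE[self.impact.lower()] - SCALE[self.ability.lower()]


# The nine threats as rated by the fictitious organisation in the worked example.
RADAR = [
    Threat(1, "Supercharged connectivity overwhelms defences", "High", "Low"),
    Threat(2, "Crime syndicates take a quantum leap", "Very high", "Medium"),
    Threat(3, "Tech rejectionists cause chaos", "Low", "Medium"),
    Threat(4, "Dependence on critical infrastructure becomes dangerous", "Low", "High"),
    Threat(5, "Systemic vulnerabilities are weaponised", "Low", "Very high"),
    Threat(6, "Legacy technology crumbles", "Medium", "Medium"),
    Threat(7, "Death from disruption to digital services", "Very high", "High"),
    Threat(8, "Global consolidation endangers competition and security", "Low", "High"),
    Threat(9, "Impact of data breaches increases dramatically", "Very high", "Very low"),
]


def rank(threats):
    """Order threats from most to least attention-worthy.

    Ties on score are broken by the higher impact first (a threat that can
    hurt people outranks one of equal score but lower impact), then by number.
    """
    return sorted(
        threats,
        key=lambda t: (-t.score(), -SCALE[t.impact.lower()], t.number),
    )


def tiers(threats, size=3):
    """Split the ranked list into action tiers: immediate, next quarter, monitor.

    Returns a dict mapping each tier label to the sorted threat numbers in it.
    """
    ordered = rank(threats)
    labels = ("immediate", "next quarter", "monitor")
    return {
        label: sorted(t.number for t in ordered[i * size:(i + 1) * size])
        for i, label in enumerate(labels)
    }


if __name__ == "__main__":
    for t in rank(RADAR):
        print(f"{t.number}. {t.name:<58} impact={t.impact:<9} "
              f"ability={t.ability:<9} score={t.score():+d}")
    print(tiers(RADAR))
```

The directional arrows the report describes can be modelled the same way: re-rate a threat with its anticipated impact and ability values and re-run rank() to see whether it crosses a tier boundary, which is exactly the "may change to our disadvantage" concern recorded against threats 4 and 5.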


APPENDIX C:

Methodology

Threat Horizon is one of the ISF’s flagship publications and has been published every year for nearly a decade. The report looks ahead 24 months and predicts the top cyber security threat trends. Researchers draw upon research material from a variety of sources including:

• ISF meetings

• ISF Council and Advisory Board

• Threat Horizon workshops at the Annual World Congress

• Interviews and discussions with Members around the world and on ISF Live

• Business leaders across a variety of sectors

• Academics and subject matter experts

• Conferences and workshops

• Credible news articles, blogs and other online research.


Acknowledgements

The ISF thanks all Members and external experts who contributed to the information gathering and validation phases of this report, as well as those who reviewed pre-publication drafts. We are grateful to the Council and Advisory Board bodies and to those who participated in discussions at ISF Chapter meetings and Annual World Congress. Members often contribute research information related to their own organisations and those contributions have been anonymised by default. The views, opinions and comments in this report are not necessarily of work group participants or Member organisations.

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

FOR FURTHER INFORMATION CONTACT:

Information Security Forum
Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: [email protected]
Web: www.securityforum.org