Threat Horizon 2015: More danger from known threats

Information Security Forum, January 2013


Threat Horizon 2015 • Information Security Forum www.securityforum.org

Warning: This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct.

If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected].

Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

Classification: Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.

Key to symbols: Member quote; ISF Live

Published by Information Security Forum Limited
Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: [email protected]
Web: www.securityforum.org

Project team: Mathieu Cousin, David Moloney, Adrian Davis

Review and quality assurance: Steve Thorne

Design: Louise Liu, Adam Cheeseman


More danger from known threats

While many of the threats addressed in this year’s Threat Horizon report have been around for some time, this is not as reassuring as it might first sound. Whether the threats we face are new or old is less important than the risk they pose to our organisations. While some threats diminish with time, others become more dangerous.

Research for this year’s Threat Horizon report found familiar culprits: organised cybercrime, social engineering, mobile devices, social networking, cloud computing and malicious software. What’s new this year is the increasing sophistication of these known threats as they mature.

For example, the first computer viruses were poorly written – many were more likely to crash than do harm. Compare that to today, where SQL Slammer reportedly infected 75,000 systems in ten minutes. PlaceRaider takes advantage of mobile devices, secretly taking pictures, then selecting the better ones and transmitting them so an attacker “can construct a 3D model of the environment and gain reconnaissance on a victim’s work space”[1]. sKyWIper (also known as Flame or Flamer) “has very advanced functionality to steal information and to propagate” and is “arguably…the most complex [malicious software] ever found”[2].

Hacktivists have developed from the proverbial teenager in the bedroom into Anonymous and other online collectives, causing hundreds of millions of dollars in damage to numerous organisations. Hacktivists later combined with the Occupy movement to gain mass attention and create significant disruption. Cyber criminals have evolved from lone agents to collaborators and competitors in what we call Malspace, where they have a marketplace to satisfy every demand – from malicious software development, testing and quality control to target identification, and from payment and currency conversion to money laundering.

So while the threats in this year’s Threat Horizon report may seem familiar, there is much that’s new in their potential to do harm. ISF Members continue to tell us surprising stories of the persistence, sophistication and severity of attacks on their organisations. Also increasing in sophistication is the way in which ISF Members anticipate, pre-empt and respond to these threats. As always, the ISF’s Threat Horizon and other deliverables can help.


The ISF Security Model

Figure 1: The ISF Security Model (three ISF services, Tools & Methods, Knowledge Exchange and Research & Reports, surrounding six aspects of the security environment: People, Process, Technology, Governance, Risk and Compliance; rating key: Very high, High, Medium, Low, Very low)

Tools & Methods

The Information Security Forum (ISF) offers Members a unique set of practical tools and methodologies to manage and control information risk throughout the enterprise.

Designed to be as straightforward to implement as possible, these offer Members an ‘out of the box’ approach for addressing a wide range of challenges – whether they be strategic, compliance-driven or process-related.

Knowledge Exchange

The ISF brings Members together to share and discuss information security issues, experiences and practical solutions in an environment of total trust and confidentiality.

Our programme of workshops, meetings and forums is held across the world from Scandinavia through the Americas to the Middle East, India, Africa, Australia and the Pacific Rim, and addresses both regional and international issues.

Research & Reports

ISF Members have unlimited access to an extensive library of reports that provide practical guidance and solutions to information security challenges.

Our research and reports material incorporates an unmatched degree of thought leadership in information security, information risk management and related topics.

People

The executives, staff and third parties with access to information, who need to be aware of their information security responsibilities and requirements and whose access to systems and data needs to be managed.

Process

Business processes, applications and data that support the operations and decision making.

Technology

The physical and technical infrastructure, including networks and end points, required to support the successful deployment of secure processes.

Governance

The framework by which policy and direction is set, providing senior management with assurance that security management activities are being performed correctly and consistently.

Risk

The potential business impact and likelihood of particular threats occurring – and the application of controls to mitigate risk to acceptable levels.

Compliance

The policy, statutory and contractual obligations relevant to information security which must be met to operate in today’s business world to avoid civil or criminal penalties and mitigate risk.

A copy of the ISF Security Model can be downloaded from the ISF Member website (ISF Live) which can be used to clearly describe to your team, senior management or potential Membership prospects the key aspects of the information security environment within your organisation.

The ISF has developed a security model to support organisations in designing their approach to addressing information security and to give them a basis for identifying the key aspects of an information security programme. The ISF provides insights, best practice standards and tools which address each aspect of the model to aid organisations in enhancing their information security environment.

Within the ISF Security Model, the Threat Horizon 2015 report forms part of the Research and Reports service. Using a rating from very low to very high, the way in which this report aligns with the ISF Security Model is shown below.


1 Getting value from the ISF Threat Horizon report
Ways to use this report 1
Audience for this report 2
Methodology 2

2 What’s on the horizon for 2015? 3

Cyber risk is challenging to understand and address
1. The CEO doesn’t get it 6
2. Organisations can’t get the right people 10
3. Outsourcing security backfires 12

Reputation is a new target for cyber attacks
4. Insiders fuel corporate activism 15
5. Hacktivists create fear, uncertainty and doubt 18

Criminals value your information
6. Crime as a Service (CaaS) upgrades to v2.0 21
7. Information leaks all the time 24

The changing pace of technology doesn’t help
8. BYOC (bring your own cloud) adds unmanaged risk 27
9. Bring your own device further increases information risk exposure 30

The role of government must not be misunderstood
10. Governments and regulators won’t do it for you 33

3 Conclusion 36

4 Implementation in practice – how ISF Members use the Threat Horizon report within their organisations 38

Appendix A: Industry Applicability 43

Appendix B: Threat Radar 44

Appendix C: Revisiting predictions from Threat Horizon 2013 46

Appendix D: Revisiting predictions from Threat Horizon 2014 48

Appendix E: References 52


1 Getting value from the ISF Threat Horizon report

The ISF’s annual Threat Horizon report helps organisations to look forward, by considering future threats to information security in today’s interconnected, always-on world. With this insight, organisations can better understand their information risk, and be better prepared to manage that risk.

We recommend that Members review and discuss the threats contained in this report. Doing so may suggest other threats – this is important because it’s not possible for anyone to predict the future with 100% accuracy. Then, consider the threats in the context of your organisation: which are more likely to apply to your industry or geography? What is the potential impact? How does that translate into risk? How should you respond?

By minimising the element of surprise, you can better prepare on all fronts, from mitigation to incident response. Use risk management to deal with those risks that can be predicted, and increase organisational resilience to deal with those that can’t.

Ways to use this report

ISF Members use Threat Horizon reports in many ways.

As a communications and awareness tool, to:

• help frame future thinking and discussion
• conduct strategic planning
• launch an awareness campaign
• create an opportunity to engage different audiences.

To align business and security strategy, and:

• understand impact
• prepare responses to anticipated threats
• determine future changes to business critical systems
• help build a credible business case to enhance the information security function (which is cheaper to do up-front than after an incident).

To influence their organisation’s risk appetite:

• start discussions across a varied audience
• promote information risk assessment into the strategic and tactical agenda
• set the information security strategy
• perform risk assessments and risk prioritisation
• help with information security business cases and prioritisation.

In particular, we recommend:

• evaluating applicable threats to your organisation in the context of the organisation’s most valuable assets
• using your knowledge of the organisation to consider which threats are more likely to have considerable impact and which could create risk
• considering the recommendations suggested in the report along with your own remedies to mitigate those risks
• sharing Threat Horizon 2015 with senior management and with other functions including risk management professionals, risk committees and business continuity planning teams
• joining the active Threat Horizon community on ISF Live to share thoughts, information, articles and to debate the findings in this report.



Audience for this report

This report is aimed at senior business executives, up to and including board level, to help them understand the cyber threats that could have an impact on their organisations. It can also be used by information security professionals to explain threats to business audiences and to engage with them.

It will also be of interest to anyone who has a strong desire to drive down business risk from cyberspace, including information security leaders, business managers, risk managers and internal auditors.

Methodology

(Figure: the methodology diagram shows the five PLEST dimensions, Political, Legal and Regulatory, Economic, Socio-cultural and Technological, alongside the Threat Dataset and the Threat Horizon 2015 report.)

This report is based on:

• information submitted by Members via the collaboration space on the ISF Member website, ISF Live
• interviews and discussions with ISF Members from around the globe
• discussion at ISF Chapter meetings around the world
• a Threat Horizon workshop at the ISF Annual World Congress in Chicago
• input from various Member and non-Member experts
• research conducted for other ISF projects
• news articles, conference presentations, blogs and online research
• thought leadership provided by the ISF Global Team.


2 What’s on the horizon for 2015?

There are ten predictions in this report; each begins with a fictional scenario that describes one way the prediction could materialise. The scenarios describe two quite different, fictional organisations:

• Ready Inc is mature in its approach to cyberspace and information risk. Management and the board understand how information risk translates into business risk, and Ready has a strong information security function.

• UnPrep Ltd is the opposite. They did the bare minimum as the Internet and technology evolved around them, not really understanding how their dependence on technology had increased over time. Their CEO is unable to deal with the increased complexity and rate of technological change.

These profiles are deliberately provocative, and while we hope that no organisation is similar to UnPrep, aspects of both organisations should be illuminating to most readers.

The scenarios are followed by detailed predictions, along with trends and other factors that can increase or decrease the probability of the prediction coming true. These include threat magnifiers and reducers, a brief list of technical items that can increase or reduce the magnitude of the threat. These are followed by recommendations.

We have grouped the ten predictions into five themes:

Cyber risk is challenging to understand and address
1. The CEO doesn’t get it
2. Organisations can’t get the right people
3. Outsourcing security backfires

Reputation is a new target for cyber attacks
4. Insiders fuel corporate activism
5. Hacktivists create fear, uncertainty and doubt

Criminals value your information
6. Crime as a Service (CaaS) upgrades to v2.0
7. Information leaks all the time

The changing pace of technology doesn’t help
8. BYOC (bring your own cloud) adds unmanaged risk
9. Bring your own device further increases information risk exposure

The role of government must not be misunderstood
10. Governments and regulators won’t do it for you


Ready Inc

Ready is a multinational organisation which started operations in the 1990s and grew rapidly in the early 2000s through organic growth, acquisitions and joint ventures. Ready has branches on all continents and is internationally recognised in its sector as a significant organisation, but relatively unknown to the general public who are much more familiar with its numerous local brands.

Ready sees cyber and information risk as major business risks. The World Economic Forum’s (WEF) 2012 Global Risk survey puts Ready in the minority – one of the 30% of organisations where cyber risks are discussed at board level. They are not only discussed, they are also factored into major decisions. Ready has a mature information security organisation, with one CISO per business unit and a group CISO driving the global strategy. When the previous CISO resigned, the executives carefully considered their options and what they and the board needed from someone in that position.

The group CISO reports through to the board regularly on the nature and magnitude of information risk. This includes ongoing risk in key markets plus new risk associated with new business initiatives.

When necessary, the group CISO also reports on major topics that require the board’s attention.

If information security budgets or initiatives are put on hold, those decisions are carefully considered by the board.

The information security department works closely with every part of the business to define the best approach to respond to their needs. They have set internal guidelines for business units on several trending topics, such as cloud computing and consumer devices. Some business units are buying their own cloud services. These are approved after consultation with IT if IT is not suited to offer the required service. A risk assessment with information security ensures adequate safeguards.

Executives and staff have requested their own devices be connected to the network. Policy and technical controls are in place and the policy defines eligible employees and devices. Executives are leading by example.


UnPrep Ltd

UnPrep is a multinational organisation that started operations in the early 1960s and has since grown steadily. It went through a number of major reorganisations, as a result of acquisitions, sales of business units and major cost reduction initiatives. UnPrep’s internal organisation is consolidated, with a “Corporate” department providing most services, including information security, to the different business units. Its operations are spread across all continents, though its markets vary considerably from one region to another. It is internationally recognised both in its sector and by the general public and figures regularly in the top 100 companies in both worldwide and local market studies.

UnPrep’s increasing dependence on the Internet and technology was not matched by increasing knowledge among the executives. Most aspects of technology were seen as a cost centre and something to be outsourced.

The CISO is very technically inclined, with a strong background in both IT administration and information security technologies; he has no business experience. He reports within the IT department, as information security is one of the numerous functions of IT.

The board is confident information security is under the responsibility and control of the CIO. The board has never received any information on security metric reports and doesn’t know what it should ask for.

Information security budgets and initiatives were put on hold 24 months ago as part of a global freeze on IT investments. Since then, some budget has been invested in 10 IT initiatives marked as top priority, none of which were information security related.

Information security and IT staff who left have not been replaced. Their roles and responsibilities have been redistributed among the remaining team members. This lack of resources has given the IT department a bad reputation; it’s slow to respond and changes are difficult to address.

Several business units have decided to bypass corporate IT and are ordering their own services, including storage, backup, cloud and devices.

The senior executives decided that connectivity of their personal devices was a necessity; no study was done to manage devices and no budget was available for this project. Similar initiatives took place in several business units, and groups of employees deployed local solutions to connect their personal devices to the organisation’s network.


Cyber risk is challenging to understand and address

1 The CEO doesn’t get it

UnPrep’s CEO was aware that information security was managed by a team within the IT department. The CISO had asked to brief the board, but his technical reports were alienating. Worse, they didn’t explain that information risk was a business risk that warranted board attention. As a result, board members never considered information and cyber risks as potential major business risks.

UnPrep decided to use videoconferencing as a way to increase customer engagement. They selected a publicly available video conferencing system delivered by a social network on the basis of its quality and simplicity. The system was deployed to every office and customers were invited to regional offices for “fireside chats with the company executives”. Other customers connected from their home PCs and tablets. The system was also used to host internal meetings. Customer engagement improved and the organisation received valuable intelligence about customer satisfaction and identified new revenue potential.

However, because the organisation had not properly evaluated the risk associated with this initiative, it took on more risk than it would have knowingly accepted. Hackers were able to join meetings undetected. They also found meetings that had been unintentionally recorded and started to publish details that had only been made available during these meetings. The videos went viral, and those that spread the most rapidly were mashups of customers complaining and corresponding internal meetings where staff discussed the customers and their complaints in unflattering terms.

The CEO didn’t know what to say and could not justify overlooking the risk associated with the initiative. He wanted to take action but didn’t have the information he required to make informed decisions or credible statements.

Customers, especially those connecting from home, were outraged and felt their privacy had been violated. UnPrep lost credibility with its stakeholders and the public and its lack of preparedness raised questions about its ability to operate in cyberspace in the long term. Customers took their business elsewhere and shareholder activists attacked the CEO demanding corrective action.

It’s time to get with the programme

If organisations’ senior executives don’t understand cyberspace they will either take on more risk than they would knowingly accept, or miss opportunities to further their strategic business objectives such as increasing customer engagement or market leadership.

These organisations are more likely to suffer embarrassing incidents (such as the fictional scenario above or a Twitter campaign gone awry) and when they do, they will suffer greater and longer-lasting impact.

Understanding cyber risks and rewards is also fundamental to trust. If organisations can’t maintain a trusted environment in which to communicate and interact with their customers, their business could suffer or even collapse. This is true whether it’s a customer engagement programme using video, or systems that support core customer transactions like shopping, banking or reservations.

Organisations’ dependence on the Internet and technology has continued to increase over the years. For organisations developing new technologies, or consciously keeping up with trends, this dependence was obvious. For others, it happened around them, in the background, while their attention was focussed elsewhere.

CEOs received information and reports encouraging them to consider information and cyber security risk. But not all of them understood how to respond to those risks and the implications for their organisations.


Over the next two years we expect to see the gulf widen between those organisations that get it and those that don’t. And the longer organisations take to understand this picture, the harder it will be for them to catch up.

Many organisations don’t get it

During the 2012 ISF Congress, a keynote presenter from the World Economic Forum (WEF) cited a 2012 survey finding that cyber risk was discussed at board level in only 30% of companies, and that it was the third most underestimated risk across all industries after growing income disparities and increased resource scarcity[3]. An IBM survey in 2011 about the roles of CEOs reported that over half of CEOs questioned were unable to deal with the increased complexity and rate of technological change.

In early 2012, the WEF launched Partnering for Cyber Resilience[4], a “global, multi-industry, multistakeholder initiative to improve cyber resilience, raise business standards and to contribute to a safer and stronger connected society”. Despite the quality of this initiative, and the global reputation of the WEF, a year later only 65 organisations had signed up to its four principles.

Dependence on cyberspace is increasing

Many organisations still don’t understand the pace or extent of their growing dependence on cyberspace.

In just one year, against largely flat economic growth, online retail sales in the UK increased by 14% in 2012 to more than £50 billion[5]. Predictions indicate this growth will continue, and some retailers have announced significant targets for online sales.

A number of organisations were hit in 2012 with serious unexpected outages, from which they were unable to recover quickly, and for which backup systems didn’t function. Reverting to manual operation is simply no longer possible for many organisations.

Trust: years to build, minutes to wreck

Organisations are not only becoming increasingly dependent on cyberspace, they also increasingly depend on their customers’ confidence that they can operate safely in cyberspace. While outages and other serious incidents have unacceptable impacts, organisations can usually recover from the incidents themselves. Rebuilding trust is a completely different matter. If an organisation loses its customers’ trust, it may not be able to recover. The increased cost and time required, as well as stories surrounding the incident and damage to the organisation’s reputation, might make the effort unaffordable. Organisations will have to demonstrate they provide a trusted environment in cyberspace where their customers can do business. Those that don’t will realise the truth of the adage that trust takes years to build and minutes to destroy.

Organisations that do get it see business benefit

The WEF finding that 30% of organisations discuss cyber resilience at board level is consistent with the Ernst & Young (E&Y) 2012 Global Information Security Survey[6] finding that 26% of organisations have given responsibility for information security to the CEO, CFO or COO.

And, keeping up pays dividends. Another E&Y report[7] found that companies with more mature risk management practices generated the highest growth in revenue. In addition:

• Top-performing companies implemented twice as many of the key risk capabilities as those in the lowest-performing group.

• Companies in the top 20% of risk maturity generated three times the earnings before interest, taxes, depreciation and amortization (EBITDA) of those in the bottom 20%.

• Financial performance is strongly connected to the level of integration and coordination across risk, control, and compliance functions.

• Effectively harnessing technology to support risk management is the greatest weakness or opportunity for most organisations.

The same report found that organisations with more mature risk management not only experience less impact from fewer incidents, they are also more profitable.


BENEFITSBy doing so, CEOs and board members will properly understand the rewards and risks of opera ng in cyberspace, demonstrate to customers, the market and shareholders they are reliable and forward-thinking and show that the organisa on is ready to take on cyber business ini a ves with confi dence.

RECOMMENDATIONSCEOs and boards should develop a clear picture of how informa on risk and cyber risk translate into business risk. They need confi dence that their organisa on understands that risk and has managed it (mi gated, accepted, avoided or transferred it) appropriately. Achieving clarity on informa on security requires CISOs and security professionals to explain informa on risk in business language. These explana ons need to be backed by a clear ac on plan.

CEOs need to understand their dependence on technology and their place in cyberspace in order to maximise the numerous benefi ts that can help them to achieve their strategic goals. They need to become engaged with their organisa on’s informa on risk and cyber security ac vi es, as these play a role in maintaining a trusted environment and protec ng customer confi dence. They should ensure there are well-defi ned communica on channels with informa on security to evaluate risks, defi ne risk acceptance and mi ga on strategies. CEOs should ensure the relevant teams know what to report and when.

CEOs should be able to demonstrate that they and their organisa ons have this understanding, and be able to evidence that they have considered cyber risk as part of relevant business risks when making decisions. They should ensure an appropriate level of resourcing is in place to manage risk and provide cyber resilience.

Organisations should engage with programmes designed to promote understanding of cyber risk, such as the ISF’s Cyber SIG (Special Interest Group) and the World Economic Forum’s Partnering for Cyber Resilience [3] initiative. Many governments have important initiatives, such as the UK Government’s Cyber Security Strategy [8], as do other organisations, such as conference boards and local chambers of commerce.

INDUSTRY APPLICABILITY
Utilities – Very High
Retail Trade – Very High
Finance and Insurance – Very High
Management of companies and enterprises – Very High
Public administration – Very High

THREAT MAGNIFIERS AND REDUCERS
VoIP phone systems are becoming vulnerable to attack [8]
The role of the CISO is evolving within the organisation


CONFIDENCE RATING 90%

ISF RESOURCES
Role of Information Security in the Enterprise (2008)
Risk Convergence – Implications for Information Risk Management (2009)
The Information Lifecycle – A New Way of Looking at Information Risk (2010)
Cyber Security Strategies: Achieving cyber resilience (2011)
Information Security Governance: Raising the game (2011)
The Standard of Good Practice for Information Security (2012) (Categories: Security Governance and Security Requirements)
How to get the Attention of the Board (upcoming 2013)
The Changing Role of the CISO (upcoming 2013)
Cyber SIG

You can’t perform without the talent
Despite high unemployment rates, skilled technical and managerial positions will remain difficult to fill. Education systems are gearing up to teach skills but can’t provide people with relevant experience. As long as the current economic climate persists, some governments will be reluctant to ease immigration quotas that would allow talent to be imported. Organisations will find themselves at risk of negative public reactions to offshoring activities – even when they address talent shortages at home. Within two years, we can expect more organisations to poach information security staff from one another, creating the instability seen in previous skills shortages in other fields. Without the right expertise, organisations will be challenged to prevent, manage and recover from incidents.

A significant barrier
In 2012, large organisations voiced their concerns about the difficulty of hiring skilled staff to fill technical positions [10]. They also said their educational systems were not providing the right skills.

In a 2012 survey [5], 43% of respondents cited a lack of skilled resources as a main obstacle to their information security function’s ability to deliver. The Lloyds Risk Index [11] in 2011 placed talent and skills shortages as the second-highest risk facing businesses, after loss of customers, and also reported it was “one of only two risks that respondents felt they were insufficiently prepared for”.

Some governments will continue to face political pressure to restrict immigration [12], and some restrict visas for foreign students [13].

UnPrep started looking for staff who understood information risk. The CEO and management team had committed to place the right people in the right roles as part of their corrective actions to address their information security deficiencies and improve the organisation’s cyber resilience.

But the required skills were hard to find in the local job market and the organisation could not recruit the right people. The situation was made worse by UnPrep’s reputation – many CISOs and security people weren’t interested in working for a CEO who had only recently started to grasp the problem.

Facing these difficulties, UnPrep decided to look abroad for candidates with the right skills. But the government refused to issue more work visas. It could not justify easing immigration restrictions in the face of unemployment figures and economic stagnation.

UnPrep decided to offshore non-customer-facing activities to locations where skilled staff could be found. Still on the media’s radar, UnPrep was criticised for seeking ways to get cheaper staff while local unemployment remained high. Facing more and more pressure from the public and the government, the organisation initiated a programme to train staff to meet its requirements. But this investment was short-lived as competitors seeking similar competencies quickly poached the newly trained staff.

The crunch came on the eve of Cyber Monday, when all systems went down. The new staff demonstrated that training was no substitute for experience: because they did not understand the environment or the organisation’s processes, their response was slow and ineffective. Speculation emerged on social networks that customers’ private information had leaked as part of the attack, although there was no evidence. UnPrep had no response plan, and the CEO didn’t know what to say about the incident or what UnPrep was doing about it. He didn’t get the information he needed to be able to respond to shareholders’ and media requests for information. The delays in communication generated suspicion that UnPrep was trying to mask the true impact of the incident and hide information. The lack of incident management skills made the incident worse and extended the downtime, affecting UnPrep’s ability to run and support its business.

2. Organisations can’t get the right people


Some organisations are dealing with this issue by providing training and retention packages, while continuing to lobby government.

A skills shortage can have other consequences
Organisations are at risk of feeling the skills shortage in other ways too. An already overstretched information security team wouldn’t have the capacity to deal with an unexpected or prolonged attack, such as those seen recently.

Under-resourced teams at suppliers can increase supply chain information risk. For example, organisations needing to use suppliers for custom technical work, such as mobile app development, may find that a lack of skills and experience at the supplier could jeopardise security supposedly embedded in the apps.

RECOMMENDATIONS
There must be a clear definition of the role and value of the information security function, communicated throughout the organisation, to build the credibility and reputation of the information security team as a business enabler. Key staff at risk of being poached can be retained with appropriate packages and development paths; new staff can be attracted and retained through training commitments and competitive compensation. Additional safeguards should be considered, such as stand-by contracts for skilled contractors and consultants.

INDUSTRY APPLICABILITY
Information – Very High
Finance and Insurance – Very High
Health care and social assistance – Very High
Utilities – High
Manufacturing – High

THREAT MAGNIFIERS AND REDUCERS
Failure to ease and adapt immigration rules and nationalism make the situation worse
Failure to adapt the educational systems to deliver people with the skills organisations require
Return of protectionism where borders are closed to migrants
Loss of first-generation skills leading to a shortage of experts with an understanding of older systems

BENEFITS
With clear and valued roles and responsibilities, the organisation will be in a stronger position to compete for staff, and will also be clearer on the skills and experience important to the organisation.

If the organisation takes the approach that information security is an enabler, not a showstopper, it will engage information security teams on new business initiatives, further increasing its attractiveness as an employer.

CONFIDENCE RATING 85%

ISF RESOURCES
Information Security Incident Management: Establishing an Information Security Incident Management Capability (2006)
Information Security Incident Management: Introductory Guide (2006)
Managing a Security Function (2007)
Information Security Governance: Raising the game (2011)
The Standard of Good Practice for Information Security (2012) (Category: Control Framework – Topic: CF12)
The Changing Role of the CISO (upcoming 2013)


Organisations have always looked for ways to reduce costs – and outsourcing activities not directly linked to the core business remains a popular way to demonstrate savings. Although information security had largely been preserved as an internal function up to 2013, from mid-2014 that situation started to shift.

UnPrep had difficulties retaining skilled staff for activities supporting its business, especially information security. They decided to outsource information security entirely, from strategy to operations. This was a knee-jerk reaction to solve a number of problems including those described earlier. All information security activities were moved to a managed security services provider (MSSP).

Despite the MSSP’s best efforts to get information and collaborate with UnPrep’s management, none was forthcoming. The MSSP was isolated in its efforts to understand UnPrep’s information security requirements, so it suggested customising an information security strategy it had developed to fit a number of its other customers. UnPrep signed off on the plan without customising it and without really understanding the resources, associated rules, processes or procedures.

After less than a year of service, the MSSP needed to perform some critical security updates, and UnPrep’s management approved the project, without reading the details. The MSSP planned the work for out-of-business hours, starting on the first Friday of September at 21:00. It would be completed by 17:00 the following Sunday.

The MSSP wasn’t aware that the last two weeks of September were a critical time for UnPrep, due to a series of important trade shows and conferences, where industry and the public were gathering, big sales announcements were made, prototypes demonstrated, financial results and forecasts released and key projects launched. Every year, from the beginning of September until the last show, UnPrep’s people were working evenings and weekends. On Saturday morning, UnPrep’s people were unable to connect to their systems or access files or email from either the office or home. As the MSSP only provided support from Monday to Friday during business hours, by the time someone was finally contacted, half a day had been lost.

The MSSP could not simply turn the systems on, as they were in the middle of the upgrade. The whole weekend was lost, seriously impacting UnPrep’s presentations at the shows and its reputation with both industry and the public.

This was the biggest sign yet that information security strategy had become disconnected from the business requirements. It neither supported business objectives nor addressed organisation-specific requirements. Rather, information security strategy had been set by the MSSP according to its limited understanding of the organisation. The only way UnPrep could influence the MSSP strategy was at a cost – every additional business requirement carried evaluation, deployment and maintenance charges.

Worse still, UnPrep could not easily disengage because the MSSP was controlling its critical business infrastructure, and held all the required skills in information security and cyber risk.

3. Outsourcing security backfires


The high price of false economies
Organisations will suffer if they outsource key capabilities. Organisations will only be able to leverage value from managed security service providers if they keep the authority and understanding necessary to drive these services. Organisations unable to build and drive their information security strategy will lose control – in the short term of their ability to respond to changing threats, and in the longer term of their ability to meet the needs of the business. Organisations unable to maintain control of their information security strategy will fail to adapt to changing business needs in an evolving environment.

Information security under-investment as cost pressures continue
As long as the world economy is depressed, there will be a need to contain or reduce costs, maintaining the pressure to outsource. Information security is no exception: a history of budget cuts is only now starting to ease; in a survey [14] that asked about security spending over the next 12 months, 36% of organisations said spending would stay the same or decrease, and 44% said it would increase (the others weren’t sure).

This can be dangerous. As one ISF Member said, “the exposures are seldom quantified in the business case to outsource”.

Working with external partners including outsourcers can be beneficial, providing expertise or resources the organisation doesn’t have. This will only be true if the organisation manages the partnership successfully. Doing so requires specific skills and experience within the organisation.

Not learning from mistakes
ISF research in 2012 found that “incidents provide crucial opportunities to investigate weaknesses. Learning from incidents enables a process of continuous improvement that reduces the probability of future incidents. When conducted as part of a broader information security and risk management programme, post-incident review empowers organisations to respond more quickly and develop the resilience needed to survive the impacts from today’s complex threats” [15]. Organisations outsourcing a complete function, without consideration for the organisation’s collective wisdom, can deprive themselves of important experience such as optimal approaches or lessons learned.

RECOMMENDATIONS
Organisations should understand that information risk is business risk. Information risk management should therefore be retained as an internal capability alongside core business functions. With this understanding, the organisation will retain sufficient internal capability to manage outsourcers and the services they provide in a way that delivers business value while managing the risk.

With input from the relevant business units and the vendor management function, information security staff should define and communicate the organisation’s requirements, evaluate whether a given outsourcer is capable of delivering them, and determine whether a contracted outsourcer is in fact delivering them, and to what level of quality. Roles and responsibilities between providers and the organisation must be clearly defined.

As part of this process, information security staff should also determine the information risk associated with each outsourcing contract, define the security arrangements it requires from the outsourcer, and regularly evaluate the outsourcer’s performance in meeting those objectives.

Staff managing outsourcers should ensure their efforts are aligned to organisational priorities (it can help to stay close to senior management and maintain relationships with the business). Disengagement plans should be prepared and kept ready, in case a provider is unable to deliver the required services to the appropriate standard.

INDUSTRY APPLICABILITY
Information – Very High
Finance and Insurance – Very High
Health care and social assistance – Very High
Utilities – High
Manufacturing – High

THREAT MAGNIFIERS AND REDUCERS
People are overwhelmed by cyber security complexity
Over-supply of solutions


BENEFITS
When outsourcing is managed well, organisations get the support appropriate for their business objectives and other needs. Information security supports the business objectives and addresses the organisation’s specific issues. The organisation can evaluate outsourcers’ capabilities and performance, and the contracts define roles, responsibilities and service level agreements.

CONFIDENCE RATING 75%

ISF RESOURCES
Information Security Strategy: Workshop Report (2007)
Role of Information Security in the Enterprise (2008)
Information risk management in outsourcing and offshoring (2008)
Securing Cloud Computing: Addressing the Seven Deadly Sins (2011)
The Standard of Good Practice for Information Security (2012) (Category: Control Framework – Topic: CF16)
Securing the Supply Chain (upcoming 2013)


A number of tax scandals arose when multinationals with a significant presence in a country avoided paying local taxes by incorporating in tax-friendly jurisdictions. This intensified an already strong focus on organisations’ ethics and business behaviours.

But, unlike previously, this interest wasn’t limited to media, public interest groups and hacktivists. Strongly opinionated employees joined the cause.

With employee loyalty at an all-time low, insiders – some with access to sensitive information – increasingly placed their own ethics and ideology above those of their organisation.

Following the methods used by the Occupy movements and the Arab Spring revolutions, corporate activist groups leveraged social networks to initiate actions against organisations they considered to be behaving unethically towards their consumers or suppliers, either nationally or internationally. These groups were organised and could react quickly to information made available to them. They also became mature in leveraging contacts with the insiders and protecting their sources by using the full extent of the regulations providing whistleblowers with immunity and anonymity, thus reassuring potential informers.

A Ready employee found a report about plans for a future manufacturing plant that highlighted several violations of environmental standards, in contrast to the organisation’s much publicised corporate sustainability values and ecological sensitivity. The insider made the report available to corporate activists who published it; highlights were picked up by the media.

With its monitoring of social media, Ready was immediately aware of the issue and quickly identified that the leaked document was an old report, specifically designed to highlight the gaps between the plan and Ready’s ecological standards – precisely so Ready could correct those gaps. The organisation immediately published the updated report, dated some months previously, evidencing how the issues had already been addressed. Informed and credible media interviews, online videos and blogs quickly quietened the critics.

Although confidential internal information had been leaked, Ready was able to identify the inappropriate access rights, and also addressed the information integrity issue: an out of date report being available without appropriate context.


4. Insiders fuel corporate activism

Legal compliance isn’t enough
Business practice will be scrutinised, not only by watchdog bodies, but also by employees, contractors and customers. More insiders will emerge as more people place their own ethics and perceptions above those of their employers. Corporate activists, already organised, will get better at gathering information and bringing it to the media and public’s attention. Criticisms will go viral, and information that comes from credible insiders will spread rapidly, be picked up faster and see increased media exposure. Coordinated action, such as boycotts and protests, will attract hacktivist groups, who will bring their own expertise and initiate sympathetic cyber attacks.

A number of global brands, including Amazon, Google and Starbucks – and high profile individuals – have recently encountered public relations issues arising from tax avoidance. People publicly announced their boycott of both the corporate and personal brands. The argument that tax avoidance is legal (tax evasion is not) – and that the issue should be left with the governments and regulations responsible for the loopholes – did not play well in the media and did nothing to resolve the problem, because the public decided the behaviour was unethical.

What’s significant about this development is that 100% legal compliance is no longer enough. Criticism has extended from clear wrongdoing (actions that broke the law or violated regulations) to perceived wrongdoing (actions that were completely legal, yet judged in the court of public opinion as unethical or otherwise unacceptable).


Reputation is a new target for cyber attacks


Hacktivists join the fight
In several public actions, Anonymous launched associated hacktivist operations. The 2012 student protest in Quebec, for example, saw Operation Quebec, which included attacks against government websites and released the personal information of people who bought tickets for the Formula One Grand Prix of Canada [16].

Who needs WikiLeaks?
Once strong enough to affect a major bank’s share price, WikiLeaks hasn’t been central to recent cases of social activism. This hasn’t prevented the issues from becoming front page news and having a negative impact on the target organisations, nor does it mean that the threat has gone away. WikiLeaks proved the concept that there is online interest in leaked documents, and that interest will remain.

Introducing Tyler: WikiLeaks on steroids?
In early 2013 Information Security magazine ran a story describing codenametyler.org, a site it says is being developed for Anonymous by a systems architect and former financial engineer. “What is being developed is a complete, secure and anonymous distributed social network, where individual members of the public can whistleblow securely, network with fellows anonymously, and feel safe from surveillance” [17]. codenametyler.org claims to have corrected the problems that plagued WikiLeaks – its funding model and its dependence on its founder.

RECOMMENDATIONS
Organisations should stay vigilant in their efforts to protect information and prevent data loss. Established controls, from managing employee access to monitoring network traffic and removable media, should be maintained and updated.

The information security function should work closely with the public relations function and community management specialists to enable the organisation to keep up to date with what’s being said about the organisation online, and to track public sentiment on current issues. Potential flash points, such as off-shore tax arrangements, can be identified and a response prepared.

Organisations should recognise the changing nature of the workforce and work to establish trust, explaining the organisation’s position and its point of view about important issues.

THREAT MAGNIFIERS AND REDUCERS
Poor BYOD policy will place confidential information at risk
Privileged accounts still an issue as users are still granted elevated privileges

INDUSTRY APPLICABILITY
Retail trade – Very High
Professional services – Very High
Administrative and support and waste management and remediation services – Very High
Health care and social assistance – Very High
Public administration – Very High


Member quote: “If video killed the radio star, social engineering surely has killed the security analyst.”


ISF RESOURCES
Aligning Business Continuity and Information Security (2006)
Insider threats (2007)
Information Leakage (2007)
Blogging and Social Networking (2009)

BENEFITS
With monitoring, data loss prevention and managed access controls, the organisation will have better traceability of data access and transfers.

The deployment of security controls, screening of candidates and staff where authorised, and the establishment of workforce trust will limit data leakage.

CONFIDENCE RATING 80%


Ready’s reputation was fundamental to its success and strong relationships with its customers. For years it had been recognised for delivering products of great quality, designed with safety from the ground up. Over the years Ready publicised its investment in the safety and quality of its products. Defects in just one product’s quality could have serious consequences on the entire business.

When the media reported an accident which may have involved some of Ready’s products, a hacktivist group was quick to claim it had obtained a list of plaintiffs who were suing the organisation. They stated customers were seeking compensation from Ready for product defects that caused serious injuries over a number of years.

The information went viral on Twitter as an insider, under the cover of anonymity, reported in a major newspaper that his role consisted of building and publishing fake quality reports. Hacktivists claimed they had gained access to the organisation’s internal network and found evidence that the organisation was aware of the issue long before the first accident happened. They threatened to release the evidence unless the organisation negotiated a settlement with the victims.

Ready knew there were no plaintiffs and no litigation pending. It was unlikely there was a product defect. Ready relied on its incident management systems and processes, and its investigations capability, to confirm no systems had been compromised, no documents were accessed, and no information was transferred electronically or physically. Good relationships with the media enabled it to communicate credibly, transparently and through multiple channels to the public, shareholders and regulators, discrediting the false claims. Outside advisors issued independent verification of the situation, further reinforcing Ready’s statements to the media.

Its safety record enabled Ready to quickly re-establish its customers’ trust and manage other stakeholders including shareholders. Ready considered taking legal action against the newspaper.

The story was long forgotten when the regulatory investigation into the accident reported that Ready’s products were not involved.

5. Hacktivists create fear, uncertainty and doubt

Reputations are fair game
As long as systems continue to be compromised, and the incidents make headlines, claims will be believed. Whether the claim is true or false is secondary: organisations will be guilty until proven innocent in the court of public opinion. And the impact on the target organisation will be independent of whether the claims are intentionally malicious or the result of honest mistakes.

The faster the organisation responds, the more it knows and can say credibly, and the more trusted its reputation, the less severe the impact will be. Organisations who are unable to respond quickly may find that the public and their customers continue to remember the false incident long after the organisation’s innocence was proven.

No time to react
Organisations have less time than ever to respond, as information flows around the planet at the speed of light. They must track multiple channels: viral emails and web page views have been joined by Twitter trends, Facebook likes and YouTube views, to name a few. News sites invite readers to comment on stories, creating dialogue and commentary that is often unmoderated.


A fertile ground for FUD – fear…
Stories about attacks on control systems, be they pacemakers [18] or Iranian centrifuges, will continue to resonate with the public’s primal fears. The media continues to report on the potential impact of a cyber attack on power grids, citing old control systems that lack up-to-date security.

The rapid introduction of new technology – much of it not fully understood – also fuels imaginations. A documentary praising the ability of doctors to perform surgery from 100 miles away could easily be undermined by an off-hand quip by a journalist about whether such a system could be hacked.

…uncertainty and doubt
While some major news organisations have improved their verification processes, making them less likely to report false claims, others haven’t. They all face relentless and increasing pressure to report the story first, increasing the chances that verification efforts will be inadequate.

Increasingly, the public’s consumption of news relies on non-verified sources. Mass media has lost market share to independent web sites, blogs and Twitter. In addition, a 2012 Pew Research Center study found that people are increasingly getting their news from YouTube [19], which includes significant amounts of citizen-provided footage. In describing the new interaction between citizens and news organisations, the report says that “all this creates the potential for news to be manufactured, or even falsified, without giving audiences much ability to know who produced it or how to verify it”. The same report states that YouTube is the “third most visited destination online, behind only Google (which owns YouTube) and Facebook”.

RECOMMENDATIONSOrganisa ons need processes that enable them to stay current with what’s being said about them online. Solid and rehearsed incident management processes are a necessity, as are communica ons plans that include all involved par es, such as shareholders and the media.

If they haven’t already done so, organisa ons should broaden their communica on plans to include blogs, Twi er, YouTube and so on. For example, blog pla orms, Twi er accounts, and YouTube channels should be set up in advance so they’re in place, and more importantly are followed by media and customers, before there’s a crisis. Organisa ons should make the modest investment needed to enable them to shoot video in house that can be posted immediately.

Spokespeople, media representatives and agencies should prepare specifically to deal with false claims. This may include having a sound knowledge of what is and isn't likely, knowing what is realistic for the organisation to investigate and how quickly, and being connected to independent advisors such as outside investigators or legal counsel.

INDUSTRY APPLICABILITY

Utilities: Very High
Manufacturing: Very High
Retail trade: Very High
Finance and Insurance: Very High
Health care and Social assistance: Very High

THREAT MAGNIFIERS AND REDUCERS

Security of embedded devices raises concerns
Falsely attributing the source of leaked information to government organisations20


BENEFITS

The combination of careful monitoring of social media activities with a prepared communication plan will allow the organisation to quickly release clear and accurate information before a false claim spreads out of control. Transparency about the situation and the organisation's actions will reassure customers, shareholders and other stakeholders, and help to maintain their trust.

CONFIDENCE RATING 80%

ISF RESOURCES

Information Security Incident Management: Establishing an Information Security Incident Management Capability (2006)
Profit-Driven Attacks (2008)
Hacktivism (2011)
The Standard of Good Practice for Information Security (2012) (Category: Control Framework – Topic: CF11.2)
You Could Be Next: Learning from incidents to improve resilience (2012)


When criminal organisations re-crafted their attack plans, identifying the skills they needed, they found a diverse talent pool. Disgruntled employees of 20-years standing had insider information. Unemployed experts knew product details, potential defects or vulnerabilities. Eager new graduates formed an enthusiastic and readily available workforce.

Many of the recruits weren’t aware of the criminal organisation sitting behind the seemingly respectable front company.

Accuracy of victim selection increased, as did the sophistication and effectiveness of the attacks. Supply chains were attacked with surgical precision that innovatively combined past successes in two distinct areas: social engineering and malicious software development. They pre-installed malicious software on new equipment.

UnPrep had a new business initiative that required the acquisition of new equipment. The budget was tight and several ideas had been explored to reduce costs. The business unit was cold-called by a new supplier, who claimed it could offer a significant discount on the equipment – one that the incumbent provider could not match.

Deadlines and competitive pressure caused UnPrep to skip its new vendor validation process. The equipment was delivered on time, installed correctly, and provided the agreed service. Some months later, the provider was nowhere to be found. The former provider agreed to take over the equipment’s maintenance, and immediately raised concerns about the whole installation. Though UnPrep initially dismissed these concerns as supplier rivalry, disturbing evidence triggered an investigation. It revealed that the equipment had been supplied with pre-installed malicious software that used its privileged place in the network to steal information and provide access to UnPrep’s systems.

UnPrep had to replace all the equipment at significant cost, delaying its business initiatives and losing ground to its competition. Worse, because UnPrep was attacked through a channel it trusted, none of its traditional defences detected the attack. It had no details of what information was lost and which systems were compromised. It had to notify all its suppliers, customers and the general public, further reducing confidence in the organisation.


6. Crime as a Service (CaaS) upgrades to v2.0

Malspace hits the terrible teens

Attacks will become more innovative and sophisticated: as organisations develop new security mechanisms, cybercriminals will develop new techniques to circumvent them. Unemployed and disgruntled employees will form a talent pool from which criminal groups gather the capabilities and information needed for these attacks.

Just as the value of a person’s identity has far surpassed the value of an individual’s credit card number, it, in turn, will be eclipsed by the value of organisational information. From knowledge of business operations that enables a fake supplier to call the right person at the right time, to details about an organisation’s vulnerabilities, corporate information will become increasingly valuable.

Built-in crimeware

When Microsoft employees bought 20 computers in a local market, all 20 had counterfeit operating systems with weakened security settings, and four had malicious software pre-installed. In 2012, Microsoft received court permission to take action against the criminals controlling that malicious software. The action followed a 2011 finding that criminals distribute counterfeit, insecure versions of Windows21.


Where there is a will, there is a way. The question is really one of risk acceptance.


Criminals value your information


Ten months to do damage

Research by Symantec shows that attackers exploit software vulnerabilities for ten months on average before they are detected. The successful "Windows Event Viewer scam" saw attackers use the correct names of IT department staff to gain their victims' trust22, suggesting that sophisticated attacks can succeed even against security-aware staff.

Mobile viruses, Franken-viruses, ransomware: malware's constant evolution

Criminals are actively developing new and more sophisticated types of malicious software. In its Internet Security Threat Report 2011, Symantec reported that more than 33 million new malware variants were created every month23. PlaceRaider, a proof-of-concept Android application, abuses a mobile device's camera to take pictures covertly, selects the most useful ones and transmits them so that an attacker "can construct a 3D model of the environment and gain reconnaissance on a victim's work space"1.

Just as Mary Shelley's Dr. Frankenstein assembled a person from parts, Franken-viruses search the software already present on a computer for usable fragments and stitch them together into malicious code, subverting trusted components to the malware's own aims. While there is not yet any evidence of successful attacks in the wild, a proof of concept has been demonstrated.

In 2012, Sophos predicted that the volume and effectiveness of ransomware infections would increase in 201324. Ransomware is malicious software that holds something hostage; a typical example is a program that encrypts data and will only decrypt it for a fee. Watch for this to move from home computers into organisations.

Hackers for hire

Just as rentacoder.com (now freelancer.com) helps organisations find talent to get a job done, experienced hackers are making their skills available to the highest bidder. Criminals are becoming more experienced buyers and, as a result, are exploiting new avenues to circumvent security.

Talent pool: 52 applicants per graduate position

The lingering effects of the economic crisis produce headlines stating that every new graduate position in the UK attracts 52 applicants25. In France, an unemployment study in September 201226 reported that almost 10% of graduates are without a job, while in the US, an Associated Press report showed that more than 50% of "bachelor's degree-holders under the age of 25 last year were jobless or underemployed, the highest share in at least 11 years"27.

These uncertainties for a young, tech-savvy population create a talent pool for cyber criminals.

THREAT MAGNIFIERS AND REDUCERS

Cyberwar career path
Spontaneous supply chain
Competitor espionage and IP theft using criminals
Java zero-day bug stays unpatched as it becomes 'massively exploited in the wild'28
Commoditisation of platforms such as Linux and ARM processors in cars, phones or satellites creates a larger attack surface


Examples like Eurograbber, Stuxnet, Shamoon show that adversaries are thinking about the end-to-end process to get what they want.


RECOMMENDATIONS

Organisations should be vigilant in finding ways attackers can circumvent security mechanisms. New suppliers or staff that seem too good to be true might be, and should be subject to the same background checks as everyone else, as an integrated part of existing processes.

While not all organisations will want to comply with the US House Select Committee recommendation to avoid purchasing network hardware from China, it is probably wise to consider all vendors of core infrastructure and systems, seek assurances from them, and work with governments to help ensure the security of these devices.

Current strategies try to detect counterfeit or tampered equipment by analysing devices' behaviour and examining the devices themselves. Researchers are looking for new approaches that examine the foundational components of systems and would detect malicious behaviour even when it comes from software installed at the factory29.

INDUSTRY APPLICABILITY

Retail trade: Very High
Professional services: Very High
Administrative and support and waste management and remediation services: Very High
Health care and social assistance: Very High
Public administration: Very High

BENEFITS

By identifying how attackers could circumvent security mechanisms, the organisation can re-evaluate threats and determine whether the risk is within what it is ready to accept.

Evaluations and background checks, as part of existing processes for both providers and staff, will not only detect malicious attempts but may also act as a deterrent, since criminals prefer an easier target.

CONFIDENCE RATING 75%

ISF RESOURCES

Insider threats (2007)
Profit-Driven Attacks (2008)
The Standard of Good Practice for Information Security (2012) (Category: Control Framework – Topic: CF11.2)


In late 2013, a group of criminals became dissatisfied with the success rates from their mass campaigns. They started specific campaigns against handpicked targets. Fundamental to this approach was a new marketplace that built detailed profiles of potential victims, for sale to the highest bidder. The amount of information and its accuracy – validated by independent sources – determined the value of a profile.

Sources were plentiful. The builders started by combining publicly available information with that from social networks and public clouds such as iCloud, Google Drive and Skydrive. Generation Y was a valuable source of information too, owing to their eagerness to share information about what they were doing, where and with whom. The information they shared not only provided information about themselves, but also about others, such as friends, co-workers, managers and customers.

Profiles became more and more accurate and specific, going well beyond the traditional login and password, email address, credit card number or social security number. They included information such as the make and model of mobile devices, network provider and contract details, and recent orders from online retailers. Better profiles contained more private information such as marital status, employment history, neighbours' names and children's schools. The best included time-sensitive data – such as travel plans, holiday bookings or appointment details – and behavioural information such as habits, temper, sensitivity, loyalty or propensity to being bribed.

As expected, attacks using these extensive profiles were more successful. But criminals quickly realised that the real money was in attacking organisations. The profiles provided access to the people, the people provided access to the organisation.

Some attackers were opportunistic and attacked whatever organisation employed the individuals with high-quality profiles. Others planned attacks against specific organisations and waited for relevant profiles to be built. Only the correlation of attacks could tell a victim organisation whether they’d been targeted or were simply unlucky.

While an UnPrep senior executive was away on business, an individual arrived at the executive’s home, introduced himself as a colleague, presented a valid-looking ID and used the name of a known employee.

He knew that organisational policy prohibited staff taking corporate laptops to certain countries, and that the executive was about to return from one of them. He requested the executive’s laptop, and supported his request with very specific information. He cited the organisational policy, knew the executive was travelling back on that day, knew the flight and terminal, and said he was picking him up from the airport. He knew the executive’s work location and said the executive had an emergency meeting with his boss. He referred to the executive’s assistant by name and provided a credible reason why the assistant hadn’t called the house. He had specific information such as the laptop brand and could plausibly explain why the executive had not called to warn about the laptop pickup – the emergency meeting had only been scheduled after the flight left. The person at home handed over the laptop.

Investigation after the incident revealed that shortly after the laptop was stolen, the thief called the VIP helpdesk number and the IT support team helped him recover the encryption key for the laptop. The caller had all the information to confirm his identity as the laptop owner and IT support could not have known that the caller was not legitimate. Compared to a traditional phishing email, this attack was a significant step up in social engineering using credible information. UnPrep compromised sensitive information subject to non-disclosure, opening itself up to legal action and jeopardising an important deal.

7. Information leaks all the time


Information, information everywhere

Criminals will get better at combining public records and information from the Internet with what they obtain through intrusions and data leaks. Today they use this information to craft credible emails targeted at specific individuals or organisations in an attempt to acquire sensitive information; combined with a general lack of awareness about cyber threats, these are more likely to succeed than mass mailings of fraudulent messages. In the future we expect attackers will use these sources of information to launch a new range of attacks, both virtual and physical, specifically targeting individuals for their ability to provide access to, and information about, their organisation. While personal information will continue to be valuable, organisations' information will be more so, and pursuing it a more profitable criminal activity.

The social engineering attack illustrated in the scenario is less risky than outright theft; however criminals will continue to break into houses to steal employees’ laptops and other devices.

Information leaks all the time

A 2012 KPMG study30 revealed that more than 75% of Forbes 2000 organisations were leaking information. It can come from sources under the organisation's control, such as its web sites, or from sources outside its control such as search engines, online forums and social networks. New technologies such as the chips in employee passes or corporate credit cards may be unknowingly revealing information.

The Zetas, a criminal cartel in Mexico, is leveraging information from Facebook and Twitter to identify potential opponents and take preventive action. They also predict who might be willing to go to the police, and then intervene to prevent them from doing so.

People are the weakest link

People like talking about themselves. That willingness helps criminals. Some awareness programmes aren't keeping up with the new generations of people in the workforce, or with the new issues introduced by social media.

Online accounts often use the same email address, making it easier for hackers to gather information on individuals. Each account reveals a little information, and the ones with weaker security provide what is needed to get into accounts with stronger protection. Mat Honan wrote in wired.com that "hackers destroyed my entire digital life in the span of an hour". The culprit was a combination of the "explosion of personal information being stored in the cloud" and human nature: "tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that's publicly available on one service to gain entry into another"31.

Who has your information?

New technologies are putting more personal information in external providers' infrastructure, such as Facebook, iCloud and Skydrive. New organisations, called data lockers, collect private information in order to provide convenient services, such as notifying banks, telephone and electric companies of a change of address.

Sadly they also create a repository of private information, making detailed profiles readily available to anyone who might guess a password.


Everyone – from the CEO who can't set up an iPhone to the teenage summer student – needs to realise that everything they say or digitalise can be captured and used against them or the company.

There will always be a need for customer service, for helpdesks, password resets, etc. If the people behind those processes cannot understand the full implications of the information they are providing to the caller, it will be easy for social engineers to work their way around all technical protections we have put in place.


ISF RESOURCES

Blogging and Social Networking (2009)
DLP Tools (2009)
Protecting information in the end user environment (2010)
Solving the data privacy puzzle: Achieving compliance (2010)
The Standard of Good Practice for Information Security (2012) (Category: Control Framework – Topic: CF8.7)

RECOMMENDATIONS

Organisations should consider what information about themselves and their people may be leaking out, and what they can do to control the flow. Conversely, being clear on what information is in the public domain can help security: if staff are aware that certain information is public knowledge, they can refuse to accept it as proof of identity.

Organisations should also consider ways to circumvent controls, such as the traditional encryption key reset procedure. While it is necessary to have one, the helpdesk should be just as demanding of executives or VIPs as of everyone else, and the challenge/response questions and answers should not involve publicly available or easy-to-obtain information.

Organisations may want to consider extending security awareness training to friends and family of staff; beyond improving security, it may be seen as a public service that helps the community.

INDUSTRY APPLICABILITY

Manufacturing: Very High
Finance and Insurance: Very High
Professional, scientific, and technical services: Very High
Health care and social assistance: Very High
Management of companies and enterprises: Very High

THREAT MAGNIFIERS AND REDUCERS

Operation Red October infiltrated government and other systems in Europe and the US for more than five years32
Cyber Security Awareness campaign in the UK: The Devil is in Your Details
Untrained use of social networks in organisations / Employees disclosing information
Facebook ID as proof of identity
Realisation of the value of information

BENEFITS

The organisation will be less vulnerable because its employees will be better prepared to detect suspicious activities and respond appropriately. By testing ways to circumvent controls, the organisation can assess the controls' effectiveness, change them if necessary, and maintain a more accurate risk assessment.

CONFIDENCE RATING 70%


UnPrep’s IT department was understaffed and slow to react to new business requests. They’d had no time to evaluate cloud services and therefore didn’t support their use.

Business units were attracted by the flexibility of information anywhere, anytime, on any device – and were starting to buy cloud services directly, bypassing IT and procurement. Employees who used personal cloud services started to use them at work. They didn’t read the terms and conditions of these services which specified important facts about information location, sharing or processing.

Employees were transferring copies of information between the organisation’s systems and the cloud. Copies proliferated, resulting in multiple versions that quickly became out of sync. Managers made decisions using inaccurate or out-of-date versions, sometimes with severe consequences.

The organisation was getting ready for an audit of its compliance with the certification allowing it to process and store information from its European customers. It had validated all its requirements against industry standards as well as against the certification which restricted processing and storage of European customer data to within the borders of Europe.

The auditor raised concerns when it located some information in the cloud, contradicting UnPrep's statement that it did not use any cloud services. This potential breach of standards could invalidate UnPrep's ability to process its European customers' data. UnPrep had 30 days to provide evidence that no European customer's information was stored with this cloud provider.

UnPrep didn’t know what information was in the cloud. Upon investigation they found the relevant project, which involved European customers’ data, and reviewed the business unit’s rudimentary assessment of the cloud provider made at the time the service was started. Though the cloud provider did not present any issue with the compliance initially, it had since been bought by one of its competitors. The report prepared about the cloud provider was now out of date.

Data centres had been moved to another country, outside of the EU, and regulation prevented UnPrep from having its customers’ private information in that country. UnPrep had now confirmed the non-compliance, and unless they could prove they had disengaged from this provider and retrieved all their data, the certification would be revoked, forcing them to sub-contract the processing and storage of their European customers to a certified provider.

When the organisation tried to disengage, the cloud provider could not provide the assurance it did not have copies of the data, and argued it was due to technical dependencies.

UnPrep had no idea where its information was. Business initiatives taken for local gain had repercussions on the whole organisation, and its capability to do business in Europe was threatened by the compliance breach. The organisation was losing control of data without noticing; versions were unsynchronised, with some staff using old versions, while the latest versions could disappear if an employee left the organisation.


8. BYOC (bring your own cloud) adds unmanaged risk


The changing pace of technology doesn’t help


The big bang information dispersal

If an organisation's IT function or technology provider is insufficiently flexible or unable to adapt, people will move to the cloud. Unmanaged deployment of cloud solutions within organisations can create duplicate and incomplete repositories of outdated information, which could have worse consequences than a data breach.

Organisations that can’t determine where their information is now certainly won’t be able to do so in two years’ time when information volumes will have increased exponentially.

Cloud adoption continues

The benefits of cloud services are changing the way organisations manage their data and use IT. In its 2012 State of Information Report33, Symantec reported that 46% of large organisations store information in the cloud, and that on average 23% of an organisation's data is stored there.

Unmanaged use of cloud services by staff? By suppliers?

Organisations need to know precisely to what extent they rely on cloud storage and computing. They may have information in the cloud they don't know about: the simplicity of acquiring cloud services makes it easy for local initiatives to store information there.

Outside of the organisation itself, information shared with suppliers might be stored by them in the cloud, especially as small and medium enterprises are known to have embraced cloud services as flexible and cost effective solutions.

The information explosion continues

In 2012, IBM reported that 90% of the information in the world had been created within the previous two years. Other predictions indicate that the amount of data produced in the next 12 months could be equivalent to all the information generated in the last five years. Managing information will become impossible for organisations that don't start now.

Adoption of cloud services

Demand for cloud services continues to increase: 83% of respondents attending the Cloud Computing Expo in New York said they planned to deploy cloud storage in some capacity, and 43% said that cloud storage was one of their top three priorities34.

Fifty percent of organisations use cloud for sensitive data35.

INDUSTRY APPLICABILITY

Health care and social assistance: Very High
Professional services: Very High
Finance and Insurance: Very High
Professional, scientific, and technical services: Very High
Public administration: Very High

THREAT MAGNIFIERS AND REDUCERS

Consolidation of cloud providers
Intrusion into cloud providers' infrastructure
Low price and ease of use from a wide choice of cloud providers


Getting people to agree on the value of the information they manage is the key.


RECOMMENDATIONS

Forbidding the use of cloud services will fail. IT and information security teams should instead work with the business on finding the best solutions, embracing cloud services that can deliver what internal systems can't. They should provide the business with expert advice, discussing the advantages and risks of using cloud services. Together, the business, IT, information security and information risk management teams can ensure adequate safeguards are in place. Such a proactive approach makes it less likely that unmanaged initiatives will circumvent processes and defences.

To identify cloud services already in use, whether compliant with the organisation's policy or not, organisations can monitor network connections, and also vendor payments, expense claims and corporate credit card transactions that could identify cloud providers.
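As an added example (not code from the ISF report), the following Python script applies that recommendation: it scans proxy log lines for hostnames belonging to known cloud storage providers, scans expense records for cloud vendor names on the merchant line, and correlates the two into a report of services that are not on the sanctioned list, together with who uses them and how much data has been uploaded. The proxy log format, the provider hostname patterns, the vendor keywords, the expense record layout and the sanctioned list are all assumptions for illustration, and the log lines and expense records are constructed sample data.

```python
"""Shadow-cloud discovery: correlate proxy logs with expense/payment records.

Added example, not taken from the ISF report. The log format, hostname
patterns, expense layout and sanctioned list are assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Hostname patterns for a few cloud storage providers (assumption; a real
# deployment would use a curated, regularly refreshed list).
CLOUD_PROVIDERS = {
    "dropbox":      [r"(^|\.)dropbox\.com$", r"(^|\.)dropboxusercontent\.com$"],
    "google-drive": [r"^(drive|docs)\.google\.com$"],
    "skydrive":     [r"^(skydrive|onedrive)\.live\.com$"],
    "icloud":       [r"(^|\.)icloud\.com$"],
    "box":          [r"(^|\.)box\.com$"],
}
# Services approved under the organisation's cloud policy (assumption).
SANCTIONED = {"google-drive"}

# Merchant keywords seen on card statements and expense claims (assumption).
# "dropbox" is listed before "box" so it is not misclassified as Box.
VENDOR_KEYWORDS = {
    "dropbox":      ["dropbox"],
    "box":          ["box.com", "box inc"],
    "skydrive":     ["skydrive"],
    "icloud":       ["icloud"],
    "google-drive": ["google drive", "google apps"],
}

# Constructed proxy log lines: "<epoch> <user> <method> <url> <bytes>".
PROXY_LOG = """\
1357000001 alice GET https://www.dropbox.com/home 2048
1357000002 alice POST https://dl-web.dropbox.com/upload 5242880
1357000003 bob GET https://docs.google.com/document/d/abc 1024
1357000004 carol GET https://www.example.com/ 512
1357000005 dave PUT https://app.box.com/api/2.0/files/content 10485760
1357000006 alice GET https://onedrive.live.com/ 4096
"""

# Constructed expense records: (date, employee, merchant text, amount).
EXPENSES = [
    ("2013-01-07", "alice", "DROPBOX*PRO MONTHLY", 9.99),
    ("2013-01-09", "erin", "Box Inc - Business plan", 45.00),
    ("2013-01-12", "carol", "Office Supplies Ltd", 31.20),
]

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$"
)


def classify_host(host):
    """Return the provider name for a hostname, or None if it is not a known cloud service."""
    host = host.lower().rstrip(".")
    for provider, patterns in CLOUD_PROVIDERS.items():
        if any(re.search(p, host) for p in patterns):
            return provider
    return None


def parse_proxy_log(text):
    """Per provider: the users who talked to it and the bytes sent in request bodies."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort on real logs
        provider = classify_host(urlsplit(m["url"]).hostname or "")
        if provider is None:
            continue
        entry = hits.setdefault(provider, {"users": set(), "bytes_uploaded": 0})
        entry["users"].add(m["user"])
        if m["method"] in ("POST", "PUT"):  # request body = data leaving the network
            entry["bytes_uploaded"] += int(m["bytes"])
    return hits


def scan_expenses(records):
    """Map each provider to the expense records whose merchant text names it."""
    hits = {}
    for date, employee, merchant, amount in records:
        text = merchant.lower()
        for provider, keys in VENDOR_KEYWORDS.items():
            if any(k in text for k in keys):
                hits.setdefault(provider, []).append((date, employee, amount))
                break
    return hits


def shadow_cloud_report(log_text, expense_records, sanctioned=SANCTIONED):
    """Combine both sources and keep only providers outside the sanctioned list."""
    net = parse_proxy_log(log_text)
    pay = scan_expenses(expense_records)
    report = {}
    for provider in sorted(set(net) | set(pay)):
        if provider in sanctioned:
            continue
        n = net.get(provider, {"users": set(), "bytes_uploaded": 0})
        report[provider] = {
            "users": n["users"],
            "bytes_uploaded": n["bytes_uploaded"],
            "payments": pay.get(provider, []),
            "paid_for": provider in pay,
        }
    return report


if __name__ == "__main__":
    for name, info in shadow_cloud_report(PROXY_LOG, EXPENSES).items():
        print(f"{name}: users={sorted(info['users'])} uploaded={info['bytes_uploaded']} "
              f"paid_for={info['paid_for']} payments={info['payments']}")
```

The two sources deliberately catch different things: the proxy log finds free or personally paid services that never appear in the finance system (the Skydrive use above), while the expense records find paid subscriptions whose traffic may run over a channel the proxy does not see, such as a home connection (the Box subscription claimed by a user who never appears in the log). Upload volume on POST/PUT requests is the indicator worth triaging first, since it is the data actually leaving the organisation.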

Organisations should create and distribute a corporate policy on the use of cloud services and run a user awareness programme. When contracting for cloud services, organisations should follow ISF guidance to ensure the service contracts comply with information security best practice.

BENEFITS

By developing a deep understanding of the needs of the business, and knowing when cloud services can meet those needs better than internal services, IT will empower the business and demonstrate agility.

The organisation is less likely to be exposed to the risk of unmanaged cloud initiatives. Business units will be more aware of the risk associated with the use of cloud services and will welcome information security support in both risk management and contract terms.

CONFIDENCE RATING 80%

ISF RESOURCES

Security Implications of Cloud Computing (2009)
Securing Cloud Computing: Addressing the Seven Deadly Sins (2011)
The Standard of Good Practice for Information Security (2012) (Category: Control Framework – Topic: CF16)
Securing the Supply Chain (upcoming 2013)
Data Privacy in the Cloud (upcoming 2013)


2012 was the year organisations explored how to incorporate employees’ devices into the network. By the end of the year, several organisations had rolled out a Bring Your Own Device policy. A number of mobile device management solutions were available on the market, with different targets and different approaches and capabilities.

2013 was the year of adoption and general deployment of device management solutions to connect employees' personal laptops and mobile devices to the corporate network. Staff and executives demanded their devices, and UnPrep had to comply. Competitors were already doing it, attracting staff that UnPrep wanted to hire or retain. Vendors of device management solutions promised huge cost savings from these initiatives.

2014 was the year of troubles. Though the number of stolen mobile devices had been increasing, mostly due to their high resale value, new patterns emerged clearly demonstrating that some devices were targeted for their content or their capability to connect to organisations’ networks. Research by criminal organisations and security professionals revealed a number of vulnerabilities, affecting all devices, and putting organisations’ information further at risk. To complicate things further, the exploding number of apps and their constant updates made traditional controls obsolete. New controls were rejected by staff because they were too difficult or intrusive.

UnPrep started with senior management, who wanted access for their tablets and personal laptops. They saw an opportunity to reduce costs by extending the offer to the entire staff.

The incident occurred when an employee installed the latest version of the operating system on his device, at home, on the weekend. He didn’t have a compatible version of the security package provided by UnPrep, and eager to get the device working by Monday, he continued his install. He downloaded all the tools he regularly used from a software sharing site, rather than downloading them individually from each developer’s website. Unfortunately, the tools he downloaded were infected.

When he connected to the organisation’s network, the infected software requested personal and professional information about the device’s owner and his role in the organisation. The employee was prevented from using his device and the information on it until he provided all the required information. Thinking it was a new corporate process to improve information security on the device, the employee willingly provided all the information.

His device provided a backdoor for criminals to access the organisation’s network. It also propagated the infection to co-workers’ devices. His colleagues assumed, as he did, that this was a new security process, and they too answered all the questions. While many complained, no one questioned the new system or raised their concerns. It was only discovered by accident. By then, the criminals had collected a considerable amount of personal and corporate information to use in phishing and other social engineering attacks.

Bring your own device further increases information risk exposure9

Must have my mobile
Organisations won’t be able to ignore bring your own device (BYOD) initiatives. They create a differentiator for organisations to attract and retain talent, and the productivity and collaboration benefits are promising.

But organisations that do not carefully consider the integration of privately owned devices into the organisation’s network will expose themselves to significant risks. The change of ownership of the device will create different expectations, and organisations cannot impose an acceptable use policy similar to the one applied to corporate-provided devices. Not all device management solutions will provide the same quality of service or support a comprehensive range of devices, and the diversity of future devices will be difficult to manage.

Exploding devices
BYOD will continue to be a trending topic; the coming years will see an explosion of new devices along with their continuous adoption. Organisations are now employing a generation that has always known smartphones and will likely be eager to adopt new gadgets, such as smart glasses and other wearable devices, as they emerge.

Organisations will realise the full complexity of BYOD
BYOD is promoted as a solution that allows organisations to save the cost of buying devices for their workforce. The potential saving should be balanced against the cost. Integrating employees’ devices within the organisation’s infrastructure requires planning and redesign – and the addition of a mobile device management system or equivalent. Employees may resist the controls organisations will impose.

Consumer dream, support nightmare
Manufacturers announced during the 2012 Consumer Electronics Show (CES) in Las Vegas that they will introduce their own mobile device operating systems. If that happens, organisations may be asked to support an increasing number of different systems and devices from different manufacturers. Even if they restrict employees to a limited number of approved devices, they still have to support each new release of operating systems, applications and security updates.

When the organisation owns the device, it can manage the software versions and only apply updates once they’re known to be stable and secure. When the employee owns the device, the organisation loses this control.

NPD DisplaySearch announced in July 2012[36] that it expected tablet sales to surpass laptop shipments by 2016. In January 2013[37], it re-evaluated its forecast, saying that tablet shipments would surpass laptops in 2013.

Malware proliferation: no cure in sight
Anti-virus vendors see more than 33 million new variants of malicious software every month[23]. And while some people found assurance in device diversity, claiming for example that Apple devices were immune to PC viruses, new research shows that cross-platform viruses are possible, targeting disparate systems simultaneously.

Consumer, not business, devices
Whereas some mobile devices are designed for enterprise use, others are designed with the consumer in mind. Consumer devices receive upgrades driven by consumer demand, while the features needed to manage these devices in organisations evolve little[38]. More importantly, with their emphasis on the consumer, they often come with features designed for consumers that organisations would oppose. For example, the latest release of the iPhone/iPad operating system was criticised by organisations for its use of iCloud and its integration with Facebook and Twitter. Similarly, Android and Windows devices use Google and Microsoft clouds respectively.

Users are bringing in their own devices or are using web-based (cloud) systems that are difficult to control centrally.

RECOMMENDATIONS
Organisations need to determine their requirements and understand the risk associated with connecting employees’ devices to the organisation’s infrastructure. This risk assessment should be regularly updated, as hardware and software change.

Organisations should determine and communicate the intended and acceptable use of privately owned devices, specify which devices and operating systems are supported, and when new ones will be added. Staff must be assigned to manage the technical infrastructure and provide support to employees.

Incident management is essential, and organisations will want the capability to perform forensic analysis and monitoring of devices when necessitated by an incident; this can be a challenge when the organisation doesn’t own the device.

INDUSTRY APPLICABILITY
Retail trade: Very High
Utilities: Very High
Information: Very High
Finance and Insurance: Very High
Professional, scientific, and technical services: Very High

THREAT MAGNIFIERS AND REDUCERS
• Organisations, pressured by executives and boards, deciding to implement BYOD without considering security
• Applications as a malware vector, where mobile applications propagate viruses across platforms

BENEFITS
Bring your own device initiatives promise significant benefits, including improving productivity, attracting and retaining talent and reducing costs. But these business benefits will only materialise if the initiative is carefully managed by the organisation.

CONFIDENCE RATING 95%

ISF RESOURCES
Bring Your Own Device (BYOD) Draft Checklist (2012) – as part of the MDSIG

Best Practice in Securing Endpoint Computing Devices (2007)

Protecting Information in the End User Environment (2010)

Securing Consumer Devices: No time to stand still (2011)

The Standard of Good Practice for Information Security (2012) (Category: Control Framework – Topic: CF14)

Mobile Device Special Interest Group (MD SIG)

10. Governments and regulators won’t do it for you

Governments were quick to announce all kinds of cyber security initiatives and to declare the importance to businesses and citizens of being able to operate safely in cyberspace. They brought businesses, government organisations and non-profits together to collaborate on cyber security. They took a leading role in raising awareness with both the general public and the private sector.

Some governments created initiatives to provide guidance to organisations on how to tackle specific issues. A few governments opened their threat intelligence sharing systems to private organisations for better cooperation.

UnPrep somehow missed the government’s very clear position that cyber security was not its exclusive responsibility – that it expected organisations to be responsible for their own cyber security. And while compliance with regulations was necessary, it wasn’t sufficient.

UnPrep learned that a patent application had been filed by a new organisation, unknown in the industry and located in a foreign country, for technology that UnPrep had been developing for several years. The technology was fundamental to a series of projects that were key to UnPrep’s future.

UnPrep regularly hired people through a government-sponsored employment agency. Further investigation uncovered that several of the employees referred by the employment agency had played an active role in the patent leak. UnPrep had expected the government agency to check the people it recommended, but the agency said that background checks were UnPrep’s responsibility.

UnPrep also expected the government’s systems to have detected that a significant amount of its most important intellectual property was leaving the country. The government repeated its message that it expected organisations to be responsible for their own cyber security, and that its monitoring was limited to critical national infrastructure and significant attacks.

While sympathetic to the business issue of lost intellectual property and its potential damage to the economy, the government was limited in what it could do about an organisation in a foreign country. The foreign government was not willing to help and did not accept UnPrep’s evidence that it owned the technology.

When UnPrep’s product went to market, the foreign organisation sued for patent infringement. Its patent was legal and UnPrep lost the case; it had to pay compensation and saw its products banned in several regions.

UnPrep paid the price for not understanding the role of governments and regulations, lost valuable intellectual property and the corresponding revenue, and suffered negative press for not protecting its research.

Big brother is not watching (out for) you
Governments have a key role to play in securing cyberspace: from coordination and advocacy to raising public awareness and potentially sharing threat information[39]. But they have no intention of leading information security and cyber security efforts. They expect organisations to manage risks in cyberspace and prevent information and systems from being compromised. Likewise, regulations are not a substitute for risk management, and will never evolve as quickly as technology and its uptake. Organisations that depend on governments to lead or secure cyberspace will suffer, as will those that respond only by complying with regulations.

Over the next two years, while governments will face cyber security threats like any other organisation, we expect them to share their intelligence, promote collaboration between organisations, and issue guidance and support to help organisations and individuals protect themselves. Regulators will address some of the issues introduced by new technologies, facing the usual tension that regulations should offer protection without stifling business development.

The role of government must not be misunderstood

Governments are expecting organisations to manage their own risks
During the 2012 ISF Congress, panellists were unanimous in saying that governments expect organisations to be adequately prepared. They expect organisations to manage risks in cyberspace and not to compromise what’s important to protect.

Regulations are not keeping up with the speed of technology and its adoption
Regulations are complex and take time to develop. Regulators cannot keep up with the pace of technology evolution, and should not try to. In 2012, the PCI Security Standards Council admitted that the PCI DSS standard was not currently addressing every issue specific to mobile payment. For many mobile payment options, the industry is going to have to wait longer[40].

RECOMMENDATIONS
Understand the role government plays in relevant jurisdictions. The general view of governments in Europe and North America is that they want to encourage organisations to protect their information by:

• providing guidance
• working with independent parties (such as the ISF)
• sharing information (threat intelligence).

They also want to raise public awareness, and provide some assistance to small and medium enterprises, which don’t have the same capabilities as large organisations.

Understand that governments think it is the organisation’s responsibility to protect its own assets – and they expect organisations to be adequately prepared.

Organisations should, where possible, improve information security by leveraging regulatory compliance efforts. Rather than putting in place the bare minimum to qualify for strict compliance, use the opportunity to bring security standards up to the level appropriate for the organisation.

INDUSTRY APPLICABILITY
Utilities: Very High
Health care and social assistance: Very High
Finance and Insurance: Very High
Retail: High
Manufacturing: High

THREAT MAGNIFIERS AND REDUCERS
• More regulations and stronger regulation might create conflicts
• Conflicting interests around cybercrime prevention, for example governments preventing network attacks while promoting human rights by allowing online communications
• Automated evaluation of auditability based on fixed criteria
• Cyber compliance vs cyber cooperation: fear that governments will implement regulation to enforce compliance with cyber laws, driving people away from cooperating in cyberspace

This is not a ballistic missile defence that you leave to governments. Organisations must do their part.

BENEFITS
By determining how government will help, and what support law enforcement will provide when an incident occurs, the organisation will ensure it’s not relying on government to take actions that won’t be forthcoming.

By leveraging information made available by governments, both in terms of threat intelligence and guidelines, the organisation will supplement its existing efforts to accurately assess and manage the risks to its business.

CONFIDENCE RATING 70%

ISF RESOURCES
Security and Legislation: Complying with information security-related legislation (2005)

The Standard of Good Practice for Information Security (2012) (Categories: Security Requirements and Security Monitoring and Improvement – Topics: SR2 and SI2.3)

3 Conclusion

The relative novelty of the threats described in the previous pages is largely irrelevant. Whether they’re old or new is much less important than their potential to do harm.

The risk to our organisations from known threats is increasing, because:

• Threats mature with time; their sophistication and effectiveness increase.
• Many attackers just want results and will take the path of least resistance.
• Evolutionary changes can have revolutionary impact.

In addition, new threats will continue to emerge as new technologies are introduced before they are fully protected. Criminals will consider how they can develop new attacks that will further their aims.

Threats mature with time; their sophistication and effectiveness increase
As with any endeavour, time brings experience, which in turn brings effectiveness. Attackers have improved their skills, learned what does and doesn’t work, and honed their methods. Viruses have increased in effectiveness to the point where they can infect tens of thousands of systems in minutes.

Emails that attempt to convince the recipient to take action, such as resetting a password or revealing information, have become so convincing that they have caused losses in the millions.

Many attackers just want results and will take the path of least resistance
Cyber criminals want results and will do what’s easiest and most effective. Why bother with something new that might fail? New or emerging threats can take time before they’re effective, and it can make more sense to go with a sure thing.

In 2011 the ISF coined “Malspace” to describe the organised global industry that has evolved to commit cybercrime, espionage and other malevolent activity in cyberspace. As Malspace matures further, cyber criminals will continue to purchase the components of an attack – whether it’s a piece of software, a service to plan and coordinate an attack, or detailed information about an organisation or individual.

Evolutionary changes can have revolutionary impact
Evolutionary changes, such as the upgrade of 3G mobile networks to 4G, can have revolutionary impacts as they fundamentally change the way people use their devices. Early adopters of 4G networks would rather download a five-minute video of the latest news report than read an online article. They are using cloud-based music and video more than music and video saved on their devices.

In the early months of 2010, smartphones represented barely 17% of all mobile handset sales[41]. In the two years since then, they have revolutionised our access to information and are everywhere in our organisations. By the end of 2012, they represented almost 40% of all mobile phone sales[42], a 47% increase from the year before in a decreasing market (-3.1%). A major police force reported that mobile phones accounted for 70% of items stolen in personal robberies[43]. Many of those likely held organisational data, and as more criminals target devices for their data rather than the device itself, they’ll defeat the remote wiping capabilities.


New threats will continue to emerge
While this year’s report focuses on familiar threats, new ones will still emerge. Those that take advantage of historical knowledge about what works and what doesn’t (good practice, in essence) are likely to become more effective more quickly.

IPv6 is yet to be widely adopted by organisations and could be used as a vector for new threats to emerge. These new threats, exploiting a new technology, will take advantage of the knowledge built up on the technology IPv6 is going to replace.

The Raspberry Pi, a fully functional PC about the size of a credit card, costs only US$35. A device that small, used for malicious purposes, can be more easily hidden and less easily detected. A PC that cheap makes accumulating computing power inexpensive. As their computing power increases, we may even see a new BYOC threat: build your own cloud.

There is no room for complacency. Organisations must act now or be left behind. They must raise their understanding of cyber risks and rewards, and position appropriately skilled people in the right roles. The longer an organisation delays action, the harder it will be to catch up.

No organisation wants to discover that it has waited too long, only to find a hill too steep to climb – that achieving cyber resilience has become unaffordable or too difficult given its organisational constraints.

4 Implementation in practice – how ISF Members use the Threat Horizon report within their organisations

The following case studies show the ways ISF Members have used previous Threat Horizon reports in their organisations, and the value they’ve received from doing so.

1. Communicating threats to business

Type of ISF Member: Large manufacturing organisation

Approach taken: Communications tool

Why Threat Horizon?
• Creates discussions and debate, engages different audiences
• Helps frame a future-thinking mindset in a discussion
• Gives a reason to think strategically and proactively
• Gets big buy-in from corporate communications
• Timing, given the Sony hacks, helped engage the board

How was Threat Horizon used?
• To conduct strategic planning
• To launch an awareness campaign
• To create an opportunity, a reason to engage different audiences

What changes were made to be able to apply Threat Horizon internally?
• We mapped Threat Horizon trends to our business strategy (opportunity and risk – both forward looking), to the Threat Horizon themes, internal implications and actions to overcome them
• We created four versions of the Threat Horizon for different audiences, two of which were written by a professional writer
• The awareness version was supported by quotes from the CEO and CFO
• We reviewed all the threats and discounted those that didn’t apply to the organisation

Who was engaged?
• Executives (briefing)
• Information security (strategic planning)
• Stakeholder groups (synergies)
• Trusted partners (innovation)
• All employees (awareness)

How much time and effort was required to do all this?
• About five staff-days of effort over about a month to have a good internal draft

What were the overall outcomes?
• We created a personal version of the Threat Horizon for different people (for example the HR director, the CFO...)
• We launched two successful security initiatives as a direct outcome


2. Developing a risk modelling tool

Type of ISF Member: Large manufacturing organisation

Approach taken: Risk modelling tool

Why Threat Horizon?
• Provides structure, a good place to start for blue-sky thinking
• Great tool for communication with the business
• Threat radar and threat indicators used for early warning if a threat is likely to materialise
• Used to obtain recognition that business activities could influence the threat environment
• It might help in mitigating an emerging threat before it hits
• Helps reinforce the difference between threats and risks – that threats may turn into business risks
• Business activities can influence threats

How was Threat Horizon used?
• To assess the relevance of threats and threat actors
• To perform threat modelling
• To communicate with the business
• To help with overall risk management training – good awareness training for the security function

What changes were made to be able to apply Threat Horizon internally?
• We created an overview of threats with a corporate outlook, threat type, threat actors, corporate significance and (early warning) indicators
• We changed a few threats to make them more relevant to the business
• We added indicators and triggers that can drive a threat

Who was engaged?
• Information security, business continuity
• Business leaders
• Employees

How much time and effort was required to do all this?
• Total effort was less than a week
• It saved us time by reducing the need to review other resources

What were the overall outcomes?
• It helped to bring our overall risk processes to life
• It improved relevant communication with senior risk management


3. Creating a broad threat model

Type of ISF Member: Large regulated information service activities organisation

Approach taken: Creating a broad threat model

Why Threat Horizon?
• It helps the broader business understand the universe of threats
• It provides a line of sight between controls, threats and people

How was Threat Horizon used?
• To obtain the threat intelligence
• To focus security controls
• To update security strategy – medium and long-term requirements
• To explain to stakeholders why security resources are invested the way that they are

What changes were made to be able to apply Threat Horizon internally?
• We built it into a threat model

Who was engaged?
• Executive committee
• Technology and business leadership
• Auditors and customers

Was it easy or difficult?
• Relatively easy to do

How much time and effort was required to do all this?
• One person for one week

What were the overall outcomes?
• Consensus on threats enables us to plan with more certainty
• Improved our response time when previously reviewed threats get raised again (no need to re-justify the whole threat model every time)

4. Aligning business and security strategy

Type of organisation: Large manufacturing organisation

Approach taken: Strategy tool

Why Threat Horizon?
• Threat Horizon and other ISF tools help with the three main aims of a security function:
  − supporting the organisation
  − raising the profile of the security function
  − defending against threats
• Helps the broader business understand threats
• Confirms the value of a security strategy being implemented
• Allows you to look at the crystal ball
• Free as a part of Membership (an equivalent report on this topic produced by a consultancy would cost £50k)

How was Threat Horizon used?
• To provide an annual update to the strategy
• To review threats from previous years
• To understand impact and prepare the responses to anticipated threats or changes in short / medium / long-term requirements
• To determine changes to business critical systems (communications, critical infrastructure)
• To help build a credible business case to enhance the security function – cheaper to do up-front than after an incident

What changes were made to be able to apply Threat Horizon internally?
• PLEST analysis applied to the internal operating model to make it real and relevant to the organisation
• Included the geographic perspective

Who was engaged?
• Business owners of the critical business applications (in terms of identifying impact)
• Stakeholders in the end-to-end business process (to build the business case)
• Enterprise architects (to understand what controls are in place that can be used and how to fill the gaps)
• The board (to sell the business case)
• Fundamental business partners in Asia (to understand their long-term business strategy)

How much time and effort was required to do all this?
• Two weeks to get the business case sharpened up
• Four weeks to take Threat Horizon through internal PLEST analysis and turn it into a strategy

What were the overall outcomes?
• Live, up-to-date strategy
• Business plan for security modelled against the business operating model
• Made the security function look good (when predictions materialised)

5. Influencing the risk appetite

Type of organisation: Large, regulated financial and insurance activities organisation

Approach taken: Influencing the organisation’s risk appetite

Why Threat Horizon?
• Regulated environment, to avoid reputational damage and breaches
• Relied upon by business partners, industry bodies, third party processors

How was Threat Horizon used?
• To start meaningful discussions across a varied audience
• To promote information risk assessment into the strategic and tactical agenda
• To set the information security strategy
• To perform risk assessments and risk prioritisation
• To help with proposal approval and prioritisation

What changes were made to be able to apply Threat Horizon internally?
• Amended the deliverable to reflect direct perceived threats to the organisation, expected future regulation and identified strategic business opportunities that could impact the information security posture (both positive and negative).

Who was engaged? (outside infosec)
• Board
• Audit Committee
• Information risk executive
• Departmental risks and issues groups

How much time and effort was required to do all this?
• To work with the software and adapt the base deliverable to our needs: approximately two staff-weeks of effort

What were the overall outcomes?
• Focussed attention on key individuals within the organisation helped smooth the introduction and acceptance of Threat Horizon as a valid business tool
• Worked into the overall information security awareness programme; it was easy to disseminate the principles and highlight the impact of events, decisions and responsibilities in respect of information security across all areas
• Greater appreciation of the growing importance of information security
• The need for involvement in business planning (both strategic and tactical) at the earliest opportunity
• A concise document for discussion with senior business management
• Better understanding of the potential convergent risk to our information security posture

Appendix A: Industry Applicability

Though threats are universal, certain industry sectors are more prone to cyber attack. In this summary we have selected the four sectors that are most vulnerable and most tempting for criminals to attack.

Lack of government intervention will be a very high priority for the industry sectors listed above but perhaps not so for others: navigating the evolving cyber landscape while understanding tighter financial and industry-specific regulations will make this a very real issue for Financial Services and Utilities organisations, whereas others, such as professional services organisations, are less likely to be affected by the lack of government action in this arena.

Organisations must identify the risk these threats pose to them in order to take appropriate mitigating actions. If your industry sector is not listed as having a high or very high risk, do not assume the threat does not apply: it almost certainly does.

Utilities

The utilities sector is the backbone of a country’s critical national infrastructure. It’s also a sector which has relied on Industrial Control Systems (ICS) and SCADA systems for many years. These systems have a reputation, whether accurate or not, for not reaching the same level of security as other systems [45]. This situation is creating fertile ground for FUD, and stories from the past have proved that people are quick to jump to cyber attack explanations, and the media quick to relay these stories, even in the case of innocent system failures.

Finance and insurance

Banking is likely to be the most attractive target for criminals and hacktivists. Not only is it ‘where the money is’, it’s also perceived by many as capable of leading the global economy into decline. Insurance companies are also likely targets for the same reasons.

As the financial sector business is – and for a long time has been – based on IT systems, it’s most likely that information security arrangements are robust and that the ‘CEO gets it’. However, this is not always guaranteed, and instances where that doesn’t apply could lead to an attack that could be termed disastrous, particularly considering the fragile state of the world economy.

Furthermore, false representations by hacktivists could have serious repercussions both within and beyond this sector. Now, more than ever, finance sector organisations need to monitor what is said about them – and address any rumours that could affect their reputations.

Retail

The retail sector has already been a target in the past, with some online and high street brands allegedly conducting themselves in an unethical way. Though this sector is a less attractive target to activists and hacktivists, attacks against well-known brands are still likely to hit the front pages [44]. Information kept by retailers about their customers is of extremely high value to malicious users, who might consider exploring where organisations store their information and which profiles make the best targets.

Health care and social assistance

In the healthcare sector, where intellectual property is developed over long periods, patents are often applied for only shortly before the product is released to market. A CEO who doesn’t understand information security and cyber risk could greatly endanger the future of his or her organisation, as the theft of IP not protected by patent could greatly impact the organisation’s profitability.

Additionally, this sector holds some of the most private information about individuals, and the exposure of this information has been shown to be a great embarrassment to the organisations involved. Furthermore, patient data that has been maliciously altered, thus losing its integrity, could put the lives of patients at risk.

Unmanaged use of cloud services by healthcare providers could have disastrous consequences, and the introduction of BYOD should be carefully considered in light of the risk of exposure of personally identifiable information.


Appendix B: Threat radar

The key difference between threats and risk is context. Threats are universal and are independent of context, whereas risk is specific and is a function of context. The risk a given threat poses to an organisation is specific to that organisation, its vulnerabilities, industry, geography, preparedness and so on.

A threat radar is a tool organisations can use to view the relative risk of different threats. Different threat radars have different axes, plotting different elements of risk. For example, one threat radar could plot impact vs likelihood and another could plot impact vs ability to manage. (A three-dimensional radar could plot impact, likelihood and ability to manage all on one graph.)

To use a threat radar, first collect threats from this report and other sources. Then choose the axes that best suit your organisation, or create multiple threat radars. Next, evaluate the threats according to the axes, and place them on the radar accordingly.

The illustration below shows how three threats pose different risks to the fictional organisation Ready Inc.

[Figure: Ready Inc. threat radar. Horizontal axis: ability to manage, from low ability to manage (left) to high ability to manage (right), on a scale of very low, low, medium, high, very high. Vertical axis: impact, from low impact (bottom) to high impact (top). Threats 5, 6 and 8 are plotted.]


Its information risk assessment methodology, so it doesn’t want to consider it here. They and their management team have a current focus on cyber resilience, and want to consider how well they could manage incidents, so they’ve chosen the axes “ability to manage” and “impact”.

Threat 5: Hacktivists create fear, uncertainty and doubt

Ready recognises that it is vulnerable to attacks that spread misinformation, as its reputation is very important. Ready conducted a post-incident review of a recent incident where false claims created negative publicity, and found that many of its customers simply didn’t believe the stories, so they’ve assessed the impact of this threat as medium.

They have a high ability to manage such incidents – they monitor what’s said about them online, and have plans in place and responses prepared (as confirmed by the post-incident review) – so have rated the ability to manage as high.

Threat 6: Crime as a Service (CaaS) upgrades to v2.0

Not being a bank or other high-profile target, Ready hasn’t been targeted by cyber criminals. They’ve also traditionally not been a target for intellectual property (IP) theft, as their IP is quite specific and their products, medical devices, have been difficult to manufacture. Ready has ranked the impact as medium but increasing, as the advent of 3D printers is lowering the barrier to entry for counterfeit product: as 3D printers expand from plastics to other materials such as titanium, the risk that their IP will be stolen grows.

Ready ranks their ability to manage this as “low”. Because they’ve recognised the urgent need to address it, they’ve shown their ability to manage it as increasing (as shown by the white arrow). The potential impact is increasing as well, although not as quickly.

Threat 8: BYOC (Bring your own cloud) adds unmanaged risk

Ready uses cloud services to store clinical trial data, and although the data is anonymised and encrypted, Ready knows that the headlines surrounding a breach would likely omit this detail. Because a data breach in the cloud would have a very high impact, threat 8 sits high on the graph.

Ready is confident in its ability to manage this specific threat, namely staff making their own cloud arrangements. Ready is aware of all its cloud usage. It allows cloud services to be deployed where IT services can’t meet the business need, and has sound processes for risk assessment and mitigation. With its well-developed policies and successful track record so far, Ready puts threat 8 far to the right.
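The procedure above (collect threats, choose axes, rate each threat, place it on the radar) and the Ready Inc. walk-through, as an added worked example that is not part of the ISF report: the ratings are those the appendix gives for Ready Inc., while the exposure score, the ranking rule and the ASCII rendering are this example's own assumptions, as is rating threat 8's ability to manage as "very high" (the text only says "far to the right").

```python
"""Threat radar, as described in Appendix B of the report.

Each threat is rated on two axes (here impact vs ability to manage, the
axes Ready Inc. chose) and placed on a grid; the threats are then ranked so
that the ones needing attention first (high impact, low ability to manage)
come out on top. The scoring rule and the rendering are this example's own
choices, not the report's.
"""
from dataclasses import dataclass

# Five-point scale used on both radar axes.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
LABELS = list(SCALE)


@dataclass(frozen=True)
class RadarEntry:
    number: int               # threat number from the report
    name: str
    impact: str               # rating on the vertical axis
    ability: str              # ability to manage, the horizontal axis
    impact_trend: int = 0     # +1 rising, 0 stable, -1 falling
    ability_trend: int = 0    # +1 improving, 0 stable, -1 worsening

    def position(self) -> tuple[int, int]:
        """(x, y) grid position: x = ability to manage, y = impact."""
        return SCALE[self.ability], SCALE[self.impact]


def exposure(entry: RadarEntry) -> int:
    """Assumed scoring rule (not from the report): impact scaled by how
    poorly the threat can be managed, giving 1 (best) .. 25 (worst)."""
    x, y = entry.position()
    return y * (6 - x)


def rank(entries):
    """Most pressing first: highest exposure, then rising impact, then
    the weakest improvement in ability to manage."""
    return sorted(
        entries,
        key=lambda e: (exposure(e), e.impact_trend, -e.ability_trend),
        reverse=True,
    )


def trend_mark(entry: RadarEntry) -> str:
    """Suffix standing in for the report's arrows: ^/v for the impact
    trend, >/< for the ability-to-manage trend."""
    up_down = {1: "^", 0: "", -1: "v"}[entry.impact_trend]
    left_right = {1: ">", 0: "", -1: "<"}[entry.ability_trend]
    return up_down + left_right


def render(entries) -> str:
    """ASCII radar: impact rises up the page, ability to manage runs left
    to right, matching the axes in the report's illustration."""
    cells = {(x, y): [] for x in range(1, 6) for y in range(1, 6)}
    for e in entries:
        cells[e.position()].append(f"{e.number}{trend_mark(e)}")
    lines = []
    for y in range(5, 0, -1):   # very high impact on top
        row = "|".join("/".join(cells[(x, y)]).center(9) for x in range(1, 6))
        lines.append(f"{LABELS[y - 1]:>9} |{row}|")
    lines.append(" " * 10 + "+" + "+".join(["-" * 9] * 5) + "+")
    lines.append(" " * 11 + "".join(label.center(10) for label in LABELS))
    lines.append(" " * 11 + "ability to manage ->".center(50))
    return "\n".join(lines)


# Ready Inc.'s ratings from Appendix B. Threat 8's ability to manage is
# described only as "far to the right"; "very high" is assumed here.
READY_INC = [
    RadarEntry(5, "Hacktivists create fear, uncertainty and doubt",
               impact="medium", ability="high"),
    RadarEntry(6, "Crime as a Service (CaaS) upgrades to v2.0",
               impact="medium", ability="low",
               impact_trend=1, ability_trend=1),
    RadarEntry(8, "BYOC (Bring your own cloud) adds unmanaged risk",
               impact="very high", ability="very high"),
]

if __name__ == "__main__":
    print(render(READY_INC))
    for e in rank(READY_INC):
        print(f"threat {e.number}: exposure {exposure(e):2d}  {e.name}")
```

Under this scoring threat 6 ranks first even though its impact is only medium, because the low ability to manage it outweighs threat 8's very high impact that Ready is well placed to handle; changing the axes or the weighting is the point of building more than one radar.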


Appendix C: Revisiting predictions from Threat Horizon 2013

The ISF Threat Horizon 2013 report was released in 2011 and looked at threat scenarios that were likely to arise by 2013. This appendix reviews our predictions for 2013 in light of real world developments that have taken place since the Threat Horizon 2013 report was published and provides commentary as to whether Members should still pay attention to the predictions.

Trend and trend description / Should I still pay attention to this trend?

Cyber (in-)security
Trend description: Governments are soon going to take a starring role in cyberspace. While many of the changes will be beneficial, look for legislation and regulation that mandates procedures and behaviours in cyberspace – much of which may be disjointed – and an increase in cyber-defence activities.
Should I still pay attention to this trend? Increasing
The US government has admitted developing a pre-emptive strike capability against cyber threats which could harm US citizens or national infrastructure. The US government is ready to bypass the House of Representatives to pass the cyber bill by Executive Order.

Increasing levels of attacks are being detected worldwide against infrastructure, including recent attacks against Israel and attacks against US banks and infrastructure (increased 17-fold between 2009 and 2011).

During October 2012, Kaspersky Labs uncovered a high-level cyber espionage campaign called Red October that had targeted several governments and businesses.

An open knowledge society
Trend description: The overall attitude toward the way information is used is slowly undergoing a major change due to benefits from transparency, timely information sharing and open collaboration on multiple levels – personal, organisational and global. All are left struggling to strike a balance between transparency and confidentiality (or privacy).
Should I still pay attention to this trend? Still a concern
Open data initiatives from central governments are making more government information publicly available. At the same time, the prevalence of Wikileaks is on the decline.

The number of information and data sharing tools is ever increasing, along with their acceptance as the norm by younger generations. Many social networks are changing privacy and information policies to make even more information ‘public’ by default; indeed, Facebook has recently announced powerful new search functionality (though this is likely to appeal as much to advertisers as to end users).

There is a dark side to this – as use of public services increases (eg growth in Wikipedia), credibility and trust are in some cases declining.


The Internet: A flat Earth?
Trend description: A host of new entrants – many from the developing world – will suddenly crash headlong into the Internet, potentially increasing instability and accelerating cybercrime.
Should I still pay attention to this trend? Decreasing
The size of the Internet is ever increasing. In several regions globally, the IPv4 address limit has been reached, forcing a switch to IPv6.

The cost of responding to cyber crime continues to increase, both as a result of actual losses from real attacks, and from organisations increasing their defences.

The number of non-computing devices (eg in-car systems, home appliances, smart meters etc) attached to the Internet is increasing in many regions, and will soon outnumber traditional computing devices. Many of those devices will use IPv6 and new protocols that may not be protected using traditional mechanisms; many do not have built-in security.

However, cyber security awareness is increasing amongst the public and businesses alike, helped by events such as the National Cyber Security Awareness Month. This has been held in the US each October for several years, and since 2012 has also been held in Europe.

Smart Enterprise
Trend description: The need to boost efficiency and improve the utilisation of assets will continue driving organisations to greater use of cloud computing, smart sourcing and smart technologies.
Should I still pay attention to this trend? Still a concern
Cloud computing is still perceived as a significant cost improvement. The increasing entry of traditional ‘boxed product’ vendors (eg Microsoft with Office 365) shows that this market is taken seriously by software providers. Customers are also responding and driving the adoption of SaaS and ‘as a service’ products.

Consumerisation
Trend description: The iPad effect has added further impetus to the use of consumer technology at work. Adopting a stance that completely prohibits such an approach is unlikely to be successful.
Should I still pay attention to this trend? Increasing
Bring your own device (BYOD) is changing the provision of workplace IT forever; for many organisations, adoption is no longer a matter of ‘if’ but of ‘when’.

New devices and operating systems are increasingly end-user rather than business oriented (eg default synchronisation to and reliance on cloud services in iOS 6, Windows 8 and Google Chromebooks).

PC sales continue to decline as businesses extend product lifecycles (to reduce costs) and consumers adopt new device formats. Those organisations that have not yet considered BYOD are likely to review their position as product replacement cycles approach.


Appendix D: Revisiting predictions from Threat Horizon 2014

The ISF Threat Horizon 2014 report was released in 2012 and looked at threat scenarios that were likely to arise by 2014. This appendix reviews our predictions for 2014 in light of real world developments that have taken place since the Threat Horizon 2014 report was published and provides commentary as to whether Members should still pay attention to the predictions.

External threats

Trend and trend description / Should I still pay attention to this trend?

Cyber criminality increases as Malspace matures further
Trend description: The sophistication and scale of the global industry that has evolved to commit cybercrime, espionage and other malevolent activity will grow and develop.
Should I still pay attention to this trend? Increasing
Malspace has matured even further during the past year, with hacking tools available at low cost and with support services equivalent to those of major software companies. The situation continues to shift away from skilled individuals acting alone towards mafia-like organisations acting across borders. Law enforcement must focus arrests away from the “lieutenants” or pawns of the organisations towards identifying and arresting the key players.

Cybercrime continues to develop and mature in its approach to targeting victims, taking advantage of changing behaviours (eg people looking for “free WiFi” services whilst travelling).

In the UK, Project Auburn was a first step in government and industry partnership to share risk and response information to improve collaboration.

The cyber arms race leads to a cyber cold war
Trend description: Nations developing more sophisticated ways to attack via cyberspace will get better at it, those who haven’t will start, and organisations will suffer collateral damage. Targets for espionage will include anyone whose intellectual property can turn a profit or confer an advantage.
Should I still pay attention to this trend? Increasing
Countries are further developing their arsenals of cyber weapons and defences, training organised teams for immediate response to threats. The US Pentagon has publicly declared the ability to trace cyber attacks and mount pre-emptive strikes if there is a risk to US citizens or of physical destruction. Attacks are not only against government or military targets; attacks against banks and other financial infrastructures continue to increase, with several cases naming specific adversaries worldwide.

In October 2012, the US government moved to prevent two leading Chinese manufacturers from bidding for Government and national infrastructure contracts. The situation created tensions between the US and Chinese governments. In the UK, however, the same organisations have been cleared to supply 4G mobiles and other equipment.


More causes come online; activists get more active
Trend description: Anyone not already using the Internet to advance their cause will start: customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs – the list is endless. Online organising will become easier and protest channels will be available to greater numbers.
Should I still pay attention to this trend? Still a concern
Several global movements (such as the “Occupy” protests in 2011) relied heavily on social media and mobile technology. Other social-media protests have had political impact, such as the student protests in Quebec which led to the provincial government suffering an election defeat.

Organisations will increasingly be responsive to changes in public opinion expressed on social media, and will seek to use it to their own advantage.

Cyberspace gets physical
Trend description: The increasing convergence of the cyber and physical worlds will bring more attacks on physical systems, from attempts to turn out lights or climate control systems to disrupting manufacturing systems. Whether attacks are successful or not, credible publicised threats will cause disruption and panic.
Should I still pay attention to this trend? Increasing
Risks are increasing as devices are increasingly connected but without adequate security being in place. Consolidation of architectures, especially around ARM processors and open source operating systems, will mean that successful attacks may affect many more systems and services than the intended target.

Devices as diverse as heart pacemakers and in-car systems have been demonstrated to have weaknesses that can be exploited. The pace of change is increasingly rapid, whilst security (in many cases) continues to be absent by design.

Regulatory threats

Trend and trend description / Should I still pay attention to this trend?

New requirements shine a light in dark corners, exposing weaknesses
Trend description: Further movement toward increasingly transparent security disclosures will publicise weaknesses, making organisations more vulnerable to attack. Organisations forced to report security risks may have as much to fear from customers and business partners as they do from hackers and regulators.
Should I still pay attention to this trend? Decreasing
The EU has made a recommendation for a notification requirement with large fines for failure. In the US the SEC is recommending the disclosure of information security incidents. The MAS (Monetary Authority of Singapore) issued a June 2012 notice that financial institutions shall inform the Authority in writing within 30 minutes of the discovery of all IT security incidents and major systems malfunctions.

As organisations have improved their security monitoring and response activities, they are better prepared to address these requirements.

A focus on privacy distracts from other security efforts
Trend description: New privacy requirements from consumers, business customers and regulators impose a heavy compliance burden. Organisations will need to decide whether to invest in the necessary security and legal controls, outsource to someone who can, or exit certain markets. They will also need to consider the message their actions send to their customers.
Should I still pay attention to this trend? Still a concern
Regulators are responding to incidents with proposed changes to legislation that will place onerous penalties on breaches. The EU has issued a data protection directive including provision for large fines (up to 2% of worldwide GDP), with further regulation likely to follow. The scope of privacy legislation continues to broaden; even without fines, the burden of notifying individuals of PII breaches can be onerous for organisations. Many states in the US are investigating legislation, though much is likely to stall before becoming law.


Internal threats

Trend and trend description / Should I still pay attention to this trend?

Cost pressures stifle critical investment; an undervalued function can’t keep up
Trend description: It would be normal to see investment increase after the prolonged downturn, but some economies are still struggling. Even organisations that are increasing security spend have a legacy of under-investment that can’t be corrected overnight. But cyber criminals have been investing, and it will become easier and less expensive to buy criminal technology and services.
Should I still pay attention to this trend? Still a concern
Malware for hire and hacking tools are now commercially available, often with better support than that offered by many legitimate software providers. Attackers are skilled and professional – they can often respond more quickly and effectively than the organisations under attack, increasing the impact of attacks.

Organisations are responding, with 45.4% of respondents to one survey (GSISS 2013) indicating they will increase their security spend over the next 12 months. However, Microsoft and Ponemon report that there is still an imbalance between where organisations are spending and where the threat is, and IBM reports that many organisations do not have a CISO-like position to direct efforts.

A clouded understanding leads to an outsourced mess
Trend description: Continued cost pressure will lead to a new form of digital divide: between organisations that understand the marriage between IT and information security – and everyone else. Leading organisations will appreciate the strategic value of channels, systems and information and will invest; the others will suffer competitive disadvantage and heightened risk of damaging incidents.
Should I still pay attention to this trend? Still a concern
Things have not improved. Stagnant economies in many countries have limited investment in security and increased pressure to cut costs. Outsourcing contracts that include improved security provision may reduce potential savings, especially during the early parts of contracts as vendors seek to recover additional costs.

New technologies overwhelm
Trend description: Organisations are unlikely to slow their adoption of new technology or decrease their participation in cyberspace. Along with business benefits come potential vulnerabilities and methods for attack, and organisations will continue to be hit. Organisations that don’t understand their dependence on technology may have a nasty surprise if it leads them astray or suddenly goes offline.
Should I still pay attention to this trend? Decreasing
The rate at which organisations adopt new technologies is not slowing down. Despite this, the threats from the adoption of cloud services and mobile devices have not worsened, because organisations are learning to manage these devices and services more effectively.

Businesses are taking advantage of users’ attraction to new devices; several organisations offer staff desirable consumer-focussed devices such as iPhones as part of the remuneration package (and see improved staff retention as a result).

Recurrent upgrades of these systems are increasingly oriented towards end-users (eg automatic sync and backup to the cloud), creating issues for some organisations because new features must be adopted to receive security updates. New entrants such as Windows 8 could create uncertainties and new device types for organisations to observe and attempt to manage.


The supply chain springs a leak as the insider threat comes from outside
Trend description: A modern organisation’s data is spread across many parties, and more organisations will fall victim to incidents at suppliers. This will increase as organisations further digitise supply chains, outsource functions and rely on external advisors. 3D printers create three-dimensional products from digital blueprints – increasing the theft of intellectual property, the frequency of attacks and the amount of counterfeit product on the market.
Should I still pay attention to this trend? Increasing
Reliance on complex global supply chains and the amount of data shared with suppliers continue to increase. Many companies have switched from local suppliers to low-cost suppliers which are often geographically distant, making control and monitoring more difficult. Low cost also means that the maturity of the information security processes, and of confidential information protection, might not be up to the standards set by the purchasing organisation.

There is hope for the situation to improve. Whilst the issue is still present (and in many cases increasing for small and medium sized businesses), awareness of the situation is improving, providing an opportunity for organisations to respond.


Appendix E: References

1. Mobile Trojans Can Give Attackers An Inside Look – http://www.darkreading.com/insider-threat/167801100/security/security-management/240008705/mobile-trojans-can-give-attackers-an-inside-look.html
2. sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks – http://www.crysys.hu/skywiper/skywiper.pdf
3. Congress 2012 Keynote Presentation - The view from the C-suite - Derek O’Halloran – https://www.isflive.org/docs/DOC-4666
4. Partnering for Cyber Resilience (PCR) – http://www.weforum.org/issues/partnering-cyber-resilience-pcr
5. Online retail sales hit £50bn – http://www.guardian.co.uk/money/2012/jan/19/online-retail-sales-hit-50bn
6. E&Y – 2012 Global Information Security Survey – http://www.ey.com/GL/en/Services/Advisory/2012-GISS---Fighting-to-close-the-gap---Overview
7. E&Y – Turning risk into results: Managing risk for better performance – http://www.ey.com/GL/en/Services/Advisory/Turning-risk-into-results-Managing-risk-for-better-performance
8. Hack turns the Cisco phone on your desk into a remote bugging device – http://arstechnica.com/security/2013/01/hack-turns-the-cisco-phone-on-your-desk-into-a-remote-bugging-device/
9. UK Cabinet Office – Cyber Security – http://www.cabinetoffice.gov.uk/content/cyber-security
10. Strengthening American Competitiveness and Creating Opportunity for the Next Generation – http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/09/27/strengthening-american-competitiveness-and-creating-opportunity-for-the-next-generation.aspx
11. Lloyd’s Risk Index – http://www.lloyds.com/news-and-insight/risk-insight/reports/risk-index-2011
12. Obama letter to Senate – Nov 2012
13. Tough new laws on foreign students in the UK – http://www.scotsman.com/news/uk/immigrationfalls-after-crackdown-as-tough-student-laws-help-cut-figure-by-25-1-2667355
14. The Global State of Information Security® Survey 2013 – http://www.pwc.com/giss2013
15. You Could Be Next: Learning from incidents to improve resilience – Report – https://www.isflive.org/docs/DOC-3587
16. Montreal F1 ticket-buyers hacked by Anonymous – http://www.cbc.ca/news/canada/montreal/story/2012/05/30/montreal-f1-info-hacked.html
17. Tyler – an overview, and interview with Anonymous – http://www.infosecurity-magazine.com/view/30103/tyler-an-overview-and-interview-with-anonymous/
18. Hacked Pacemakers Could Send Deadly Shocks – http://techcrunch.com/2012/10/17/hacked-pacemakers-could-send-deadly-shocks
19. A New Kind of Visual News – http://www.journalism.org/analysis_report/youtube_news
20. Hackers Claim to Have 12 Million Apple Device Records – http://bits.blogs.nytimes.com/2012/09/04/hackers-claim-to-have-12-million-apple-device-records/
21. Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain – http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx
22. “I am calling you from Windows”: A tech support scammer dials Ars Technica – http://arstechnica.com/tech-policy/2012/10/i-am-calling-you-from-windows-a-tech-support-scammer-dials-ars-technica/
23. Symantec Internet Security Threat Report 2011 – http://www.symantec.com/threatreport/topic.jsp?id=highlights
24. Ransomware infections expected to massively improve and infect in 2013 – http://www.scmagazineuk.com/ransomware-infections-expected-to-massively-improve-and-infect-in-2013/article/270750/?DCMP=EMC-SCUK_Newswire
25. Every graduate post ‘receives 52 applications’ – http://www.bbc.co.uk/news/education-18694748
26. Le taux de chômage selon le diplôme (in French) – http://www.inegalites.fr/spip.php?article1585&id_mot=87
27. 53% of Recent College Grads Are Jobless or Underemployed—How? – http://www.theatlantic.com/business/archive/2012/04/53-of-recent-college-grads-are-jobless-or-underemployed-how/256237/
28. Critical Java zero-day bug is being “massively exploited in the wild” – http://arstechnica.com/security/2013/01/critical-java-zero-day-bug-is-being-massively-exploited-in-the-wild/
29. Georgia Institute of Technology Emerging Cyber Threats Report 2013 – http://www.gtsecuritysummit.com/report.html
30. Publish and be Damned – KPMG – http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/Documents/PDF/Advisory/Forbes-Survey-publish-and-be-damned.pdf
31. Kill the Password: Why a String of Characters Can’t Protect Us Anymore – http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/?cid=4640074
32. Red October espionage campaign targets governments and organisations – http://www.scmagazineuk.com/red-october-espionage-campaign-targets-governments-and-organisations/article/275902/
33. 2012 State of Information Report – http://www.symantec.com/content/en/us/about/presskits/b-state-of-information-report.en-us.pdf
34. Twinstrata – A snapshot into Cloud Storage Adoption – http://twinstrata.com/white-papers/snapshot-cloud-storage-adoption (free registration required)
35. Survey finds 50 percent of organisations use cloud for sensitive data – http://news.techworld.com/security/3374557/survey-finds-50-percent-of-organisations-use-cloud-for-sensitive-data/
36. Tablets to surpass notebook shipments in 2016 - NPD – http://www.zdnet.com/tablets-to-surpass-notebook-shipments-in-2016-npd-7000000490/
37. Holy post-PC era! Tablet shipments will surpass laptops this year – http://betanews.com/2013/01/08/holy-post-pc-era-tablet-shipments-will-surpass-laptops-this-year/
38. Why iOS 6 offers lots for consumers, little for business IT – http://www.telecomstechnews.com/blog-hub/2012/jul/06/ios-6-offers-lots-for-the-consumer-little-for-the-it-department/
39. The role of governments in securing cyberspace: ISF Congress, 2012 Chicago – https://www.isflive.org/groups/isf-global-team-private-group/blog/2012/12/05/keynote-videos-from-congress-now-complete
40. Mobile payments and PCI DSS compliance: Some, but not much, clarity (yet) – http://www.csoonline.com/article/685564/mobile-payments-and-pci-dss-compliance-some-but-not-much-clarity-yet-
41. Gartner Says Worldwide Mobile Phone Sales Grew 17 Per Cent in First Quarter 2010 – http://www.gartner.com/it/page.jsp?id=1372013
42. Gartner Says Worldwide Sales of Mobile Phones Declined 3 Percent in Third Quarter of 2012; Smartphone Sales Increased 47 Percent – http://www.gartner.com/it/page.jsp?id=2237315
43. 314 mobile phones ‘stolen in London every day’ – http://www.bbc.co.uk/news/uk-england-london-21018569
44. How Apple and Amazon Security Flaws Led to My Epic Hacking – http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
45. Poor SCADA security will keep attackers and researchers busy in 2013 – http://www.computerworld.com/s/article/9234968/Poor_SCADA_security_will_keep_attackers_and_researchers_busy_in_2013


For a large text version of this document please contact the Information Security Forum on +44 (0) 207 212 5128


Reference: ISF 13 01 01 Copyright © 2013 Information Security Forum Limited. All rights reserved.

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.