Derek Oliver, director and CEO of Ravenswood Consultants and co-chair of the COBIT 5 Task Force, provided an ISACA prediction.
"Although providing a futuristic solution to data storage and, in particular to data sharing, the 'Cloud' is fraught with dangers, for those of us dealing with personal data in the EU in particular. Cloud Security may well be improving but we are at the mercy of the inexperienced and 'unwilling-to-learn' user. Whatever assurances they may give when setting up cloud storage solutions, it is all too easy for someone to include person identifiable information (PII) in the cloud along with other, less sensitive data, then grant read access to the whole folder to someone entitled to see the non-sensitive data but who has no right to access the PII. There is also the unknown factor of the Cloud server location, which may well be in the USA, for example. Both of these instances are likely to be in breach of the EU directive on personal data security, encoded in the UK as the Data Protection Act 1998."
"Despite ISACA's efforts to engage with and inform Executive management, especially with the publication of the Business Model for Information Security (BMIS), the role of the Information Security Manager is still not being seen as a full-time job by many organisations, particularly in the Public Sector. Some places believe it can be covered by 'somebody' in the 'margins of time' but there are still many instances of the old 'We have an IT Security Officer so that covers information security' which is, of course, not the same thing."
Jeff Hudson, CEO of Venafi, takes us through where third-party trust compromises leave us for 2012.
"In the first quarter of 2011, the previously unimaginable happened: Hackers breached RSA's security and compromised the root of this third-party trust provider's SecurID technology. Virtually all SecurID tokens immediately became untrustable. Companies are still in the process of replacing these tokens and the costs to do so were astronomical. In the ensuing months, 4 CAs fell prey to attackers (Comodo, GlobalSign, Digicert, OpenSSL, and DigiNotar), cementing 2011's identity as the Year of the Third-party Trust Compromise.
As a parting gift, this 2011 personality left three valuable lessons:
1) Third-party trust is an integral piece of our worldwide security infrastructure. It is important; the world we know cannot operate without it.
2) Because the world relies on digital certificates and the CAs (third-party trust providers) that sign them, digital certificates and CAs are among the highest-value targets for hackers. If hackers can compromise CAs and create counterfeit certificates, they can perfectly assume others' identities.
3) Organisations must be prepared for an epidemic of third-party trust compromises, which they were not in 2011. Such compromises were not even represented in 2011 risk analyses and mitigation plans. The DigiNotar compromise virtually shut down the Dutch government for days as it scrambled to find and replace its affected certificates. Unfortunately, many organisations are still using DigiNotar certificates, even though these certificates provide a near-zero level of trust. Why? The answer to this question is alarming: Organisations don't know which CAs issued the certificates they're using and they don't know where these certificates are or how many they have in their environments."
2012 is the year of mobile attacks
Towards the end of 2010, and during 2011, smartphone malware, or 'MitMo', attacks began to emerge and develop. The only reason we've not yet seen a prolific increase in the wild is that banks have been cautious in introducing a full range of banking services from mobile devices.
That will change in 2012.
We've already seen snippets of how financial institutions plan to incorporate all channels into their offering, and I believe this will be the catalyst for mobile malware. Fraudsters are ready to go straight for the jugular.
Attacks will be simple and straightforward as, currently, there aren't many defence mechanisms to block them. We'll then see a rapid evolution, similar to that experienced on the desktop; however, rather than the 10 years financial malware has taken to evolve, fraudsters will simply transfer this experience and intelligence, expediting a mobile malware evolution.
Consumerisation of IT
Continuing with the theme of mobile malware, another factor of this phenomenon is its role as an infection carrier. We're all aware that these portable devices are used to steal corporate data, but at least CISOs could consider them clean. That has changed.
While we've already seen malware for Android, it doesn't mean that iPhone is, or will continue to be, any more secure. Jailbreakme.com demonstrates remote access to versions of iPhone and, while much of this site is benevolent, the same concept can be applied to flaunt malware.
Cryptzone predicts Trends for 2012
With 2012 just around the corner, Cryptzone, the IT threat mitigation experts, today announced its 8 key predictions for the top security trends for the coming year.
Peter Davin, CEO of Cryptzone, comments "Employees are now demanding to use their own devices for work with security as a prerequisite. On the other side, hackers have become more sophisticated in whom they target, opting away from indiscriminate strikes. 2012 will see these trends develop even further."
In 2011, we saw a number of examples of targeted attacks, such as Anonymous targeting Sony and the AT&T Terrorist attack. This trend will continue to rise: rather than attacking randomly, hackers will have specific targets, whether for political issues or personal vendettas. Therefore more customers will be targeted by these pre-designed attacks, with the purpose of stealing intellectual property. Attacks against well-known brands will also become more common, as unsuspecting recipients receive malicious e-mails containing hostile code. Therefore companies need to start thinking about zero-day threats and how to secure their data.
According to Michael Hamelin, chief security architect with Tufin, the predictions - and recommendations - represent the considered thoughts of his research team, who develop leading edge solutions covering a variety of areas, including PCI DSS compliance and automatic security policy generation strategies.
Tip #1 is on the subject of firewall operations, with the prediction that next generation firewalls will continue their strong adoption by mid- to large-size organisations. As a result of this trend, Tufin sees the operations management challenges of multi-vendor firewall environments as calling for increasing levels of automation of daily change management tasks.
Tip #2 covers the area of firewall compliance and auditing - a key requirement in the increasingly regulated IT security space we now live in. Continuous compliance, says Tufin, will become essential for many more organisations that are striving to keep an always-compliant security status, without waiting for a third-party auditor to carry out an annual check.
Tip #3 will see CIOs needing to show their CEOs - and their board of directors - a 360-degree and holistic report on the state of their organisation's IT resources that clearly outlines the business's network security status.
Regulatory compliance requirements - particularly in the PCI DSS space - and the consequent legal implications, will drive more companies to automate their network security audits and rely less on periodical audits.
This was first published in December 2011