Skip navigation
1 2 Previous Next

Verified Expert

17 Posts authored by: Matthew Rosenquist

Bio Vulns - crop.jpg

Authentication in the modern enterprise is becoming more difficult.  The risks are rising, but adding more security controls can impede workers and are difficult to integrate into legacy systems.  Biometrics may be a better path to improve security while not adversely impacting the user experience.  But there are risks.  Biometric systems are not without vulnerabilities themselves. 

 

ABI Research has recently published an infographic showing a comprehensive view of biometric system vulnerabilities as well as a whitepaper talking to the recommendations for enterprise environments.   

 

The traditional username/password method is entrenched in most businesses, but in desperate need of improvement.  A sole reliance on passwords to gain access to devices, networks, and data is proving to be weaker as attackers are getting better at undermining them.  Passwords can be hacked, social engineered, and are a major source of vulnerabilities.  Once compromised, they open a vast number of doors for attackers. 

 

Passwords alone simply are not good enough.  Users as well as system administrators find them difficult to manage.  Changing the status quo is difficult, as the majority of business processes are built to support passwords and workers typically adverse to new security practices. 

 

Biometrics have been in use for some time in limited ways.  Considerable advances have brought the technologies forward to meet some of the challenges to drive broader adoption.  This has created very complex ecosystems to satisfy a variety of demands.  But like any technical authentication system, there are potential vulnerabilities at every step.  The key to improved biometrics security may be to simplify the technology to lessen the number of vulnerable points of attack.  Cost, user experience, and risk aspects must be recognized and proactively addressed for any additional controls.

 

Reducing risk.

Multi-Factor Authentication (MFA) reduces the risk of compromise as it does not suffer from the reliance on just one method to grant access.  Attackers must compromise at least two different controls.  The downside is by adding additional factors, it can undermine the user experience to the point of affecting productivity and acceptability.  Having biometrics satisfy one of the factors in MFA, holds the potential of reducing the friction users must endure, while improving the overall security of the system.

 

User Experience. SSG_16_02_EvangelistProgram_CyberSecurityImages_Final_B.png

Automating the awareness of the user can make authentication a seamless experience.  We automatically carry our biometrics with us.  Nothing to forget, lose, or break.  Advanced technology can make the process even easier.  For example, the tracking of a user’s face while in front of their laptop can make the device aware when they walk away to get a cup of coffee and leave the system unattended.  The system can automatically lock the screen.  Conversely, when the logged-in user returns, the system can recognize the familiar face and automatically unlock the system.  Such an experience is beneficial to the user while keeping the device safer.

 

Managing Costs.

Nobody wants to spend money on identity security.  Yet, there are a plethora of peripherals and secondary devices which enterprises purchase, maintain, manage, and service.  Fingerprint scanners, hardware card readers, and digital USB keys are popular but incur additional costs and frustrate users who have to carry the gadgets and cables.  What if devices themselves had integrated and trusted components which could do the authentication work?  Specialized cameras, microphones, fingerprint scanners, and electronics to securely match the profiles locally on the machine may be the path forward.  Hardware which is optimized and secured, supplanting the need for users to deal with secondary peripherals, could lower the overall total cost of ownership for enterprises.

 

 

Is biometrics the answer?  Well, it is one answer which is growing in popularity with organizations seeking better security, employee productivity, and paths to reduce costs. 

 

 

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

5G security.jpg

5G holds the potential for massive immersion of technology into the lives of people and businesses. It is an evolution of technology which could allow bandwidth for 50 billion smart devices, driving towards a world where everything that computes will be connected.  Such transformative technology opens great opportunities, but comes with new unimaginable risks.  The scalability of improved speed, connections, and responsiveness will fuel unprecedented growth of data from more sensors and devices in our cities, homes, vehicles, and close to our bodies.  These will have access to our personal events, conditions, and provide new experiences of convenience, entertainment, and productivity; all of which, have amplified security, safety and privacy concerns. 

 

The fifth generation of networking represents an important technology enabling the next wave of computing devices to be connected for the benefit of users.  Upcoming 5G networks are designed to be vastly superior to our current 4G LTE mobile networks by increasing data speeds potentially 30 to even 100 times faster, shorten the latency for responsiveness, and perhaps most importantly scale to connect the billions of devices anticipated in the coming years.  Cars, smart clothing, ingestible health sensors, home appliances, drones, street signs, light posts, industrial equipment and many more in just about every field imaginable will connect and share data.  In many ways, it will bring computing to a more personal level.  The wearables, embedded sensors, smart vehicles, home automation, individualized healthcare and monitoring, and environment-aware entertainment devices will connect communities and enrich lives.  Devices will more easily and reliably share information, and work together to enhance our convenience, productivity, safety, health, and interpersonal connections with the people we care about. But such powerful tools can also be leveraged by those with malice or insensitivity. 

   

We must protect our technology, data, and privacy from those who intend or would do harm.  The value of 5G networks and devices must include aspects of security, trust, and privacy.  We will embrace technology that vastly improves the way we communicate and interact with the world, and at the same time act responsibly to support the establishment of protections for systems and people. 

 

As devices become more intelligent and capable, we trust them to complete physical-world assigned tasks.  In doing so, people relinquish a certain amount of control.  In most cases this is positive, could drive sweeping benefits, enhance productivity, and promote safety.  Having a smart car parallel park for me is much safer than my bumbling attempts to do the same.  I have never really mastered the task which results in delaying other traffic, higher stress levels, and eventually higher insurance rates due to the small dents I will likely cause.  So having a car respond to my request to park, measure the space and quickly maneuver the vehicle safely into the spot is nothing short of blissful magic for those like me who normally drive in endless circles waiting for an easier parking spot.  But to gain such benefit, I must understand that the vehicle is engineered in a way so it has the ability to sense immediate surroundings, accelerate, brake, and turn.  This is fine at a slow speed when I want to squeeze into an advantageous parking spot, but not so good for passenger safety if a malicious attacker takes control while traveling down the highway.  In the end, technology is a tool.  As 5G rapidly advances the connectivity and capabilities to open the possibilities of a better world, we cannot be ignorant or complacent when it comes to the risks and necessary security.

 

 

The biggest risks of 5G networks

Safety and Privacy, specifically for emerging IoT devices, represent the greatest risk. The Internet of Things will bring new levels of convenience, automation, awareness, entertainment, and productivity to people’s lives.  However, in the wrong hands, such connected smart devices we come to treasure, may be turned into tools to undermine our security, invade our privacy, and be misused to become a safety risk. 

 

Some would argue industrial controls hold the greatest risk.  But I would challenge such positions.  Industrial Control Systems (ICS) have long been in place in our power plants, water treatment, and chemical facilities.  Over time these systems gradually get connected to the internet, but in my opinion the introduction of 5G is not terribly important in this space from a risk perspective.  ICS operators have recognized the risks and realize they have been under attack for years.  To compensate, they have tried to limit the exposure of these systems and in many cases not upgraded connectivity capabilities on purpose.  Smart devices in ICS facilities could in theory be exploited, but it is more likely more sophistical control computers like servers and PC’s would be targeted. 

 

As 5G begins to roll-out, in the 2018 to 2020 timeframe, I think it will be the consumer devices which will hold the greatest risks.  I predict it will be the transportation, healthcare, and drone industries that will be the source of the most talked about abuses to security, privacy and safety.

 

Here are some examples where benefits accompany risks:

Scenario: Automobiles/Autonomous-Vehicles

Next generation automobiles and public transportation can use 5G networks to communicate with other vehicles and road sensors to avoid collisions, shorten travel times, and improve fuel economy.  But under the control of a malicious attacker, such vehicles may slow the flow of traffic or even worse, actually cause a serious accident. 

 

Scenario: Healthcare

Health monitors can enhance fitness, warn of impending medical conditions, summon help when the user is unable, assist doctors in fine tuning medications, and aid researchers in finding patterns across dispersed groups for improved treatments to some of the most severe chronic conditions.  But such power can also be abused.  Personal privacy can be undermined and tampering with data can cause an opposite effect with potentially serious consequences for patients under medical care.

 

Scenario: Drones

Drones are rapidly being adopted to extend the reach of a variety of services and capabilities.  They deliver medicines quickly over difficult terrain, assist with the detection and fighting of forest fires, explore hazardous environments, conduct military missions in dangerous zones, give artists new capabilities to capture expressive viewpoints, and may become the workhorse for the rapid package-delivery service of the future.  Conversely, they are a risk to passenger planes during takeoff and landing, they have impeded firefighting efforts, could be used as weapons of terror, be a hazard during social protests, support narcotics smuggling, and we have already seen how they can be a nuisance to privacy when watching people in what would normally be considered personal settings.

 

 

Securing 5G devices

Users, devices, software, networks, and back-end infrastructures must all play a role to improve the security of 5G devices.  The improved scalability of connectivity allows for a greater number of devices to communicate and results in the generation of much more data.  The devices, applications, and data form a chain which must be protected.  The problem is similar to the challenges we currently face with the Internet, just amplified to a much larger scale.  Emerging IoT devices represent a new challenge, as they are not as powerful and capable of defending themselves as PC’s, servers, and smartphones.  Most lack the power and speed to run sophisticated feature-rich security solutions.  So, more emphasis will need to be placed in other areas, such as hardware, networks, application validation, and back-end infrastructures to compensate.


 

Establishing trust as a foundation in 5G begins now

Cooperation among technology leaders to define robust standards which embed aspects for stronger security, improved privacy, and greater controls for life-safety related systems is imperative.  If security is not proactively addressed, the value proposition for IoT on 5G may be undermined by an erosion of the appeal and adoption by customers. 

 

Trust is hugely important.  Security must be designed into the 5G standards as part of the foundation, especially when considering its use in IoT connectivity.  Privacy aspects, to give end-users more oversight, default anonymity, and choice, must be included in product and software designs.  Systems which may represent a threat to the life-safety of people should possess elevated levels of security, administration, and control.  As consumers embrace technology, such as automated transportation and medical management systems, the level of trust must rise to compensate for the risks. 

 

The industry is at a point where security can be woven into the fabric, rather than suffer as a bolt-on afterthought.  Leaders in technology must work together now, to establish trust in the foundations and usages for 5G.  Consumers must do their part and be vocal in such expectations.  The demand for security is a critical driver for the delivery by suppliers who want to be competitive and service their customers.

 

 

How will top technology leaders play a role in supporting security, safety, and privacy?

Technology innovation and influence must occur in 3 areas to support 5G security, safety, and privacy. 

  1. Develop architectures and platforms to embed security and trust into the foundations of 5G connected devices and the back-end infrastructures which will handle the vast amounts of data from those devices.   
  2. Influence industry best practices and collaboration to establish robust frameworks and technology standards which implement strong security, safety, and privacy principles.  Intel’s automotive team is a great example where security recommendations and an industry consortium are driving the development of best practices.
  3. Deliver best-in-class security software solutions to protect from rapidly evolving threats on devices and in applications.  Software has the greatest flexibility to attune to new threats and the risk appetite of how devices are being used.  These solutions will be tailored to run within the potentially constrained computing environments for smaller or fixed-function devices as well as on the manageability infrastructure which provides oversight to groups of systems.

 

 

In the end, 5G is coming and it brings with it tremendous advancements to connect more and smaller devices to our electronic ecosystem.  This opens unforeseen opportunities as well as risks.  To reap the benefits and minimize the risks, technology leaders and security professionals must work in concert now to make the foundations and subsequent implementations of 5G networking safe, private, and secure. 

 

 

 

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

Sophisticated organizations defend themselves against cyber attacks with tools, products, services, and perhaps most importantly highly capable security professionals.  But it is becoming very difficult to attract and retain good talent.  The pool of qualified available resources has run dry and it is now up to the academic institutions to replenish the workforce population.  It won’t be easy, but higher education must save cybersecurity!


Cybersecurity may be fought with technology.jpgThe demand for security professionals is at an all-time high, but the labor pool is largely barren of qualified candidates.  Various data sources paint a similar picture with estimates hovering around ~70% of security organizations are understaffed, ~40% of junior-level jobs are vacant and senior-level roles are unfilled ~50% of the time.  A lack of security talent, especially in leadership roles, is a severe impediment to organizations in desperate need of staffing in-house teams. 


Hiring a quality cybersecurity professional is not as easy as you might think.  Universities are trying urgently to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel.  Some experts have described cybersecurity as a “zero-unemployment” field.  In fact, the gap is widening, with 2020 predictions expecting the shortfall to reach 1.5 million workers.  Adding to the challenge, with demand high and supply low, security technology salaries are going up fast and are far outpacing their IT counterparts.  Specialty positions show strong double digit growth in salary over last year’s figures.  Leadership roles are in great demand as well, with compensation rising to match.  Relief of this situation will only come about by balancing the supply side of the equation.


Barriers to resolution

Higher education institutions and governing bodies are working feverishly to fill the tremendous demand with significant numbers of new security graduates, but serious barriers stand in the way.  Academic structures are not well aligned to the needs of the industry, there is a lack of consistent degree and curriculum standards, and educating students with relevant content, in a rapidly changing field, is proving difficult with traditional practices.


Positions within the industry are constantly evolving, with new roles and responsibilities emerging at a rapid pace.  The titles are changing as are the expectations for education and experience.  A recent inventory of federal job responsibilities showed more than 100 occupation-series which include a significant amount of cybersecurity work, representing ~1.6 million employees or roughly 4% of the workforce.  Adding to the mix are new industry jobs emerging around privacy, big data, internet-of-things, policy, customer protection, product design, testing, audit, investigation, and legal aspects of security.  Education institutions are having a difficult time in aligning the skillsets of graduates with the shifting landscape of what employers truly need at any given moment.


Ponemon Report - 2014 Best Schools for Cybersecurity.jpgConsistency across different higher education institutions is a separate problem which must be addressed.  A nationally recognized degree in cybersecurity does not exist.  Instead, most programs are customized and can have a vastly different emphasis and graduation requirements depending upon the host university.  There is not even a consensus on which departments such programs should reside. A 2014 Ponemon report showed a variety of academic departments where cybersecurity is situated, ranging from engineering, computer science, library, military, business, and legal studies.  The result are clusters of graduates entering the workforce possessing vastly different sets of educational knowledge and security skills.  This is problematic for both potential employers trying to fill a position and prospective applicants desiring to show competitive aptitude.


Teaching cybersecurity is difficult in of itself.  The technology, threats, and attack methods rapidly shift.  It seems every eight to twelve months, the industry swings to an entirely new focus.  A fellow security professional stated “if they are learning from a book, it is already outdated”.  Traditional rote teaching styles are insufficient to train professionals as they rely heavily on static material.  More dynamic sources of information, and processes to integrate them into the classroom, are needed.  Cybersecuirty instruction must be agile and stay very close to the pulse of what is happening in the real world. 


Expectations are not being realized by both recent hires into the field as well as companies who are investing in college graduates.  Students told me it was the last six months of schooling which was most relevant.  Before that, most describe the knowledge as an interesting history lesson, but not very practical.  Learning the fundaments are always required to understand the landscape and establish base skills, but the real value is in the pragmatic application of knowledge to supporting risk mitigation.  I have seen frustration with many companies who have hired graduates, only to discover they are not prepared for day-one.  They are glad to have them as part of the team, but the organization must start near square-one to teach them the current challenges and methods to be successful.  Simply put, both sides expect more.


With the vast differences in programs, teaching backgrounds, and content interpretation, sometimes even the basics are overlooked.  Many graduates don’t understand the practical distinction between obstacles versus opposition.  I have found that most, with the exception of those with a statistical background, don’t adequately grasp the relational difference between vulnerability and risk-of-loss.  Most concerning is how many students have a very narrow viewpoint and overlook how cybersecurity is both a technology and behavioral based discipline.  Far too many technical graduates see security as solely an engineering problem, where the right hardware, software, or configuration will achieve the goal and forever solve the puzzle.  This is just not realistic.  Cybersecurity weaves both technology and human elements together in a symbiotic way.  Only addressing one aspect may improve the situation, but will ultimately fail as an isolated stratagem.  These are fundamental constructs every security professional should be fluent in before entering the labor force.   


The solution is apparent

Higher Education Asks.jpgThe solution will arrive in three parts.  First, partnerships between higher education and the industry will need to attract more talent into cyber sciences, including women and underrepresented minorities.  The current numbers of students are just not enough to satisfy demand and expanding diversity adds fresh perspectives to creatively tackle difficult problems.


Second, students must be trained with relevant aspects and materials that take into account the highly dynamic subject-matter and environment.  Optimally, this should extend to post-graduates as part of continual learning programs.  The professionals of today also have a role to play.  They must contribute to the growth and security of tomorrow by advising and mentoring students, assisting educators, and contributing to the development of curriculums.  In a recent presentation to educators and academia administrators at the NSF Cybersecurity Summit, I recommended both an expansion of traditional topics and engaging industry practitioners to help provide timely insights and discussions for students.  Teamwork across academia and the private sector is mutually beneficial and will help raise the effectiveness of graduates as they enter the workforce.


Third, the curriculums must be designed to align to the security roles in the market.  An adequate level of consistency across teaching institutions, attesting to a completion of applicable studies is required.  In short, a recognized degree program for cyber sciences must be established.


Progress toward the goal

The shortfall in talent is no surprise as the industry has seen this coming for some time and a number of groups have been working diligently to change the academic system which supports cybersecurity professionals.  The US National Initiative for Cybersecurity Education (NICE) is a strategic organization tying together education, government and the private sectors to address cybersecurity education and workforce development.  The Association for Computing Machinery (ACM) is an international society for computing working to develop uniformed knowledge content for cybersecurity roles.


Working independently, many higher education institutions are taking the initiative to bring in experts to help teach and advise students to deliver more relevant education and better prepare them for the jobs they will be seeking.  They are reaching out to industry professionals to help staff and students stay current on latest trends, research, and best-practices. 


The Cyber Education Project (CEP) Industry Advisory Board is leading a national academic accreditation program effort to formally establish a Cyber Science degree and necessary certification criteria.  Institutionally, we should see a formal Cyber Science degree be approved in 2016 to establish consistent guidelines for graduates across the landscape of higher education.


Cybersec for HR.jpgIn the meantime however, businesses must adapt to the challenging employment environment.  Hiring of technical and leadership cybersecurity staff will continue to be difficult for the foreseeable future.  Human Resource (HR) departments can play a crucial role in planning and addressing problems.  In a presentation to a Chief Human Resources organization last year, I outlined a number of different areas where HR can facilitate practices to both hold on to good talent already in place and plan accordingly to hire qualified candidates.


HR team must staying on top of competitive salary reviews for current security professionals to insure compensation is at the right level to retain talent in the face of headhunters who are currently circling like sharks, hungry for any opportunity to harvest security professionals.  HR representatives should also be prepared to have candid discussions with managers asking to hire new security staff, as the market price may be misaligned to budgets, compensation disparity could be disruptive to current staffing expectations, and it may take an unusually long time to successfully fill a role.  In some cases, outsourcing may be the best option which should be up for consideration.


Must save cybersecurity

The industry is in trouble as a huge deficit of available professionals continues to grow.  Without well trained personnel, most organizations cannot establish or maintain a sufficient cybersecurity posture.  Academia is the gateway to prepare the next generation of professionals and universities are working purposefully to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel.  Progress is slow, but inroads are being made by the best of academia.  Cybersecurity may be fought with technology, but it is people who triumph.  We must invest in the future generations of professionals who will carry-on the fight.  Higher education must save cybersecurity.

Industry colleagues, I will be speaking at a CIO roundtable luncheon in San Francisco CA on September 10th, discussing how in pursuit of a balanced security posture, organizations need capabilities which deliver smarter and not necessarily more security.

I will be joined by a number of other roundtable members from Apple, Oracle, Zappos, Guidepoint, Freddie Mac, and Barclays.  It should be an informative discussion covering a number of different topics and viewpoints for CSO, CISO, and other executives that set security strategy and architectures.

The event is hosted by Prelert and seating is very limited.  Registration page:  http://info.prelert.com/security-analytics-ema-research-lunch-learn-events

Prelert Luncheon.jpg

sandbox.jpgMalware is working hard to undermine and punish those who employ security sandboxes.  Security innovators are working hard to stay one step ahead.


Security sandboxes are a crucial tool in the battle against the constantly evolving efforts of malware writers.  Suspicious files can be placed in a digital sandbox where security can watch, look, and listen to determine what the code does, who it communicates with, and if it plays nice as expected.  This helps determine if file is benign or malicious.  The sandbox itself is a façade, designed to look and feel like a vulnerable system, yet in reality it is an isolated laboratory which is reinforced to allow malicious files to execute but not cause any real damage.  It is all under the control and watchful eye of the security toolset.  After analysis is complete, the entire digital sandbox is deleted, with whatever potentially harmful activities and changes disappearing with it.  


Many security vendors incorporate this technology to conduct analysis of downloads, executables, and even software updates to prosecute the malicious or allow good files to flow.  Similar tools are employed by forensic experts to dissect malware and unravel the inner workings.  The stratagem has proven worthwhile at confidently detecting dangerous code.  So much so, malware writers began embedding features into their software to detect when they have been put in a sandbox.  In order to remain elusive, upon detection the code either goes silent, temporarily acts innocent, or takes the preemptive measure of deleting itself, in hopes of avoiding being scrutinized by security researchers. 


Security has responded by making sandboxes stealthier to avoiding detection and allow malware to show its true nature, in a safe environment.  This hide-and-seek game has escalated, with new features being employed on both sides to remain undetected while attempting to discover their counterpart. 


In most instances it is passive contest.  That is, until Rombertik.  Given the adversarial nature of the industry, nothing stays secure forever, even security tools.  Rombertik takes a different approach and goes on the offensive to cause harm, incurring a discouraging cost on those employing security tools. 


Rombertik.jpg

Our security colleagues at Cisco have done a great job highlighting the anti-sandbox advances of the Rombertik malware in the Cisco 2015 Midyear Security Report.  They show how the creators of Rombertik have taken a divergent path from their more docile predecessors.  Instead of being passive and self-deleting or remaining quiet, it lashes out at the very systems attempting to analyze it.  It contains a number of mechanisms to undermine, overflow, and detect sandboxes.  Once it believes it is under the microscope, it attacks.  It attempts to overwrite the machine’s Master Boot Record (MBR) or destroy all files in the user’s home folder, with the goal of making the system inoperable after reboot.  


The Cisco report states “Rombertik may be a harbinger of what’s to come in the malware world, because malware authors are quick to adopt their colleagues’ successful tactics”.  It is an insightful report and I strongly recommend reading it. 


The idea of a safe area to test suspicious code is not new.  The original instantiation was simply an extra PC, which could be isolated and completely wiped after the analysis.  But that was not a very scalable or terribly efficient practice.  The revolution really came when software could create virtual sandboxes as needed.  Such environments are quick to create, easy to configure, and simple to delete and start anew.  Dozens or even hundreds could be created and be running simultaneously, each testing for malware.  But software has some inherent security limitations.  Malware can sometimes ‘jail break’ and escape the protected sandbox to cause real harm.  Additionally, the most sophisticated attackers can actually turn the tables to get under the virtual environment so the security environment is running in a sandbox managed by the attacker!


This maneuvering gets more complex over time as both sides escalate their tactics through innovation.  How much longer can software created sandboxes remain one step ahead?  Nobody is sure. 


What is needed is a more robust means of building improved sandboxes.  Beneath software resides the hardware, which has the advantage of being the lowest part of the stack.  You cannot get ‘under’ the hardware and it is much more difficult to compromise than operating systems, applications, and data which run above.  Hardware advances may revolutionize the game with better sandboxes, more difficult to detect and undermine.  I think time will tell, but it seems to be where the battle is heading.  What cannot be foretold is if changes in hardware will be the winning salvo or just a new battlefield for the attackers and defenders to continue to maneuver in the game of cybersecurity.


 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

Security Napkin.jpgRecently I was asked for advice from a passionate professional who is establishing a security company. They asked for strategic insights to help guide their organization. With a quick pen to cocktail napkin, I produced three nuggets of wisdom.

I want to share with the community my thoughts and more importantly hear from others what your advice for this emerging leader of security practices. Share your knowledge and insights.

My three pieces of advice:

  1. The measure of success for a security company is how you can make a meaningful impact on your customers ability for them to manage their security posture
  2. In security, customers must balance three aspects: Risk, Cost, and Usability. Risk mitigation is obvious, as it directly ties to the purpose and benefit of security. Cost must be a consideration as no customer has an unlimited budget. They must seek a level of cost, both initial and sustaining, which is appropriate for the level of risk they want to maintain. Thirdly, usability factors are important as they can impede business and make for a poor end-customer experience. For enterprises, it can also lower employee productivity, create worker frustration, and place greater demands on the IT infrastructure. For consumer facing organizations, security demands can cause customers to dislike products or services, which is greatly detrimental for business. Help customers determine and achieve the right balance for their business objectives.
  3. Risk is about risk of loss. This could be loss of assets, reputation, customers, IP, system uptime, litigation fees, regulatory barriers, etc. Tie the value of what you provide to the real/actual potential losses your customer is currently or will likely experience. Don’t use fear, uncertainty, and doubt, but be realistic to build trust with your customers. In the end, providing security is about trust. Be trustworthy.

Do you agree with my advice. Did I miss the mark?

Be bold and share your cocktail napkin of wisdom!

Security Salary Dice Report Image-500x657.jpgA recent report from Dice.com shows how tech security jobs are far outpacing their IT counterparts.  It is part of a bigger trend as we see demand outstrip supply for cybersecurity professionals.  The cost of hiring or retaining talent continues to climb as organizations struggle in a market with depleted quantities of quality resources.  In highest demand are the security leaders, managers, and skilled engineers.  These roles are the anchors to a healthy security organization and critical for success.  They provide the mentorship, direction, expert guidance, and skills necessary to deliver against challenging tech obstacles, meeting the expectations of concerned executives, and countering the acts of creative cyber opponents.


The rise in salaries should come as no surprise.  Security experts have been predicting this for some time and there is not likely any relief for at least a few years.  The increase in compensation is a result of a hiring pool which is basically dry and demand for security capabilities continues to rise quickly.  The need for cybersecurity is growing in almost all industries, as attacks, breaches, and regulations continue to rise.  Some estimates predict a deficit of over a million computer security jobs by the end of 2020.  This is effectively driving up the salaries.


It is great news for the professionals already in the field.  Job security is at an all-time high.  It is commonplace for top and even medium tier talent to be pursued with enticements to change employers.  They are being lured with bigger paychecks and companies are defensively responding with improved compensation to retain the talent they have.  Else they will be in the unfavorable position of themselves trying to attract resources in a very competitive environment.


Human Resource departments can help by staying on top of competitive salary reviews for current security professionals to insure compensation is at the right level to retain talent.  In a presentation to a Chief Human Resources organization last year, I outlined a number of different areas where HR can play an important role in cybersecurity, including overcoming the challenges of hiring of new talent.  HR should be prepared to have candid discussions with managers asking to hire new security staff, as the market price may be misaligned to budgets, compensation disparity could be disruptive to current staffing expectations, and it may take an unusually long time to successfully fill a role.

HR for Cybersecurity Hiring.jpg


2015 International Security Education Workshop.jpgThis is also a great opportunity for higher education institutions to retool and prepare the next generation of security pro's to fill the needs of the industry.  In May, I spoke at the International Cyber Education Workshop, hosted at Georgia Tech in Atlanta, where educators from top academic institutions were working together to figure out how to upgrade their programs to best prepare their cybersecurity graduates to take management and technical leadership roles in the industry.  Additionally, I see a great direction set by the Cyber Education Project (CEP) initiative, which is a diverse group of computing professionals representing academic institutions and professional societies developing undergraduate curriculum guidelines and a case for accreditation for educational programs in the “Cyber Sciences”.  Education programs are the key to increasing the capabilities and numbers of professionals entering the field.


Until the supply of security professionals can come close to meeting demands, the salaries will continue to rise.  Where deficits in hiring quality staff exist, the risks of loss will remain elevated, reinforcing even greater demand.  It is a vicious circle and the only way to break free is with more security talent in the field.



Matthew Rosenquist is a Cybersecurity Strategist at Intel, an Advisory Board Member of the Graduate Professional Studies for Brandis University, and contributor to the Industry Advisory Board of the Cyber Education Project organization


Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

HR and security? Don’t be surprised. Although a latecomer to the security party, HR organizations can play an important role in protecting assets and influencing good security behaviors. They are an influential force when managing risks of internal threats and excel at the human aspects which are generally snubbed in the technology heavy world of cybersecurity. At a recent presentation given to the CHO community, I discussed several overlapping areas of responsibilities which highlight the growing importance HR can influence to improve the security posture of an organization. 

 

The audience was lively and passionate in their desire to become more involved and apply their unique expertise to the common goal.  The biggest questions revolved around how best they could contribute to security.  Six areas were discussed.  HR leadership can strengthen hiring practices, tighten responses for disgruntled employees, spearhead effective employee security education, advocate regulatory compliance and exemplify good privacy practices, be a good custodian of HR data, and rise to the challenges of hiring good cybersecurity professionals.  Wake up security folks, the HR team might just be your next best partner and a welcomed advocate in the evolving world of cybersecurity

 

Pivotal-Role-of-HR-in-Cybersecurity from Matthew Rosenquist

 

 

Presentation available via SlideShare.net: http://www.slideshare.net/MatthewRosenquist/pivotal-role-of-hr-in-cybersecurity-cho-event-nov-2014

 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

My Blog: Information Security Strategy

Global Manipulations.jpgUS Office of Personnel Management (OPM) recently announced a massive data breach, containing very personal and private data of government and military personnel.  The stolen data was originally gathered to process security clearances and contains a plethora of background information, including criminal records, mental conditions, drug usage, veteran status, birthdates, social security numbers, pay histories and pension figures, insurance data, financial records, home addresses, contacts, and other profile data.  Millions of records in total were stolen, for current and previous government workers, contractors, and partners.  Investigators concluded the attack was conducted by another nation state. 

 

This leads to the question of why would another nation launch such an attack and how will they use such personal information to their advantage?  The answers might be shocking.

 

Unlike cybercriminals, who would be interested in opening lines of credit, filing fictions tax refunds, creating false identities, siphoning financial assets, and fraudulently charging on accounts, nation states have different motivations which drive their actions.  Nation states are interested in influencing policies in their favor across the globe, boosting national economic strength, military power projection, enhancing intelligence gathering capabilities, and protecting themselves from foreign attempts to do the same against them.

 

For centuries, one of the best ways to accomplish these goals has been by influencing, manipulating, or outright controlling important people in other countries.  Employing tactics to achieve such lofty goals requires two things.  First, key foreigners with the necessary power or access must be identified.  Secondly, the means to best influence them must be determined.  History has shown that with both pieces to the puzzle, governments can maneuver in advantageous ways to achieve nothing short of world change.  

 

Many nations have elaborate infrastructures and organizations dedicated to these goals.  They use a variety of Open Source Intelligence (OSINT), Human Intelligence (HUMINT), and Cyber Intelligence (CYBINT) methods to gather insights and data.  Nowadays, OSINT is very effective and with the meteoric rise in social media sharing and personal applications, has become a highly productive tool at providing personal details of a populace.  However, the deepest secrets and most private information is still difficult to come by.  CYBINT can fill the gaps and provide the hard to come by intelligence and personal connections which are highly valuable for these campaigns. 

 

Profile Intelligence
With the wealth of personal data fleeced from OPM, an attacker can begin building a database of interlocking profiles.  The result is a network showing people, connections, access, knowledge, and spheres of influence.  This information will be blended with any other high confidence data, garnered from other sources, to paint a better picture of individuals who may be of interest.  They will likely be looking for those who are active in local and national politics, drive or enforce inter-agency government policies, leaders and technical advisors to the military, those who possess influence in the decisions of others, have internal access to valuable data, are part of the offensive/defensive intelligence apparatus, and people who have earned the trust of those in power.

 

These people become targets of focus and opportunity for various types of influencing tactics, including bribery, blackmail, marketing, facilitation of revenge, social pressure, ethical conundrums, retribution of justice, and demonstrations of patriotism.   Professional manipulators can be very creative in how to position and push people in certain directions.

 

Methods of Influence
These profiles are also intended to give insights to how people can be motivated and controlled.  Building a collective social picture can show how key individuals are influenced.  It may highlight the respected close community around a target who offer advice and guidance.  Past indiscretions can provide an understanding of how someone is vulnerable to situations involving drugs, money, sex, ideology, or fame.  This can be exactly what is needed by manipulators. 

 

Personal and private information can be embarrassing or give the necessary signs of weakness.  Some people can be blackmailed, threatened, tricked, cheated, bribed, or flipped to provide information, access, or facilitate the influence of others.  A cascade effect can take place as people are linked.  In rare cases, some assets may be groomed to become direct action operatives, where the risks, impacts, and rewards can be much higher. 

 

Achieving success is no easy task for nation state orchestrators.  Private information is a highly prized chip in this game.  The more sensitive, revealing, and humiliating the data, the more valuable it is to those who plan to use it as leverage for their benefit.

 

Beyond the targeting of individuals, such data can be valuable in other ways.  To disrupt the operational effectiveness of an organization, key personnel can be affected with campaigns to publicly embarrass or undermine renewals for top clearances therefore causing gaps or delays in the work of important positions.  This can also provide advancement avenues for others who may be more conducive to support the attacker’s objectives.

 

Compromising computer systems becomes much easier.  In the cybersecurity realm, private information and a list of known contacts makes phishing attacks near impossible to defend against.  Emails, texts, attachments, and files can appear to be sent from friends, family, coworkers, academia, and professional colleagues with no good way for the average person to discern the difference between legitimate and malicious, until it is too late.  These phishing attacks can bypass system defenses and allow hackers to gain access to computers, networks, databases, and cloud environments.  Follow-on attacks in this manner should be expected, both at home and work.  Infecting and controlling devices of people with security clearances is an opportunity not likely passed-up by nation state attackers.

 

The data itself has value and can be sold, traded, or given to a variety of other groups.  Terrorists, allies, political rivals, in-country revolutionaries, radicals, or other nation state intelligence agencies would be likely interested parties. 

 

There are national economic advantages as well.  Discretely providing profile data to state-owned companies can greatly improve their business negotiations, bidding, pricing, employee recruiting activities, and overall competiveness abroad.  This can boost domestic economies while undermining foreign positions.  

 

Politically, in a bit of irony, such attacks may also drive the desire of attacked nations to establish international accords governing global cybersecurity practices with their attackers.  In essence, hacking can motivate governments to come to the negotiation table and put them at a disadvantage in the agreement of terms.   

 

With the loss of millions of highly personal records, the outlook is not a pretty picture.  Time will tell which of these tactics will be employed by those who took OPM data.  But keep in mind such spycraft has been around for thousands of years.  The intents and purposes are not new, just the scale, tactics, and tools have changed to include the information rich world of cyber. 

 

My heart goes out to those whose data was part of the recent breach, their families, friends, and associates.  In a very personal way, they are all now part of a larger geopolitical game.  Take all necessary precautions to protect your name, reputation, finances, history, and honor.  Although the attack cannot be undone, governments around the world can learn from these situations and institute better controls, data policies, and political responses to protect future generations.


All cyberthreats originate with a person.  It is people who act in unsafe or malicious ways which drives the security risks across our digital lives.  It may seem an unusual way to look at the problem of cybercrime, data breaches, and intentional service outages, but that is the hidden truth in computer security.  Humans and technology are intertwined.  It is an unpopular sentiment as technology is an easy culprit to blame.  It is a simple story when fault can be described as a code vulnerability, weak passwords, or a TAL Motivation white paper 2015.jpgsystem hack.  These are straightforward problems with equally straightforward fixes.  But in fact, our electronic ecosystem of devices and software, simply represents the playing field where the battle is fought.  Regardless if it is a careless employee, cybercriminal, or nation state cyberwarrior, people are the genesis of all risks. 

 

Sun Tsu provided insights over two thousand years ago, which remains relevant “Know your enemy and know yourself and you can fight a thousand battles without disaster”. 

 

The Intel security team has released a whitepaper Understanding Cyberthreat Motivations to Improve Defense which builds upon previous work to help understand different types of attackers.  It is only through the understanding of both the threat agents and the technology, can a truly comprehensive and sustainable security be achieved.

 

Full disclosure: I am a true believer and have spent much of my career expounding the need to pay attention to both the technical and behavioral aspects of cybersecurity.  I am a member of the Intel Threat Agent Library team, developed the Threat Agent Risk Assessment (TARA), and have used both successfully to understand and manage risks across projects both enormous and small.  I know the value of understanding ones enemy and am resolute in my position is it an absolute necessity to maintain a sustainable and optimal security posture.  So in all fairness, take my position as one of an advocate and temper it accordingly.

 

I urge you to download the white paper and consider adding threat agent perspectives into your risk assessment processes.

 

 

 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

My Blog: Information Security Strategy

 

Hacking The OS v2.jpg

In cybersecurity, hacking people is much easier than overcoming advanced technical defenses.  Attackers are refining their social engineering techniques, the practice of exploiting people to compromise a system, to deploy their malicious capabilities and do harm.  Social engineering continues to be a significant security problem for the industry, even in the face of improving security technologies. 

As Sun Tsu stated over two thousand years ago, “It is best to win without fighting”.  Why effort overcoming all the technical barriers, when people are the easiest avenue to success?  Attackers are smart.  They tend to follow the path of least resistance in pursuit of their goals.  With ~80% of workers unable to detect the most common and frequently used phishing scams, attackers are winning when they target human behaviors.


Even the most serious investments in security technology can be undermined by poor human behaviors.  Making the castle walls tall and thick will be meaningless if the guards at the gate let everyone in.  This is exactly why attackers have historically maneuvered to manipulate victims into making bad decisions.  In the digital world, it can be as simple as luring an unsuspecting target to click on a malicious link in an email or visit an infected website, which initiates a chain of events to undermine the security and unravel an entire network.  It is that easy.


Raj Samani, Intel Security EMEA CTO and Charles McFarland have released a report Hacking the Human Operating System which outlines the challenges to the cybersecurity community.  They describe the hunting and farming techniques, discuss the social engineering attack lifecycle, and provide a number of defenses against these types of attacks.


Social engineering attacks are not going away anytime soon.  They are evolving to become more effective and represent a significant risk to the security of every person and organization connected to the Internet.  Security fundamentals include a combination of both technical and behavioral controls.  People are part of the battlefield and can be the greatest weakness or asset.  We all must make hacking humans a more difficult proposition for cyber attackers.

 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

Google Bullseye 2.jpgGoogle has been criticized recently for its vulnerability disclosure policy.  They have taken an aggressive, some would argue haphazard, position of publicly releasing details on a rigid schedule and sometimes before software vendors have distributed patches to customers.  Software companies, including the likes of Microsoft, are given a 90 day notice when Google security researchers find and provide details of a weakness they discover.  This can result publicizing a window of opportunity for attackers to develop hacks, causing exposures of unprotected organizations and individuals. 

 

Software vendors are not happy.  Ninety days is not much time to understand the problem, develop a fix, test it thoroughly, and deploy to their customers.  For enterprises, patches are a disruption which require resources, testing, and potentially downtime.  Coming from this world, I can attest to having a regular patch cycle helps tremendously with resource planning and to minimize overall disruption.  But these are all tactical issues.

 

As one never lacking an opinion or afraid to fight against the current, let me say it simply: I LIKE what Google is doing! 

 

Yes, this is my opinion and I know it is not shared by many, perhaps most, of my colleagues.  But, here is the thing, the software industry must change to better adapt to cyber threats.  The status quo of pushing software products into the market as fast as possible with inadequate security and counting on future updates to close holes, is short-sighted and increasingly less effective.  Patching is an aberration of good product development practices.  It has become a necessary evil to supplement, in many cases, the weak security design and testing of software.  Some patching and updates of software makes sense, but many of the numerous security patches pushed out every year could have been identified and resolved before the product was released, if the developer chose that path.

 

The industry, being very competitive, has evolved to a point where products are rushed to market.  I’m not arguing if this is good or bad, as it has elements of both, but that is the world we live in.  Security tends to be an afterthought.  Any software developer who takes their time to thoughtfully design, code, and thoroughly test their software to find the types of vulnerabilities being discovered, would probably not have many products in the market and not survive as a business.  The industry itself has evolved in such a way as to deprioritize security and instead rely heavily on post-release patches.  Good security design practices are being penalized in this paradigm.

 

Something much change.  Attackers are now teaching us this is not a sustainable model.  The technology industry must adapt and make products better.  Google is acting like a cattle prod, painful and disruptive, but driving the heard in a better direction. 

 

Google is driving change and picking up the cost themselves.  Google employs top-notch talent as part of the Google Zero project to find sophisticated zero-day vulnerabilities in other vendors’ products.  The program has a high degree of transparency and aligns to a noble objective which benefits us all.  This is not Google’s first foray into safer and secure software.  In 2010 they started a highly successful bug bounty program, which has paid out over $4 million to hundreds of different researchers for finding vulnerabilities in their software.  Google may in fact, be one of the few companies which has enough clout, resources, and talent to change the software industry for the better. 

 

Google’s policy has a number of short term drawbacks, but as a strategist, I am most interested in the long term effects.  Google is funding a top-notch research team to identify critical vulnerabilities in software we all depend upon.   An unwavering position is needed to drive better software development and put necessary tension in the system for developers to respond quickly with fixes when vulnerabilities are discovered.

The reality is, a 90 day window is a major headache for software developers.  Make no mistake, this pain is intentional and by design!  

 

It will force software developers to do 2 things:

  1. Better quality assurance security testing on products before they ship.  Otherwise they will not be able to handle the ‘vulnerability fix’ workload after and release
  2. Improved responsiveness for better sustaining management of products by listening to vulnerability reports and developing quality fixes rapidly.  Otherwise, their customers will be at greater risk of being victimized publically.  Some vendors take YEARS to develop fixes, even after exploits are in the wild.

 

One element not being discussed by the community is the fact attackers are also looking for vulnerabilities.  If they find them independently of Google, they do not publicize their findings, give developers time to shore up weaknesses, or show any mercy.  One of the roles of white-hat security researchers it to undermine zero-day exploits.  Google’s short deadlines may result in vulnerabilities, already discovered by attackers, being closed before catastrophic damage occurs. 

 

So Google, if you are reading, keep up the good work.  It benefits us all through the encouragement of the software industry to embrace better practices, prioritize security in their products, and enhance the trust of technology.  I for one, see your commitment to a largely ungrateful community.  Stay on the path. 

 

 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

 

2015 Predictions.jpgCybersecurity is poised for a notorious year.  The computer security industry had a tumultuous 2014, with significant breaches, compromises, and vulnerabilities permeating the news.  Governments, businesses, and huge swaths of everyday people were affected.  In the next twelve to eighteen months will see even greater, bolder, and more complex attacks emerge. 

This year’s installment for the top computer security predictions highlights how the threats are advancing, outpacing defenders, and the landscape is becoming more professional and organized.  New targets will emerge and the expectations of security will rise.  As the industry changes, there will be struggles, setbacks, victories, and surprises.  Although the view of our cybersecurity future is obscured, one thing is for certain, it will be an exciting ride.


Top 10 Predictions:

  1. Cyber warfare becomes legitimate

    Governments will leverage their professional cyber warfare assets as a recognized and accepted tool for governmental policy.  For many years governments have been investing in cyber warfare capabilities and these resources will begin to pay dividends.  Most activities will remain discrete, but governments will not be apologetic when activities become public.  Such national capabilities are another instrument, complementing traditional military and espionage resources, for leaders to use in driving international policy.  State sponsored attacks will rise globally, supporting various foreign policy agendas, as will intelligence and surveillance activities.

  2. Active government intervention

    Governments will be more actively involved in responding to major hacking events effecting their citizens.  The increased law enforcement resources for investigative and forensics functions will aid local authorities and enterprises of key economic and infrastructure organizations, in identifying and prosecuting attackers.  Expect government response and reprisals to foreign nation-state attacks, which ordinary business enterprises are not in a position to act or counter.  This is a shift in policy, both timely and necessary to protect how the public enjoys life under the protection of a common defense.  They may also take on the role as public advocate to point fingers and direct blame, something few companies want to do themselves.  This will also be the year which cybersecurity regulations, specifically in response to recognized attacks, emerge and get ratified much faster.  Although, the term ‘faster’ is of course relative in comparison to the normal time it takes to pass cyber related regulations.  Overall, governments will take a more active and public role to investigate, prosecute, and respond to significant cyber-attacks.

  3. Security talent in great demand

    The demand for security professionals is at an all-time high, but the workforce pool is largely barren of qualified candidates.  A lack of security workforce talent, especially in leadership roles, is a severe impediment to organizations in desperate need to build and staff an in-house teams.  The best talent has been scooped up.  Universities are trying desperately to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel.  We will see many top level security professionals jump between organizations as big companies are willing to lure them with better compensation packages.  The demand will drive a rise in salary for cybersecurity professionals, drawing in more recruits.  Eventually, the pipeline of professionals will grow to meet demand, but that will not happen in 2015.  Those seeking to fill roles should plan accordingly.  Organizations will struggle in filling crucial security roles to protect their business and customers. 

  4. High profile attacks continue

    High profile targets will continue to be victimized.    As long as the return is high for attackers while the effort remains reasonable, they will continue to target prominent organizations.  Two types of victims exist, those who have something of significant value and those who are easy targets.  As it stands, many large organizations are both easy to compromise and have tremendous value to attackers.  Expect more business data theft, forgery, impersonation, and hijacking.  Also expect a resurgence of social activists expressing themselves through hacking, in more creative ways than just Denial-of-Service attacks.

    The financial industry, although tougher from experience from the past few years of being targeted, will see new attacks intensify.  Bank and credit cards remain the easiest to compromise and fraudulently use.  Although they will feel more pain, their efforts are making a difference and lessening lower classes of attacks overall.  Unfortunately, advanced and directed attacks will continue to be successful.  Lastly, we will see more nation-state sponsored cyber warfare attacks against governments and their defense apparatus.  The public will see a large variety and number of complex and bold compromises in the next year. 

  5. Attacks get personal

    We will witness an expansion in strategies in the next year, with attackers acting in ways to put individuals directly at risk.  This will take many forms, but the common thread will be a personal feeling of being targeted.  Instead of your bank being compromised, it will be your PC infected to steal your account access.  The most worrisome tactic will be how cyber attackers will seek ways to threaten damage of the physical world and put people in harm’s way.  This may include personal threats, damaging industrial facilities, critical infrastructures, and even tampering with safety controls in devices we operate.  This can put human lives at risk.  Executives, politicians, government officials, and the wealthy will be singled out and targeted more than ever.  Governments will work to monitor political dissidents and effort ways to identify social protesters.  High profile individuals will be threatened with embarrassment, exposing sensitive healthcare, photos, online activities, and communication data.  Everyday citizens will be targeted with malware on their devices to siphon bank information, steal crypto-currency, and to hold their data for ransom.  For many people this year, it will feel like they are being specifically targeted for abuse.

  6. Enterprise risk perspectives change

    Enterprises will overhaul how they view risks.  Serious board level discussions will be commonplace, with a focus on awareness and responsibility.  More attention will be paid to the security of their products and services, with the protection of privacy and customer data beginning to supersede ‘availability’ priorities.  There will be much less tolerance for failure or apathy on the part of the CIO, CSO, and CISO.  

    Changes will be made in how risks are evaluated.  Many more considerations are added to the mix and the overall 'impact' potential rises across the spectrum.  The ‘who’ and ‘why’ of the attackers becomes important, not just ‘how’ the defenses might be breached.  Calculations, now relevant and understandable at the board and C-suite levels, will be included when determining the optimal security posture, thus driving more focus, accountability, funding, and overall visibility.  Enterprise leaders will adapt their perspectives to focus more attention on security as a critical aspect to the sustaining success of the business.

  7. Security competency & attacker innovation increase

    The security and attacker communities will make significant strides forward this year.  Attackers will continue to maintain the initiative and succeed with many different types of attacks against large targets.  Their success will encourage more attacks and bolder endeavors.  Advanced threats will leverage the tremendous computing power from cloud hosting services to accomplish brute force attacks and support the important command, control, and communication infrastructures necessary for broad and complex attacks.  Popular cloud drive services, application stores, and web advertising networks will be used to deliver malware.  Crypto currencies such as Bitcoin will continue to be the preferred economy supporting underground activities, compelling more regulation and oversight.

    Certificate theft will increase as well as the supporting dark markets who peddle and offer up services using them.  Stolen credentials are used to sign malware, making them appear legitimate to slip past network filters and security controls, and in phishing campaigns.  This is a highly effective trust-based attack, leveraging the very security structures initially developed to reinforce confidence when accessing online content.  Rising demand will drive black market prices higher.  Hackers who are adept at compromising networks will realize they can make a quick profit by stealing certificate credentials.  Cybercrime will grow quickly in 2015, outpacing defenses and spurring smarter security practices across the community.

    Security industry innovation will advance as the next wave of investments emerge and begin to gain traction.  Protections for next generation data centers, tools for communication surveillance, attack attribution, threat intelligence, and contextual security controls are a few capabilities which will significantly improve to aid defenders.  The security industry will go through another cycle of consolidation where larger companies absorb smaller start-ups to harvest innovation and point products, to expand established offerings.  Cross technology alliances will form to allow disparate tools to communicate and collaborate together to increase overall effectiveness of cybersecurity postures.  Smarter, not more security, will be the trend.

  8. Malware increases and evolves

    Malware numbers will continue to skyrocket, increase in complexity, and expand more heavily beyond traditional PC devices.  Malware remains the preferred means to control and exploit systems.  Malicious software will continue to grow at a relentless pace, averaging 50%+ year-over-year growth.  More sophistication of the code will make detection, analysis, and permanent eradication more difficult.  Writers protect their most specialized and insidious code with obfuscation techniques, to keep activities stealthy.  This can include the heavy use of encryption, certificates, self-updating, sandbox sensing, system demolition, and self-destruction protocols, all in an effort to make attribution, dissection, and removal problematic. 

    Malware expands to work on more specialized devices, beyond personal computers and traditional server environments.  Industrial, automotive, home devices, phones, tablets, online service environments and even the Apple ecosystem will see more tailored code, putting them at risk. 

    Two types of malware attacks will see a spike.  Ransomeware and theft of banking login credentials will grow significantly to infect end-users devices.  As banks are closing easy avenues of attack in their infrastructure, the end-users become the next easiest path of compromise.  Second, crypto-extortion will expand into a booming market, where malware encrypts users’ data files and holds them for ransom.  Individuals, businesses, and even police departments have succumb to this type of attack.  With hundreds of millions of dollars to be made, organized criminals will commit serious resources to this electronic disease.  The rapid growth and rising complexity of malware will create significant problems for the security industry.

  9. Attacks follow technology growth

    Attackers move into new opportunities as technology broadens to include more users, devices, data, and evolving supporting infrastructures.  As expansion occurs, there is a normal lag for the development and inclusion of security.  This creates a window of opportunity.  Where the value of data, systems, and services increases, threats surely follow.  Expect attackers to explore the emerging world of IoT, wearables, home automation devices, banking and Bitcoin ATM and Point-of-Sale machines, and multi-functional digital display and sale devices.  Attacks against phones will increase and legacy ATM's will become a favorite target for organized crime.  National cyber warfare teams will continue to target communications for intelligence gathering, but will also focus on being able to compromise, monitor and tamper with high-tech industrial controls and critical infrastructures.  Attackers are fast-followers for market shifts, attracted by areas of recognizable value, and will seize the new opportunities driven by the adoption of popular technology.   

  10. Cybersecurity attacks evolve into something ugly

    Cybersecurity is constantly changing and the attacks we see today will be succeeded by more serious incursions in the future.  We will witness the next big step in 2015, with attacks expanding from Denial-of-Service and Data Theft activities to include more sophisticated campaigns of monitoring and manipulation.  Attackers will compromise defenses to gain internal access and establish a beachhead for conducting long-term surveillance and exploitation.  Professional threats will take the time necessary to understand the inner working of their victim and position themselves deliberately to gain from this knowledge. 

    Foregoing the temptation of a quick smash-and-grab of user and credit account data, they will show patience for a more strategic and profitable purpose.  They will begin to tamper with data to manipulate the operations of their host.  Combined with long-term data collection, they will use this capability for a variety of financial gains and as a prelude for more insidious control schemes.

    Imagine what an attacker can accomplish if they had the ability to tamper with transactions occurring within a financial institution, modify the settings of the safety systems in an industrial control environment, or control the communications infrastructures from trusted entities.  This type of integrity attack has not been widely seen to date.  Security controls in this space are weak in the industry.  Detection and recovery will be very problematic, bordering on nightmarish. 

    Welcome to the next evolution of security headaches.


I predict 2015 to be an extraordinary year in cybersecurity.  Attackers will seek great profit and power, while defenders will strive for stability and confidence.  In the middle will be a vicous knife-fight between aggressors and security professionals.  Overall, the world will take security more seriously and begin to act in more strategic ways.  The intentional and deliberate protection of our digital assets, reputation, and capabilities will become a regular part of life and business

 

 

 

 

Take a look at previous years predictions to see how cybersecurity history has unfolded.

 

 

 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

Cybersecurity is a difficult and serious endeavor which over time strives to find a balance in managing the security of computing capabilities to protect the technology which connects and enriches the lives of everyone. Characteristics of cyber risk continue to mature and expand on the successes of technology innovation, integration, and adoption. It is no longer a game of tactics, but rather a professional discipline, continuous in nature, where to be effective, strategic leadership must establish effective and efficient structures for evolving controls to sustain an optimal level of security.


This presentation, first delivered in October at the Cybersecurity 2014 Strategy conference in Rome Italy, discusses the emerging challenges as it analyzes the cause-and-effect relationships of factors driving the future of cybersecurity.


2014 the future evolution of cybersecurity from Matthew Rosenquist

 

 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

My Blog: Information Security Strategy

Danger 2.jpgHackers are always on the lookout for new ways to monetize their activities.  We know cyber attackers have the first-move advantage and are currently outpacing security capabilities and implementations.  Even now, they run undetected and unabated through the networks of many large and respected companies and government sites.  When they are detected or choose to show their position, what makes news is the breach, data loss, and potential financial liabilities.  What is rarely spoken of is how such incidents on trusted organizations can be used to greatly amplify broader cyber-attacks across the systems of other entities and their respective customer base.

 

As attackers are rummaging and shopping around compromised networks, one of the highly valued targets are the certificates of the host.  These are used when communication, updates, and applications are sent to customers and partners to validate content is coming from a legitimate and trustworthy source.  Certainly not as sexy as credit card numbers, but in the wrong hands it can be a much more powerful tool to professional attackers.  These stolen credentials are being used to ‘sign’ malware which will get past typical defenses and then infect and compromise the computers of the host’s customer base.

 

Say for example you have a media or game company that requires end-users to install an application to access news, movies, songs, games, entertainment, or anything really.  The content pushes, program updates, and even security patches are electronically signed by the host, to ensure they are legitimate.  This is good security practice that is often used by app stores, anti-malware software, network filters, etc.  If this host company is compromised and their certificates are then used to ‘sign’ a malicious update, one which will compromise the target system and open it to the attackers, the entire community is at a heightened risk of these slipping past the security controls.  Chances are very good that recipients will receive and install code designed to hack their systems.  Now imagine that such users have this app on their phone, home system, and most worrisome their work computer.  All could be quickly compromised, at the speed of updates.  Most security defenses will not stop such an attack until it becomes known the certificates have been stolen.  Even then, it is not such a simple process to revoke usage across an entire community.  It can take years to close the vulnerability on all the potential targets.

 

Welcome to the 3rd Level of future cybersecurity attacks.  Here is my prediction: the broader community of attackers will soon realize the value of these certificates and begin to regularly harvest them as a resource for resale to discrete buyers, much like how vulnerabilities are being sold today.  Additionally, we will see more darknet services emerge where a malware writer can pay to have their software ‘signed’ with a stolen certificate for propagation to targeted communities.  This will be the next big market for hackers and will become a standard practice for cyber warfare teams worldwide.

 

Hold on, this is going to be a bumpy ride.

 

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

My Blog: Information Security Strategy