Fuelled by cybercrime, cyber warfare, and cyber terrorism, the cost of cybersecurity and risk management is on track to double over the next three years. That’s the bad news. The good news is that a shift towards cyber offense will begin to stem the tide of cyber threats.
Coalfire, the leading independent information technology governance, risk and compliance (IT GRC) firm, today released its top ten cybersecurity predictions for 2015.
“As 2014 ends, it is clear this was the year everything changed in the world of information security,” said Rick Dakin, Coalfire’s CEO and chief security strategist. “As high-profile data breaches were announced one after another, consumers stopped believing companies took protecting their information seriously. It’s time for companies to start looking ahead at the next generation of threats and to step up their game to better protect consumer data. The threat landscape is continuously evolving. If you don’t already have threat intelligence and response plans ready for implementation in 2015, now is the time.”
Coalfire conducts more than 1,000 audits and assessments of systems containing sensitive data each year. Based on the trends in those investigations, Dakin predicts the following for 2015:
- Motivated Threat Actors. The number and sophistication of cyber threats will continue to increase exponentially. Fueled by both geopolitics and economic incentives, international (and often state sponsored) criminal organizations will escalate their development of offensive cyber capabilities.
- Redefining the Defense. The demands of cybersecurity are fundamentally changing IT. Cyber risk management and security compliance will take an equal weight to other design criteria like functionality, capacity and performance. Financial ROIs will be balanced by a new understanding of risk exposure for sub-par solutions.
- Three Heads vs. One. In large organizations, there are technical roles that require the knowledge and experience of CIOs, CTOs and CISOs. While some have predicted the death of the CIO role, we see instead a balancing of responsibility between three peers.
- Investments Will Increase. In the face of pernicious new threats, the cost of cybersecurity and risk management will remain on track to double over the next three years.
- New Fronts. The expansion of mobility, cloud computing, bring-your-own-device (BYOD) policies, and the Internet of Things will provide new (and previously unforeseen) opportunities for cyber-crime, cyber-warfare, and cyber-terrorism.
- Universal Monitoring. As a result of cyber-incidents, every organization (or person) will be using some form of continuous monitoring service (threat, scanning, identity or credit). These will be legislated, mandated by financial institutions or insurers, or acquired on their own behalf.
- Business Leadership on Policy Development. Executive leadership will drive further development and maturation of standards across private sector and governmental organizations. This approach to security and cyber risk management will reduce the potential for “unforeseen” damage from cyber-attacks, cyber warfare and cyberterrorism.
- New Threat Detection and Response Technologies. There will be an increased use of crowdsourcing, machine intelligence, and cognitive/advanced analytics to detect and stay ahead of threats. Bounties for catching bad actors and advanced algorithmics will help the “good guys” identify and stay ahead of the hordes of malicious players.
- Improved Security. New and better applications of authentication, EMV, encryption and tokenized solutions will increase the security of payments and other personal and confidential information. Apple Pay and other next-generation solutions will overcome anti-NFC inertia and lead to increasing adoption of mobile-based security technologies for both retail payment and other applications, such as healthcare, where critical and confidential information is exchanged.
- Back to Offense. We will see the beginnings of a shift from cyber-defense to cyber-offense: the focus will move from attempting to build impenetrable systems to building systems that make it possible to identify attackers and provide the means to prosecute, frustrate or delay them.
The PCI Security Standards Council (PCI SSC) has announced that the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) 3.0 are now available in nine languages.
“It’s important that organizations around the globe have the resources they need to protect card data,” said Bob Russo, general manager, PCI Security Standards Council. “We’re happy to make the PCI Standards available in a number of languages to assist organizations as they work to make payment security part of their business-as-usual practices.”
PCI DSS and PA-DSS 3.0 were published in November 2013, with updates made based on feedback from the Council’s global constituents and response to market needs.
Over 50% of this feedback came from outside of the U.S., emphasizing the Council’s active international membership base.
The PCI SSC website supports translated pages and PCI materials including the new PCI DSS v3.0 and PA-DSS v3.0 in the following languages:
“We continue to be encouraged by the growing participation from global stakeholders in PCI Standards development,” said Jeremy King, international director, PCI Security Standards Council. “We’re optimistic that these translations will increase awareness and adoption of the standards and drive improved payment security.”
With the recent spate of cyber attacks on US retailers, Coalfire’s European MD, Andrew Barratt, considers how attacks on retailers differ outside the US and what the potential impact of similar attacks would be in a world where Chip and PIN technology is more widely deployed.
Working in both the US and Europe gives us a good perspective on the payment security landscape. The US has a much higher rate of credit card usage than most European countries, and loyalty schemes and reward incentives are much more mature and embedded in consumer culture. In Europe card usage is increasing, but the type of card varies by country. In the UK credit card use is moving in a similar direction to the US, alongside a high rate of debit card usage; cards are quickly replacing cash. The UK now also has lots of innovative mobile tech trying to disrupt the card market. Germany is very different: credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system. However, both of Europe’s large economies moved away from the magnetic stripe years ago.
EMV, or Chip and PIN as it is more commonly referred to in the UK, has been in heavy use since 2006, which has significantly lowered the impact of brick-and-mortar retail breaches. It doesn’t rely on sending the full track information to the payment processor, which makes the data easier to secure.
With retailers adopting more of the security controls detailed in the Payment Card Industry Data Security Standard (PCI DSS), and with widespread adoption of Chip and PIN for authenticating customers, huge losses from face-to-face retailers are less common.
Large US retailers are being targeted for smash-and-grab style payment card data breaches because the data is easier to use fraudulently. If a cyber-attack steals a lot of magnetic stripe data, it can be used to clone cards, which can then be used in stores to make fraudulent purchases.
Where transactions are authenticated using EMV’s Chip and PIN verification method, less data is transmitted to the processor, and the chip authorises each transaction with a cryptogram unique to that transaction, so captured data cannot simply be replayed. If this data is stolen it is harder to use fraudulently; not impossible, but a lot harder. EMV is not without its flaws, and a number of attacks have been demonstrated by Professor Ross Anderson’s research team at Cambridge University. These typically attack the card reader and try to grab the PIN as it is sent to the chip for verification.
For US retailers, minimizing exfiltration possibilities should be a high priority: lock down and monitor outbound connections.
With the fraud bubble squeezed, attackers in the UK focus on e-commerce operations, service providers and other businesses that handle lots of cardholder-not-present transactions. As the cost of implementing attacks against the smart card declines, Europe serves as a good learning ground for the US. If the US adopts EMV in future, adoption can draw on lessons learned overseas for better consumer protection.
Article written by Andrew Barratt
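The article above makes two linked points: stolen magnetic stripe (Track 2) data is directly reusable for cloning, and US retailers should lock down and monitor outbound connections. The following is an added example, not code from the article or from Coalfire, of the kind of egress tripwire a practitioner might run beside an outbound allowlist: it scans captured outbound request lines from a POS host for cleartext Track 2 data, validates the PAN with the Luhn check to cut false positives, and classifies the card from its service code (first digit 2 or 6 means a chip card). The sample lines, store number and paths are constructed for this example; the PANs are the publicly known test numbers 4111111111111111 and 5555555555554444, not real cards.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Track 2 layout (ISO/IEC 7813): PAN, '=' separator, YYMM expiry, 3-digit service
# code, then discretionary data. Memory-scraping malware often captures it without
# the ';' and '?' sentinels, so neither is required by this pattern.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2Hit:
    masked_pan: str
    expiry: str          # YYMM
    service_code: str
    chip_capable: bool   # service code 2xx or 6xx: issuer says an IC (chip) is present


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule); never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: str) -> List[Track2Hit]:
    """Return every Luhn-valid Track 2 record found in a text blob."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan, expiry, service_code, _discretionary = m.groups()
        if not luhn_ok(pan):
            continue
        hits.append(Track2Hit(mask_pan(pan), expiry, service_code, service_code[0] in "26"))
    return hits


# Constructed sample of outbound request lines as a proxy might log them for a POS host.
SAMPLE_OUTBOUND = [
    "POST /api/heartbeat store=0412 ts=1418203311",                # benign telemetry
    "POST /upload data=;4111111111111111=25121011234567890?",     # magstripe-only card (service code 1xx)
    "POST /upload data=;5555555555554444=26072010000000000?",     # chip card (service code 2xx)
    "POST /upload data=;1234567890123456=25121010000000000?",     # Luhn-invalid decoy, must not alert
]


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, Track2Hit]]:
    """Pair each hit with the index of the line it was found on."""
    return [(i, hit) for i, line in enumerate(lines) for hit in find_track2(line)]


if __name__ == "__main__":
    for lineno, hit in scan_lines(SAMPLE_OUTBOUND):
        kind = "chip-capable" if hit.chip_capable else "magstripe-only"
        print(f"line {lineno}: track 2 data for {hit.masked_pan} exp {hit.expiry} ({kind})")
```

This only catches cleartext track data; real exfiltration is usually compressed or encrypted, so the allowlist on outbound connections is the primary control and a pattern match like this is a secondary tripwire for sloppy tooling and for testing your own monitoring.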
This is a very interesting piece of research by the Ponemon Institute on behalf of the security vendor Sophos. A summary of the study is below.
Cyber security is often not a priority
- 58% of respondents say that management does not see cyber-attacks as a significant risk
- 44% say a strong security posture is not a priority.
- Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
- While an organization’s IT leaders often rely on the need to comply with regulations to make their case for IT security funding, 51% of respondents say compliance does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.
Senior management rarely makes decisions about IT security
Who is responsible for determining IT security priorities?
- CIO: 32%
- No one: 31%
Lack of in-house expertise hinders the achievement of a strong security posture
- Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.
Security threats and attacks experienced
“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months:
- 42% of respondents say they were
- 33% (one third of respondents) are unsure whether an attack occurred
- Of the 42% who say an attack occurred, the most likely causes were phishing and social engineering, denial of service and botnets, and advanced malware/zero-day attacks.
Data breach incidents are known with greater certainty
More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months although 16% say they are unsure.
More than half of respondents say their organization has had a data breach
- 51% cite a third-party mistake or a negligent employee or contractor as the cause
- 44% cannot identify the root cause.
Most organizations say cyber-attacks are increasing or there is no change
- 76% of respondents say their organizations face more cyber-attacks than before, or at least the same number
- 18% are unable to determine
Most organizations see cyber-attacks as becoming more sophisticated
- 56% say cyber-attacks are more sophisticated
- 45% say they are becoming more severe
- 28% of respondents are uncertain if their organizations are being targeted
- 25% are unsure if the attacks are more sophisticated
- 23% do not know if these attacks are becoming more severe.
The research reveals there is often confusion as to what best describes advanced persistent threats (APT). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent low profile targeted attacks but the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to what dedicated technologies are necessary for preventing them.
Disruptive technology trends
The cloud is important to business operations
- 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
- 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
- On average, 39% of an organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services
The use of cloud applications and IT infrastructure is not believed to reduce security
- 45% of respondents say the cloud has no effect on security posture
- 12% say it actually diminishes security posture
- 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected
The use of mobile devices to access business-critical applications will increase
- 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
- 69% of respondents expect this usage to increase over the next 12 months.
While respondents do not seem to be worried about cloud security, mobile device security is a concern.
- 50% of respondents say such use diminishes an organization’s security posture
- 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.
BYOD also affects the security posture
- 26% of mobile devices owned by employees are used to access business-critical applications.
- 70% of respondents either expect their use to increase or stay the same
- 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD
BYOD is a concern for respondents
- 32% say there is no effect on security posture
- 45% of respondents believe BYOD diminishes an organization’s security effectiveness.
Effectiveness of security technologies
The majority of respondents have faith in their security technologies
- 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber attacks
- 23% are unsure
Big data analytics and web application firewalls are technologies growing in demand
Today, the top three technologies in use are:
- client firewalls
- endpoint management
They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These are followed by endpoint management (19% increase), anti-virus and next-generation firewalls (both 15% increase), and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say they use IDS and SIEM technologies decreases slightly (by 6%) over the next three years.
The cost impact of disruptions and damages to IT assets and infrastructure
Damage to or theft of IT assets and infrastructure is costly. The study measures two cost categories:
- the cost of damage to or theft of IT assets and infrastructure
- the cost of disruption to normal operations
The estimated cost of disruption exceeds the cost of damage to or theft of IT assets and infrastructure. Using an extrapolation, the study computes an average cost of $670,914 relating to incidents affecting IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197.
The uncertainty security index
The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:
- Did their organization have a cyber-attack during the past year?
- Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
- Are the root causes of these data breaches known?
- Are the cyber-attacks against their organization increasing or decreasing?
- Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
- Do they understand the nature of advanced persistent threats (APTs)?
- Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
- Is the use of cloud applications and/or IT infrastructure services increasing and does it affect the security posture
Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).
U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.
Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.
An organization’s leadership team has the most uncertainty. This finding indicates why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position the more removed the individual could be in understanding the organization’s risk and strategy.
Retailing, education & research and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.
For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure. Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.
The most valuable technical information was presented during the ‘Assessors Only’ session on Tuesday afternoon. The SSC covered the upcoming changes to the PCI DSS and PA-DSS standards. There was an open Q&A session with excellent insight on the industry’s concerns and the SSC’s intent with many of the proposed changes. Some of the key announcements and observations were:
ASV Changes – A lot of information was presented about upcoming changes to the Approved Scanning Vendor (ASV) baseline (a revision that is currently in progress). The SSC has created a task group to deal with the issue of “scan interference” and to communicate clear expectations to the rest of the industry. A number of hints were dropped that web-based vulnerabilities will play a bigger role in ASV scans (and the revised baseline) going forward.
PCI DSS 3.0 – Business as Usual – The SSC clarified that this new section within the 3.0 standard requires no assessor validation or documentation. It is merely a section on implementation best practices for continuous PCI DSS compliance.
PCI DSS 3.0 – Template Changes – New to the 3.0 release, the SSC has created a reporting template that they would like all QSA organizations to use. The reporting instructions had previously been outlined in a separate document. They are now included within the standard itself.
PCI DSS 3.0 – Scope – The SSC made some significant clarifications of its intent around the PCI DSS scope of validation. These clarifications were covered again during the assessor and general sessions. Most importantly: systems that affect the security of the cardholder data environment should be considered in scope for the assessment. During one of the Open Forum sessions we asked if this would include A/V servers, patching servers, DNS systems, etc., and the SSC confirmed yes. It’s important to note that they indicated this will include the originating web servers for e-commerce outsourcing solutions.
PCI DSS 3.0 – Phase-in Requirements – Several new requirements will be considered best practice only until June 2015, after which they become mandatory. It’s important to review and analyze these new requirements now to prepare your organization for the upcoming impact on your compliance efforts. Our favorite is the change to the penetration testing requirements:
Penetration testing must now validate segmentation technologies, i.e. confirm that the controls used to isolate the cardholder data environment actually prevent access from out-of-scope networks.
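To show what validating segmentation looks like in practice, here is an added example; it is not code from the PCI SSC, from Coalfire, or from the original post. It runs from a vantage point on an out-of-scope network segment and attempts TCP connections to services that should live only inside the cardholder data environment. Any CDE service that answers is a segmentation failure. It also probes a positive control that the out-of-scope segment is expected to reach, so a broken probe (wrong VLAN, host firewall blocking everything) is reported as inconclusive rather than as a pass. The addresses are RFC 5737 documentation addresses chosen for this example; a real test also covers UDP and ICMP, every port range, and every out-of-scope segment, not just one.

```python
import socket
from typing import Callable, Dict, Iterable, List, Tuple

Target = Tuple[str, int]
Probe = Callable[[str, int], bool]

# Hypothetical CDE services (documentation addresses) that an out-of-scope
# segment must NOT be able to reach if segmentation is effective.
CDE_TARGETS: List[Target] = [
    ("192.0.2.10", 443),    # payment application front end
    ("192.0.2.10", 3389),   # RDP to a CDE jump host
    ("192.0.2.11", 1433),   # cardholder database
]
# Positive control: a service the out-of-scope segment IS expected to reach.
CONTROL_TARGET: Target = ("198.51.100.5", 80)


def tcp_connect_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:        # refused, filtered (timeout), unreachable, resolution failure
        return False


def validate_segmentation(cde_targets: Iterable[Target], control: Target,
                          probe: Probe = tcp_connect_probe) -> Dict[str, object]:
    """Run the check from the current (out-of-scope) network position.

    Returns {"status": ..., "reachable": [...]} where status is
      "inconclusive" - the control was unreachable, so the probe itself is suspect;
      "fail"         - one or more CDE services answered;
      "pass"         - no tested CDE service answered.
    """
    if not probe(*control):
        return {"status": "inconclusive", "reachable": []}
    reachable = [t for t in cde_targets if probe(*t)]
    return {"status": "fail" if reachable else "pass", "reachable": reachable}


def render_report(verdict: Dict[str, object]) -> str:
    lines = [f"segmentation check: {str(verdict['status']).upper()}"]
    for host, port in verdict["reachable"]:          # type: ignore[union-attr]
        lines.append(f"  reachable from out-of-scope segment: {host}:{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(validate_segmentation(CDE_TARGETS, CONTROL_TARGET)))
```

The probe is injectable so the verdict logic can be exercised without a network; in an engagement the same structure lets you swap in a faster scanner as the probe while keeping the positive-control rule, which is the part most segmentation tests forget.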
Avoid the Silver Bullet – We heard this phrase a lot during the SSC presentations and informal discussions with the card brands. The SSC wants to dispel the myth that so many merchants seem to be falling prey to. There is no such thing as a “Silver Bullet” solution that eliminates all PCI DSS scope and responsibility.
PA-DSS Template Changes – There was very little content presented on the upcoming changes to the PA-DSS. We met several key SSC representatives who will allow us to provide direct feedback about the draft standard. Coalfire has concerns and questions on two major areas in the new draft that we will seek to clarify in the near future:
- Hashing requirements for passwords
- SDLC guidelines
PCI SSC Tokenization Standards – It seems surreal, but the SSC plans to release four tokenization standards in 2014. These standards will cover hashing strength and other considerations for using tokenization technologies to reduce scope. These are not to be confused with the “Tokenization” guidelines recently announced by some card brands.
The original post by Matt Getzelman, PCI Practice Director, can be found here.