9 biggest information security threats through 2019

Each year, the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues, releases its 'Threat Horizon' report to provide a forward-looking view of the biggest security threats over a two-year period. Here are the top nine threats to watch for through 2019.

1 2 Page 2
Page 2 of 2
  • Take steps to validate and maintain the integrity of key databases.
  • Incorporate scenarios of compromised information integrity into business risk assessments; involve appropriate stakeholders across the organization gauge business impact.
  • Collaborate with peers to share intelligence about attacks on information integrity.
  • Consult with legal professionals before making public any information that provides factual evidence to counter false claims.
  • Monitor access and changes made to sensitive information using tools like Federated Identity and Access Management (FIAM) systems and Content Management Systems (CMS).

Subverted blockchains shatter trust

Many organizations are exploring blockchain technology because it promises to ensure the integrity of transactions without the need for a trusted third party at the center of the exchange.

In an article for Harvard Business Review last year, Don Tapscott and son Alex Tapscott, authors of Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, And the World, argued, "our two-year research project, involving hundreds of interviews with blockchain experts, provides strong evidence that the blockchain could transform business, government, and society in perhaps even more profound ways."

The Tapscotts suggest 65 percent of top global banks will have large-scale blockchain implementations in place by 2019.

But Durbin notes that like any technology, blockchains will be vulnerable to compromise. Potential vulnerabilities include weak encryption, hashing and key management; poorly written programs; incorrect permissions; and inadequate business rules. In the event a blockchain is compromised, ISF says customer, senior management and user trust in the affected process will be shattered, and will require substantial effort to rebuild.

A compromised blockchain could lead to unauthorized transactions or data breaches, diversion of funds, fraud and even validating fraudulent transactions.

To avoid that fate, Durbin says attention must be paid to building information security into the design, build, implementation and operational phases of blockchain-based applications. Close collaboration will be required between business managers, developers and information security professionals.

The ISF recommends you do the following:

  • Appoint a sponsor or steering committee to consult widely and take decisions concerning the adoption and use of blockchains throughout your organization.
  • Train employees on how to use blockchains securely, and to detect suspicious activity.
  • Assess the security controls of external parties using blockchains (e.g., audit the strength of their security controls, such as cryptographic key management and access control measures).
  • Engage with industry forums and experts to contribute to the development of good practice guidelines and standards for secure implementation.
  • Consult legal to understand the contractual implications of using a blockchain.
  • Demand that information security requirements are incorporated during the design, implementation and operation of a blockchain-based application.
  • Consider the implications of decentralized blockchain systems on existing governance and change management processes

Theme 3: Deterioration when controls are eroded by regulations and technology

Over the next two years, the ISF believes that rapid advances in intelligent technologies and the conflicting demands posed by heightened national security and individual privacy will erode organizations' ability to control their own information.

New surveillance laws intended to improve national security will require communications providers to bulk-collect data that could reveal corporate secrets, Durbin says. Organizations won't be able to define the security arrangements around these data reservoirs, and they could become attractive targets for attackers who have the knowledge and capability to extract and exploit the data stored in them.

At the same time, Durbin says, new data privacy regulations like the European Union's General Data Protection Regulation (GDPR) will make it more difficult for organizations subject to them to monitor the behavior of insiders. The GDPR requires that organizations be transparent about their use of tools to monitor user behavior, which Durbin says will give malicious insiders exactly the information needed to bypass such controls.

Meanwhile, technological innovation will continue to outpace regulations. Durbin says increasingly mature AI in automated systems will start to make independent decisions that will contradict defined business rules, disrupt operations and create new security vulnerabilities.

While many of these factors will be out of the direct control of your organization, Durbin says business and security leaders can prepare for these threats through considered risk assessments, open and honest negotiations with communications providers, taking legal counsel to understand the effects of new regulations and building a workforce ready for the adoption of advanced technology.

Surveillance laws expose corporate secrets

Some governments have already begun creating surveillance legislation that requires communications providers to collect and store data related to electronic and voice communications. The ISF anticipates that the trend will continue over the next two years.

The intention of such legislation may be to identify and monitor terrorists and other such groups, but the data collection will necessarily sweep up a great deal more information, including sensitive data from organizations.

The ISF notes motivated attackers will quickly recognize the value of this data, know where it is and how to get it, and have the capability to analyze, interpret and exploit it. Such information could reveal things like plans for mergers and acquisitions, IP under development and details of new products in the pipeline.

The ISF argues that five factors will combine to make it a question of when, not if, data stolen from a communications provider will expose secrets:

  1. No organization will be able to avoid the collection of their data; it will be a legal requirement.
  2. The data is likely to be stored in multiple locations by multiple external parties — each applying different levels of security.
  3. The increasing volume and impact of data breaches across the globe suggests the data won't be adequately protected.
  4. Attackers seeking to exploit the data are likely to be better funded and more motivated than the people responsible for protecting it.
  5. The potential value from analyses of the data will make it an obvious target for well-resourced, highly skilled and determined attackers, including organized criminal groups, competitors, terrorist groups and nation states.

To protect your organization, ISF recommends you take these actions:

  • Obtain advice on the metadata that communications providers must legally store, in every jurisdiction in which you operate.
  • Collaborate across your organization and conduct a risk assessment to understand the impact of metadata lost by a communications provider.
  • Engage with communications providers to agree to responsibilities and set minimum requirements for the secure storage of metadata.
  • Establish if, how and when communications providers will notify you of a breach and work together to minimize impact.

Privacy regulations impede the monitoring of insider threats

According to a study released by McAfee in 2015, 43 percent of data breaches in that year were caused by insiders: users, managers, IT professionals and contractors. It should come as no surprise, then, that User Behavior Analytics (UBA) tools, which flag anomalous user behavior, have become increasingly popular: a 2016 report by MarketsAndMarkets Research predicted sales of UBA tools would increase nearly 600 percent from $131.7 million in 2016 to $908.3 million by 2021.

But the ISF says new privacy regulations like the GDPR, South Korea's Personal Information Protection Act (PIPA), Hong Kong's Personal Data (Privacy) Ordinance and Singapore's Personal Data Protection Act, have the potential to constrain the use of such tools. They stipulate that an employers' use of such tools must be controlled and transparent to the user. Under GDPR, for instance, all profiling of employees is forbidden unless the employee is informed of the logic underpinning the process. While Durbin notes that transparency and creating a culture of trust is good, these regulations will position malicious insiders to circumvent UBA.

To address the insider threat and the implications of new regulations, the ISF recommends you do the following:

  • Take legal advice on restrictions regarding user profiling in every jurisdiction in which your organization operates.
  • Establish a rigorous program (tied to the disciplinary process) that is transparent about any employee monitoring activity.
  • Make employees aware of insider risk and train them to identify suspicious behavior.
  • Undertake more regular and stringent audits of access privileges for insiders, assuring appropriate role-based access.

A headlong rush to deploy AI leads to unexpected outcomes

AI systems represent a major innovation in terms of automation. The ability to learn independently will allow them automate increasingly complex and non-repetitive tasks in areas ranging from manufacturing to marketing and consulting. But Durbin notes that while AI are no longer in their infancy, they're only likely to reach adolescence in the next two to three years. And that makes them prone to errors: learning from wrong or incomplete information can lead to inaccurate conclusions, for instance.

When leveraged in environments where outcomes can affect an organization's reputation or performance, AI could function unpredictably. Examples include the following:

  • Vulnerability introduction. An AI system could initiate a new relationship with customers or suppliers and connect to an insecure external network.
  • Misinterpretation of commands. A smart assistant could pick up the wrong conversation or misunderstand instructions, leading it to process incorrect orders.

To protect your organization against this threat, the ISF recommends you take these three steps:

  • Collaborate across the organization to establish which areas will benefit from deployment of AI, and when
  • Recruit, develop and retain talent with the skills to understand and manage AI systems
  • Collaborate with industry peers and academic bodies to develop best practice for deploying AI systems
  • Update governance structures to manage AI effectively (e.g., incorporate security in design, provide oversight of decisions taken by the AI system, ensure the system can be manually shut down if a serious incident occurs)

This story, "9 biggest information security threats through 2019" was originally published by CIO.

Copyright © 2017 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful companies in enterprise networking 2022