Remember Anna Kournikova? Come with us on a tour of bug-squishing history

We'll also take a look at the more pernicious malware

No target too small

In this chaotic landscape, almost any business is a target. “I see the current environments of threats as more full on than before,” says Paul Dorey, director at security consultancy CSO Confidential and visiting professor at Royal Holloway, University of London.

“We have always seen attacks on the big targets like governments and banks, but now the whole supply chain is attacked to find the weakest link into corporate and personal data, no matter where it is held.

“Nobody is too small to be below the radar if they hold data worth stealing or manipulating.”

And more is to come. “It is not going to get any better soon – especially as there is much more money in selling security products than there is in training people in common sense,” says Schifreen.

The malware of the future is likely to be more destructive, while mobile threats will become more pernicious than the premium-rate SMS Trojans that make up most of the problem so far, says Jason Steer, director of technology strategy at security company FireEye.

“The Dark Seoul attack [which wiped systems at South Korean banks and TV stations] last year has really opened people’s eyes to more destructive attacks coming along. We did see a recent Zeus kit that had a wipe feature, so even crimeware that is prolific is getting this destructive capability now,” Steer says.

“Destructive is going to happen more as legislation comes in to report events. Hackers don't want to get caught so they will burn more to avoid prison,” Steer says.

“Mobile is going to become more sophisticated. It is still immature and will only improve. The bad stuff is focused on monetising but expect to see more in the espionage and surveillance field to get bigger.”

The biggest test of security chiefs’ abilities, however, will come with the rise of the Internet of Things (IoT). As embedded devices spread, operating on an automated basis and with limited security functionality, previously unconnected machines will become targets, whether they are printers or TVs.

IoT will not only expand businesses’ attack surface, it will also lead to greater complexity, meaning various controls will need to be applied to ensure trust is embedded in the machines, says Dave Raggett from the World Wide Web Consortium.

“Trust has to be earned. Services will need to provide clear privacy policies and to underpin that with strong security, both proactive and retroactive,” he says.

“Proactive security involves encryption, authentication, access control and approaches for handling privacy and provenance. Retroactive measures include monitoring for abnormal behaviour, defence in depth and mechanisms for limiting the effects of attacks.”

Dark cloud in view

IoT is also expected to change the nature of corporate security teams. Analyst firm Gartner has gone so far as to claim IoT security requirements “will reshape and expand over half of all global enterprise IT security programmes by 2020”.

It will bring about increased use of contractors and cloud providers, while businesses will seek to foster different skillsets, according to Earl Perkins, research vice-president at Gartner.

“During the early years of the IoT, skills for securing this environment will be scarce and will force many security officers to use contractor services while building expertise internally,” he says.

“Traditional security will go to hosted and cloud-based services to make way for the security teams to focus on this initial IoT security surge. Most IoT services will be heavily data-centric, so expect a surge in cloud-based data analytics to augment security-staff capabilities.

“Security teams will become more proficient in embedded software and systems, machine-to-machine communications and key management, to name a few new skills. Threat detection and response, vulnerability management, identity management and data protection – all will expand to include these new platforms and networks at scale.”

Call the experts

Many are already looking to outside help to assist with the growing pressures. Managed security services providers (MSSPs) are becoming increasingly attractive, as are pentesters helping to uncover holes in infrastructure.

In a survey of 833 security professionals, vendor Trustwave found 36 per cent already use MSSPs and 46 per cent plan to do so in the future.

Not that services providers can always be trusted, however. “There is a lack of maturity in that market as well,” says Dorey.

“Better standards of certification of security services and individuals, such as Institute of Information Security Professionals accreditation, is essential to help the less sophisticated buyer. Most companies will aim for a blended capability of internal and external security expertise.”

With the number of threats becoming unmanageable and traditional perimeter defences failing to repel new ones, the shift to increased use of MSSPs and cloud-based security is already in full swing, according to Honan.

Even the likes of the NHS have lumped money into the cloud, as seen in the health service’s deal with Zscaler to detect threats.

But providers are being trusted only with the most boring parts of security, as security officers look to involve themselves in strategy rather than getting bogged down in rudimentary technical tasks, according to Honan.

“I see companies looking to outsource a lot of their mundane and time-consuming tasks to third parties to enable their own experts to focus on the threats to their business,” he says.

“Risk management and other strategic tasks should remain in-house. It is too vital to the business to outsource such functions to a third party.”

Some are reluctant to give up any control whatsoever, especially since Edward Snowden’s revelations regarding NSA and GCHQ access to companies’ information.

“Anything security-related is best kept in house. Period,” says Schifreen. “Ask Snowden if you don't believe me.” ®
