Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

Mark Weatherford

Mark Weatherford's Observations as a CISO of a Large Organization

Mark Weatherford, CISO, State of California, weighs in with, "one of my personal challenges when preparing for a panel like this is to try and avoid sounding like “Chicken Little.” Because we (as security professionals) know and are privy to much more information about cyber threats than your typical citizen, I personally have an unfortunate tendency to lay on the FUD. Of course, it all depends upon the audience because speaking to a group of our peers is different than speaking to a group of the general public. I suppose off the top of my head I would say that the growing use of Smart Phones and mobile computing in the context of Teleworkers and remote workers are threats that I see growing.

However, and these may not be emerging threats in the context you are asking about, here are a few of the big picture things that I’m worrying about these days as the CISO of a (very) large organization:

1. The continuous discovery of bad code in software applications. “Patch Tuesday” and the daily list of data breaches is a constant reminder that even in 2010, the software industry has not completely incorporated security into the Software Development Life-Cycle. Not only is this a headache we have to deal with regularly with patch management and systems updates, it creates very real risks to the critical infrastructure of the United States. The McAfee Dat file issue of last week is an example of this on a different level, when we have trusted-vendor-inflicted pain and realize that even those we depend upon to help keep us safe can actually put us at risk. Much of the conversation around bad code has centered around two things:

a. We must train our developers better.
b. We must hold software vendors accountable for flaws in their code.

2. There continues to be confusion in many organizations about the difference between Security and Privacy. We understand that: Privacy is about the ability to decide what information about you goes where, while Security is about the controls to be confident that those privacy decisions are respected. More specifically (and I don’t remember the source of this):

a. Security is a process, privacy is a consequence
b. Security is action, privacy is a result of successful action
c. Security is the strategy, privacy is the outcome
d. Security is the sealed envelope, privacy is the successful delivery of the message inside the envelope

With the explosion of social media and social networking, many people simply don’t seem to care about their privacy or any associated security risks. There was a report yesterday. Here’s an interesting thought from an article titled “Toeing the line between privacy and social media”:

“As the social media director for a privacy organization the conflict between the seemingly opposing worlds of oversharing and being social can aptly be described as Buzz vs. Buzzkill” http://blogs.zdnet.com/feeds/?p=2663&page=2

Then there are these two conflicting articles about how people care and don’t care about privacy:
“Ok You Luddites, Time To Chill Out On Facebook Over Privacy” - http://techcrunch.com/2010/01/12/ok-you-luddites-time-to-chill-on-facebook-over-privacy/#ixzz0mKBPFbNj

and this “Study: Young people concerned about privacy” http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/15/BUTM1CVCCA.DTL

and Bruce Schneier talks about it here: http://www.schneier.com/blog/archives/2010/04/young_people_pr.html

So we have to ask, have we reached the point that Scott McNealy infamously pointed out in 1999 - "You have zero privacy anyway, get over it."?

3. The regulatory compliance environment has spawned a number of information security sub-sectors and, fortunately or unfortunately depending upon which side of the fence you live on, it seems to be one of the more robust growth areas in today’s dismal economic environment. From a resource perspective, such as requiring additional skilled security professionals, new security tools, and general funding requirements, CISOs face incredible obstacles in meeting compliance requirements. Does that constitute a security threat? Perhaps not in the usual sense, but it’s a threat to me because it creates significant challenges and costs a lot of money. Of course, I suppose we’ve brought it upon ourselves to a certain degree because unless there’s some economic incentive, businesses simply don’t spend money, even on important things like security.

4. Given the current economic situation in public and private sector organizations, where CEOs, CFOs, and government organizations are trying to squeeze every penny out of the budget, Cloud computing is the topic du jour, and while the economic incentives for organizations to move in that direction are compelling, security concerns remain. Never mind that we’ve actually been doing it for years; it is now the nirvana for efficiency and saving money, and many people are throwing caution to the wind without taking an appropriate risk management approach.

5. Smart Meter technology promises efficiencies to both the consumer and the companies delivering electricity. The concern is that smart meters must be able to reliably and securely communicate the information they collect back to some central location. Smart grid technology is much like the Internet in that it has two layers: infrastructure and applications. Not to downplay the impact of the infrastructure layer, which includes advanced hardware for transmission and distribution and new infrastructure for metering, but applications running over this infrastructure are the real key to leveraging the technology and increasing energy productivity. Here’s the problem in my mind: TCP/IP technology appears to be the common communication platform for Smart Meter applications and Advanced Meter Infrastructure (AMI). Given that TCP/IP is the root of many of the security problems we deal with daily, what makes us think that the Smart Meter and AMI manufacturers have addressed the inherent vulnerabilities of TCP/IP to meet the “Availability” issue of delivering electricity?

6. Success in our global economy depends more and more on intellectual property (IP) assets, and IP-based businesses and entrepreneurs drive more economic growth in the United States than any other single sector. Industry estimates of the cost of IP theft range from $250 billion to 750,000 jobs per year, and these threats to ongoing invention and innovation make it important to consider securing IP protection, whether you're a major firm or a start-up. The aggregate economic and overall security costs on a nationwide scale are impossible to quantify, but I was talking to a colleague a couple of weeks ago who had been in discussions with the US Patent and Trade Office, and the theft of Intellectual Property is one of their greatest concerns. I just wonder about the consequences for government and the security of our national infrastructure, not to mention the ability of the private sector to compete globally.