The following article was originally published in the Information Security section of the BCS ITNow Magazine, Spring 2012 issue (Volume 54, Issue 1), which was on the topic of Upcoming Threats and Countermeasures:
“Gareth Niblett, Chairman of the BCS Information Security Specialist Group, takes a glimpse into the future* to see what emerging threats we might have to contend with.
Cloud computing offers many benefits over the traditional approach of owning, growing and maintaining a network of computers. It also brings complications and risks related to multi-tenancy hosting, off-shoring, consolidation and jurisdiction.
With such growth in this area, attackers are likely to increase their targeting of both cloud-based services and their underlying platforms, as well as leverage their scalable processing power, e.g. to break encryption.
Extraterritorial application of laws, such as the US PATRIOT Act can undermine, for example, even EU data protection rules and trust if a cloud provider is in scope.
The scale of compromises may be massive when they do occur and the scope for forensic examination of complex platforms is severely restricted by contracts, accessibility, capability and jurisdiction; thereby hampering investigations and prosecutions.
Those putting their, and their customer’s data, on cloud services should ensure that they are able to meet their legal, regulatory and contractual obligations to all parties in contracting, operation, incident response and migration.
Ghosts in the wires
So-called advanced persistent threats (APT), or continued state of ignorance (CSI), will continue. These are large-scale compromises, over a long period of time, possibly state-sponsored or condoned, aimed at extracting commercially or personally sensitive information from the targets.
They will reconnoitre, infiltrate, establish a beachhead and back doors, conduct whatever espionage they have in mind and then exfiltrate data. Social engineering / blagging, spoofing, spearphishing, blackmail/bribery, infiltration, break-ins, dumpster diving, bugging, hacking etc. can all be part of the repertoire.
If even journalists can find out information from phones and computers of celebrities, police and politicians, what do you think your chances are against a suitably motivated, technically capable and well-funded attacker?
Use of targeted attacks and malware will grow, sometimes deniable and sometimes for publicity. Stuxnet and Duqu may have been the tip of an iceberg and based on flexible attack toolkits that can be tailored for specific targets and carry specialist payloads, e.g. for espionage or disruption.
Hacktivism, where a specific message is aimed at the target group and often the intent is as much to embarrass and drive home the message as to compromise systems or information, is also gaining traction.
Not forgetting mass attacks, using vulnerabilities that affects popular software and affects many organisations; this is low hanging fruit for an attacker.
Simply keeping patches up-to-date is clearly insufficient to counter this threat, as recent attacks have used multiple zero-day (0-day) vulnerabilities. If you are running a system that holds customers’ personal and financial data, encryption needs to be both utilised and effective.
The adage of defence in depth should be de rigueur, as competent attackers will come quietly, with patience and persistence.
Your organisation needs the right personnel, policies, technology and procedures to detect, repel, contain and respond, in short order, to minimise downtime, data losses, embarrassment and costs when it does occur.
Excuses for filtering and blocking will carrying on growing, adding to the regime of ineffectual prevention of web access to material related to child sexual abuse, terrorism, religious and racial hatred, sedition, defamation and libel as well as blocking offshore services providing online gambling, copyright infringement and sale of controlled or duty-paid goods, such as drugs, alcohol and tobacco.
Laws and agreements with unintended consequences are the result of addressing the symptoms rather than root causes, i.e. sources – SOPA, PIPA, HADOPI, ACTA, as well as court orders requiring ISPs to block.
Breaking DNS, for example, to render websites inaccessible, undermines the security of the internet and fails in the face of technical competence. Only by removing content or services can they be truly blocked.
International rules should recognise the cross-border nature of the internet and understand that local laws might not work well in an environment that doesn’t have physical borders.
We need better agreements, cooperation and action in tackling harmful and illegal online content and services; those in child safety have had great success in taking down content, services and rescuing those being harmed with international cooperation and assistance from ISPs and others.
Lawmakers should be encouraged not to legislate in areas they don’t understand, especially when based on one-sided arguments put to them by lobbyists. The issue will remain difficult to resolve while there is a disparity in legal and moral positions between countries.
The military has traditionally favoured growth and the adoption of new technologies; a bigger empire with more weapons. ‘Cyber’ is no different. The main difference is the unresolved issue of attribution as plausible deniability is much easier in a cyber context.
An attacker’s computers don’t need to mass at a border, nor are they marked so that independent observers can identify them; indeed compromised systems may be used to further obfuscate things.
Cyber arsenals are being built up, not only by the usual suspects of US, UK, Russia and China, but by Israel, Japan and smaller countries.
Cyber warfare capability is a force multiplier and provides the potential for asymmetric warfare. Israel and others have said that they will treat a cyber attacker in the same way as a physical attack and may respond kinetically, rather than simply in kind. Bits vs bombs, if you will.
Rules of cyber conflict, broadly similar to traditional rules, are starting to emerge. This needs to continue and ensure that some of the trickier questions are answered.
The false zero sum game of security vs. privacy will continue to play out, with the enforced information sharing of personal and financial data, in the name of protecting life and liberty.
As everyone is a suspect, who needs to be monitored to ensure compliance, we need a panopticon for all communications – so say an increasing number of governments, trying to suck up everything to find needles.
Without transparency, oversight and being made to justify and temper ambitions, governments, law enforcement and intelligence agencies will continue to take liberties with our privacy, and abuses will stay hidden, unless citizens take a stand.
Trap and trade
Where miscreants are identified, we will see increased use of mutual legal assistance, international arrest warrants and extradition even where the suspect may not have committed an offence in the jurisdiction where they are sought from.
Nationals that would not be extradited by their home country will be tricked into, or tracked, travelling to more co-operative countries where they are then seized.
This will not just be for criminal hackers and fraudsters but also whistleblowers, copyright infringers and online gambling site operators etc.
International rules in this area should be equitable and extradition requests should be based on the same level of evidence required for a prosecution in the country holding the subject in question; preferably for a crime recognised there also.
Writers will continue to conflate and confuse denial of service with hacking and downloading with sharing.
The fear mongers will repeat long in the tooth scare stories about terrorist hackers taking down all the technology and services we take for granted.
There will often be seeds of truth and fact behind the dark sinister tales, but should not be taken as gospel without supporting evidence.
UK citizens will fail to realise the benefits of a robust service-focussed digital identity, due to past government mistakes on the national ID card, whereas, in the US, NSTIC may create a two-tier internet in relation to online identity.
ID cards and online identities need not be bad things, provided the intentions of those providing them can be trusted and the necessary checks and balances are in place and used.
Problems arise when your information is gathered without clear informed consent, analysed, sold and used ‘against’ you. Users can gorge on cookies, becoming the product that is marketed to advertisers, whilst adding increasing amounts of personal detail and value to their social profiles.
Use of social logins and sharing will exacerbate this. ‘Do not track’ will fail to gain significant traction, due to technical reasons and user adoption, as have other web privacy and security standards.
What can be done? Well, I don’t think people are going to suddenly stop using Google, Facebook, Twitter and LinkedIn, but the new EU Data Protection reforms may well finally make non-EU entities play fair with data belonging to EU citizens.
People share passwords between accounts. It is human nature, especially when long and complex passwords are required.
The brain can only cope with so much, and there’s only so much space for Post-Its. If you register with any online service you need to be mindful that many attacks have exposed client information (including personal details, passwords and credit cards).
This can lead to further compromises, especially when an email address is used as the user ID and the password is reused.
Use a password manager. Long, Unique, Complex and Kept safe – you make your own LUCK. Password reminders and resets are often sent to your registered email account.
Never use your email password with another online service; otherwise you may be gifting an attacker with another route in. If you have control of your own domain name(s) and email accounts, you have the option of using a different email address for each online service.
Combined with unique logins, this would mean that a single compromise doesn’t undermine all your accounts.
*Risk can increase as well as decrease. Past security performance does not guarantee future success. We suggest you seek advice from a qualified security advisor etc.“