A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff you can’t write about, for obvious reasons.) What do you do? Continue to rehash the old stuff? Sometimes! Which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could almost have just pulled out our “Emerging Threats” presentation (circa 2002) and done it word for word, with only a few very minor wording and definition changes, e.g. “Cloud”, “APT” etc. :)

Should we be calling these presentations “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them) emerged a long time ago. In many cases we just call them different things now because we failed to deal with them properly at the time, so it’s easier to rename something – it makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



  1. I don’t think you’re being unfair.

    This rings some bells from Curphey’s last post, “Farewell Security Buddha – Hello Curphey 2.0”. Nothing really changes, it’s just people that change, and mostly things go round and round. Insource/outsource, thick client/thin client, server logic/client logic.

    But you know what it’s like. It’s the “machine”, we’re all cogs in it, it wants to keep on turning, and ’sides, I get to go to work and have fun n stuff you know. :P I mean that’s what counts right? Having fun, watching AC/DC or just drinking some beers.

  2. Christian,

    Thanks for the post referral:
    http://securitybuddha.com/2010/03/05/farewell-security-buddha-hello-curphey-2-0/

    Reminds me of my first ever post in Beast or Buddha:
    http://beastorbuddha.com/2006/11/27/lip-service-only/

    Interestingly, it hasn’t dated either. I think I’ve gone on and spent the rest of the years in posts here trying to out all that I see is wrong, all the FUD and other BS in our industry and those things that impact it. Has it helped?

    As I’ve said before, if I’ve been able to change for the better just *one* person or thing….well……that would be a pretty poor result. :)

    You need the “fun”….it’d drive any passionate person to despair otherwise. :) With you.

    DD

    PS. That CIO I mentioned (who was never a client of this business, SG or SA) is still there I believe. You hear things about his organisation today and you just shake your head!

  3. Michael Baker (@cloudjunky) says:

    Hey Drazen (been awhile),

    I agree with your point around security threats remaining the same. However I still think there are ‘emerging threats’ in the sense of how these play out in reality.

    I am sure you have ‘Mobile’ on your slide-deck, but rewind just 3 years and you don’t have the kind of platform available to exploit. The technology has changed and also the threat has increased. It’s a fertile area that will grow the more these devices are connected to the internet – and that is approaching a permanent connection. They are pretty much PCs now and you have Windows/BSD and Linux sitting there. How many developers do you think have applied secure code techniques to applications submitted to the App Store? Is Objective-C able to be exploited by buffer overruns? We know the answer, right – same exploit, important new application of it in reality.

    Another emerging threat is similar to what we might have experienced 3 years ago and that is apathy. A variation of this is lip-service or questioning the need for security. One scary new threat is employees asking for direct access to the internet (open firewall/no proxy) and also asking prospective employees whether they filter internet connections? You won’t believe me but it’s true. Companies need talent, today’s talent isn’t keen to work in an environment that restricts their digital lifestyle. This leads to a scary compromise. Don’t want to compromise? – Lose talent.

    So maybe not emerging threats but emerging trends? Either way, the world today is 100 times more dangerous than it was 3 years ago. There are more people playing for keeps. Serious, targeted, UFC-style hacker dudes.

    Lastly look at where security professionals are getting the average organisation? What have they delivered? How have they mitigated these emerging threats (if they have stayed the same since 2002). That’s an interesting topic as well ;) I take it this is what you meant by Emerging Responses.

  4. Devman says:

    Software is the constant in this wherever it is found and whether mobile tech or whatever, it is there.

    Bad software has not changed. Bad is bad and in this area, we have not improved much.

    As mentioned here before, innovation grows the area of bad software further. We know the reasons why. Don’t let security issues delay time to market. Worry about that later if it becomes a problem.

    Apathy in this regard, combined with so few smart people in IT who care and have a voice, is to everyone’s detriment.

    The basics of the threats haven’t changed. They are dressed up differently and bad guys just finding new creative ways to do the same thing.

    We need to look at these things in different ways so this is good.

  5. Hi, and a good point is made.

    I have often thought that IT security people should not be looking at emerging threats, but rather emerging vulnerabilities or weaknesses. The threats – the actors who are ready to exploit weaknesses – do not change dramatically over time.

    However what really changes are vulnerabilities, how they can be detected and exploited, and the scale of the impact. So I would say that the smart grid and the cloud for example are not emerging threats – they are not going to attack your banking application – but they are emerging vulnerabilities, and big ones at that.

  6. Jay says:

    Luke, I think we’re splitting hairs over threat agents, threat actors, blah blah blah. Michael is saying there are new attack vectors which weren’t previously considered but the human factor (e.g. apathy) still exists.

    BTW Drazen, APT is not new. At all. I agree with Vanderstock on this one:
    http://www.greebo.net/2010/02/03/advanced-persistent-threat-risk-management-by-a-new-name/

    Christian, interesting you mentioned Curphey. I caught his update too. Does anyone know the real story behind that move? Sounds like he was too demoralised with security based on exactly that – nothing changes.

  7. Hi Jay,

    No, I don’t want to split hairs, and I am not trying to. What you have called an attack vector I would call a vulnerability, and what you call the human factor I would call a threat. So back to my original point, and Drazen’s observation as to why things don’t seem to change, is that (in my language) threats are relatively constant and vulnerabilities are doing the emerging. And if you keep fleshing things out, adding consequences and then mitigation actions, again these are mainly constant.

    So in short, we know who we should be worried about, what they can potentially do, and what the consequences will be. What changes is the “how”.

    rgs

    Luke

  8. Michael Baker (@cloudjunky) says:

    I was reading an article today and remembered this thread. Despite the nomenclature of vectors and threats it seems the basics are the most exploited (not bad software) in this case ;)

    http://www.csoonline.com/article/570813/Data_Exfiltration_How_Data_Gets_Out?page=1

  9. Why complicate things if you can get in an easy way? Good to have you posting Michael. Been a while. I hope all is well.

    DD