2018 predictions

Technical Debt is already a well-understood concept in software development - the cost of additional rework caused by choosing an easy solution now, instead of using a better approach that would take longer or cost more.
This translates well into security; not as the potential downside resulting from a decision to compromise, but as the direct, concrete, real-time and quantifiable cost of a trade-off between the best possible approach to securing something and the more attractive, practical, convenient or affordable approach. Security debt can be compared to monetary debt. If debt is not repaid, it can accumulate 'interest' and grow over time until it is repaid.
It sits on a business' balance sheet in big red letters for all the world to see, speaking to the very heart of the business - its value. If a business has more liabilities in the form of security and other debt than it has assets, then you're bankrupt and eventually you must fail.
In 2018, we may see the damaging effects of Security Debt that has been stacking up in the form of legacy code, third party libraries and dependencies, and even architectures used by companies. This has been building up for the past 30 years and may be catastrophic, if the right set of circumstances come to pass. Companies have been living on borrowed security for too long and 2018 may be the year when those debts get collected.

RIK FERGUSON, VP OF SECURITY RESEARCH, TREND MICRO:
We at Trend Micro are constantly scouting out future threats that will have the greatest impact for businesses and we predict which vulnerabilities will make the biggest waves in the coming year. Many devastating cyberattacks in 2017 leveraged known vulnerabilities that could have been prevented, had they been patched beforehand. This trend will continue next year, as corporate attack surfaces expand and expose more security holes. While this remains a challenge for enterprises, executives should prioritise vulnerability management as they make 2018 cybersecurity plans, particularly in the looming shadow of GDPR implementation.

Ransomware will continue to be a mainstay, due to its proven success. There will be an increase in targeted ransomware attacks, in which the criminals go after a single organisation to disrupt operations and force a larger ransom payout. Business Email Compromise (BEC) attacks will also continue to gain popularity with attackers, as the return on investment for successful attacks is quite high.

PAUL MCEVATT, SENIOR CYBER THREAT INTELLIGENCE MANAGER, FUJITSU UK & IRELAND;
BRYAN CAMPBELL, SENIOR SECURITY RESEARCHER, FUJITSU UK & IRELAND:
Cyber Threat Intelligence (CTI) can be defined in many different ways and it can simply be a threat feed. In the coming year, it will be important to use threat intelligence to provide an early warning system to customers and context to threats. In short, by doing the hard work, so customers don't have to be dependent on the service and level of access, suppliers can actually block threats before they have a chance to do any damage.

That threat intelligence, in most cases, is simply providing guidance on 'protecting' using basic defences such as patch management. It's challenging in any corporate environment expressing the severity of a vulnerability not only as a technical risk, but also a financial, human and business risk. In a perfect world we would patch all the things, but reality dictates an alternative practical world. More often than not, patching a financial system for a critical vulnerability in Java the day before end of the financial year will not whet many appetites through fear of breaking the system, despite successful pre-production patching.

Combining vulnerability management with threat intelligence is a great use case for protecting corporate environments. Customers are right to be worried about the next strain of global cyber-security incidents, but with last year's Petya and WannaCry outbreaks, the malware used an SMB vulnerability for propagation known months earlier that simply needed patching. For example, here at Fujitsu, we actually provided a threat advisory on that patch to CTI customers three months before Petya spread. What's more, we also provided our CTI customers with a threat advisory of the Apache Struts vulnerability Equifax was exploited with several months earlier. We also observed exploits in the wild for this attack, so there was clearly a high impact.

The line between cyber security and politics is distorted with continued reports of election tampering or breaches of government agencies and departments. Investigations surrounding the US Election will rumble on into 2018 with core concerns around the manipulation of security controls and 'sleight of hand'. There were reports of similar inferred disruptive activity during the 2017 French election. In recent years, senior members of political parties around the world became all too familiar with concepts such as 'Phishing' and 'Incident Response'.
In the case of the Democratic National Committee (DNC), the infamous compromise, which CrowdStrike traced back to Russia, the monthly cost of the incident response to remove the attackers from the DNC network was reportedly $50k a month.

www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security