CS1803

2018 predictions
Technical Debt is already a well
understood concept in software
development - the cost of additional
rework caused by choosing an easy
solution now, instead of using a better
approach that would take longer or
cost more.
This translates well into security; not
as the potential downside resulting
from a decision to compromise, but
as the direct, concrete, real-time and
quantifiable cost of a trade-off between
the best possible approach to securing
something and the more attractive,
practical, convenient or affordable
approach. Security debt can be compared
to monetary debt. If debt is not repaid,
it can accumulate 'interest' and grows
over time until it is repaid.
It sits on a business' balance sheet in
big red letters for all the world to see,
speaking to the very heart of the business
- its value. If business have more liabilities
in the form of security and other debt
than it has assets, then you're bankrupt
and eventually you must fail.
In 2018, we may see the damaging
effects of Security Debt that has been
stacking up in the form of legacy code,
third party libraries and dependencies,
and even architectures used by
companies. This has been building
up for the past 30 years and may
be catastrophic, if the right set of
circumstances come to pass. Companies
have been living on borrowed security
for too long and 2018 may the year
when those debts get collected.
RIK FERGUSON, VP OF SECURITY
RESEARCH, TREND MICRO:
We at Trend Micro are constantly
scouting out future threats that will have
the greatest impact for businesses and
we predict which vulnerabilities will make
the biggest waves in the coming year.
Many devastating cyberattacks in 2017
leveraged known vulnerabilities that
could have been prevented, had they
been patched beforehand. This trend will
continue next year, as corporate attack
surfaces expand and expose more security
holes. While this remains a challenge
for enterprises, executives should
prioritise vulnerability management
as they make 2018 cybersecurity plans,
particularly in the looming shadow of
GDPR implementation.
Ransomware will continue to be a
mainstay, due to its proven success.
There will be an increase in targeted
ransomware attacks, in which the
criminals go after a single organisation
to disrupt operations and force a larger
ransom payout. Business Email
Compromise (BEC) attacks will also
continue to gain popularity with
attackers, as the return on investment
for successful attacks is quite high.
PAUL MCEVATT, SENIOR CYBER THREAT
INTELLIGENCE MANAGER, FUJITSU UK
& IRELAND;
BRYAN CAMPBELL, SENIOR SECURITY
RESEARCHER, FUJITSU UK & IRELAND:
Cyber Threat Intelligence (CTI) can be
defined in many different ways and it can
simply be a threat feed. In the coming
year, it will be important to use threat
intelligence to provide an early warning
system to customers and context to
threats. In short, by doing the hard work,
so customers don't have to be dependent
on the service and level of access,
suppliers can actually block threats before
they have a chance to do any damage.
That threat intelligence, in most cases, is
simply providing guidance on 'protecting'
using basic defences such as patch
management. It's challenging in any
corporate environment expressing the
severity of a vulnerability not only as a
technical risk, but also a financial, human
and business risk. In a perfect world we
would patch all the things, but reality
dictates an alternative practical world.
More often than not, patching a financial
system for a critical vulnerability in Java
the day before end of the financial year
will not whet many appetites through
fear of breaking the system, despite
successful pre-production patching.
Combining vulnerability management
with threat intelligence is a great use case
for protecting corporate environments.
Customers are right to be worried about
the next strain of global cyber-security
incidents, but with last year's Petya and
Wannacry outbreaks, the malware used
an SMB vulnerability for propagation
known months earlier that simply needed
patching. For example, here at Fujitsu, we
actually provided a threat advisory on
that patch to CTI customers three months
before Petya spread. What's more, we
also provided our CTI customers with a
threat advisory of the Apache Struts
vulnerability Equifax was exploited with
several months earlier. We also observed
exploits in the wild for this attack, so
there was clearly a high impact.
The line between cyber security and
politics is distorted with continued reports
of election tampering or breaches of
government agencies and departments.
Investigations surrounding the US Election
will rumble on into 2018 with core
concerns around the manipulation of
security controls and 'sleight of hand'.
There were reports of similar inferred
disruptive activity during the 2017 French
election. In recent years, senior members of
political parties around the world became
all too familiar with concepts such as
'Phishing' and 'Incident Response'.
In the case of the Democratic National
Committee (DNC), the infamous
compromise, which Crowdstrike traced
back to Russia, the monthly cost of the
incident response to remove the attackers
from the DNC network was reportedly
$50k a month.
www.computingsecurity.co.uk @CSMagAndAwards March/April 2018 computing security
15