Conversations in Risk-Based Security

Nostradamus Predicts 2020?

Posted by Bobby Dominguez on Jul 18, 2016 4:07:28 PM
Nostradamus?  Not quite...  but UC Berkeley's Center for Long-Term Cybersecurity has produced a set of scenarios - not predictions - that describe future possibilities, exploring how emerging and unknown forces may shape our future.  These scenarios not only describe possibilities, but also describe the security implications.  "They provide a framework for questions we should be asking today to ensure a more secure information technology environment in the future."


Some of the more interesting points from the document include:

  • The internet of the world 2020 will evolve into something of a “Wild West,” with individuals and organizations seeking protection and—sometimes—justice for themselves. ...at some point, cybersecurity incidents shift from being a “tax” or “burden” on what you do in the digital world to being the core reality of internet life.
  • While illicit hacks make headlines...consumers and companies do not significantly alter their communication and consumption habits. Internet users will prove stunningly resistant to altering their online behaviors, despite the escalating risks.
  • Meanwhile, cybersecurity firms and their venture capital backers will be focused principally on enterprise security, not the security of families, individuals, and their connected homes. As a result of these pressures, digital firms will protect themselves first and foremost, allowing the public to bear the brunt of the losses. Firms that cannot afford such protections will be pushed out of the market and, as a result, online innovation will slow incrementally but noticeably. Minimal security and minimal trust will become the new barriers to entry for startup firms.
  • With internet crime almost normalized, the knowledge and programs needed to pull off digital attacks will quickly proliferate.
  • HIPAA will become nearly irrelevant, because many patients will voluntarily make information more available.
  • At the highest level, cybersecurity will no longer be treated as a baseline public good for which the state is ultimately responsible (even if that belief was mostly illusory in 2016). Rather, it will become—in perception and reality—more like a narrow service provided by defense departments and other specialized government institutions to support a limited number of critical public safety objectives, a form of critical infrastructure.
  • In this scenario, cybersecurity researchers in the year 2020 will wish that researchers in 2016 had been looking more deeply at how different institutions (e.g., government agencies, corporations, and nation states) could adapt to an environment of such vast data insecurity.

There are several points here that warrant discussion.  The first one is that the general public will continue to resist altering behaviors that compromise their privacy and security, despite the increasing risks.  Why?  Most likely because the average breach, leading to some sort of fraudulent charge on their card or their bank accounts, typically does not impact them directly.  The compromised company will credit back fraudulent charges, re-issue cards, or provide enhanced customer service to keep the customer happy.  The battle for restitution occurs at the B-to-B level, insulating the consumer from most consequences.  This is why the data continue to support my theory that with breaches, B-to-C relationships are minimally impacted.  The real impact is in the B-to-B relationship; third-party businesses must restore faith with the companies where they conduct business. (See Ponemon's latest study for more details.)

The exception to this is where personal data are stolen and then an identity theft occurs.  These situations result in victims having to prove they did not open that new bank account or credit line and that they were not the ones who defaulted on fraudulent loans.  We're also seeing an increase in impact to customers related to health care breaches where personal information is used to commit insurance fraud or provide the fraudsters with "free insurance."  And let's not forget the victims of tax identity fraud that never get their refund checks and have to jump through numerous bureaucratic hoops to prove that the tax return that was filed was not the real one.

Another scenario point is that HIPAA will become irrelevant.  We haven't seen a strong regulatory push for compliance from the new biometric devices flooding the market - the Apple iWatch, the FitBit, and many other such products collect a significant amount of health data, but they are not necessarily subject to the "covered entity" provisions - yet.  The scenario assumes that not only will these devices proliferate, but their scope of capabilities will increase.  I'm not sure that the HIPAA regulations are aligned with the Internet of Things (IoT) managing healthcare data.

The last point is something I bring up in talks more and more: the fact that the probability of a breach is approaching 100%.  If risk is a product of likelihood and impact (risk = likelihood x impact), and likelihood is 100% or close to it, that leaves reducing impact as the most effective risk mitigation strategy.  Additionally, the size of the impact has a direct correlation to how soon a breach is detected.  The longer it takes to detect, the more data are compromised, and the longer attackers have to get deeper into your systems and cause maximum damage.

My analogy for current incident response methods is that CISOs are “responding to the sonic boom.”  When CISOs speak about incident response plans, they typically are responding to a big event - the sonic boom: someone outside the organization (the Feds?  Brian Krebs?) reports that the company's data are on Pastebin or for sale on the Dark Web.  Once you hear the boom, the jet is long gone.  Incident response should be focused on “detecting and reacting to a jet fighter as it flies by,” not on the boom.

It's my opinion the best way to reduce impact is to close that detection-response window.  This is the future of effective security programs.  I won't cover all of the layered defenses that can do this, but it involves a data-centric security approach and not solely the traditional infrastructure security used by so many companies.

  • Cybersecurity researchers will also need to produce new insight into possible warning signs that this new world of baseline insecurity is indeed approaching, and possibly faster than people think. These warning signs might include increasing weakness in the market for encryption solutions and the growing popularity of new and ever-more complex password protection techniques (or replacements for passwords altogether).

The good news here is that encryption is making some interesting strides.  There are numerous articles on quantum encryption and what it really means. Google recently announced some interesting real-world tests, but there is still a lot of hype about this with little commercialization for mass consumption yet.

  • In a world in which algorithms capably predict individual behavior and organizations race to harness that power, cybersecurity will become a segmented enterprise—largely because different realms of human action will not be equally susceptible to predictive algorithms.
  • There will be two key assets that criminals can exploit: the datasets themselves and the humans who work on them.
  • Cybersecurity in this world will converge even more fully with data security, as datasets, repositories, and data markets become the principal targets of attack.
  • The security dynamic in this sector would revolve around a game of complexity management. The highly variegated regulatory environment would, in practice, present an attack surface filled with pockets of vulnerability that are fine-grained and specific. Large-scale attacks may be somewhat more difficult in this environment, but smaller-scale attacks could be much more interesting to invent and harder to detect.

We’re seeing the beginnings of behavioral profiling in security companies such as Exabeam and Interset.  These nascent technologies are not widely embraced yet, because security practitioners still prefer to address security through “showcase projects” related to infrastructure rather than those that focus on data and human behaviors.  The human element and ubiquitous data are too dynamic in nature, so technologies, or even processes, that address them are difficult to implement and justify.  But this is where security has to move in a decentralized computing world, where endpoints consist of the IoT and other devices that are not in the direct control of the organizations leveraging them.

  • And because digital technology is now present in almost every domain as part of the intentional IoT infrastructure, the term “cybersecurity” will feel dated. Cybersecurity will just be “security,” seen through the lens of traditional domains.
  • As a result of these new IoT-enabled problem-solving approaches and efficiencies, the perception that “government cannot get anything done” will begin to drop out of public rhetoric. IoT devices in the home will be in the realm of personal security; smart infrastructure and government-run systems will be part of national security; sensors and devices to deal with climate and energy will be a dimension of environmental security; and so on.
  • Technical expertise will be critical to all these domains, but the “cybersecurity specialist” model of years past will give way to a wider suite of skills that technical experts need to get systems running and keep them in working order.
  • The rapid rush to deploy the IoT will compound this problem, leading to security sloppiness that will be very hard to audit, much less clean up.
  • High-end criminals and ambitious terrorists will focus their attention on the most serious cyber-physical targets, such as critical infrastructure. Terrorists in particular will seek to undermine the growing confidence in Western governments created by the intentional IoT. Plausibly, the IoT would replace the airplane as the nexus of terrorist attentions.
  • Maintaining the security of the IoT’s “supporting” infrastructure—wireless spectrum, materials, and supply chains—will be critically important in this world, both for national security and for business and industry security.
  • As communities become over-reliant on IoT technologies, they will struggle to manage even the smallest disruptions to those technologies.

Looks like business will be good for security companies in the future, based on these scenarios!

But as I stated to start, these are not predictions, but scenarios that play out an extension of current trends and then summarize the consequences. They can be used to model appropriate responses for these potential eventualities.  Besides the "fun" nature of playing "what if" and trying to anticipate future events, scenario analysis itself is a great tool for modeling risk.

I've used these techniques by taking qualitative and "quantitative" risk data and converting these arbitrary assessments into scenarios that can be used to illustrate risks to Boards and other business stakeholders.  Scenarios allow you to take your findings and evaluations and make plausible projections that can be compared to your established risk appetite.  Depending on where the scenarios take you, in terms of the costs of unmitigated risks, you can determine whether your strategy keeps you within your risk appetite boundaries.
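The two ideas above, risk = likelihood x impact with impact driven by the detection-response window, and scenarios compared against a risk appetite, can be put into a small model. The following is an added example written for this page, not code from the author or from the Berkeley report; every number in it (likelihoods, dwell times, exfiltration rate, cost per record, the appetite threshold) is a constructed placeholder, chosen only to show how the comparison works.

```python
"""Scenario-based risk model: risk = likelihood x impact.

Impact is modelled as a fixed response cost plus a term that grows with the
number of days the intrusion goes undetected (records exfiltrated per day
times cost per record).  Three constructed scenarios are then compared against
a risk appetite: a baseline, one that spends effort lowering likelihood, and
one that spends effort shortening the detection window.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float        # probability of at least one breach in the period (0..1)
    days_to_detect: float    # detection-response window ("dwell time") in days
    records_per_day: float   # assumed exfiltration rate once inside (constructed)
    cost_per_record: float   # assumed cost per compromised record (constructed)
    fixed_cost: float        # response cost incurred regardless of breach size


def impact(s: Scenario) -> float:
    """Loss if the breach happens: grows linearly with the detection window."""
    return s.fixed_cost + s.days_to_detect * s.records_per_day * s.cost_per_record


def expected_loss(s: Scenario) -> float:
    """risk = likelihood x impact, expressed as an expected monetary loss."""
    return s.likelihood * impact(s)


def loss_avoided_per_day(s: Scenario) -> float:
    """Expected loss removed for each day cut from the detection window."""
    return s.likelihood * s.records_per_day * s.cost_per_record


def within_appetite(s: Scenario, appetite: float) -> bool:
    return expected_loss(s) <= appetite


def rank(scenarios: list[Scenario]) -> list[str]:
    """Scenario names ordered from lowest to highest expected loss."""
    return [s.name for s in sorted(scenarios, key=expected_loss)]


# Constructed placeholder values; the shape of the comparison is the point,
# not the figures themselves.
RISK_APPETITE = 5_000_000.0   # maximum acceptable expected loss for the period

BASELINE = Scenario("baseline", likelihood=0.95, days_to_detect=200,
                    records_per_day=1_000, cost_per_record=150, fixed_cost=500_000)
# Heavy investment in prevention buys a modest drop in likelihood only.
LOWER_LIKELIHOOD = Scenario("lower likelihood", likelihood=0.80, days_to_detect=200,
                            records_per_day=1_000, cost_per_record=150, fixed_cost=500_000)
# Same likelihood, but detection and response close the window to 10 days.
FAST_DETECT = Scenario("fast detection", likelihood=0.95, days_to_detect=10,
                       records_per_day=1_000, cost_per_record=150, fixed_cost=500_000)

SCENARIOS = [BASELINE, LOWER_LIKELIHOOD, FAST_DETECT]


def report(scenarios: list[Scenario], appetite: float) -> list[dict]:
    """One row per scenario, suitable for a board-level table."""
    return [
        {
            "scenario": s.name,
            "impact": impact(s),
            "expected_loss": expected_loss(s),
            "within_appetite": within_appetite(s, appetite),
        }
        for s in scenarios
    ]


if __name__ == "__main__":
    for row in report(SCENARIOS, RISK_APPETITE):
        print(f"{row['scenario']:<18} impact={row['impact']:>14,.0f} "
              f"expected={row['expected_loss']:>14,.0f} "
              f"within appetite={row['within_appetite']}")
    print("ranked:", rank(SCENARIOS))
    print(f"each day cut from baseline dwell time saves "
          f"{loss_avoided_per_day(BASELINE):,.0f} expected")
```

With likelihood already near 1, the likelihood-reduction scenario barely moves the expected loss, while shortening the detection window brings the same organisation inside the appetite; `loss_avoided_per_day` gives a number a board can weigh against the cost of the detection tooling that buys it.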

The report is full of other items too that are really interesting, and frightening.  Take a look at it - especially the last scenario, Sensorium (Internet of Emotion). If you're afraid of PII and PHI getting out into the public, imagine having your emotional state predicted accurately and reported to some sort of social media or government agency!  Looks like we may have the PreCrime Department before the year 2054, as in the movie Minority Report.

"Even though the future seems far away, it is actually beginning right now." (Mattie Stepanek)
