There is still time for any list of the "top information security issues of 2014" to be rendered obsolete. The holiday shopping season is just getting into high gear, after all, and everybody knows it was from late November to mid-December last year when the catastrophic Target breach occurred.
But this list is about more than attacks and breaches -- it is about broader infosec issues or trends that are likely to shape the future of the industry.
Several experts offered CSO some thoughts on their top picks, what can be learned from them and whether that knowledge can help organizations improve their security posture in the coming year.
Cyber threats trump terrorism
An Associated Press story this past week on the federal government's $10-billion annual effort to secure its multiple agencies noted, almost in passing, that, "intelligence officials say cybersecurity now trumps terrorism as the No. 1 threat to the U.S."
That makes sense to Sarah Isaacs, managing partner at Conventus. While cyber attacks have been expanding and evolving for decades, Isaacs said there has been a qualitative change: It is not just criminals trying to steal money -- it is nation states using it for espionage and even military advantage.
In May, "the Department of Justice indicted five members of China's People's Liberation Army on felony hacking charges for stealing industrial secrets," she said. "We've never seen that before."
Then in September, "NATO agreed that a cyber-attack could trigger a military event," she said. "This is about more than protecting credit cards. This is escalating to new levels."
Author, security guru and Co3 Systems CTO Bruce Schneier, would likely agree. In a recent blog post, he wrote that increasingly sophisticated attacks, especially advanced persistent threats (APT) that are not about financial theft, are coming from, "a new sort of attacker, which requires a new threat model."
There is evidence of that in a recent study by ISACA on APTs. CEO Rob Clyde said 92% of respondents, "feel APTs are a serious threat and have the ability to impact national security and economic stability."
Clouds -- private, public and hybrid -- are not new. But the steady increase in the use of cloud storage services is posing larger risks to businesses.
Schneier, in his blog post, said the continuing migration to clouds means, "we've lost control of our computing environment. More of our data is held in the cloud by other companies ..."
While experts say cloud service providers frequently provide better security, that may not be true of so-called "shadow" or "rogue" use of clouds by workers who believe that is an easier way to do their jobs than going through IT.
Internet of Everything (IoE) -- a hacker frontier
The Internet of Things (IoT) is so last year. It is now the IoE. Smart, embedded devices in homes, cars, electronics, machines, and worn by individuals are now mainstream. They already number in the billions, and estimates of their growth range from 50 billion by 2020 to more than a trillion within the next decade.
And that means a growing tsunami of data flowing to the Internet, where it can be sold for marketing purposes or stolen for more malicious means.
Isaacs, who says she is among those who uses an exercise wearable, said she used "dummy data" to register it. "So nobody knows it's my data," she said. "It can't be mapped directly to me."
In general, however, she said, "everyone is oversharing everything. The threats are broad and potentially catastrophic. I'm very nervous about the smart cars I see.
There does seem to be an increasing awareness of the privacy implications of smart cars. The AP reported this week that 19 automakers that make most of the cars and trucks sold in the U.S. signed on to a set of principles, delivered to the Federal Trade Commission (FTC), that seek to reassure vehicle owners that the information gathered by those vehicles, "won't be handed over to authorities without a court order, sold to insurance companies or used to bombard them with ads ... without their permission."
The vulnerabilities of "smart" devices to hacking have been demonstrated numerous times, prompting Phil Montgomery, senior vice president of Identiv to call for, "a more regimented standards-based security approach that relies less on outdates processes around username/password technology and more on stronger forms of authentication."
No parties for third parties
This was the year that the risks of breaches through third-party contractors made it into mainstream consciousness. The Target breach, which exposed 70 million records, was just one of many that came through outside vendors.
Regulatory agencies are trying to maintain that awareness. Stephen Orfei, the new general manager of the Payment Card Industry Security Standards Council (PCI SSC) noted in a recent interview that, "security is only as good as your weakest link -- which means the security practices of your business partners should be as high a priority as the integrity of your own systems."
Christine Marciano, president of Cyber Data-Risk Managers, said that in addition to vetting vendors for rigorous security standards, companies should, "require their vendors to carry and purchase cyber/data breach insurance, to indemnify them for any costs associated with a data breach caused by the vendor's negligence."
The porous, sometimes malicious, human OS
While third parties may be a weak link in the security chain, that is less likely due to technology and more due to the human factor.
It was former National Security Agency contractor Edward Snowden who brought the risks of malicious insiders to international attention in 2013, but the danger to enterprises can be just as great from loyal insiders who are simply "clueless or careless," and fall for social engineering scams.
Joseph Loomis, founder and CEO of CyberSponse, said he is, "sure there are major companies out there with little controls over their employees and their access rights. Who is watching who and what they're doing?"
It is also about employees controlling themselves when presented with ever-more persuasive social engineering attacks.
The federal government reported earlier this year that 63 percent of the breaches of its systems in 2013 were due to human error.
According to Marciano, "employee negligence was at an all-time high in 2014," with the problems ranging from, "failure to perform routine security procedures to lack of security awareness, routine mistakes and misconduct."
Eldon Sprickerhoff, cofounder and chief security strategist at eSentire, noted that, "phishing emails are getting better and better. I've seen some that were so well targeted, so well done that I could not tell the difference."
And it is not just the average worker who is a problem. Identity Finder CEO Todd Feinman said the problem goes all the way to the top. "Many executives don't know where their sensitive data is so they don't know how to protect it," he said.
While BYOD is now mainstream in the workplace, Isaacs calls the increased focus on mobile computing, "very scary, and it's going to get even worse."
BYOD is now bringing, "extremely unreliable business applications inside the walls of corporations," she said. "There are a lot of software vulnerabilities. Every app that is free or 99 cents, probably doesn't have great level of security. And people don't install patches either."
According to Clyde, "there are now many times more mobile devices than PCs in the world. In fact, in many regions of the world, mobile devices are the only way most users connect to the Internet," yet security remains a relative afterthought.
ISACA found that, "fewer than half (45%) have changed an online password or PIN code.
And now, connected wearable devices (BYOW) are becoming common in the workplace, yet, "a majority of professionals say their BYOD policy does not address wearable tech, and some do not even have a BYOD policy," Clyde said.
The age of Incident Response (IR)
All of the above issues have led to an increased focus on IR. According to Schneier, this is not just the year but the decade of IR, following a decade of protection products and another of detection products.
In his blog post, he cited three trends: More data held in the cloud and more networks outsourced; more APTs by nation states and; a continuing lack of investment in protection and detection, leaving the bulk of the burden on response.
But IR has been more on everybody's lips in 2014 than even a couple of years ago. The mantra of security experts is that it is not a matter of if, but when, an organization will be breached, and that an effective IR plan (combined with detection) can make attacks more of a nuisance than a disaster.
Getting IR right is crucial, but Tom Bain, vice president of CounterTack, calls it, "the hardest job in security. You can have all the technology in place to detect, prevent and analyze, but if your workflow is broken, or the team is so inundated with incident investigation, you are still vulnerable," he said.
More regulation, please
An industry that generally decries government regulation -- retail -- is now singing the opposite tune when it comes to cyber security.
A Nov. 6 letter signed by 44 state and national organizations representing retailers, addressed to the leaders of both houses of Congress, called for, "a single federal law applying to all breached entities (to) ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."
Sprickerhoff said such a law would be, "a good first step. There are 38 states with different definitions of what is a breach, so things are getting a bit out of hand," he said. "If you had unifying description of what needs to be done, that's not a bad thing."
But, of course, notification is not the same as improving security. And there are limits to what regulation can accomplish in that area.
"I worry that 'compliance with frameworks' attracts a lot of attention," said Richard Bejtlich, chief security strategist at FireEye. "I would prefer that organizations focus on results or outputs, like what was the time from detection to containment?
"Until organizations track those metrics, based on results, they will not really know if their security posture is improving," he said.
What to do?
There are, of course, no magic bullets in security. Isaacs said, noting that it's almost impossible to say what is the biggest threat. "I heard a speech where it was described as, "death by a thousand cuts," she said.
But experts do have suggestions. Sprickerhoff said more training is crucial, not just the security awareness of employees, but the next generation of IT security experts.
"I don't think it's ever been harder to find good people in IT security," he said. "There's not much in course work at the college level."
Eyal Firstenberg, vice president research, LightCyber, said improving security is going to take a combination of technology and training.
"There is a need for fast and accurate alerts and notifications, which ultimately determine the outcome of these cyber engagements," he said, but added that, "organizations need more professional diagnosticians on staff who are trained to know what threats are real and need to be addressed, and which ones aren't."
Ashley Hernandez, an instructor for Guidance Software, calls for more communication among organizations. "Security professionals need to have a way to share intelligence about patterns or attack types to others in their industry or trusted security groups," she said.
Clyde notes that ISACA, "has a number of programs, from risk governance frameworks like COBIT 5 to the Cybersecurity Nexus (CSX), to ensure cybersecurity professionals have the skills they need to defend enterprises from the plethora of threats."
Finally, Loomis offers a short list:
- Improve procurement processes. "It takes too long to buy new tools," he said.
- Start educating your staff on what the DHS and NIST Frameworks really are. Read the MITRE book on the 10 strategies to a world-class SOC.
- Stop believing the marketing and get real-world feedback on tools. "Security has put a lot of money into marketing, but that doesn't mean the solution is right for the organization," he said.
- Run simulations. "When was the last time a company ran a real cyber drill?" he asked.
- Stop following paper policy, "Militarizing your team, running drills, making it second nature is what will help the response process, not following a check list," he said.