Across the board, information security experts are predicting artificial intelligence, the Internet of Things (IoT), and cloud computing will make headlines in 2017. Unfortunately, these emerging technologies bring promise and peril. Many of the products do not yet have robust security features, and companies do not always have the expertise to implement these tools without incurring additional risk. In this issue of CISO Beat, we examine the threat landscape unfolding as we head into 2017.
As connected devices proliferate at home and in the workplace, information security professionals worry about the growing attack surface. At the same time, older, obsolete devices pose a lingering risk. New vulnerabilities are constantly discovered in older software, and IoT devices are no exception. Unsupported IoT devices will not disappear. While the latest innovations will capture the most attention, security requires practitioners to keep older devices in mind. Many of these devices today lack the ability to update firmware after a critical security vulnerability is discovered.
Big threat to IoT! https://t.co/FWANRju6HU
— Manuel Santander (@manuelsantander) December 15, 2016
Security providers are beginning to look at the benefits artificial intelligence can bring to enterprise security. Machine learning holds the potential to help security teams overcome alert fatigue and comb through massive amounts of user data. On the other side of the coin, researchers are already nervous about the applications AI will have for cyber criminals. New technologies like AI offer cyber criminals scale and agility. By making use of AI, software used to launch attacks could learn to imitate users and better conduct targeted phishing campaigns, which are involved in 91% of cyber attacks. Automation also expands “as-a-service” offerings that require minimal effort on the part of attackers, making it easy for new groups without technical expertise to enter the cybercrime industry.
How AI-powered cyberattacks will make fighting hackers even harder | ZDNet https://t.co/Ns75ccWoCa
— Troels Oerting (@TroelsOerting) December 14, 2016
Software vulnerabilities may never be eliminated entirely, but the industry has made groundbreaking progress in keeping ahead of hackers. Bug bounty programs crowdsource penetration testing to hundreds or even thousands of freelance researchers. The programs have caught on across industries, even in the federal government, as organizations warm to the prospect of harnessing the wisdom of the crowd in a cost-effective way. Companies offering private bug bounty programs, open only to approved researchers, show that not all security innovations require complex technology.
The rise of Bug Bounties and the downfall of pentesting. https://t.co/sCgct9ryS7
— Leo Niemelä (@leoniemela) December 16, 2016
While the industry was looking ahead to 2017, the past clawed back into the picture. Yahoo’s 2013 breach exposed user data on an unprecedented scale and for an extended period of time. The security stakes are much more significant than access to Tumblr and consumer email accounts. Stolen passwords and security questions can be reused across enterprise accounts to infiltrate corporate assets; compromised email accounts can be used to conduct phishing attacks. The breach shows the impact digital companies can have on online security. Only an internet conglomerate like Yahoo could affect users on this scale and across such a diversity of applications. Security departments will need to actively manage the fallout from the breach to ensure corporate data is not exposed.
More than 150,000 U.S. government and military employees are among the victims of Yahoo! Inc.’s data breach. https://t.co/HMOYcbzh5P
— Dan Lohrmann (@govcso) December 15, 2016
Not all security liabilities are accidental. Evernote called its suitability for business use into question by retaining the right to review user data. Users may not take issue with exposing to-do lists, but uploading go-to-market plans or other confidential corporate data creates unnecessary risk. Companies should systematically evaluate all cloud applications’ user agreements for terms that violate their policies. Many enterprise IT security teams insist on encrypting data with their own encryption keys to maintain complete confidentiality of data, even from the cloud provider.
— Al Berg (@alberg) December 16, 2016