How does a security expert discern what the future holds? A number of factors should influence your planning as you try to draw a road map for your information security strategy:
1. Historical progression of threats
If you are familiar with how threats have progressed over time, you will have a better understanding of where those threats may be headed in the future. For example, 10 years ago, virtually all malware attacks were focused on operating systems (OSs).
Today, malware attacks go after applications far more than OSs. Browsers are a particularly popular target for attacks today.
2. Your industry
Each industry has a different focus when looking to the future. For example, a bank will have very different requirements from a shoe store. Understand your industry, network with your peers, and make sure you are looking at the proper framework for your planning.
It is always a good idea to see what the people who predict the future of the industry think before doing your planning. Although experts can disagree over certain specific predictions, if you keep an eye on the major information sources (some of which are provided later in this chapter), you can develop a pretty good idea of where information security is headed.
Because they are frequently trying to sell you their next-generation solution, vendors usually have a biased view of the future. They can, however, provide valuable information for your planning.
If the vendors you work with or follow are all targeting a particular threat or technology, they view it as an area to generate revenue. If an industry targets a specific area as a source of revenue, it’s a good bet that a threat lurks there somewhere.
5. Role of cybersecurity in national security
In March 2019, President Trump increased the cybersecurity budget by 5 percent, and in May of that year he spoke about his plan to “strengthen America’s cybersecurity workforce to secure our nation and promote prosperity.”
Although the number of trained security professionals is still inadequate, public awareness, along with that of lawmakers, heads of organizations, and—importantly—employers has increased dramatically.
Every major publication from The New York Times to The Wall Street Journal has stated that there are not enough—and will not be enough—trained security professionals to fill the future need within the workforce.
One area that is evolving extremely quickly is the variety of threats to your infrastructure. Several years ago, the most prevalent threats were from unsophisticated attackers whose main goal was to accomplish something they could brag about in chat rooms with their buddies.
Today, organized crime has zeroed in on the huge amounts of money to be made in computer hacking. You now see targeted attacks against specific industries and companies; viruses that target credit card numbers, bank account information, and Social Security numbers; and rootkits that, once installed on a computer, turn it into a host the attacker can control remotely to attack other systems and networks.
Some attackers will threaten to crash networks with denial of service attacks or encrypt system data unless the system owner pays extortion money—the high-tech equivalent of a protection racket.
In the future, you will see more resilient networks that will mitigate the risk of traffic-based attacks, more secure OSs and applications to resist malware, intrusion prevention systems that will respond instantly to attacks, and cloud triage that can isolate the threat before it can damage your infrastructure.
7. Firewall Capabilities
Firewalls have been adding capabilities since appliances were first introduced. Early firewalls contained some limited filtering and NAT capabilities and not much else. You will learn about the wide range of today’s firewall capabilities and specialties later in this chapter.
Encryption standards are constantly evolving. In 1977, the Data Encryption Standard (DES) was specified in the Federal Information Processing Standards (FIPS) publications and became a national standard. The standard has since progressed from DES, a 56-bit algorithm, to 3DES, an effective 168-bit algorithm, to the Advanced Encryption Standard (AES), which supports keys up to 256 bits.
The problem with encryption is the constantly improving processing power of computers. As computers get faster and more capable, with ever larger memory, encryption algorithms become easier to break through brute force and other techniques.
Encryption’s popularity has grown as concerns about protecting data at rest, in transit, and while archived have come to the forefront of many industries.
How many stories have you seen about the stolen laptop with 100,000 Social Security numbers on it or an application compromised by an attacker able to read data directly from a hard drive because it was stored in cleartext? Today, government agencies such as the Department of Defense require full-drive encryption for all laptops.
Recognizing the growing need for encryption, the industry is responding quickly. The AES standard was designated as the replacement for DES. It is designed to scale upward with longer keys.
As you look into encryption solutions, keep in mind whether they support AES or an equivalent algorithm, and be sure that you encrypt your data everywhere it is vulnerable. The days of relying on your VPN as the only data protection are gone. You need to secure data with encryption everywhere it can be accessed.
Another area where you can expect to see dramatic changes in future capabilities is in authentication, especially with respect to identity and access management. In the past, much of user security was based on a user ID and password.
Years were spent trying to teach users what a strong password is, why they need a strong password, and why they need to change their passwords every 90 days.
The effort has been largely ineffective. Users still choose poor passwords; even when they select strong passwords, they often write them down, and the passwords can still be cracked given sufficient computing power.
The other challenge associated with authentication is actually a user-management issue. All too often in a complex environment, the creation, permissioning, management, and eventual retiring of user accounts does not work.
Accounts retain permissions long after users move on to other roles, accounts remain on systems long after employees have left the organization, and, in many cases, no auditing of actions using privileged accounts takes place. Collectively, these critical tasks are known as identity and access management.
How will these challenges evolve in the future? One trend is moving away from passwords to tokens, smart cards, and biometric authentication. Multifactor authentication, in which multiple proofs of one’s identity are required, is the better way to protect systems. Two-factor authentication is one form of multifactor authentication that requires two proofs of identity.
The proofs come from three categories: something you know (typically a user ID and password or pass phrase), something you are (a biometric measure such as an iris or retinal scan, hand geometry, or voice or signature recognition), or something you have (such as a token, an automatic number generator, or an authentication application).
This is occurring alongside a contrary movement toward single sign-on solutions, which allow users to access multiple devices or services after entering one set of credentials instead of separate credentials for each device they access.
On the identity and account management front, a number of solutions automate these activities, providing full account life-cycle management and the associated auditing capabilities many companies look for.
The one challenge with these solutions is that, due to the sophistication of most corporate computing environments, these are complex to install and maintain. It is not just a matter of automating the creation of Microsoft Active Directory accounts in most cases.
Companies have multiple application systems and authentication requirements. Making all of these components work together is not easy. Once you get them working together, however, you have removed a significant threat to your security landscape.
One of the biggest complaints from chief information officers (CIOs) about information security is the lack of measures for the success of a program. Information security has moved from being an esoteric discipline practiced by a few misunderstood experts to a core business function vital to supporting the bottom line.
While this evolution has been long overdue, today management expects you to quantify your contribution to the company and justify the expenditures made to support security.
The application of data analytics principles to better understand what is happening on a network, including statistics on how it functions, throughput, bandwidth usage, and security anomalies, can provide essential perspective and aid in finding unauthorized actions.
The good news is that the industry has been moving in this direction for some time and has developed a number of performance metrics. The most popular is the Information Technology Infrastructure Library (ITIL), which is a set of concepts you can use to formalize your security management practice and the associated reporting.
In addition, numerous solutions allow you to automate not only these processes, but also the associated measurements.
Another area of significant evolution in information security is in the nature of what you are trying to protect. Initially, information security was all about keeping the hackers out of your network. As a result, companies invested significant amounts of money in firewalls and other network security technologies.
Then focus shifted from the network to the host, and organizations attended to managing patches, hardening OSs, and installing host-based firewalls.
Once the industry secured the host, attackers shifted to threatening the applications running on those hosts. IT then started focusing on integrating security into the software development lifecycle, testing and evaluating code, hiring penetration testers to try to break code deliberately, and deploying firewalls and proxy servers specifically to secure applications.
The next shift in information security is a growing focus on what is truly valuable: the data. Ultimately, all the measures developed to date, from network firewalls to host hardening to penetration testing, have been about securing the data.
The industry is now moving toward a data-centric security model, which is a significant paradigm shift from previous models. A data-centric model forces companies to focus on classifying and applying values to the data they choose to store. Although it will undoubtedly be a painful process for many companies, this approach will ultimately yield a much more secure environment.
12. Securing the Cloud
Cloud computing is still a relatively new phenomenon in computing infrastructure that involves moving computing resources out to the Internet.
This often means contracting with a third party to maintain the data and provide access to it so that an organization need not purchase additional infrastructure. Resources are then shared by multiple applications and, in many cases, shared by multiple corporations.
Think of how the phone networks or the electrical grid operates. These clouds are typically built using virtualization that allows for exceptional efficiencies, but also opens up a number of new security challenges.
To leverage the true benefits of cloud computing, you have to trust the vendor providing your cloud. This requires a shift in focus from deploying security technologies to ensuring that your vendors are contractually obligated and physically able to keep your data secure.
You also need to be able to evaluate vendors to determine trustworthiness. If you have the available resources, you should be auditing the vendor(s) to ensure that your data is consistently kept secure.
13. Securing Mobile Devices
A rapidly growing sector of the end-user computing space is the use of mobile devices like smartphones, smart watches, netbooks, or tablet computers.
These devices present some unique challenges. Think about how many people today receive email on their smartphone, or who use an iPad to review confidential documents while riding the train to work. How do you secure these devices?
The good news is that once the industry identifies issues like these, it concentrates resources and ultimately solves the problem.
The computer security industry has very few “unsolvable” issues. Already, virus protection, mobile device management, and encryption applications are available for mobile devices. The challenge you will typically see in both current and future technology is that these types of devices are frequently overlooked or discounted when documenting security risks.
Be sure to keep these devices on your list of risks. Personal devices possess an alarming amount of storage and processing capacity, which makes it easy for an employee to inadvertently store confidential information on a personal device.
14. Internet of Things
The term Internet of Things (IoT) describes how a wide variety of devices and sensors can connect and be accessed, typically over a wireless network. IoT devices or sensors are used in security systems, insulin delivery systems, wearable activity trackers, building automation, thermostats, light bulbs, electronic appliances, and much more.
The use of IoT devices is rapidly increasing, which creates issues and challenges. Security professionals are concerned that IoT development and connectivity are outpacing security, privacy, and regulatory compliance. Many discussions today revolve around how to better protect these IP-connected devices and the networks to which they connect.
15. Mobile IP
The future will bring with it an increased clarity of the techniques, technologies, and protocols associated with making IP mobile, from the technology actually called Mobile IP to a potential host of other technologies, including IP Multimedia Subsystem (IMS), and changes to the Domain Name Service and other fundamental technologies.
16. Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD) will increase, as will the need to secure a growing number of mobile endpoints and different OSs and applications.
The BYOD mobility aspect becomes even more important in light of the discussion of mobility technologies and the mobility enablement of base technologies, and when you consider that employees, contractors, clients, and others need to connect securely to the assets of the organization, potentially with varying permissions.