As the year draws to a close, many businesses are looking to industry experts for advice on where they should be focussing efforts to protect themselves for the year ahead. Dr Rob Hegarty is sharing his predictions so that you can do just that.
The tricky task of predicting future security threats came up at a recent round table hosted by UKFast. As an academic and security practitioner, I thought this blog would be a great place to share my thoughts on this topic. Other than the inevitable curveballs that are bound to make a mockery of my predictions, I suspect the following topics to be prevalent in 2016: commercialisation of malware, ransomware, social engineering and misunderstanding of encryption.
The commercialisation of malware and ransomware go hand in hand. While Cryptolocker might be so 2013, the trend of the commercialisation of malware looks set to continue, with malware authors offering source code and development kits on the internet and dark web, leading to an inevitable increase in quality and accessibility to “end users”. Readers should be mindful that although the flaws in the original Cryptolocker malware have likely been banished, its proclivity to infect any and all network shares almost certainly has not. Ensure your offline backups are up to date and viable!
Social engineering attacks are unlikely to abate in 2016. While it’s interesting and fun to develop innovative new technical countermeasures, we need a step change in the way business hierarchy impacts on operational security.
Historically, businesses have fostered the use of a chain of command whereby unquestioning respect is paid to senior employees, who are either time-served or higher up the chain of command. This fact is not lost on attackers, who employ social engineering tactics to leverage this ingrained way of thinking against a business’s security.
We need to move to a situation where employees feel comfortable questioning requests for sensitive information from their peers and bosses, in which bosses value the actions of employees who enforce security by validating identities and questioning requests to access information.
This transformation will take time, and has implications outside of the corporate sphere. How often do you authenticate telephone calls from your bank or utility provider before handing over personal information?
Recent high-profile data breaches have highlighted two important facts: the first is that large companies are still failing to get info-sec right. The second is that there is a lack of understanding of what role encryption should play in protecting systems. Time and time again we see sheepish company executives facing the inevitable question from the media: where are the passwords encrypted?
The word encryption appears to have become synonymous with security, and while encryption undoubtedly plays a role in security, it is only part of the picture. Before discussing how encryption can play its role, let’s revisit the question. Where are the passwords encrypted?
Given that the purpose of storing passwords is to enable user authentication, it is vitally important that they are kept secret, yet remain fit for purpose, i.e. they can be used to authenticate users. In order to achieve this, the two-way process of encryption/decryption is unsuitable: encrypting data implies it can be decrypted, and for the purpose of authentication this is not required.
So, at the risk of stating the obvious, passwords should be hashed, using a cryptographic hash function that creates a unique output for each password, from which the password itself cannot be derived. This enables user authentication, without divulging the password.
In order to store the password securely for later use in the authentication procedure, it should be salted (combined with a unique random value) and then hashed prior to being added to the database. The salt should be stored in the database to enable regeneration of the hash each time the user provides their password as part of the authentication process.
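The salt-then-hash scheme described above, written out as an added example (not code from the original post): the salt is generated per user, stored in the record next to the hash, and re-used at login to regenerate the digest. PBKDF2-HMAC-SHA256 from the standard library stands in for a password hashing function; the record format and iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example;
# tune it so one verification costs tens of milliseconds on your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """What the post warns against: a bare hash, no salt.
    Two users with the same password get the same record, so one cracked
    record (or a precomputed table) exposes everyone sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt then hash. Returns a self-describing record (assumed format)
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the salt and
    work factor are stored alongside the hash, as the post describes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique random value per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Regenerate the hash from the stored salt and compare in constant time.
    The plaintext password is never stored and cannot be derived from the record."""
    algorithm, iterations, salt_hex, stored_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hex))


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("unsalted records identical:",
          unsalted_sha256("correct horse battery staple") == unsalted_sha256("correct horse battery staple"))
    print("salted records differ:", alice != bob)
    print("alice logs in:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", verify_password("wrong", alice))
```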
Still on the topic of encryption, there appears to be the assumption that once data is encrypted it is safe. In order for encryption to secure data it must be employed correctly in tandem with good key management and access control practice.
It would be naïve to assume that FDE (full disk encryption) provides protection from the SQL injections that have been used in recent high profile breaches, or for attacks in which privileged user accounts are compromised.
In either case, an attacker can leverage the privileges associated with the compromised user account in order to extract data that has been encrypted lower down the stack (e.g. on the disk), because the running system transparently decrypts it for them. A secure architecture should be built around the concept of least privilege for the benefits of encryption to be realised. In the above database example, separating the application server from the database server and employing field-level data encryption would provide a better solution than employing FDE alone on a single multi-purpose server.
Finally, on to potential curveballs. I suspect a combination of poor default configuration and the IoT (Internet of Things) may coincide to create the perfect storm in terms of invading our privacy.
With the potential for hundreds of poorly configured, embedded devices bristling with sensors to come online inside our homes, I imagine there will be numerous high-profile attacks on a whole range of devices: light bulbs, IP cameras, vehicles, smart TVs, alarm systems, etc. Once this occurs the race to secure our data will begin all over again.
UKFast has some predictions of its own, which we’re sharing in our 2016 Predictions for IT Security and Cloud Technology webinar in January – sign up now to hear more!
Dr Rob Hegarty is a senior lecturer in Computer Security and Digital Forensics at Manchester Metropolitan Uni. Throughout his career Rob has worked as a consultant for various police services engaging in the development of software, provision of training and case consultation.