3 Trends for 2013: Human Risk, Gamification, Increased Federal Activity

It's that time of year again, but since I like to buck the mainstream, I figured, why do a "predictions" piece when I could just as easily do an observations/trends piece? So... here ya go...

Three Trends for 2013
1. Human Risk
2. Gamification
3. Increased Federal Activity

Human Risk

The social engineers have been warning us for many years now that humans are the weakest link in the security chain. They're right, but not necessarily for the reasons they might advocate. Traditionally, social engineers (or, "human hackers," if you will) have bemoaned the myriad ways in which humans can be tricked into being compromised or revealing information. However, while they're right that humans represent such a risk, there's an even greater problem today that is exacerbated by BYOD and the explosion in cloud services and online collaboration tools. Not only are people easily fooled by things like spearphishing attacks (which are themselves getting very tricksy), but we're actually advocating policies that allow people to bring personally-owned devices into the enterprise, and to walk out with who-knows-how-much sensitive data on them.

We're going to continue seeing a lot of problems around human risk factors in 2013, and I even think we'll continue to see this trending up toward being the most common compromise vector. We're still in the transitory midst of the digital industrial revolution, which means that technologies are continuing to evolve, leaving little hope that humans will evolve and catch up any time soon.

Here are some references that you might find interesting on the topic. Highly recommended is the first piece, which is an excellent post by PhishMe debunking a piece by the Washington Post on social engineering.
* Breaking the Myths of Social Engineering
* SANS Security Awareness Metrics
* "Research Publications" from Wombat Security, including excellent pieces on phishing
* The Anti-Phishing Working Group
* Wired piece "How Apple and Amazon Security Flaws Led to My Epic Hacking" - made headlines in August 2012
* Social-Engineer.org - the social engineering portal (educational resource)

Note that there's far more to this "human risk" matter than just phishing attacks. Check out the last link provided above, in particular, as it is very comprehensive on the subject. It's time to do more with security awareness and training programs than simply running annual CBTs. Reducing human risk factors will only come through ongoing educational efforts combined with sane policies and enforcement practices that establish a culture of accountability.

Gamification

How we train and interact with people is beginning to change drastically. Remote workers are now extremely commonplace. This situation can be problematic from a security perspective because you may not know who you're engaged with on the other end of the internet. How do you gauge and track reputation? How do you effectively train and educate people whom you've never seen before, and may never actually meet f2f/IRL?

Gamification is the notion that we can move away from stodgy, rote CBT-style training programs and move to more of a game-based approach to learning. Presenting people with simple, short, but enjoyable games that include lessons on proper security thinking and behavior can be a more effective approach. I fully expect to see real progress in this area in 2013 as next-generation training programs emerge that allow businesses to roll out simple games that draw people back on a regular basis, possibly through the lure of competition, with the happy side effect of subconsciously training them on proper security behaviors. The company that nails this approach will be very successful going forward, and will likely set the mark for how corporate training is done in the future. This almost makes me want to contact Sal Khan to get his thoughts on the topic.

Here are a couple posts from Adam Shostack on the New School site that mention gamification:
* "Smashing the Future for Fun and Profit"
* "Running a Game at Work"

Increased Federal Activity

In my post, "A Little Historical Perspective," I noted that the pace of change in the regulatory space has increased tremendously over the past decade-plus, with no less than 15 major regulatory changes. This pace is only going to continue for the foreseeable future as the US Government continues to believe that it must "do something" to address "the problem," even as they flounder about without really defining what "the problem" is, let alone coming up with a reasonable approach on what to do (maybe they should read my piece on unbalancing the status quo for some ideas).

I fully expect to see emanations from Washington, DC, over 2013 on cybersecurity, "active defense" (hacking back), as well as increased DHS involvement in securing critical infrastructure. 2012 already saw considerable efforts on the topic, and this pace will only continue to accelerate, for better or for worse. To top this off, we're also likely to see major privacy-related initiatives out of the EU in 2013 as they begin to move forward with their new framework. These efforts will almost certainly include considerable debate around the proposed "right to be forgotten" notion. For privacy, 2013 may prove to be a tipping point year. Lastly, don't rule out UN involvement coordinating a cyber "non-aggression" treaty of some sort to help back countries away from their current espionage/cyberwar footing. Such proposals will inevitably be resisted by the US given how active CyberCommand appears to be in the space. We shall see what, if anything, comes of these programs.

Some references:
* "S 3454 Amendments - Intelligence Authorization Act" - discussing "Cyber Supply Chain Security" references
* On the expected Executive Order from Pres. Obama on Cybersecurity - "Obama may issue cyber security order in early January" and "Obama Executive Order On CyberSecurity Coming In January"
* Commentary/Criticism: "Obama's Cyber Executive Order: More Government Control of the Network"
* Full Text: Cybersecurity Act of 2012 (stalled/dead)
* "Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century" - English version, see here for other languages

2013 promises to be yet another interesting year. My only hope is that we can rein in Boomer generation politicians who don't understand what they're trying to legislate. As I've said numerous times before, it takes a generation. We cannot change everything overnight, and we shouldn't try to change much of anything (if anything) using a prescriptive approach. The tech landscape is still changing/evolving rapidly, and to think that a prescriptive requirement will make sense in another few years is just naive. Ah, well...

Happy New Year!

About this Entry

This page contains a single entry by Ben Tomhave published on December 28, 2012 8:02 AM.
