Dear readers, TEAM: Editor-in-Chief: Joanna Kretowicz
[email protected] Editors: Marta Sienicka
[email protected] Marta Strzelec
[email protected] Marta Ziemianowicz
[email protected] Senior Consultant/Publisher: Paweł Marciniak CEO: Joanna Kretowicz
[email protected] Marketing Director: Joanna Kretowicz
[email protected] DTP: Marta Strzelec
[email protected] Cover design: Marta Sienicka
[email protected] Art used on the cover by Jack Moreh Publisher Software Press Sp. z o.o. 02-676 Warszawa ul. Postępu 17D Phone: 1 917 338 3631 www.eforensicsmag.com www.hakin9.org All trademarks, trade names, or logos mentioned or used are the property of their respective owners. The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
We are approaching the end of the year, so it is time to think about the future and the year ahead. We are pleased to present you our very special project created by joint forces of eForensics and Hakin9 Magazines – “Predictions for cyber security in 2016”. This special edition was based on interviews with representatives of companies that had agreed to participate in our project. We would like to give our most sincere thanks to all the participants of this project. You made this possible and without you we wouldn’t be able to make this unique edition. Additional and very special thanks to the Proofreaders who helped with this issue. Your involvement and support of the creation of this magazine is invaluable. Thank you.
The cyber security field is evolving at a rapid pace, constantly changing and influencing our lives unnoticed. Will year 2016 be revolutionary for cyber security? How will recruitment in IT change, what new threats will appear in the new year, will Internet of Things influence cyber community? In search of answers to these questions, our guests went on an unexpected journey through thirteen different sections. Armed only with their own experience, they confront the most difficult questions tormenting experts on cyber security. Do you want to find out if they succeeded? Uncover secrets of cyber security and prepare yourself to face new year! Read our new issue and get all the answers you were looking for! As this is our last issue in 2015, we would like to thank all of our readers for their continuous support for both our projects. Without you we wouldn’t be here, doing all this amazing work to bring you the best content we can. We hope we will be able to be even better in 2016, and with that we wish you all the best in the coming year. Thank you for all the support.
eForensics and Hakin9 Teams
t
able of contents
Page
Section
Questions
6
Top 2015 events
What were the most important things that happened this year?
14
Recruitment
What will change in the talent pool? Will talent shortage in the industry continue to grow? What new challenges will recruiters have to face in 2016? What new challenges will people looking for work in cyber security have to face?
29
Training
What role will formal education play in 2016? Will certification keep its role as the main tool to confirm skill and expertise? Will we see a more unified standardization of education and skills? Will online courses influence the level of education in security field?
40
Threats
What threats that emerged in 2015 will remain relevant in the next year? Which threat group will see the biggest growth in 2016? Can you see any old and forgotten threat coming back in the next year? Will threat landscape be affected by international efforts to combat terrorism? Will cyber security in healthcare remain a relevant topic? Will security in automotive industry keep on causing trouble?
63
Mobile
Which mobile phone will be the most secure one? What kind of vulnerabilities will affect mobile phones in 2016? What security measures we should use to protect our mobile phones in the next
year? What risks will mobile industry face in 2016? 76
Internet of Things
Will IoT force the industry to change? What kind of challenges will IoT face in the next year? How will IoT influence cyber community? Will we see the security for IoT emerging along new IoT solutions, or will we have
to wait? 91
Tools of the trade
How will tools evolve in 2016? Will the trend to eliminate passwords continue? What new technology will make an impact on cyber security the most? What new trends will we see on threat intelligence?
www.hakin9.org
www.eforensicsmag.com
t
able of contents
Page
Section
100
Areas of security
Questions What are your predictions for network security in 2016? What are your predictions for software security in 2016? What are your predictions for hardware security in 2016? What are your predictions for cloud security in 2016?
109
Industry
Will 2016 belong to start-ups or big cyber security corporations? Will cyber security events remain an important part of influencing the deve-
lopment of cyber community and companies? Will we see more state-level cooperation in 2016? In which industry will we observe the biggest demand for cyber security services? What do you think will change in the cyber security market in your country? 122
Cyber security awareness
Will the cyber community influence the level of cyber security awareness? How can we work towards improving cyber security awareness in 2016? What obstacle in awareness will remain unsolved? What role will awareness play in corporate cyber security?
133
Miscellaneous
Predictions for cybersecurity
140
Advice
What advice would you give to fellow cybersecurity professionals going into 2016?
143
Contributing companies
www.hakin9.org
www.eforensicsmag.com
C
YBERSECURITY 2015 TOP EVENTS
What were the most important things that happened this year?
Wade Johansen, CouriTech LLC: C&C Botnets go public - DorkBot and the like have become a business model; they cost only $50 to buy in • The Anthem and EBay hacks - along with Target, Home Depot, JP Morgan, etc. • The implementation of private peer-to-peer social networking clouds with unbreakable encryption • TOR has 5% or more of the exit nodes hacked and infiltrated by the NSA • VTechs hack - stealing children’s identities. C`mon ? This will have consequences we can’t even measure yet.
Amit Serper, Cybereason: We’ve been seeing massive data breaches pretty consistently for the past few years, so really, 2015 was just more of the same. However, if I had to pick specific breaches that stand out, the ones that come to mind are, first and foremost, the Hacking Team breach • Aside from the irony of a “surveillance” company getting hacked (and learning how lax their own internal security was), the fact that State-of-the-Art hacking tools and several Zero Day attacks were released into the wild have and will continue to have long term consequences. One of the Zero Days effectively killed Flash, and of course, having all these resources available for consumption lowered the (technical) skills bar for potential cyber criminals to enter into the game • Next comes the Ashley Madison hack - aside from it being one of the highest profile ransomware attacks, it shows the impact that a data breach can have on people's lives - suicides occurred, jobs were lost, families and reputations were ruined. Most companies approach cyber security from a cost-benefit perspective - is it cheaper to fix the security problem or deal with the fallout from it? In this case, how do you quantify the damage done to Ashley Madison customers? Is that something you can even attach a number to?
Mark Bennet, Blustor: The U.S. Office of Personnel Management (OPM) lost nearly 5.6 million fingerprint records in a cyber security attack in 2015. While this event went largely unnoticed by the general public, it highlighted the tremendous risks associated with biometric security when an individual’s biometric templates are not properly protected. For the unfortunate employees impacted by this incident, they can never replace their fingerprints • Just recently reaching the awareness of the mainstream media, hospitals and medical device manufacturers are being shown to be woefully unprepared. A recent article in Bloomberg Business, entitled “It’s Way Too Easy to Hack the Hospital”, is one of many articles emerging in recent months that tells a rather bleak and frightening story related to the vulnerability of medical devices to remote hacking. It is clear that there is a high potential for catastrophic incidences that are likely to result in serious injury as well as large scale identity theft.
Paul Shomo, Guidance Software: RATs Ran Rampant: (Remote Access Trojans) evolved and proliferated to the point that they were seen in forensic investigations of some of the most high-profile hacks of the year, including the Office of Personnel Management (OPM).
www.hakin9.org
www.eforensicsmag.com -6-
C
YBERSECURITY 2015 TOP EVENTS
What were the most important things that happened this year?
Leon Kuperman, Zenedge: 2015 RSA Conference where we introduced ZENEDGE to the world • www.newbingobilly.ag - longest running DDOS campaign that we are aware of, lasting for almost one year; the attacker has failed at bringing down the site but continues to try on almost a daily basis • ZENEDGE introduces RapidBGP, which allows for sub 60-second DDOS mitigation in the cloud for network protection • ZENEDGE launches Toronto Mitigation center, the first large scale mitigation center in Canada for customer adoption • Complex multi-vector attack by Armada Collective, hitting many companies with DDoS for ransom Bitcoin. Our customer was hit with seven attacks in a one day period in Q4, key shopping season including: Chargen, UDP Flood, SSDP Amplification, NTP Amplification and Layer 7 application attacks. We have now seen Armada Collective on five separate occasions.
Shay Zandani, Cytegic: The OPM breach – because of the consequences to its management and the fact that it was a direct and public hit on a government entity • Anthem Breach (alongside Premera and BlueCross Blue-Shield) – because of the scale of the attack and how it emphasized the forecasted trend of PII and medical data theft • Ashley Madison Breach – because it is perhaps the most significant internal breach since Snowden – it emphasized the importance of the internal threat • The “Cyber-War” between Iran and Saudi-Arabia over Yemen – because it showed very clearly the correlation between physical wars and cyber wars, and the mobilization of hackers to support their governments • The US Military Kills the ISIS Hacker and Recruiter that Attacked Them – because it emphasized the fact that cyber-warriors are valid targets for physical attacks and that they are an integral part of the war.
Mitchell Bezzina, Guidance Software: The Human Perimeter Remained Too Permeable: Human error opens more doors to hackers than technical shortcomings. Whether clicking on a phishing email, failing to install security patches on a regular basis, or leaving a laptop with patient healthcare records in a place where it can be easily stolen, humans regularly hand over the keys to the data kingdom—or leave them lying around where they can be readily obtained • Following suit is Australia, releasing a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 in December that affects any domestic or foreign organization that deals directly with Australian consumers
Richard De Vere, The AntiSocial Engineer: The TalkTalk Breach! (and discovering it) helped place cyber security on the radar for the average person. Infosec left the boardrooms and had free reign of the TV • Old issues making a comeback - Crossdomain Abuse, SQLi • BSIDES in London was my favourite event/con • Software - The release of Kali 2.0 hasn’t changed the world but it’s nice to see the GUI updates • SETOOLKIT - Mr Robot Edition (In fact, Mr Robot was the highlight of my year).
www.hakin9.org
www.eforensicsmag.com -7-
C
YBERSECURITY 2015 TOP EVENTS
What were the most important things that happened this year?
Irfan Shakeel, EH Academy: Helped more than 3000 people to become effective computer forensics examiners; training, certification and relationship with the industry have been provided to them.
Rajeev Chauhan, Cyber Oxen: Sony Hack and Retaliation • OPG Hack • Cryptolocker malware • Identity Theft • Cyber Espionage.
Dennis Chow, Millar, Inc : Blue Cross Blue Shield Anthem Data Breach • New Cyber Threat Intelligence initiatives • WITCHCOVEN Campaign • Remote Jeep Hack • FTC enforcement of Cyber Security to companies.
Francisco Amato, Infobyte: ekoparty • troopers • kiwicon • shakacon • chaos communication congress.
Nick Prescot, ZeroDayLab: Talk Talk breach – an obvious choice, but perhaps more than any other • Safe Harbour re-alignment • EU General Data Protection Regulation • Ashley Madison (mainly for the impact) • Sony Pictures.
BroadTech Security Team: A bit difficult to limit to five. Google Deceptively Tracks Students’ Internet Browsing • Pentagon Cyber Attack • Kaspersky Security Breach • Hacking Team Breach • $1 Billion theft from banks • Ship Data Records Vulnerability • Kaspersky, McAfee, AVG vulnerabilities • Industrial System Control Gateway vulnerabilities.
David Clarke, VCiso: Talk Talk Breach • Ransomware • School Breaches • Mobile Vulnerabilities • Mobile Security.
Stephan Conradin: Theft of sensitive data • Privacy concerns with Windows 10. Amber Schroader, Paraben Corporation: EnFuse 2016 • PFIC 2016 • Techno • HTCIA 2016.
Przemek (Shem) Radzikowski, Secbüro: Labs: Ashley Madison Hack • Black Hat USA • First 400+ Gbps NTP reflection DDoS attack • APT28 • TalkTalk hack by 15yo.
www.hakin9.org
Paul Hoffman, Logical Operations: Two Steps Ahead - Rochester. December 8th, 2015 • ISSA Conference, October 2015 • Dispelled Rumor of MAC OS being safe, as it accounted for the largest proportion of vulnerabilities in first quarter 2015 • The State Dept. is breached by Russian hackers.
www.eforensicsmag.com -8-
C
YBERSECURITY 2015 TOP EVENTS
What were the most important things that happened this year?
Roberto Langdon, Nicolas Orlandini, KPMG: As part of our Security Services to customers, we were dealing with networks with unappropriated protection, the Internet of Things is leaving really black holes in the information management and information gathering, people working so far from the existing standards such as ISO 27001 and ISO 27002 mainly, and the lack of security awareness implemented as a continuous process inside the organizations. Most of them are still reactive instead of being preventive. And most of them know nothing about ISO 270037 • Technology considerably helped the business and mainly the users interacting with it, and as one of the key issues is privacy, it is almost more frequent to find ethics codes violation and frauds carried out by people who understand that the digital equipment that they use can “protect” them against these types of investigations. Neither workstations nor smartphones are outside the scope of investigations, and they have key valuable information. • Increase in amount and depth of data breaches • Dark web, Mobile forensic, data encryption and IoT as challenges for forensic teams • Cloud data collections • Black-Hat 2015 Las Vegas • Lack of Cyber Security/Cyber Forensic Investigators personnel.
Craig McDonald, MailGuard: Anthem. In March, this health insurance company suffered an attack that compromised 78.8 million customers’ records from December 2014 onwards. Data affected: names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data. The data was not encrypted, according to reports • Although smaller than the Anthem attack, the attack on 21.5 million records in the database of the US Office of Personnel Management (OPM) is significant because of the type of data accessed – personal information, background checks, names and addresses and a million fingerprints of US Government employees. It is believed that Chinese hackers were responsible • UK telecom company, TalkTalk, suffered an attack that compromised four million records, estimated to be the seventh largest attack (to September 2015), apparently through a third party call centre in India • Australian Bureau of Meteorology breach reported publicly in December this year. There is no clear picture yet how much the breach will cost to fix or how long it will take – but insiders estimate years and hundreds of millions of dollars. And the critical nature of the bureau's services means its systems cannot be switched off for repair.
Michael A. Goedeker, Auxilium Cyber Security: OPM Breach • DEASH (ISIL-whatever) using social media for targeting soldiers • Ukraine Hacks (our story on the „Fire Sale” hack) • The fight for balancing surveillance and privacy • The Beginning of IoT as mainstream (and additional security holes and lack of it) • Increasing vulnerabilities and attacks on global and national critical infrastructure
www.hakin9.org
www.eforensicsmag.com -9-
C
YBERSECURITY 2015 TOP EVENTS
What were the most important things that happened this year?
Rick Blaisdell: Kaspersky Lab revealed in June that it had discovered an infiltration in several of its internal systems. The attack, also named Duqu 2.0, was believed to be a nation-state-sponsored attack, whose other victims included events and venues with links to world power meetings, including negotiations for an Iran nuclear deal. The Moscow-based security vendor said the compromise included information on the company's newest technologies, such as Kaspersky’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services • LastPass got hacked - LastPass is a very well known provider of cloud-based single sign-on and password manager. Enterprise administrators around the globe use it to manage and secure passwords across their infrastructure. However, in June, LastPass CEO Joe Siegrist admitted in a blog post that a network compromise resulted in the theft of customer email addresses and password reminders. Even though the passwords were encrypted, and there was no evidence of customer data being exposed, LastPass required all customers to change their master passwords the next time they logged in • Pentagon failed to offer small firms cyber security resources - The US Department of Defense (DOD)’s Office of Small Business Programs (OSBP) has failed to offer cyber security options to protect the companies it does business with, according to a report from the US Government Accountability Office (GAO). Small businesses, including those that conduct business with DOD, are vulnerable to cyber threats and may have fewer resources, such as robust cyber security systems, than larger businesses to counter cyber threats • The breach at Harvard University, following in the footsteps of eight other education breaches this year, highlighted growing security concerns around the higher-education market. The breach affected as many as eight schools and administrative offices, though it remains unclear what information was accessed by the hackers • When it comes to the health-care industry, health insurer Anthem revealed a breach in February that exposed an astonishing 80 million patient and employee records. Anthem said the breach occurred over several weeks, beginning in December 2014, and could have exposed names, date of birth, Social Security numbers, health-care ID numbers, home addresses, email addresses, employment information, income data and more. It said it did not believe banking information was taken. The Wall Street Journal reported that Anthem had not encrypted the data that was accessed by hackers.
Kenneth C. Citarella, Guidepost Solutions: In no particular order, we cite these as the most significant cyber security events in 2015: The Office of Personnel Management intrusion • Cyber security talks between the U.S. and China, including China’s arrest of several men alleged to have intruded into U.S.-based systems at the request of the U.S. government • The Third Circuit Court of Appeals upholding the authority of the Federal Trade Commission to sue over cyber security failures under its consumer protection powers. A company may be engaged in an unfair trade practice if it does not live up to its cyber security promises • The beginning of regulatory efforts to mandate cyber security standards in certain industries • Known weaknesses and poor security habits continue to be major attack vectors.
www.hakin9.org
www.eforensicsmag.com - 10 -
C
YBERSECURITY 2015 TOP EVENTS
What were the most important things that happened this year?
Anthony Di Bello, Guidance Software: Breaches Abounded: Almost 90 million healthcare records were breached causing $272 million worth of losses to leading United States healthcare organizations. The lesson learned is that healthcare records are extremely valuable to cybercriminals • Emergence of Endpoint Detection and Response (EDR) security technology category — while technologies focused on providing security visibility and incident response capabilities for endpoint have existed for some time, 2015 marked a critical mass in both the need for and emergence of several start-up technologies focused on these capabilities. These vendors span established EDR players, such as Guidance Software, legacy security vendors coming into the space through acquisition, such as Palo Alto, and start up technologies, such as Cylance. These offerings fill a critical gap at the endpoint left by older technologies, such as anti-virus and hostbased IPS • Data Notification Requirements – The US Government began the first steps in creating one Federal breach notification law with the Data Security and Breach Notification Act of 2015 which received both public backing and some initial opposition. The US is not alone, the EU Council found common ground with Members of the European Parliament and put an end to fragmented requirements for minimum security measures and breach notification requirements across critical service organizations in resources, transport, finance, and health. This comes after the heavily publicized advancements in the EU General Data Protection Regulation to enhance data protection rights of EU consumers for any organization, worldwide, storing personal data.
David Coallier, Barricade: VTech's data leak • Ashley Madison's data leak • The iCloud leak • The rise of the internet of things and the internet of vulnerabilities • Ransomware and boot kits. There were plenty more very important leaks, during this last year. What we find interesting is most of the attacks fall into common categories, such as people still using insecure passwords and executives that do not understand the current technological landscape. The rise of ransomware and their exponential growth is interesting as it allows us to witness the evolution of computer viruses and criminal groups in near real-time. A new player in town, the boot kit, is promising an interesting turn of events for 2016 • Meanwhile, the Internet of Things is left very vulnerable because efficiency and simplicity of use took priority over security, leaving a lot of early and late majority of the tech adopters at risk. The so-called advanced persistent threat is still the industry's poster child and as statesponsored attacks and cyber-espionage grows, we'll probably keep hearing a lot about APT in the next year alongside it's lack of security workforce.
www.hakin9.org
www.eforensicsmag.com - 11 -
C
YBERSECURITY 2015 TOP EVENTS
What were the most important things that happened this year?
Wade Lovell, Simpatic: Revenge Porn – Hunter Moore “who operated the Internet’s best-known ‘revenge porn’ website was sentenced to 30 months in federal prison for hiring another man to hack into e-mail accounts to steal nude photos that were later posted on his website.” This seems a little like sentencing Al Capone on tax evasion charges, satisfying but incomplete link • Angler is an extremely capable and readily available exploit kit used by criminals to run choice cuts of the latest Flash, Java, and browser exploits targeting un-patched users. Hackers add exploit kit to article asking 'Is cyber crime out of control? “Hackers have hosed an article published by The Guardian using the world's nastiest exploit kit Angler to pop the machines of exposed readers. The attack firmly answers the article's headline, positing the question 'is cybercrime out of control', based on arguments in a book by one Misha Glenny.” link • VTech Breach – accounts of 2.9 million kids hacked. This is the type of hack no one seems to talk about because it doesn’t directly involve credit card and social security numbers • Georgia’s Secretary of State released confidential information to a dozen entities on 6 million Georgia voters, including driver’s license information, Social Security numbers and dates of birth, and didn’t notify anyone, according to a lawsuit. “The Georgia Secretary of State, Brian Kemp’s office is being sued by two Georgia women who claim that the Secretary's office released personal information that involves 6 million Georgia voters. Mr. Kemp’s office has communicated that … due to what they are calling a "clerical" error, individual voters personal information was included in these files… According to the lawsuit, Mr. Kemp’s office never notified individuals regarding the breach, nor did they contact the consumer reporting agencies.” link • Organized Criminal Hackers stealing $1 billion directly from banks. “… a gang of international hackers have stolen as much as $1 billion from 100 banks across 30 countries by installing malware that allowed them to take control of the banks' internal operations link.
Gerald Peng, Mocato: Anonymous taking down ISIS social media profiles, November - December 2015 • Ashley Madison hack, July - August 2015 • In June 2015, US Office of Personnel Management (OPM) discovered that the background investigation records of current, former, and prospective Federal employees and contractors had been stolen. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases • Stagefright Bug (all versions) for Android phones, July 2015 • International Conference on Cybersecurity, January 5 - 8, 2015, New York City, NY, United States.
www.hakin9.org
www.eforensicsmag.com - 12 -
W
HO IS WHO
Amit Serper Cybereason Lead Mac OS X security researcher
Michael A. Goedeker Auxilium Cyber Security CEO and Founder
Amit is an Information security researcher specializing in embedded Linux devices. His role at Cybereason is to develop novel methodologies for identifying complex hacking operations. For over a decade he led security projects for a government agency in Israel, specializing in the security of embedded systems. Amit is known as for his "out of the box" thinking and is renown for his shell popping abilities on embedded devices such as routers, IP cameras and even home irrigation systems. He has won several Blackhat pen-testing challenges.
I am passionate about technology, teaching and people! My interests, passion and research includes: Cyber Security, Operations, Leadership and Training up to DoD/Mil level (includes every aspect of IT). Author and researcher at the front end of Cyber Warfare, Espionage and Crime, researching in Academia, Press and Security Professionals Globally. Entrepreneur with solid operations and financial background. Easy to work with, people person that sees talent, develops it and can establish rapport with almost anyone.
Irfan Shakeel EH Academy CEO and Founder The founder & CEO of ehacking group. An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. With more than 7 years of professional work experience, he is creating new Infosec ventures and businesses around the globe.
Richard De Vere The AntiSocial Engineer Ltd, Principal Consultant Richard is the Principal Consultant for The AntiSocial Engineer Ltd, has an extensive background in penetration testing and social engineering, including „red team” exercises and information gathering assessments.
www.eforensicsmag.com
www.hakin9.org - 13 -
R
ECRUITMENT What will change in the talent pool?
Richard De Vere,The AntiSocial Engineer: As more and more people fill the shortage we have across the world for well trained and experienced security vendors and testers, we will start to see the number of inexperienced testers rise.
Kris Rides, Tiro Security: I think we will see larger companies moving internally / hiring people in alternative IT positions and cross training them into Security. So expect to see hiring of Infrastructure and Development staff to increase further.
Michael A. Goedeker, Auxilium Cyber Security: Skills needed and the way we look for people for „cyber” security space. Cyber security is dynamic, so we are looking for people that can think outside the box and make complex things simple.
Chase Cunningham, Cynja: Unfortunately, nothing. There will continue to be a vast lack of resources with respect to real cyber security operations personnel. This will continue for at least the next five years, probably much longer. That’s why it’s important to encourage kids to be safe online and learn about technology. My hope is that if we start inspiring kids to join us in fighting the criminals online, that shortage will be nonexistent by the time our kids move out of the house. Looking 20 years down the road, if one person says to me they chose cybersecurity as a profession because of me, then mission accomplished.
Elizabeth Houser, Praesidio: As more people become aware of the ongoing trends in cybersecurity and the increasing opportunities the industry offers, we’ll see an uptick in people desiring a career shift. This will especially become noticeable as expansion of the IoT requires input from experts in other fields.
Dennis Chow, Millar, Inc: There will be increased requirements for new skills to help defend against modern attackers. Certifications and skills considered ‘advanced’ now will soon become standard in the future, such as malware reverse engineering and exploit creation capabilities.
Wade Johansen, CouriTech LLC: Virtualization skills and multitasking abilities are (and will continue to be) a „must-have” talent. The days of specialization in one service domain alone seem to be rapidly coming to an end. Mobile device management and maintenance is also a skill every tech should start getting familiar with.
www.eforensicsmag.com
www.hakin9.org - 14 -
R
ECRUITMENT What will change in the talent pool?
Rick Blaisdell: The increasing volume and detail of information captured by enterprises, the rise of multimedia, social media, and the Internet of Things will fuel exponential growth in data for the foreseeable future. At the same time, the rising demand for data scientists and the resulting pressure on the analytics labor market is increasing the need for analytics talent as more companies with more data to sift through discover they are trying to hire the same workers.
Roberto Langdon, Nicolas Orlandini, KPMG: There is a shortage of professionals who can meet the specific requirements to be an investigator. This will require professional knowledge about networking, security, IT infrastructure, plus “life” experience. And all of the above, under strictest ethical codes and confidentiality. A forensic investigator must be hungry for investigation. In order to build qualified professionals, it is required to make more disclosures and training courses to motivate the IT security professionals to enter in this amazing world.
Mayur Agnihotri: Talent pool constrained on cyber security recruitment as cyber security (Information Security) budgets expand rapidly. “Cyber security (Information Security) industry is facing a new threat: hiring” - Worldwide situation. Company faces cyber security (information security) talent costs more than other IT positions.
Przemek (Shem) Radzikowski, Secbüro Labs: Given the immediate requirement for cyber security professionals, many people will try to reskill and transfer from their existing professions to fill the gap.
Julie Herold, Kenny Herold-Odin’s Eye: Colleges are recognizing the value of IT Security Professionals; eventually we will see a drastic increase in the number of qualified personnel. Although there is a strong belief that acclimation to this type of profession in the field, it is worrisome at best.
Andrew Bagrin, My Digital Shield: There is already a lot of very average security talent in the industry and very few great talent. We are running this industry somewhat handicapped. I predict it will only get worse as more talent is desperately needed and great talent is very hard to find.
www.eforensicsmag.com
www.hakin9.org - 15 -
R
ECRUITMENT What will change in the talent pool?
Paul Hoffman, Logical Operations: As breaches get more serious, companies will start to pay more for skilled people.
Paul Shomo, Guidance Software: Talent availability will increase, but be outweighed by demand. Closely related careers, like computer forensic examiners and network specialists, will seek opportunities in Security as methodology, concepts and practices are closely related, however, they will require in-depth training and time to gather experience. We’ve seen this in other high velocity emerging markets and cyber security is still three to six years away from having a “normal” ratio of availability vs demand.
Wade Lovell, Simpatic: Some undergraduate programs have picked up the baton and are offering an emphasis in cyber security. As students matriculate from these programs, the talent pool will increase at a pace slightly ahead of the churn rate.
Mitchell Bezzina, Guidance Software: Information security leaders will begin to see a new generation of fully mobile workers coming into the workplace who have an instinctive understanding of privacy issues because of social-media hacks and problems they’ve all encountered, but who are not used to being restricted in their practices within large organizations.
Dotan Bar Noy, Re-Sec Technologies: Cybersecurity workforce shortage is expected to reach 1.5 million by 2019 according to Michael Brown, Symantec CEO. While the growth in the need for talented experts in all sectors will drive an increase in professionals in the long run, we are still going to struggle in the next few years.
Einaras Gravrock, Cujo: The demand will continue to outstretch the supply. An increasing number of IT specialists will repurpose themselves to fit the demand.
Amit Serper, Cybereason: In 2016, the shortage of skilled security pros will result in a more diverse workforce.
David Clarke, VCiso: Audit will take a higher priority as more and more cyber services are outsourced.
BroadTech Security Team: More people are going to go after certification rather than acquiring necessary knowledge and skill in hyped up technologies, especially.
www.eforensicsmag.com
www.hakin9.org - 16 -
R
ECRUITMENT What will change in the talent pool?
Anthony Di Bello, Guidance Software: Vendors and industry experts need to support the efforts of universities to create and deliver the required curriculum for success in the ever-changing information security landscape. Through the provisioning of software, assistance in curriculum development, and support through industry events and competitions the community can give back, and help create the next generation of infosec pros.
Ondrej Krehel, LIFARS: More talented people, as well as people going for the name. Overall, I see a dilution in talent as companies do not want to spend money on good resources.
Stephan Conradin: Security becomes more complex because business and technologies change very fast, so real talent pool will become shorter.
Nick Prescot, ZeroDayLab: Existing consultants • New consultants will start on a different track-level, following the new known trends and identifying others in the emerging world of Internet of Things.
www.eforensicsmag.com
www.hakin9.org - 17 -
R
ECRUITMENT Will talent shortage in the industry continue to grow?
Michael A. Goedeker, Auxilium Cyber Security: I don’t see a talent shortage, just prices being ruined by big companies that overcharge for bad work. This does not allow smaller companies to earn enough to attract good people because for some illogical reason, customers „trust” big names without verifying them (bad for security in general).
Elizabeth Houser, Praesidio: Absolutely. The field is experiencing the same personnel shortage as the medical industry continues to face. Not only is there limited space in training programs but disparity also exists in the quality of these programs. Also, a disconnect remains between what IT managers need and what HR is requiring in job candidates.
Richard De Vere,The AntiSocial Engineer: I think for the foreseeable future we will not meet the demand for information security professionals. The need for these testers is clearly documented with global rises in cyber crime but we have been slow with training, especially in youth sectors.
Kris Rides, Tiro Security: I think we will see an increase in requirements and if the industry doesn’t make changes to how it is currently recruiting, then the shortage will grow.
Wade Johansen, CouriTech LLC : Yes! Recruitment is starting early because there aren’t enough coders to go around, so schools that offer it are seeing benefits for their students.Unfortunately, there is a shortage of strong teachers, so this is causing a shortage of classes, and students. This is the case with a lot of technology fields and not just coding.
Irfan Shakeel, EH Academy: The shortage of skillful people will increase, because the community failed to produce skillful professionals. Organizations are lacking in terms of training & development programs. It will have a direct impact on security; we will witness the rise of hacking attacks.
Dennis Chow, Millar, Inc: Yes, even with new talent graduating with new Information Security focused degrees; many will lack the skills and experience that positions are in demand will need.
Einaras Gravrock, Cujo: Yes, absolutely. Given that inventory is growing by multidigit CAGR, it will take a business cycle for the supply to meet the new demand.
www.eforensicsmag.com
www.hakin9.org - 18 -
R
ECRUITMENT Will talent shortage in the industry continue to grow?
Francisco Amato, Infobyte: I personally think that there is always talent floating around, but companies need to go out and find talented people in different environments, not just in traditional places. There are a lot of capable people, but it is necessary to properly promote and nurture them. One interesting way to find young blood is with competitions or challenges like CTFs, which are done in different events worldwide. Also, the rise of the hackerspace movement for me is an ideal training ground to find people with a lot of skills. Of course, one of the biggest things for these kinds of people is keeping them motivated. If IT sec professionals are only in it for the money and are not really passionate about what they are doing, they probably are going to find it hard to stand out in an intelligent and talented industry where you have extremely bright people (who love what they are doing) and these passionate people are the ones that are always going to be a step ahead.
Przemek (Shem) Radzikowski, Secbüro Labs: For the foreseeable future, the talent shortage will continue to grow for another two to three years (the average length of an undergraduate degree). Unfortunately, the ripple effect from the shortage may persist for a longer period while professionals gain industry experience.
Mayur Agnihotri: Yes, talent shortage in the industry continues to grow, demand is high and supply is low. Companies needs to attract and retain cyber security talent. Some elements for attract and retain cyber security talent • Provide training for staff on emerging technology • Companies must participate in different events, like hackathons and open-source community platforms • Companies must collaborate with universities / colleges in emerging technology, as well as cyber security talent.
Anthony Di Bello, Guidance Software: The talent shortage is expected to grow unless a top-down effort is made to create and stimulate interest in information security fields early on in a student’s education.
Mitchell Bezzina, Guidance Software: Yes, due to the demand generated by the unusual amount of potential business risk associated with failed cyber security practices, the proliferation of media attention, and time it takes to train security specialists. The talent shortage will continue until the emergence of the next generation of qualified cyber security specialists.
David Clarke, VCiso: Yes, almost certainly, as more and more skills other than cyber technical skills are required.
www.eforensicsmag.com
www.hakin9.org - 19 -
R
ECRUITMENT Will talent shortage in the industry continue to grow?
Andrew Bagrin, My Digital Shield: Great talent shortage will, but we will see a bunch of new people in the industry. There are schools now trying to get people in the industry.
Stephan Conradin: Of course. More complexity, more needs, fewer people with wide knowledge.
Amit Serper, Cybereason: Yes, but will be offset by better and more automated tools.
Dotan Bar Noy, Re-Sec Technologies: Yes, in the short term we will still have a talent shortage, and even more important is attracting the exceptional experts that are becoming very rare.
Rick Blaisdell: Unfortunately, yes. More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years, according to a Peninsula Press (a project of the Stanford University Journalism Program) analysis of numbers from the Bureau of Labor Statistics. The demand for information security professionals is expected to grow by 53 percent through 2018. According to a recent report from the job board Dice, the demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million.
Paul Hoffman, Logical Operations: Yes, there will be a shortage for three to five more years, as people are trained in the industry.
BroadTech Security Team: There will be a shortage of usable people. Talent alone is not enough. Skill and Experience are also needed, which needs time to be acquired. Technology disruption and information overload is happening in such a rapid rate that time needed to understand, assimilate, gain skill and experience is getting even more limited.
At the same time, according to a 451 Research recent study, based on responses from more than 1,000 IT professionals, primarily in North America and EMEA, security managers reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5%) and inadequate staffing (26.4%). Given this challenge, only 24% of enterprises have 24×7 monitoring in place using internal resources.
Ondrej Krehel, LIFARS: I believe so. Until companies become aware they need talent and reward it, I believe people may not want to enter the field.
www.eforensicsmag.com
www.hakin9.org - 20 -
R
ECRUITMENT Will talent shortage in the industry continue to grow?
Wade Lovell, Simpatic: Yes, while the talent pool is expanding slightly ahead of the churn rate, the demand continues to grow.
Nick Prescot, ZeroDayLab: It depends what talent you’re looking for. Information Security continues to be both.
www.eforensicsmag.com
www.hakin9.org - 21 -
R
ECRUITMENT What new challenges will recruiters have to face in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Becoming more knowledgeable in what makes a successful „cyber” security person. Understanding exactly what the value of certs and experience is. Paying the right money for demanded positions instead of pushing them down.
Kris Rides, Tiro Security: Larger companies will look to hire more niche candidates as they break down their teams into further specialties. This will mean your average generalist IT agency will find it tougher to fill these people as they will need to be focused 100% in this area to build relationships. Medium sized businesses will continue to have to a lot of competition with companies for their Security people. They will need to show the kind of flexibility on job requirements and benefits to really differentiate themselves and allow recruiters to fill their most urgent requirements. Recruitment companies will find it even tougher to supply contractors in Cyber Security. High permanent salaries and the kind of benefits these people will be offered, matched with (at least in the US) the high cost of healthcare mean the benefits of being a contractor will no longer be worth the risk.
Richard De Vere, The AntiSocial Engineer: I think sorting the good from the bad will be harder than ever over the next year. Recruiters have to step up their game and rely more on personal bonds and careful research of their candidates and not just point and click recruiting.
Irfan Shakeel, EH Academy: The recruiters will get confused because of the formal education, infosec certifications without any central governance body and the skills. The recruiters have to develop a methodology to capture the right candidate based on the skills, rather than a piece of paper.
Wade Johansen, CouriTech LLC: There is a large pool of jobs and many of them just don’t pay enough, particularly the Government sectors. There are not enough highly skilled workers to meet the demand and private industry pays far better. Unfortunately, having a good benefits plan isn’t enough now - workers want work at home VPN options, higher salaries and employers that provide ongoing training benefits and perks.
Dennis Chow, Millar, Inc Short: Being able to distinguish ‘paper certified’ professionals compared to ones with true hands-on experience that happen to have those same certifications.
www.eforensicsmag.com
www.hakin9.org - 22 -
R
ECRUITMENT What new challenges will recruiters have to face in 2016?
Chase Cunningham, Cynja: The continued lack of talent will increase the demand for real cyber operators and the starting salaries for those individuals will continue to rise. The men and women who are coming out of the military and intelligence communities will have their pick of private sector jobs and roles and recruiters will have to outbid each other to win those candidates.
Ondrej Krehel, LIFARS: They will have to deal with larger pools of applicants and finding talent among them.
Stephan Conradin: First; they should see and understand this growing complexity. Second: they have to reintroduce good sense when finding talent, not only check for some words in CV.
Amit Serper, Cybereason: Having to find the right soft skills, which will be just as important as the right technical skills.
Paul Hoffman, Logical Operations: Differentiating between actually skilled workers and ones with puffed-up resumes, but they may not care as anyone willing to fight cyber attackers is better than no one.
Rajeev Chauhan: The vanishing line between ethical and unethical behavior in the infosec community will be a matter of growing concern.
Wade Lovell, Simpatic: A growing percentage of entrants into the security talent pool will have absolutely no relevant job experience.
Mayur Agnihotri : Nothing new recruiters fail to attract and retain cyber security talent. Andrew Bagrin, My Digital Shield: Separating the true talent from the rest. Przemek (Shem) Radzikowski, Secbüro Labs: Recruiters will find it tough to sift through a torrent of opportunistic but relatively unskilled candidates who want to jump aboard the rise in pay commanded by quality security experts.
Nick Prescot, ZeroDayLab: Availability of experienced consultants because none of them are available.
www.eforensicsmag.com
www.hakin9.org - 23 -
R
ECRUITMENT What new challenges will recruiters have to face in 2016?
Anthony Di Bello, Guidance Software: A lack of practical experience. While education certainly provides an understanding of systems and how to secure them, all bets are off when they experience their first live cyber-attack.
Dotan Bar Noy, Re-Sec Technologies: Costs of talents will continue to increase as demand is high and companies are recruiting less experienced talents and will need to invest in training etc. According to a recent report from DICE, a leading IT job board, the top five IT security salaries are: No. 1 – lead software security engineer at $233,333; No. 2 – chief security officer at $225,000; No. 3 – global information security director at $200,000; No. 4 – chief information security officer at $192,500; and No. 5 – director of security at $178,333.
Mitchell Bezzina, Guidance Software: Those looking to place experienced cyber security specialists will find it difficult moving an individual into a new organization with career development or ancillary benefits being part of the decision process. It may well be easier to relocate teams who have an understanding of each other and efficient workflows. When looking to place candidates transitioning into cybersecurity as a solution to talent shortage, a more rigorous culling process will need to be defined to ensure there is a great rapport between manager and the new candidate, this ensures a faster, more successful transition.
BroadTech Security Team: I cannot say for large companies. Startups like ours take freshers guide and train them.
David Clarke, VCiso: Recruitment is a vulnerable 3rd party and they will need to apply cyber standards, as well as find the appropriate resources.
Elizabeth Houser, Praesidio: The realities of the field versus how popular culture continues to influence the perception of cybersecurity will continue to be an issue. CSI:Cyber isn’t likely to have the same impact on job candidates to the extent the CSI effect has impacted average citizens but there will be a definite ripple, regardless of size.
Rick Blaisdell: The need for more cyberworkers also explains why info security is considered one of the best jobs out there - for the next seven years. U.S. News and World Report ranked a career in information security analysis eighth on its list of the 100 best jobs for 2015. They state the profession is growing at a rate of 36.5 percent through 2022.
www.eforensicsmag.com
www.hakin9.org - 24 -
R
ECRUITMENT What new challenges will people looking for work in cyber security have to face?
Michael A. Goedeker, Auxilium Cyber Security: Payment expectations vs. reality. Either you get more money working for a big company that likely uses you up, or you work for a startup and gain experience and knowledge to grow. Become lifelong learners or look for another job.
Przemek (Shem) Radzikowski, Secbüro Labs: There is no substitute for experience. Be prepared to work hard and learn fast because the security ecosystem is changing far more quickly than other sectors.
Kris Rides, Tiro Security: It will still be tough to stand out from the crowd, adverts will attract the masses meaning a good quality experienced candidates resume will be in the middle of a pile of people trying to move into cyber security. Expect to see plenty of counter offers, it’s not a new challenge but there will be a distinct rise so it’s important to ensure you have tried your utmost to get the changes you require in your current job before you start your search. If it takes you to get another job before they give you what you are looking for, you are working for the wrong company. It will also be important for candidates to weigh all the benefits of job offers, expect to see some good salary increases but remember, there is a lot more to a job than that. As Richard Branson was recently quoted, “Time is the new money.”
Richard De Vere,The AntiSocial Engineer: People new to the industry or people looking to find that new role will have to strengthen their knowledge of computing in general and not rely so heavily on automated tools.
Irfan Shakeel, EH Academy: The hiring criteria, people are more likely to get confused and they will focus on gaining the certifications rather studying and practicing. This will get them hired but at the end, the organization will suffer the consequences.
Amit Serper, Cybereason: Not only are threats and the external landscape changing, but given the rate of technology innovation, security teams need to rethink how they structure their processes and activities because perimeter based approaches are obsolete, and penetration is inevitable.
Anthony Di Bello, Guidance Software: Certainly not a lack of competition in the job market.
www.eforensicsmag.com
www.hakin9.org - 25 -
R
ECRUITMENT What new challenges will people looking for work in cyber security have to face?
Andrew Bagrin, My Digital Shield: How to defend against the new threats, how to simplify and at the same time reduce cost. We can’t continuously keep spending more and more money on security.
Dotan Bar Noy, Re-Sec Technologies: For the next few years not much. They need to keep up-to-date with industry development and solutions.
Julie Herold, Kenny Herold, Odin’s Eye: Eventually a shortage of jobs and declining wages; cookie cutter vulnerability assessments and penetration testing (which really isn’t penetration testing). We refer to it as hitting the big green “go” button with automated web application or vulnerability scanning tools and removing false positives and calling it a penetration test. As a result of this stance from most IT Security companies, there will be a lack of opportunities to grow in this space with breadth and depth of knowledge and offering additional value to engagements.
Paul Hoffman, Logical Operations: It is not new, but on-going; it is defending against those things that you don’t know. Reducing risk and exposure in areas that are unknown. Hackers are constantly looking for new ways to breach security and companies are just trying to patch those known areas.
Wade Lovell, Simpatic: Entrants will likely find themselves in the security silo without many non-entrepreneurial opportunities to move to other parts of engineering and development.
Stephan Conradin: They must open their eyes and have great interest on what happens just in left or right of them. We could not have only one specialization, we must have several and/or have a generalistic view.
BroadTech Security Team: There are so many tools and using them is very easy. But understanding the underlying technology is something lacking in people even with certifications. People will need to have more than certification if they need to get work. People who do not have certification will have to show their experience and credibility in some tangible way.
Ondrej Krehel, LIFARS: New threats and budgetary challenges as technology emerges.
www.eforensicsmag.com
www.hakin9.org - 26 -
R
ECRUITMENT What new challenges will people looking for work in cyber security have to face?
Nick Prescot, ZeroDayLab: The balance of qualifications vs. experience. There are many consultants who are experienced but don’t have the level of qualifications and others who are well qualified but don’t have the experience.
Mitchell Bezzina, Guidance Software: Proving their skillset can easily transition into cybersecurity would be the main challenge. For those in developing careers, there will be a steep learning curve which may involve odd hours and be prepared to “roll up the sleeves”, as with growing industries, managers rarely manage people but must also take on work tasks and assist in day-to-day activities.
David Clarke, VCiso: A Cyber Role is a journey and the role has to match where the client is their cyber maturity and position it no longer a “finger in the leaking dyke”.
Dennis Chow, Millar, Inc Short: The problem of finding well-paying local security positions as opposed to ones that require relocation to high cost of living areas.
Wade Johansen, CouriTech LLC: Employers who look for talent often don’t understand just how talented an individual really is from a resume. Because every resume is filtered through an HR dept, often by keyword - great prospects are skipped over. Keyword resume searching has become the norm, often when you do get an HR person who calls, they don’t understand the technical abilities of the prospective employee, and so they are often overlooked when in reality they may be a perfect fit. This is a challenge because IT techs often are the worst at describing what they know and do on a daily basis.
www.eforensicsmag.com
www.hakin9.org - 27 -
W
HO IS WHO
Kris Rides TiroSec, CEO and Founder
Elizabeth Houser Preasidio Security Engineer
Kris believes that there is no substitute for building long term relationships with clients and you do that by providing them a great service. This is his 16th year in the recruitment industry and he has built and managed both permanent and contract teams over multiple disciplines in both the UK and all over the USA. Kris is passionate about recruitment and still keeps in touch with both people he placed when he first started his career and clients he worked with. He has spent almost all of his working career in Tech recruitment and he understands his candidates needs as well as the difficulties clients have in some of these niche areas.
Security Engineer for Praesidio and focuses on vulnerability assessments, incident response, and digital forensics. She is a graduate of the University of Washington and lives in Seattle. Her additional interests include malware analysis as well as cyber threat intelligence and serves on the Computer Information Systems (CIS) Advisory Committee for Edmonds Community College in Lynnwood, WA.
Roberto Langdon KPMG Sr Manager, Forensic Technology Services Risk Consulting He has a wide experience in the Information Security market, as well as in the Forensic Practices and Technology. He has 35 years of experience previous to his position at KPMG, within national and multinational companies, from IT & Telecomm sector, and 15 years of experience in Information Security, Physical Security and Urban Security specialization.
Einaras Gravrock Cujo, CEO 12 years digital commerce experience. Founded / built Modnique.com to $50M in annual sales. Named one of Goldman Sacs 100 most intriguing entrepreneurs in 2014.
www.eforensicsmag.com
www.hakin9.org - 28 -
T
RAINING What role will formal education play in 2016?
Michael A. Goedeker, Auxilium Cyber Security: It always plays an important role in research based jobs. Teaches how to do research and work within specific requirements and times. Certification will never replace a degree (IMHO). A degree is also not everything either.
Wade Lovell, Simpatic: As the industry matures, degrees and certifications will play more of a role. This is a mistake. Having held a number of certifications myself, including the CFE (Certified Fraud Examiner), I have little respect for their ability to help practitioners stay up to date and see them more as a gate preventing some experts, especially young ones without corporate CPE and dues sponsorship, from appearing as competent as some of the corporate dinosaurs.
Irfan Shakeel, EH Academy: Formal education should play an effective role and we need to make little tweaks in the formal education. But, the formal education without the required amendments will not play any notable role.
Chase Cunningham, Cynja: The more education that cyber operations personnel can attain before they go looking for work, the higher initial salary they can garner. Thanks to increased specialized training in the military and intelligence communities, the need for actual degrees is not completely necessary. However, surveys show that the gap in starting pay for those with advanced degrees is much greater, by up to 40%, compared to those with similar cyber skills but no formal education. In short—it pays to go to school.
Elizabeth Houser, Praesidio: Formal education will continue to be sought after but the availability of online (especially free) training resources will increasingly augment the education of individuals at all skill levels.
Roberto Langdon, Nicolas Orlandini, KPMG: The education will be very important in 2016, because we need to incorporate already skilled people for this activity that can be very effective from the very beginning of his/her job.
Nick Prescot, ZeroDayLab: Education will become more formalised in 2016 where it will be a training requirements.
www.eforensicsmag.com
www.hakin9.org - 29 -
T
RAINING What role will formal education play in 2016?
Dennis Chow, Millar, Inc Short: There will be an increase in positions requiring an undergraduate degree to even apply. However, I do not believe there will be a large increase in requirements for ‘security’ specific degrees. Certification need will also increase, as well, that teaches handson skills rather than conceptual only.
Stephan Conradin: Crucial, more education for more ability to work with complexity.
Paul Hoffman, Logical Operations: Formal education will have to step up in some capacity and in 2016 you will see some do just that. But it will take time. Those institutions do not move very fast.
Amber Schroader, Paraben Corporation: We have seen a change in a need for a base training and understanding of the principles associated with examination that comes through formal education. However, we see a deficiency when it comes to the ethics that are required to be able to function in the field when it comes to formal training.
Rajeev Chauhan: There can be no substitute for formal education, the formal education provides the base for future. However, exceptions can not be ruled out.
Ondrej Krehel, LIFARS: It’ll be more important, as curriculums are getting better, but still not where it should be.
BroadTech Security Team: It will be an important factor but not a deterministic factor. Skill, experience & passion will win over nonchalant formal education.
Anthony Di Bello, Guidance Software: This depends on the ability for universities to find qualified instructors and develop meaningful curriculum. Given the salaries associated with skilled cyber pros, I can see how attracting qualified educators in the field will be challenging. Perhaps universities can turn to their own internal information security teams for assistance in this area. Universities that offer meaningful cyber programs can be expected to play a big role.
Wade Johansen, CouriTech LLC: In the U.S. it is starting to gain more ground now. The federal Govt has started giving grants to more colleges to develop Cyber Technology and Security programs and degrees. For many colleges, this is the first time they’ve ever had real Cisco or cyber security labs and not just textbooks and desktops. It’s a big leap forward.
www.eforensicsmag.com
www.hakin9.org - 30 -
T
RAINING What role will formal education play in 2016?
Andrew Bagrin, My Digital Shield: Just adding head count in the industry. The security industry requires experience and knowledge about hacking, networking and coding.
Przemek (Shem) Radzikowski, Secbüro Labs: It is difficult to see formal education disappearing completely, but in general, it has been slow to incorporate cybersecurity trends within their curricula. It’s not uncommon for university curricula to remain static for many years because of their reliance on published textbooks.
David Clarke, VCiso: Education needs to start in schools, the gap between schools and IT is getting bigger, Cyber Security is misunderstood.
Julie Herold, Kenny Herold, Odin’s Eye: We think, based on the previous answers, we won’t quite yet see the results this year.
www.eforensicsmag.com
www.hakin9.org - 31 -
T
RAINING Will certification keep its role as the main tool to confirm skill and expertise?
Michael A. Goedeker, Auxilium Cyber Security: They are important but experience is more important. Certs don’t guarantee success but combined with experience through using taught concepts in projects is an indicator.
Wade Johansen, CouriTech LLC: For now, yes! Because most college degrees don’t prove skills in the field, or because the requirements of the degree may use outdated resources, there is a tendency now to look for certified professionals such as VCP, CCNA, MCSA, C|EH, etc., which shows the skills are currently relevant to an architecture or model.
Rick Blaisdell: Yes, that’s for sure. The 2015 CompTIA study HR Perceptions of IT Training and Certification revealed that: 65 percent of employers use IT certifications to differentiate between equally qualified candidates • 72 percent of employers use IT certifications as a requirement for certain job roles • 60 percent of organizations often use IT certifications to confirm a candidate's subject matter knowledge or expertise • 66 percent of employers consider IT certifications to be very valuable - a dramatic increase from the 30 percent in 2011.
Przemek (Shem) Radzikowski, Secbüro Labs: I’ve met many highly-certified people who have turned out to know very little. All too frequently, certifications only test knowledge but not the candidate’s ability to apply the concepts in real world situations.
Dennis Chow, Millar, Inc: Yes, certifications will complement and evolve to help maintain the attestation of a certain level of skill. However, we will see more interviews and other candidate requirements to prove hands-on experience through ‘practical’ assignments.
Dotan Bar Noy, Re-Sec Technologies: Certification plays an important role ensuring your team is up to speed with new solutions and encounters other professional to share ideas and feedbacks on the different solutions.
David Clarke, VCiso: The idea that a five day training course means we have cyber skills, anymore than learning to drive from multimedia training course is valid, we need the equivalent of medical interns, Barristers Pupilage.
Rajeev Chauhan: To some extent, certifications are benchmarks for judging capabilities, but there is no substitution for hands on skills.
www.eforensicsmag.com
www.hakin9.org - 32 -
T
RAINING Will certification keep its role as the main tool to confirm skill and expertise?
Amber Schroader, Paraben Corporation: Yes, certifications are a necessity as they allow for the specialization in the industry that can only be done through specific certifications.
Paul Hoffman, Logical Operations: Certification will continue to play the primary role in confirming expertise.
Ondrej Krehel, LIFARS: I think work experience is the real key, certs are more of a minimum knowledge.
Andrew Bagrin, My Digital Shield: I think certification has already dated itself and it won’t get any better. Accomplishments and understanding of core principles is what I look at.
Anthony Di Bello, Guidance Software: I hope not. I believe practical experience and red/blue team exercises should be the main tool to confirm skill and expertise in this field.
Stephan Conradin: Yes, but certification will have to adapt to new complexity. When I got my CISSP, I had a question about the height of the fences, It is always a good question but now our data is more in the cloud and less protected by fences.
Elizabeth Houser, Praesidio: Likely yes, as the desire for certifications has been consistent over the years and most people are comfortable with that benchmark.
Wade Lovell, Simpatic: I hope not. I prefer directly testing candidates and reviewing their code and thought process.
Roberto Langdon, Nicolas Orlandini, KPMG: Certification is a must to provide calm and confidence to the clients, that the people involved in the investigations and data acquisitions, are recognized professionals to do that, keeping the security triad CIA (Confidentiality, Integrity and Availability) of all the information gathered and processed.
BroadTech Security Team: Certification even now is not the main tool to confirm skill and expertise for CEOs & HRs who care about business. But vendors will push for certification since it is another recurring revenue generation market due its expiry date.
www.eforensicsmag.com
www.hakin9.org - 33 -
T
RAINING Will certification keep its role as the main tool to confirm skill and expertise?
Chase Cunningham, Cynja: New certifications, like those from ISACA’s CSX program, will start to slowly replace some of the “cookie-cutter” certifications that have typically garnered more interest. Recruiters are hiring personnel and senior managers with active performance based certifications at a higher rate than before. The old paradigm of studying for a certification and passing it will start to go away. If one can’t actually conduct the task then they won’t get certified. Another way to put it, people prefer doctors who have practiced their medical skills on patients rather than simply reading books and passing exams. The same is true in cybersecurity.
Julie Herold, Kenny Herold, Odin’s Eye: We’ve always been jaded with regards to an acronym that states you can memorize information so we feel that any answer would be biased. Your work experience and end product should be the proof of your level of expertise as well as your ability to convince your client that A.) You know what you are talking about and B.) You can execute at that level. For clients that rely on the certifications as a compass to navigate through the many vendors with these types of services, they do have their place.
www.eforensicsmag.com
www.hakin9.org - 34 -
T
RAINING Will we see a more unified standardization of education and skills?
Michael A. Goedeker, Auxilium Cyber Security: I hope so, everyone has their „own” standard and it's very hard to judge one cert from another. However „Cyber” and security, in general, are very dynamic which makes standardization extremely hard to achieve.
Wade Lovell, Simpatic: Yes, but it won’t be helpful for the reasons discussed above and because graduates of the new degrees in cyber security seem to be primarily learning Java and have little time on the keyboard with other languages.
Przemek (Shem) Radzikowski, Secbüro Labs: The security ecosystem is becoming highly specialized and new niche areas are emerging each year. If anything, we will see further fragmentation of education.
Stephan Conradin: Not sure. Standardization doesn’t mean quality. We need big certifications, like those of ISACA or (ISC)2 but we need to use very specific certifications very close to technologies.
David Clarke, VCiso: No, unfortunately, not for long time.
Julie Herold, Kenny Herold, Odin’s Eye: We foresee, with the increase in demand, that education will start at lower stages of the education systems which would standardize and unify approach and delivery.
Andrew Bagrin, My Digital Shield: I doubt it. Security changes too often because the threats continuously change. So it will be hard to have a standard training that will last.
Nick Prescot, ZeroDayLab: Not in 2016 but as a growing trend over the years.
Mitchell Bezzina, Guidance Software: Yes, as industries mature, standards will emerge across disparate training and larger cybersecurity training organizations will devote time to university course curriculum.
Paul Hoffman, Logical Operations: I don’t believe we will see standardization beyond the NIST and NICE efforts for a while. Once those standards take hold, we will move to the next level.
www.eforensicsmag.com
www.hakin9.org - 35 -
T
RAINING Will we see a more unified standardization of education and skills?
BroadTech Security Team: In information security, it is important to have ground work in standardization of education to eliminate gaps in topics. But once the foundation is made, standardization of skills would be stupid because hackers don't attack your standard way nor can you ask a hacker to be certified before he attacks. Hackers are ( I mean the good ones ) creative ( kaspersky breach ) and after the standardization of education on fundamentals, InfoSec professionals should be able to think creatively in order to counter non standard attacks.
Wade Johansen, CouriTech LLC: Yes, this is already happening today in the U.S. As the federal Govt is standardizing its own networks, the skills they are looking for in high tech field employees has evolved. Because there has been a lack of qualified candidates, they have begun to fund colleges and universities to develop those necessary skills in students or offer continuing education courses for workers who are looking to enhance or upgrade their skills.
Ondrej Krehel, LIFARS: I think so, but diversity isn’t bad either.
www.eforensicsmag.com
www.hakin9.org - 36 -
T
RAINING Will online courses influence the level of education in security field?
Michael A. Goedeker, Auxilium Cyber Security: Online courses will grow in importance as we see companies limit travel expenses. Online training will also let people learn at their own pace.
Paul Hoffman, Logical Operations: To some degree, of course.
Ondrej Krehel, LIFARS: I believe they will dilute the talent pool. As people who would go remote could just learn on their own.
Irfan Shakeel, EH Academy: Yes, online courses are the rich source to get the basic training & education. Online courses will influence the infosec education.
Stephan Conradin: Online course are more adapted to time of life, it is easier to find time to learn online. But presential courses are important to share with other professionals.
Wade Johansen, CouriTech LLC: They already are. Most students I know are already taking online courses. It opens up a world of opportunity. You can now also get an accredited degree completely online and the adoption rate of this model is growing quickly.
Wade Lovell, Simpatic: Only if there is a complete change in the way course content is created, curated, and sold. For example, Cisco or Microsoft could be incredibly influential in the level of education in the security field had they not made education and certification profit centers.
Przemek (Shem) Radzikowski, Secbüro Labs: Although I have a number of formal credentials, I think online courses provide a tremendous service to the industry by making security education easily and cheaply obtainable to anyone who wants it. That’s a positive. The negative aspect of online courses lies with their clumsy way of proving that the student has passed the material – it still hinges on an honours system.
Andrew Bagrin, My Digital Shield: Yes it will, but not the quality of people. The same reason as above. Security is not something on its own, but security needs to be applied in all areas. (networking, development, process, etc.)
www.eforensicsmag.com
www.hakin9.org - 37 -
T
RAINING Will online courses influence the level of education in security field?
BroadTech Security Team: Yes, especially free online courses are going to play a big part.
Mitchell Bezzina, Guidance Software: Yes, the base level of knowledge should increase.
Nick Prescot, ZeroDayLab: Not really.
Julie Herold, Kenny Herold, Odin’s Eye: Yes, as traditional colleges begin to move more towards the “trade” skill fields, the hands on training will inevitably be supplemented with online courses.
www.eforensicsmag.com
www.hakin9.org - 38 -
W
HO IS WHO Wade Johansen CouriTech LL, CEO and Founder
Andrew Bagrin My Digital Shield (MDS) Founder and CEO
I’ve worked in the IT industry since 1982 and have been a high level systems engineer for more than 10 of those years. I also taught as an IT course instructor for 8 years. I currently hold CISSP, HCISPP, C|EH, CHIT, WG-WCSP, CCSP but have also held over 25 certifications lifetime such as MCSE, CNA, Server+, Net+, Sec+, SCP, SCNA and more. I spend much of my time integrating and merging business domains and large scale environments, and improving network security. My specialities are Active Directory migrations for healthcare, banking, and various other industry verticals.
Andrew Bagrin is the Founder and Chief Executive Officer of My Digital Shield (MDS), a leading provider of Security-as-a-Service (SECaaS) for small businesses. With more than 18 years of experience in the IT security industry, Andrew started MDS in 2013 to bring cloud-based, enterprise-level security technology to small businesses at an affordable price. Prior to founding MDS, Andrew served as the Director of Service Provider Business Development at Fortinet, a network security provider. He held the position from 2008 until 2013, focusing on new security offerings as well as gaps in the security market. Andrew’s career in IT security began in 1997, working for several network security consulting companies. From 2000 to 2004, he served as the Director of Network and Security with Regal.
Chase Cunningham Cynja, CTO Chase Cunningham serves as CTO and fights bad guys in cyberspace. He began his Cynja training serving in the U.S. Navy, where he worked as an analyst in the Department of Defense’s network exploitation program. He lives in Texas with his two young cyber warriors Callie and Caelyn. He earned a B.S. from the American Military University, and an M.S. and a Ph.D. in information systems security from Colorado Tech University.
Rajeev Chauhan C|HFI, C|EH, BSc, BTech IT & Comn, MS Cyber Law and Cyber Security. Cybersecurity enthusiast, Independent Researcher, trainer, consultant and blogger at Cyberoxen. Loves golden oldies.
www.eforensicsmag.com
www.hakin9.org - 39 -
T
HREATS What threats that emerged in 2015 will remain relevant in the next year?
Leon Kuperman, Zenedge: Targeted, advanced threats focused on specific organizations (called ATP’s) – threat actors are well funded, patient and utilize a combination of techniques to infiltrate an organization (including physical, social engineering and standard network and cyber attacks) • Advanced botnets, using Layer 7 DDOS attacks over HTTPS (hard to mitigate) – this trend will continue in 2016 and we will see the next iteration of weaponized zombies with near-browser like capabilities. • IoT – Connected devices with OS’s running on them, with vulnerabilities exposed at an unprecedented rate. • DDOS attacks for Bitcoin.
Shay Zandani, Cytegic: Attacks to steal PII, medical data and sensitive information will continue to be a major concern – not only for the “usual” targets but also for “new types” of targets, such as municipalities, online gaming platforms, tier-2 retailers, production lines, etc. • SCADA and ICS attacks will continue to grow and become a major threat to critical infrastructure, but also for plants, production lines. • Ransomware is likely to continue to evolve and remain mainly a nuisance.
Rajeev Chauhan: Zero-day vunerabilities, clickjacking and ransomware.
Einaras Gravrock, Cujo: IoT. It’s going to get worse before it gets better. IoT penetration is growing at a high multi-digit rate and device makers continue to be unprepared for security challenges.
Michael A. Goedeker, Auxilium Cyber Security: „Cyber” Espionage, Warfare and their influence on new technology in „Cyber” Crime. Increased attacks on personal data in government, increased attacks on critical infrastructure, increased corp espionage by nation states, lack of actionable intel in threat intelligence products
Kris Rides, Tiro Security: As more companies move towards cloud services, the attack surface is increasing. I think we will see more sophisticated attacks targeting cloud service providers. I also think the assumption made by many companies that moving to the cloud pushes security issues to these services providers, alongside with companies running hybrid systems, will leave gaps in their security posture.
Dennis Chow, Millar, Inc: Phishing and Social Engineering based attacks combined with insider threat based breaches.
www.eforensicsmag.com
www.hakin9.org - 40 -
T
HREATS What threats that emerged in 2015 will remain relevant in the next year?
Mayur Agnihotri: Good Malware Never Dies, Fidelis in a recent report as a "reincarnation" of previous malware. Not only can Java-based JSocket control Linux, Mac and Windows PC systems remotely, but the malicious code is also able to affect mobile devices.
David Clarke, VCiso: Security personnel reporting lines reporting to IT, Cyber Security is there to protect against bad things happening, surely this should report to the highest level.
David Coallier, Barricade: Whilst ransomware will probably continue to be used (as they are wildly successful for criminals), I am bullish on the new threat landscape around the Internet of Things. There are a lot of devices which access vast amounts of personal and private information, as well, becoming more intrinsic to your everyday life (i.e. connected cars) and yet, the security of most of these devices is fickle at best.
Dotan Bar Noy, Re-Sec Technologies: Unfortunately, enterprises are still not protected from 2015 threats to worry about 2016 ones. We will still see content based attacks containing APT, Phishing, Ransomware and many more zero-days. Threats will continue to use sophisticated delivery mechanisms that will allow them to perform updates and evolve over time.
Paul Shomo, Guidance Software: Malware designed primarily for long term command-and-control, such as Remote Access Trojans (RATs), will continue to be the bane of incident responders’ existence in 2016. It’s such a simple matter to create a new version of a RAT in minutes and they offer the advantage of being unique and therefore bypass signature and policy based detection methods, relying heavily on technologies with deep endpoint visibility. These tools will form the cornerstone of incident response and security alert triage and validation.
Rick Blaisdell: Wearables - Although most wearable devices store a relatively small amount of personal information, wearable platforms could be targeted by cyber criminals working to compromise the smartphones used to manage them. The industry will work to protect potential attack surfaces, such as operating system kernels, networking and Wi-Fi software, user interfaces, memory, local files and storage systems, virtual machines, web apps, and access control and security software.
www.eforensicsmag.com
www.hakin9.org - 41 -
T
HREATS What threats that emerged in 2015 will remain relevant in the next year?
BroadTech Security Team: Threats in the IoT sector, Compromising Anti-virus to take over systems, Rogue drone causing damage. SSL vulnerabilities until OpenSSL is fully replaced by LibreSSL..
Roberto Langdon, Nicolas Orlandini, KPMG: Although the Banking and Financing sector is a common practice to search for suspicious operations, in order to detect money laundering, frauds, etc., in the rest of the market segments there are no special organisms with the same responsibility, so the corporate and government organizations need to find a confident advisor to help them in this arena. Frauds are not exclusive for Banking and Financing institutions.
Nick Prescot, ZeroDayLab: As with the MTrends Report, the main APT groups around hacktivism, state-sponsored actors and organised cybercrime aren’t going to go away any time soon. The re-publishing and distribution of open source hacking tools is a lucrative market for amateur and veteran threat actors alike, with organised cybercrime groups utilising younger individuals as smokescreens for larger-scale, indepth attacks (i.e. Talk Talk, Oct. 2015).
Przemek (Shem) Radzikowski, Secbüro Labs: We saw some interesting reflection and amplification DDoS attacks this year, in particular those using Simple Service Discovery Protocol (SSDP). The SSDP attack vector was possible as a result of millions of unsecured home-based Internet-connected devices which use Universal Plug and Play (UPnP). These were used as SSDP reflectors. Their sheer scale of numbers and passive availability will likely continue through 2016.
Andrew Bagrin, My Digital Shield: APT didn’t emerge in 2015 but they will continue to grow and get worse, and they will start to overlap with IoT threats as IoT grows.
Kenneth C. Citarella, Guidepost Solutions: Every threat that emerged in 2015 will remain relevant. Unless known security weaknesses are corrected, we will continue to be victimized by the same techniques that have worked previously.
Stephan Conradin: Cybercrime did not really emerge in 2015 but is is clear now we are in cyberwar, with a lot of enemies and no more aliens.
www.eforensicsmag.com
www.hakin9.org - 42 -
T
HREATS What threats that emerged in 2015 will remain relevant in the next year?
Craig McDonald, MailGuard: Ransomware. In 2016, inexperienced cyber criminals will jump onto the ransomware-as-a-service offerings, and accelerate the growth of ransomware. Anonymizing networks and payment methods will continue to fuel ransomware’s rapid growth path • Cloud services. Weak or ignored corporate security policies make cloud services easy targets for cyber criminals. The payoffs are big -- confidential business information, customer data, organizational business strategies, company portfolio strategies, next-generation innovations, financials, acquisition and divestiture plans, employee data and other data • Attacks through employee systems. When organizations do improve their security, attackers shift their focus to their employees, especially insecure home systems, to gain access to corporate networks • Warehouses of stolen data. Stolen personally identifiable information sets are linked together in big-data warehouses; combined records are more valuable to cyber attackers. Watch the dark market for stolen personally identifiable information and usernames and passwords boom in the coming year • Hardware. Attacks on all types of hardware and firmware will continue. The market for tools that make them possible will expand and grow. Virtual machines could be targeted with system firmware rootkits • Wearables. Most wearable devices store a small amount of personal information, but they are desirable targets because of the smartphones used to manage them • Cars. Connected automobile systems that fail to meet best practice security policies in areas are tempting targets. These include vehicle access system engine control units (ECUs), engine and transmission ECUs, advanced driver assistance system ECUs, remote key systems, passive keyless entry, V2X receiver, USBs, OBD IIs, remote link type apps and smartphone access. Julie Herold, Kenny Herold, Odin’s Eye: Continued focus on previous assumptions of lower level security in protocol stacks; as the theoretical attacks are becoming more and more probable and exploitable for nation states and other organizations with computational power exceeding the norm. Continued focus on open source code and taking advantage of a lack of review on said code.
Gerald Peng, Mocato: Personal Information hacking, Cyberterrorism against private and public entities, Cloud computing vulnerabilities, Mobile device exploitation, Credit card fraud via card-notpresent (CNP) technology, Phishing, Malware, Ransomware, Connected device hacking (e.g. medical equipment, cars), State sponsored hacking, Mobile phone vulnerabilities.
Ondrej Krehel, LIFARS: Better ransomware.
Wade Lovell, Simpatic: Ransomware, Wire Fraud, Hacking into databases and offering customized searches on Personally Identifiable Information as one Vietnamese national did who had access to data on 200 million U.S. Citizens.
Wade Johansen, CouriTech LLC: Botnets & CryptoLocker.
www.eforensicsmag.com
www.hakin9.org - 43 -
T
HREATS Which threat group will see the biggest growth in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Cybercrime that works with nation states for corp espionage and warfare (even though it is cyber war and espionage, nations will (hide) behind cyber crime). In addition, depending on how we resolve terrorism, we could also see Cyber Terrorism growth as well.
Roberto Langdon, Nicolas Orlandini, KPMG: The global erosion of values, morals, and responsibility, are affecting strongly the organizations who suffered frauds, money deviation, information theft, manipulation of information in order to obtain personal benefits against the organization objectives, taking advantage of higher hierarchies or powered positions inside the company.
Dotan Bar Noy, Re-Sec Technologies: Guessing from the past year, ransomware and specifically cryptolocker are the ones most of us will encounter this upcoming year. We will see and hear more about new targets such as cars, etc.
The dream of easy money is driving people without loyalty and moral values to take advantage of these “opportunities”. Seeing packets of 50,000 credit cards stolen information on the Dark Web on sale for two or three thousand dollars is just an example. Besides that, as in some organizations, the information gathering and storage is not well addressed when it comes to accomplishing security policies, the rest of the delinquent eco-system is ready to participate.
Shay Zandani, Cytegic: The tier-2 financial hacker groups, which now are able to buy “off the shelf” exploit kits and advanced attack methods, will continue to evolve. As such, the proliferation of advanced tools will continue this year.
Przemek (Shem) Radzikowski, Secbüro Labs: I think it’s worth keeping in mind that 300+ Gbps DDoS attacks will become the norm and may start to see sustained 500+ Gbps attacks. We should also be prepared to see a rise in DDoS attacks which act as a smokescreen for the “real” or “secondary” attack and ultimate exfiltration of data.
Rick Blaisdell: I personally worry about the possibility of U.S. infrastructure becoming the next major target of cybercriminals. Attacks on all types of hardware and firmware will likely continue, and the market for tools that make them possible will expand and grow. Virtual machines could be targeted with system firmware rootkits.
www.eforensicsmag.com
www.hakin9.org - 44 -
T
HREATS Which threat group will see the biggest growth in 2016?
Kenneth C. Citarella, Guidepost Solutions: It is impossible to predict which threat group will be most prominent in 2016. There are too many variables, such as “who” they target, what vulnerabilities that target has and what kind of data is accessed. But the sophistication of many attackers is steadily growing, so we should not be surprised by continuing reports of successful intrusions.
Craig McDonald, MailGuard: Spear phishing. Targeted, specific email phishing scams whereby the sender is impersonated, rendering the email content to be more compelling to the recipient who knows the ‘purported’ sender. Staff within an organisation will wire transfer large sums of money for instance, believing the CEO or CFO has asked directly for this transaction to occur. Integrity attacks. Stealthy, selective compromises to the integrity of systems and data are on the rise. Attackers seize and modify transactions or data for their own purposes, such as changing a victim’s direct deposit settings and having their paycheck deposited into a different account.
BroadTech Security Team: IoT in health care, oil plants, power grids, nuclear facilities, etc.
Wade Johansen, CouriTech LLC: Mobile device security.
Andrew Bagrin, My Digital Shield: IOT because the industry is really growing without any defenses.
Julie Herold, Kenny Herold, Odin’s Eye: Divulgers of dox attacks or pro-privacy groups based on anti-government, anticorporation, anti-organization, anti-X motivations for smear campaigns or proprivacy groups.
Gerald Peng, Mocato: I believe that personal information, especially located on mobile phones and social media channels, will continue to be the main targets for cyber attack and cyber fraud.
Nick Prescot, ZeroDayLab: Phishing and malware.
Stephan Conradin: Theft of sensitive data.
www.eforensicsmag.com
www.hakin9.org - 45 -
T
HREATS Which threat group will see the biggest growth in 2016?
Wade Lovell, Simpatic: Spear phishing, which is an email phishing attack customized with your information so that it appears legitimate.
Paul Hoffman, Logical Operations: Health Care. Vital records about a person that never change are the most valuable information being sold.
Ondrej Krehel, LIFARS: As always, phishing.
Leon Kuperman, Zenedge: IoT Device Vulnerabilities.
David Clarke, VCiso: The threat group that is the biggest already is inadvertent human error “PWC” 95% of all incidents.
www.eforensicsmag.com
www.hakin9.org - 46 -
T
HREATS Can you see any old and forgotten threat coming back in the next year?
Michael A. Goedeker, Auxilium Cyber Security: Always, many attacks come back after people forget them, or they are repurposed and updated.
Stephan Conradin: We have cloud, IoT, BYOD questions and people are thinking the virus front is safe now, but they are still there, more and more polymorphics and hard to detect.
Leon Kuperman, Zenedge: Potentially; for example, there are still many implementations of SSLV3 running, and those are susceptible to POODLE. Old attacks could come back in a slightly modified form.
Craig McDonald, MailGuard: New malware but the same old tactics Social engineering and malware infection are the most common tactics used by cyber criminals. Survey scams on social networking sites, phishing and spear phishing emails for corporate employees, and fake links on search results are successful at the moment. Cybercriminals are constantly morphing their malware and their social tricks – faster than victims can identify them and protect themselves.
Rick Blaisdell: Phishing is not new, but it remains a top threat in the coming year. The Global Phishing Survey of the AntiPhishing Working Group (APWG) found that in the last six months of 2014 alone, there were approximately 124,000 unique phishing attacks worldwide, which occurred on more than 95,000 unique domain names.
Dotan Bar Noy, Re-Sec Technologies: No. I believe traditional security measures offer a sufficient protection from old threats. The challenge will be to battle new types of malware and techniques.
Alina Stancu, Titania: Heartbleed, Poodle and other critical vulnerabilities will resurface as recycled code is being used in other applications.
Mayur Agnihotri: HACKTIVISM with more dangerous faces, and in the present scenario, we see most of the attacks are under Hacktivism, like LulzSec and one more name is added #ISIS.
Dennis Chow, Millar, Inc: Stego and Covert Channel Signaling.
www.eforensicsmag.com
www.hakin9.org - 47 -
T
HREATS Can you see any old and forgotten threat coming back in the next year?
Przemek (Shem) Radzikowski, Secbüro Labs: Brute force attacks have virtually disappeared, but with the proliferation of cloud applications, “Low and Slow” Brute Force attacks have been gaining popularity. The dispersed nature and scale of cloud resources makes possible their use to launch distributed “low and slow” brute force attacks without triggering alert thresholds.
Mitchell Bezzina, Guidance Software: Physical attacks will make a come-back in 2017, where a combination of physical presence will be the easiest entry into an organization. 2016 will focus on individual awareness and closing gaps in cybersecurity strategies.
Wade Johansen, CouriTech LLC: PKI trusts - inherently trusted and ultimately insecure. Richard De Vere, The AntiSocial Engineer: Without doubt, the largest rise will be seen in social engineering techniques. A lot of security has evolved now to the point that only the very smartest and determined criminals hack anything worth hacking. Social engineering techniques will help criminals to get the access they desire.
Anthony Di Bello, Guidance Software: Certainly. There are already old and forgotten threats still prolific throughout the world; see Conficker. The cybersecurity industry ebbs and flows with technology from both the attackers and defenders, this year saw proliferation in POS intrusions and Phishing, while these attack types remain “easy”, they will continue, however, new defense technologies of these attack types will force attackers to pivot and define other entry types.
Ondrej Krehel, LIFARS: I don’t think there are any really forgotten techniques, as hackers keep a large toolbelt. Maybe more into COBOL and Fortran as NASA put it back into the limelight.
Wade Lovell, Simpatic: Yes, EXE injections, for example, are making a comeback and many advanced persistent threats likely remain undiscovered. Macro malware in MS Office documents attached to emails are also on the rise as an attack vector.
Einaras Gravrock, Cujo: The nature of threats has not changed over the last couple of decades; devices and networks have. We will continue seeing old attack methods aimed at new device types.
www.eforensicsmag.com
www.hakin9.org - 48 -
T
HREATS Can you see any old and forgotten threat coming back in the next year?
Andrew Bagrin, My Digital Shield: I don’t think so. I think the threats have grown up quite a bit.
David Clarke, VCiso: Yes. Inadvertent human error, been around for ever, Enigma was cracked because of this.
www.eforensicsmag.com
www.hakin9.org - 49 -
T
HREATS Will threat landscape be affected by international efforts to combat terrorism?
Mark Bennet, Blustor: The debate between the need for intelligence agencies to decrypt data being communicated between potential terrorists and the public’s right to privacy will continue to rage. Overreaching government agencies have abused their ability to collect data on citizens with little oversight by legislatures or the judiciary. Restricting the transfer or development of encryption technology will have little impact on a terrorist organization to illegally obtain those capabilities but it will significantly restrict the ability of law abiding citizens to protect their own privacy. The proposed “backdoors” that some officials are calling for to enable intelligence agencies to covertly access encrypted communications will also make those same devices vulnerable to hackers. There is no such thing as a “backdoor” that only the good guys can use.
Nick Prescot, ZeroDayLab: Governmental supervision via traffic analysis, etc., has become more prevalent in the public eye, and – as with recent proposed surveillance legislation – may only continue to further public perception of ‘state snooping’ of their online activities. As such, encrypted / obfuscated networks such as The Onion Router (TOR) may be utilised more by the general public who may not know the ramifications of using such tools, making them vulnerable to malware attacks and vulnerabilities as yet unknown to signature-based anti-virus systems (i.e. OnionDuke).
Dotan Bar Noy, Re-Sec Technologies: Cyber terrorism becomes the new frontier and terror organizations. The growing impact of cyber space on recruitment and public opinion will mean that much of the war against terrorism will take place in the cyber space.
Einaras Gravrock, Cujo: Yes. I think governments all over the world have made cyber security among their top priorities. Their funding has trickled down to the private sector. This sort of positive attention from the government will fuel the private sector.
Leon Kuperman, Zenedge: Yes, terrorists will use all means possible to achieve their objectives, including cyber-security vulnerabilities. Right now, terrorists are focused on physical targets for the most part, using technology as an enabler. In 2016 and forward, targets will include cyberassets as the primary goal of terrorist campaigns.
Stephan Conradin: I think the war is already here and due to our growing cyberdependencies, it is clear cyberterrorism is a good weapon.
www.eforensicsmag.com
www.hakin9.org - 50 -
T
HREATS Will threat landscape be affected by international efforts to combat terrorism?
Craig McDonald, MailGuard: Although this was a hot topic two or three years ago, it’s no longer attracting a lot of attention. The internet and social media are used as a recruitment tool and a weapons development training ground. Two key areas of cybercrime will be affected by the war on terror: • A market for false identities • Criminals use stolen or false identities to perpetrate frauds and establish business structures and companies to launder money. Identity crime is also used to commit welfare, tax and other fraud against government agencies, to gain unauthorised access to sensitive information or facilities, to conceal other criminal activities such as drug trafficking and procuring child exploitation material, and even to facilitate the commission of terrorist acts. • Rise of data mining • Increasing commercialisation of data from Twitter, Facebook and LinkedIn for data miners for all purposes including terrorism.
Ondrej Krehel, LIFARS: I don’t think so. Nationstates and terrorist groups make up a small minority of breaches. It’s really people out for the money.
Alina Stancu, Titania: If legislation is passed in the wake of terrorist provoked tragedies, there will be significant changes in how future threats will be delivered. It will probably drive the criminals underground and there will be more channelling through Virtual Private Networks, proxy servers, and Tor.
Michael A. Goedeker, Auxilium Cyber Security: Yes, they will likely increase hacktivism and cyber terrorism before they reduce them. Terrorism will show the weaknesses of How? When groups do not work in a coordinated way, they will be disorganized and this disorganization could be used to hack certain countries. In addition, we could see the dawn of a new job title Anti-Cyber Terrorism Consultant/ Analyst. Weaknesses in the way security people are trained will show here as we will see a need for more hacking skills in all computer security related jobs in the future. Security teams can only protect what they know will be attacked and how it will be attacked.
David Clarke, VCiso: Yes it may speed up legislation to make IT Safe.
BroadTech Security Team: The international effort to combat terrorism will be controlled by politics, fear, greed and national interests. So how the landscape will change is not predictable. More than technology, the above mentioned factors will dominate in shaping it.
www.eforensicsmag.com
www.hakin9.org - 51 -
T
HREATS Will threat landscape be affected by international efforts to combat terrorism?
Kenneth C. Citarella, Guidepost Solutions: Terrorist attacks and counter-terrorism will continue to engage in cyberspace. Terrorists will try hard to move past mere website defacing and to create the same type of physical harm through compromising systems that they attempt through kinetic attacks. We cannot assume they will lack the initiative or capabilities to attempt infrastructure intrusions, especially if they are not succeeding through conventional efforts.
Shay Zandani, Cytegic: Yes, the international efforts to combat terrorism and cyberterrorism is equivalent to a “whack-amole” game – with every hit, the attackers pop back in a different location. The efforts to control encryption and to hunt down terrorists will demand innovation on the terrorist and hacker side, as we see these days.
Wade Lovell, Simpatic: Yes, it will. Nation States are becoming bigger players in cybercrime, although they call it something else. Under “the ends justifies the means” argument, countries have recorded all content, required they be allowed top level certificates, etc. If countries cooperate in their data gathering and analysis, there could be a decrease in terrorism funding and mobility while the freedom of the non-terrorists are eroded in lockstep.
Andrew Bagrin, My Digital Shield: I believe so. In any type of battle, resources such as communications and supplies are always hit first to reduce the power of the enemy. Misinformation is also a strategy.
Wade Johansen, CouriTech LLC: Definitely, the landscape evolves to new levels every day. How? Anonymity is still a key. Terrorist networks no longer require social media from the typical resources to operate efficiently, although recruitment will continue to happen across these mediums. Once an individual is involved in the social aspect, they will be able to use a completely new private version of Facebook, Twitter, etc., which is non-dependent on the current world's social media platforms. Independence for these platforms will evolve.
Roberto Langdon, Nicolas Orlandini, KPMG: Cyberterrorism is becoming more equipped and informed, to help their objectives be carried out, no matter where or in which country it can be done. Cyberspace is the new war scenario where we are almost in a new world war. And Forensic services needs to be a must to be covered by all the Army Forces and Security Forces. If they are not self-sufficient, KPMG is ready to help, worldwide.
www.eforensicsmag.com
www.hakin9.org - 52 -
T
HREATS Will threat landscape be affected by international efforts to combat terrorism?
Gerald Peng, Mocato: Absolutely. Firstly, nation states are exploring options for tactical cyber response or offense. This adds a complexity which will impact strategies developed and resources deployed to fighting terrorism. Secondly, terrorists use mobile and social media technology to recruit, organize themselves and to intimidate others. The efforts used to combat those domestic and international threats may result in a decline in personal freedoms and an increase in investigations of citizens, thereby diluting counterterrorism resources.
Julie Herold, Kenny Herold, Odin’s Eye: Not any more than it already has been, everything is in motion already.
www.eforensicsmag.com
www.hakin9.org - 53 -
T
HREATS Will cyber security in healthcare remain a relevant topic?
Elizabeth Houser, Praesidio: Definitely. Several high profile breaches within the healthcare industry during 2015 indicate that the adoption of necessary tools and practices isn’t occurring quickly enough.
Dennis Chow, Millar, Inc: Yes, PHI is worth more than PCI data at present on the black market. Additionally, any compromise or damage of patient care based systems could potentially affect lives. There is increasing evidence of terrorism linked with cyber related crime.
Roberto Langdon, Nicolas Orlandini, KPMG: And related to healthcare information protection, this market segment was identified as one not making the necessary investment in information technology security, and most of healthcare service providers are in a high risk to be attacked. This was advised by the FBI at least three or four years ago. We are seeing the healthcare sector as one of the most illprepared to prevent, detect and respond to a cybersecurity incident, such as a data breach. Considering they store tons of sensitive information such as PII and PHI, this becomes (and it is happening right now) a perfect storm situation.
Kenneth C. Citarella, Guidepost Solutions: Cyber security in healthcare systems will be a most relevant topic to both industries. Health care networks contain all the data necessary to steal identities for economic fraud as well as to obtain unwarranted health care services by assuming the identity of an insured party. The continuing adoption of electronic health records will only contribute to this problem unless adequate security is built into the records system from the ground up. In addition, more and more medical devices will be accessible online, yet they often continue to operate with outdated and insecure software. The possibility for online tampering to target a patient’s health or life must be anticipated and addressed.
David Clarke, VCiso: Yes. Healthcare, councils and charities still top the list for breaches.
Nick Prescot, ZeroDayLab: This will grow as the implementation of the Data Protection Act will come into force.
Shay Zandani, Cytegic: Healthcare will continue to be a lucrative target for attackers, targeting PII and medical information.
www.eforensicsmag.com
www.hakin9.org - 54 -
T
HREATS Will cyber security in healthcare remain a relevant topic?
Leon Kuperman, Zenedge: Yes – It’s a critical data asset that remains exposed, exploitable and monetizable (from an attacker’s perspective).
Wade Johansen, CouriTech LLC: Absolutely, health care is a big target since records contain not only geographical data about a person, it also contains medical information which can be used to exploit benefits systems and ongoing retirement information.
BroadTech Security Team: Of course! A few hours ago I sent a mail to the CEO of a chain of hospitals asking her if she is prepared for the statistics “Cyber Attacks will compromise 1 -in -3 healthcare records next year”. Our company will be actively involved in spreading awareness in the healthcare sector and providing necessary consultation for them. Security should be a main concern for people who write health care IoT operating systems, too. Instead of starting from scratch, they should port tested and proven operating systems, like NetBSD and OpenBSD.
Mark Bennet, Blustor: Cyber security in the healthcare industry will not only remain relevant but it will grow as a major concern. Due to decades of kicking the can down the road, the healthcare infrastructure is woefully unprepared to protect itself from well equipped hackers seeking to steal patient medical records, ransoming critical healthcare data, etc. The costs of addressing these vulnerabilities mean that many healthcare organizations and medical device manufacturers will be slow to respond unless legislatures mandate a more rapid response. Unfortunately, legislatures rarely take action until AFTER a major cyber security incident forces the issue into the mainstream awareness of the voters that put them into office.
Wade Lovell, Simpatic: As long as there are trillions of dollars in healthcare and big pharma and billions of dollars in tabloids, cyber security will be relevant in healthcare.
Michael A. Goedeker, Auxilium Cyber Security: Yes, because of the lack of money and enforcement.
Mayur Agnihotri: Yes. As cyber threats in healthcare continue to skyrocket, security remains a top priority.
www.eforensicsmag.com
www.hakin9.org - 55 -
T
HREATS Will cyber security in healthcare remain a relevant topic?
Einaras Gravrock, Cujo: Next year and beyond, absolutely. These are two of the most trying challenges we’re facing in our generation.
Andrew Bagrin, My Digital Shield: Yes, it will for a long time. Patient records are a very private thing. It’s one thing to get your credit card stolen, but to steal identity or medical information is much worse.
Alina Stancu, Titania: Yes. As the use of new technologies grows in the healthcare market, the need for security and stronger regulations over use of private patient data will be more poignant. For the time being, HIPAA is the only legislation to address these issues, however the problem with HIPAA is that it is not yet properly monitored and enforced.
Gerald Peng, Mocato: Yes. Healthcare data theft and the hacking of IP-based devices present threats to the well-being of patients and institutions.
Anthony Di Bello, Guidance Software: It will be an even bigger topic next near as we hear about breaches that are occurring in 2015 as we speak. Healthcare companies are a virtual treasure trove of personal information… PII, credit card data and more!
Julie Herold, Kenny Herold, Odin’s Eye: Yes, and increasingly so; this is an area where there is a wealth of information for differing agendas attackers may have as well as the industry being a lot further behind in relation to security in comparison to other industries. Much of this will be a result of the increased utilization of SaaS and the industry’s lack of security mindset/maturity and the usual growing pains/adoption rate of industry best practices in other sectors.
Dotan Bar Noy, Re-Sec Technologies: Yes, definitely.
David Coallier, Barricade: Most definitely. We have healthcare practitioners now recommending the use of mobile apps as well as using more sophisticated and interconnected gadgetry. The combination of legislation, market uncertainty and fear as well as the need to protect the customer data has never been more prevalent.
Ondrej Krehel, LIFARS: I don’t think so. Nationstates and terrorist groups make up a small minority of breaches. It’s really people out for the money.
www.eforensicsmag.com
www.hakin9.org - 56 -
T
HREATS Will cyber security in healthcare remain a relevant topic?
Rick Blaisdell: Unfortunately, yes. In August, the FDA and the Department of Homeland Security advised health-care facilities to stop using Hospira's Symbiq infusion pump after learning that the device, which administers medication to a patient over time, is vulnerable to hackers. Mick Coady, health information privacy and security partner at PricewaterhouseCoopers, believes that this type of cybercrime will become more prevalent in 2016.
Stephan Conradin: Yes. First it is very sensitive for people. And with this kind of security we speak of human life, not only cash.
The newest threat for medical devices will be “ransomware / Stuxnet” attacks, where hackers can tap into the administrative privilege capabilities of medical devices, which are typically restricted to manufacturers or hospital administrators. We will especially see an uptick in exploitation of medical devices that have moved to more modern types of interconnectivity with mobile devices.
Craig McDonald, MailGuard: Cyber Criminals love to target healthcare records – they contain so much sensitive information all in one place. The biggest cyber security attack of 2015 – Anthem – involved the medical records of 78.8 million people. It’s difficult for IT and security professionals working in healthcare to improve data protection without impeding access to potentially life-saving patient information. At the same time, the sheer size and complexity of many hospital IT environments means that cyber security in healthcare remains a hot topic.
www.eforensicsmag.com
www.hakin9.org - 57 -
T
HREATS Will security in automotive industry keep on causing trouble?
Wade Johansen, CouriTech LLC: Cars don’t drive themselves… wait they actually do now! By using peer to peer traffic information for apps like Waze, you’ll have hackers that will take advantage. Also, as cars begin to develop capabilities to observe traffic patterns and manage the car's capability to brake even when a driver is unaware of a potential incident ahead, this technology could be used illicitly to instead push a gas pedal down instead of brake pedal.
Gerald Peng, Mocato: Yes. As cars become increasingly programmable, IPshareable and automated, the possibility of hacking a vehicle will erode consumer confidence if the auto manufacturers do not address this issue head on.
Rick Blaisdell: As more and more cars connect to the Internet for such functions as GPS, they become more vulnerable. Hackers can connect to a car over a cellular network and, conceivably, turn off the engine while the car is speeding down a crowded highway, or cut the brakes, or cause any number of nightmarish circumstances. Security researchers will continue to focus on potential exploit scenarios for connected automobile systems that fail to meet best practice security policies. IT security vendors and automakers will develop guidance, standards and technical solutions to protect attack surfaces such as vehicle access system engine control units (ECUs), engine and transmission ECUs, advanced driver assistance system ECUs, remote key systems, passive keyless entry, V2X receiver, USBs, OBD IIs, remote link type apps and smartphone access.
David Coallier, Barricade: Not unlike any other industry, the automotive industry is trying to adapt to this modern connected world and they aren't unaffected. They will need to take the same steps as everyone else to prepare themselves and be ready to respond to incidents. The only difference is cars are directly handling people's lives and will have to make a decision between convenience and safety.
BroadTech Security Team: There will be trouble here and there, but overall, things should improve and be moving towards being comfortably and sufficiently secure.
Paul Hoffman, Logical Operations: Yes, especially as we move to automation in driving.
Nick Prescot, ZeroDayLab: Yes, and the hacks will get worse.
www.eforensicsmag.com
www.hakin9.org - 58 -
T
HREATS Will security in automotive industry keep on causing trouble?
Michael A. Goedeker, Auxilium Cyber Security: Any industry or product that does not integrate security and doesn’t see security as business critical will experience problems.
Amit Serper, Cybereason: In 2015, we saw a rise in attacks using fileless malware. We expect this to continue, and believe that it is the most important thing to watch moving forward. In fact, we think 2016 will be the year of “malware-less attacks.” While Microsoft is re-architecting Windows to be more secure, it will be quite some time before those efforts will hit the mainstream. Until then, built in tools, such as WMI and Powershell, will continue to be very popular attack vectors until newer versions of Windows become more ubiquitous.
David Clarke, VCiso: Yes, but I suspect the automotive industry will respond quickly to safety issues like they did in the 60’s, partly due to Ralph Nader’s book “Unsafe at any speed”.
Additionally, we expect to see more attacks targeting the Mac platform. The more pervasive it is, the more popular target it becomes.
Mitchell Bezzina, Guidance Software: Absolutely, the growth of electronics and lack of standardization means minimal attention to security, no car buyer asks how much R&D went into ensuring the data connection installed in the car they are purchasing has been secured. It’s a secondary concern and a production cost which means minimum viable security.
2015 was also a key year in the evolution of ransomware. Not only have we seen new business models around it, such as the SaaS model we discovered with Operation Kofer, but in November, we saw the first case of Linux-based ransomware targeting websites (see Krebs’ story on it), we expect to see more new permutations of ransomware coming in 2016.
Mayur Agnihotri: According to a survey from McKinsey & Co., 45% of new-car owners are unwilling to use connected services because of privacy concerns.
Dennis Chow, Millar, Inc: Yes, kinetic attacks are on the rise and transportation like automobiles will be a prime target for whitehats and blackhats alike.
Ondrej Krehel, LIFARS: Hopefully only until self driving cars are safe.
www.eforensicsmag.com
www.hakin9.org - 59 -
T
HREATS Will security in automotive industry keep on causing trouble?
Wade Lovell, Simpatic: Absolutely! As early adopters move toward more and more automated driving features, whether it is proximity alerts or self-driving cars, the ability to commandeer controls of vehicles will be an important attack vector. Imagine going in for a safety recall and having the technician install a backdoor unwittingly, on behalf of a nation state, as part of a cyber crime ring, or any other reason.
Craig McDonald, MailGuard: Automotive cyber crime is in its infancy as is evidenced by the acceleration of the US Automobile Industry Accelerates into security, and its recent initiatives to enhance cyber Security. Cyber criminals will target vehicle access system engine control units (ECUs), engine and transmission ECUs, advanced driver assistance system ECUs, remote key systems, passive keyless entry, V2X receiver, USBs, OBD IIs, remote link type apps and smartphone access.
Leon Kuperman, Zenedge: Potentially – This falls into the category of IoT devices. Car manufacturers will need to treat security as first-class citizens as opposed to add-on technology components. As connected technology modules start influencing core driving / safety features, automotive will go through a transformation period where issues may occur.
Stephan Conradin: Perhaps not in 2016 or 2017, but it is a big concern for future as vehicles become more and more dependent on data and telecom.
Alina Stancu, Titania: The advent of IoT means that automotive, just like everything else inter-connected, is a source of worry. The responsibility of car manufacturers is perhaps higher than for many other technological gadget providers, as it must ensure the safety of its passengers. The Jeep Cherokee hacking has been an eye-opener for drivers, just as much as it was for the industry. Fiat Chrysler recalled 1.4 m vehicles to patch the vulnerability that allowed two security researchers to disable the brakes on a car and sliding it into a ditch.
Einaras Gravrock, Cujo: Well… we expect cars to increasingly integrate with other services using online technologies. When cars become computers interconnected with apps, services, and features… when cars become another IoT, they will naturally be exposed to cyber security threats. That being said, we don’t expect people to be in serious physical danger in the very near future.
www.eforensicsmag.com
www.hakin9.org - 60 -
T
HREATS Will security in automotive industry keep on causing trouble?
Kenneth C. Citarella, Guidepost Solutions: The increasing computerization of cars and their connection to the Internet of Things heralds a wide array of potential harm. Can the digital record of a car’s activities be altered to impact litigation arising from an accident, or remove evidence that might lead to a criminal charge? Can a car be remotely commandeered to threaten the life of its occupants? Such risks are highly predictable; the time for the security-related discussion and analysis is now.
Andrew Bagrin, My Digital Shield: I hope not, but I suspect that it will. It is just another IoT and won’t be taken seriously until a disaster happens.
Julie Herold, Kenny Herold, Odin’s Eye: Not in our opinion; not enough gains.
Roberto Langdon, Nicolas Orlandini, KPMG: Regarding the issues we are seeing in the automotive industry, as long as the new cars are incorporating more and more computer-based components and technology, as in any other aspect of the market, this fact is attracting not only private researchers, but also curious people and the bad guys. Hacking vehicles, to find and demonstrate their vulnerabilities and bad security designs or implementations, are only a few of the reasons for this to happen. Automakers need to invest more in assessing their internal processes in regards to cyber security for their computer components, and also to assess the components they get from their third parties. In response to this transformation process, KPMG has already created a strategic and technical Vehicle Forensics team well prepared to assist the automakers in preventing, detecting and responding to cyber security issues.
www.eforensicsmag.com
www.hakin9.org - 61 -
W
HO IS WHO Mitchell Bezzina Guidance Software Security Strategist
Anthony Di Bello Guidance Software Senior Director Security Practice
Mitchell Bezzina is a technology team leader with over 15 years' experience in information security and endpoint forensics. With hands-on experience in security and digital investigations of every kind, he has designed, developed, and implemented operational and procedural policies for digital forensics, ediscovery, and security departments to gain production efficiencies and comply with business requirements. Mitchell is now focused on security product strategy for Guidance software having previously managed forensic and e-discovery services in support of investigations centered on intellectual property theft, employee misconduct, fraud investigations, cross-border investigations, court orders, and regulatory inquiries.
Anthony Di Bello is responsible for providing in-depth insight into the advanced threat landscape for Guidance Software and its customers. Since joining the company in 2005, Di Bello has been instrumental in defining the company’s suite of security products, introducing new products and successfully driving market adoption with Fortune 500 companies and federal government agencies. Prior to joining Guidance Software, Di Bello spent seven years with Towers Perrin, a global professional services firm specializing in risk and financial management. He is a frequent speaker and quoted regularly in security industry publications.
Paul Shomo Guidance Software, Sr. Technical Manager Paul Shomo has over 15 years of R&D experience, having begun his career writing firmware for IP routers and satellite networks. Paul joined Guidance Software’s new product research group in 2006, which launched the industry’s first incident response solution. Paul has managed and architected cybersecurity and forensic products for many years. He now manages integrations with the EnCase open security platform, and in his free time works to educate the cybersecurity industry.
www.eforensicsmag.com
www.hakin9.org - 62 -
M
OBILE Which mobile phone will be the most secure one?
Chase Cunningham, Cynja: Silent Circle’s Blackphone 2 is far and away the best and most secure phone anyone can use but it isn’t for the masses. Most people will stick with what they know. The Android based phones will continue to be the preferred phones for exploitation because of how readily available exploits are for that OS in the cyber underground.
Elizabeth Houser, Praesidio: The iPhone, especially if U.S. Congress does not pass legislation requiring Apple and other phone makers to decrypt phones for law enforcement purposes.
Leon Kuperman, Zenedge: Systems that are cost closed will have the best security posture – iPhone / iOS .
Michael A. Goedeker, Auxilium Security: There is no such thing as a „secure” mobile phone. We created a secure handset with hardened OS, blocked known malware and spyware apps but we can not repair the broken communications systems like SS7 that people use to track your position. The only real „secure” phone to have would be based on its own coms system and network (regardless of what others are selling you…).
Richard De Vere,The AntiSocial Engineer: Taking a look at the recent release of prices from zerodium (0day reseller) which offers bounties of 500,000 for iOS and 100,000 for Android… It’s plain to see which phone is more secure. It’s 0days that hurt this market and with iOS 0days fetching 5 times as much as Android says it all.
Mark Bennet, Blustor: Apple IOS devices will continue to be the most secure widely used smartphone in the industry, primarily due to the more restrictive and controlling ecosystem that Apple has built around their products. While the use of niche smartphones designed for enterprises with the need for high-levels of security will continue to grow, the price and flexibility of these devices will likely keep them out of the hands of the average consumer.
Wade Johansen, CouriTech LLC: The iPhone will evolve to be the most secure phone I believe, but it will probably only be because it is hacked “less often” than Android and Windows phones.
Rajeev Chauhan: The one with cloud storage and having active app scanner.
www.eforensicsmag.com
www.hakin9.org - 63 -
M
OBILE Which mobile phone will be the most secure one?
Mayur Agnihotri: No phone will be the most secure one in my view. This is the wrong question. The right question is which mobile phone company is more concerned about its user’s security and privacy.
Anthony Di Bello, Guidance Software: BlackBerry Priv and Blackphone seem pretty well thought out from a security perspective. Only time will tell.
Julie Herold, Kenny Herold, Odin’s Eye: BlackPhone – sole purpose of the solution is for security and privacy. Other phones are catering to end users for usability as the focal point.
Roberto Langdon, Nicolas Orlandini, KPMG: We cannot identify which mobile phone will be the most secure one, due to the direct interaction and criteria of its user. And again, the factor Security Awareness comes again over the table. Almost all of the mobile phone users are going through their lives careless of what can happen to their mobile phones, and mainly with the information inside them.
Ondrej Krehel, LIFARS: One that’s turned off.
Stephan Conradin: Android? No it’s a joke, iPhone will remain the least bad.
Andrew Bagrin, My Digital Shield: The one that is properly protected. If you take all phones without any protection, probably the old flip phones or blackberry on the older RIM OS (not Android).
Wade Lovell, Simpatic: Blackphone 2.
Amber Schroader, Paraben Corporation: In looking at the security of mobile devices, there is really not one that is considered to be more secure than any other as it all depends on how you use the device. From cloud access to desktop backup, most devices have a risk associated with them when it comes to security.
Gerald Peng, Mocato: All mobile phones can be hacked with enough time and resources. Ideally, you want a phone that will protect you against casual hacks and persistent online behavioral tracking. Good options on the market are Silent Circle's Blackphone 2 or the BlackBerry Priv.
www.eforensicsmag.com
www.hakin9.org - 64 -
M
OBILE Which mobile phone will be the most secure one?
BroadTech Security Team: I have no Idea. I don’t use a smartphone (or no phone you can say).
Nick Prescot, ZeroDayLab: Blackphone Blackberry.
David Clarke, VCiso: Android with Customised for security are currently in the lead, there are no IOS customised versions for security.
Dotan Bar Noy, Re-Sec Technologies: Phone will not be more secured than your regular home computer as users are freely downloading programs, plugging the devices and connecting to random hotspots as they travel. The “PwC 2015 Information Security Breaches Study on UK Corporations” reports that 15 percent of organizations suffered from a breach caused by use of a smartphone or tablet device, more than doubling last year’s figure of 7 percent. This is a great challenge and opportunity for the industry.
Mitchell Bezzina, Guidance Software: My 1997 Nokia 6210.
www.eforensicsmag.com
www.hakin9.org - 65 -
M
OBILE What kind of vulnerabilities will affect mobile phones in 2016?
Michael A. Goedeker, Auxilium Cyber Security: The same ones as now. In addition, the false sense of security that „secure” phone manufacturers sell you will lead to more hacked phones. The system is broken, no phone would change that…
Richard De Vere, The AntiSocial Engineer: Social Engineering using the mobile telephone has seen a rise over the past few years based on the percentage of us now spending large amounts of time on our smartphones. I think criminals have paid more attention to this field. Noting phishing sites that are mobile friendly!
Mark Bennet, Blustor: As biometrics continue to grow as a mainstream security mechanism for accessing mobile devices and related applications, consumers will see an increase in malware that specifically targets biometric identity theft. The unfortunate reality is that the identities of many consumers are going to be compromised for life due to their own unawareness of how serious this issue will become over the next few years. Once your biometrics have been compromised, they can never be replaced short of visiting a plastic surgeon.
Amber Schroader, Paraben Corporation: We believe there will be an increase in security risks that come from 3rd party Apps. With a poor vetting procedure in place for 3rd party Apps, we have seen an increase in the data being collected and used by 3rd party Apps.
Rick Blaisdell: According to the mobile security firm NowSecure, 43 percent of "bring your own device" (BYOD) smartphones used by U.S. workers don't have a password, a personal identification number or pattern lock. Fifty percent use these devices to connect to unsecured Wi -Fi at least once a month, and nearly half of mobile apps on any given mobile device have at least one major security flaw. Cybercriminals can easily exploit vulnerabilities in your mobile phone to obtain private data. These vulnerabilities sometimes come from the apps you use or within your smartphone itself. Mobile phones are also vulnerable to malware, which can log keystrokes and capture screenshots.
Elizabeth Houser, Praesidio: Malware for mobile devices is on the rise especially since people habitually download free apps and use jailbroken phones.
Wade Johansen, CouriTech LLC: GPS vulnerabilities and apps that require too much permissions (already an issue) with little company security knowledge about locking apps done before publishing.
www.eforensicsmag.com
www.hakin9.org - 66 -
M
OBILE What kind of vulnerabilities will affect mobile phones in 2016?
Mayur Agnihotri: Malware because “Good Malware Never Dies”. Some underground hackers built this type of malware which does not need any type of permission (“root" or "jailbreak") to access the mobile phone to affect the mobile phone.
Wade Lovell, Simpatic: I am primarily concerned about altered variants of apps, especially games, being disseminated through legitimate app stores. I am also concerned about apps with expanded capabilities for analytics, etc. being downloaded without users paying attention to the terms and conditions.
Julie Herold, Kenny Herold, Odin’s Eye: We think there will be a breakthrough outside of the usual delivery of malware via stores. We think until an R&D department within a security company commits the time to explore this area further, there won’t be much change in the realized versus perceived attack surface and vectors for exploitation.
Gerald Peng, Mocato: As the majority of phones are Android based, my answer is confined to those devices. The vulnerabilities of the Android OS are exposure to cloning, data leakage, weak malicious application detection and ability to use the device as a microphone. These vulnerabilities facilitate identity theft and financial fraud.
Ondrej Krehel, LIFARS: Many of the same ones, from malwaretising to phishing texts/emails and unvalidated apps.
Paul Hoffman, Logical Operations: Location, financial information (Apple Pay),
Stephan Conradin: We have a great dependence on geolocation and disturbation of GPS data could be serious.
Roberto Langdon, Nicolas Orlandini, KPMG: Malware addressed to steal information, to make calls or messages deviation, to get private photos or videos, is totally easy. Think that the people are carrying all their emails, access credentials to portals, to mail servers, to home banking sites, etc. It is as easy as taking candy from a little child. Almost no one cares about this, unfortunately.
David Clarke, VCiso: Mobiles are similar to PCs 15 Years ago, almost everything is vulnerable from text and data transmission to the OS.
www.eforensicsmag.com
www.hakin9.org - 67 -
M
OBILE What kind of vulnerabilities will affect mobile phones in 2016?
BroadTech Security Team: Theo deRaadt, founder of OpenBSD and Co-founder of NetBSD, said, “Low code quality keeps haunting our entire industry. That, and sloppy programmers who don't understand the frameworks they work within. They're like plumbers high on glue.” I think everything starts there, adding to it is poor hardware design, infectable firmware, malware apps, etc. Again, user discretion and spreading security awareness, I believe, can contain a lot of problems and keep them from blowing up. Before you get a smartphone, it is good to list out what purposes it should serve you and then get just the ones that have only those features and install only necessary apps. Don’t root the phone because someone else did it. If you go feature chasing, you will end up in trouble because one day you will find that feature was a trap.
Nick Prescot, ZeroDayLab: Malware that's executed by user unluckiness.
Andrew Bagrin, My Digital Shield: I think they will be used as a method for hackers to sneak malware into companies.
www.eforensicsmag.com
www.hakin9.org - 68 -
M
OBILE
What security measures we should use to protect our mobile phones in the next year?
Chase Cunningham, Cynja: Just like your laptop, be sure that your phone is patched and your OS is always up to date. Use two-factor authentication. If you don’t need an app or don’t need a particular function…turn it off. Bottom line— don’t suck at patching.
Mark Bennet, Blustor: Consumers and enterprises alike need to separate the keys of an individual’s digital identity from the devices they require for access. One analogy is that you wouldn’t secure your car by leaving the keys in the ignition and neither should you store your biometric identity on your smartphone. While powerful devices, smartphones are inherently vulnerable to attack due to the ubiquitous and always connected nature. A better solution, such as BluStor’s CyberGate platform, that allows users to seamlessly separate the digital keys (e.g., biometrics) needed to access their phone or other mobile devices, is critical to addressing this vulnerability.
Michael A. Goedeker, Auxilium Cyber Security: Don’t use a phone for secure stuff! Limit the usage for important calls and functions, only use apps that are tested and proven backdoor and spyware free. Don’t trust any phone manufacturer, test and verify your Sim card, phone hardware, OS and Apps are secure. Recognize that the underlying communication system is flawed. Anyone and everyone can track you down, so if you don’t want that, then limit phone use. Use a computer or electronic device that can use encrypted signals and never needs the SS7 based infrastructure.
Wade Johansen, CouriTech LLC: Apps like Cerberus to encrypt phones, detect GPS locations (if on), and ability to take pics of users attempting too many passwords are a plus! Remote wipe capability is also handy.
Elizabeth Houser, Praesidio: Users need to take responsibility for the apps s/he is downloading and be aware of what exactly is being loaded onto the device. Mobile devices have been around long enough that the current usage mentality should be maturing. For most people, smart phones are now a vital, integrated tool in the daily operations of our lives and should be protected as such.
Richard De Vere,The AntiSocial Engineer: I’d like to think every last person who uses the internet should be aware of two factor authentication available for all mobile platforms, this should help form the basis of your security - But with our phones becoming the master key for all our digital lives, the need for secure 8+ digit lock screen passwords and mobile disk encryption is more so than ever.
www.eforensicsmag.com
www.hakin9.org - 69 -
M
OBILE
What security measures we should use to protect our mobile phones in the next year?
Amber Schroader, Paraben Corporation: The best security is to be aware of what your device is doing and what you have granted access to with the device use policies and with 3rd party apps. We have to find the line between being secure and being accessible.
Mayur Agnihotri: Endpoint protection software must be used on every mobile device. • Sharply analyze cloud services for their ability to resist threats and attacks. For this, we should terminate third-party security vendor conduct testing and instead, start checking the cloud provider's certificate which should indicate that third-party security vendor has already tested its applications. • When choosing a mobile phone, first check its security features. • Before you store information on your mobile phone, ask yourself “Is this TMI?” TMI – Too Much Information. • Do not "root" or "jailbreak" the mobile phone.
Rick Blaisdell: Knowing your vulnerabilities and making sure that you protect them will stand you in good stead for 2016. Other precautionary steps include: - Use strong passwords for your accounts that include numbers, lower case and capitalized letters, and are not easy to guess, e.g. password, 12345, etc. Don't open suspicious emails requesting that you reenter sensitive data - Destroy sensitive documents—Use a VPN to secure your Internet connection if you need to use public Wi-Fi—Keep your antivirus software up to date.
Roberto Langdon, Nicolas Orlandini, KPMG: Mobile phones must be protected by antivirus, firewall, intrusion prevention systems, and backup policies as well. They are IT equipment! Phishing techniques will be as frequent as during 2015, and Android is still showing a lot of security hack opportunities. By the way, a lot of people think that the mobile phone is more private than a workstation or notebook, and sometimes there are important discoveries not imagined by the people involved in a fraud.
Julie Herold, Kenny Herold, Odin’s Eye: Unfortunately, the anti-virus/antimalware maturity of software for phones is very immature. This is as a result of the lack of a need for it, we are barely into the pattern based detection on mobile programs designed to protect an end user against threats. This lack of maturity is due, in part, to the lack of realistic threat scenarios outside of the so-called “vetting” of applications before they are available in a store.
Stephan Conradin: Keep in mind it is a smart device, open and not very secure. Awareness!
www.eforensicsmag.com
www.hakin9.org - 70 -
M
OBILE
What security measures we should use to protect our mobile phones in the next year?
Ondrej Krehel, LIFARS: Be aware and read the fine print on permissions.
David Clarke, VCiso: As many security software apps as you can get on your phone. I use at least four.
Paul Hoffman, Logical Operations: Use Two Factor authentication wherever possible. Change passwords to be more secure. Use Bio where possible.
Gerald Peng, Mocato: This is a nonexhaustive list of security precautions you can take: Check your device’s security features before you buy, such as file encryption, device wiping capacity, and authentication features. • Secure the device using locking, enabling encryption and antivirus software. • Configure web accounts using encrypted connections in account options such as HTTPS or SSL. • Avoid clicking links sent in suspicious emails or text messages. • Do not reveal your mobile phone number on social networking websites.• Consider what personal information you will store on your device. • Vet applications before installing them on your phone by researching them first. • Disable Bluetooth, infrared and Wi-Fi interfaces when not in use and in public places.
Wade Lovell, Simpatic: Establish a company-wide approved apps list for “bring your own devices” (BYOD). • Have IT set up an internal app store so IT can determine whether the checksums match with the publishers’ source files, test updates before they are deployed, etc. • Turn off wi-fi outside the office and route everything through cellular data except while in the office.
Anthony Di Bello, Guidance Software: Same measures we would take with any other device. Encryption, password protection, turn off Bluetooth/wifi/gps when in questionable locations such as Defcon.
BroadTech Security Team: I will have to write a paper on it so I will let someone else answer it. What I do is simple I don’t have a smartphone ( I don’t use the old mobile phone which can only make calls and SMS unless there is a prior appointment or to call family ). In my current capacity, a smartphone is a liability and risk.
Andrew Bagrin, My Digital Shield: There isn’t much out there that is very accessible, but I think having something simple to at least identify if something is wrong or your configuration is not ideal is very necessary. Something like NowSecure.
www.eforensicsmag.com
www.hakin9.org - 71 -
M
OBILE
What security measures we should use to protect our mobile phones in the next year?
Nick Prescot, ZeroDayLab: For companies, the MDM sandboxing is a good idea but for personal users, they are safer than desktop systems.
Einaras Gravrock, Cujo: For starters, you should secure your home network. Often times, home hackers get access to our cell phones by penetrating your home network. Secondly, do not use public Internet networks.
www.eforensicsmag.com
www.hakin9.org - 72 -
M
OBILE What risks will mobile industry face in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Increased usage as a cyber war and espionage tool. Data leakage and theft.
Roberto Langdon, Nicolas Orlandini, KPMG: Using phishing techniques, the bad guys made several devices contamination oriented to steal information, mainly financials (username, PIN, credit card information, etc.), as well as personal information. All the stuff with value at the black market. Also, it cannot be left out what it is related to spy at political level or industrial secrets as well.
Wade Johansen, CouriTech LLC: Bluetooth security problems currently plague the mobile phone industry. Users who link to their cars (remote start), Pandora radios, GPS mapping, etc., are highly exploitable. Rajeev Chauhan, Cyber Oxen: Identity theft and personal data security.
Andrew Bagrin, My Digital Shield: More features means more vulnerabilities, and ability to control everything that you can control from you phone (car, house, etc.).
Einaras Gravrock, Cujo: The challenge is that companies will need to continue shifting their budgets away from features and onto security which will slow down overall product improvements as well as profitability.
David Clarke, VCiso: Marketing apps maybe too invasive, exploits exposing more personal data.
Mayur Agnihotri: Ransomware • Encrypted Penetration • No endpoint protection software • Application-Based Threats.
Wade Lovell, Simpatic: As payments move to the smartphone, so will attacks. • Biometrics, as currently implemented, are a dangerous way to validate users to devices and once a fingerprint is collected or stolen, the device and ALL FUTURE DEVICES where the user registers that fingerprint are compromised. This is disastrous for BYOD. • Nation States requiring backdoors or compromising component manufacturers.
Gerald Peng, Mocato: The increasing popularity of mobile shopping and mobile beacons will make mobile phones likelier fraud targets. The ability to fight mobile platform fraud will be influenced by innovations in data protection, intuitive security compliance protocols and user authentication.
www.eforensicsmag.com
www.hakin9.org - 73 -
M
OBILE What risks will mobile industry face in 2016?
Ondrej Krehel, LIFARS: Users. They are always the weakest link, especially in mobile.
BroadTech Security Team: I don’t know but vulnerabilities are surely going to increase rather than decrease if vendors are going to enchant people with features and jargons instead of working more on testing the quality of their product before release.
Nick Prescot, ZeroDayLab: Bluetooth jacking.
www.eforensicsmag.com
www.hakin9.org - 74 -
W
HO IS WHO
Leon Kuperman Zenedge, CTO & Co-founder
Mark W. Bennett Blustor, COO
Leon Kuperman is a successful founder and CTO of multiple ecommerce organizations with 18+ years of experience in product management, software design and development all the way through to production deployment. He is an authority on Payment Card Industry Data Security Standard (PCI DSS), ecommerce, online marketplaces / auctions, data center deployment, cloud deployment and web application architecture. He is also a holder of a patent relating to ecommerce caching systems which he worked on while at IBM.
Mark is the Chief Operating Office of BluStor PMC, Inc. and is a trailblazing executive more than 20 years of experience in the IT industry delivering strong competitive advantages through technology innovation and organizational transformation. He brings a unique perspective to the world of cyber security that is a combination of years of work in areas that require high-level of information security including the aerospace defense sector and financial services.
Mayur Agnihotri
Przemek Radzikowski Secbüro Labs Chief Security Researcher
I've done Bachelors of Engineering from Information Technology and having certifications under my belt like C|EH - Certified Ethical Hacker, Cyber Security for Industrial Control Systems, Operational Security for Control Systems, Advanced Security In The Field, Basic Security In The Field. I have 3+ years of experience and love to spend time find bugs and vulnerabilities. An Information Security Enthusiast, Who believes in Security and Not Just Compliance.
Przemek (Shem) is the Chief Security Researcher at Secbüro Labs. For over two decades he has worked on key assignments with government, military, telecommunications, banking, finance and large multinational clients across the Americas, Middle East, Africa, Europe and Asia Pacific, where he headed the technical delivery and governance of highly complex Cloud, Data Center and Security projects worth in excess of $65 million.
www.eforensicsmag.com
www.hakin9.org - 75 -
I
NTERNET OF THINGS Will IoT force the industry to change? Shay Zandani, Cytegic: The inherent interconnectivity of IoT already forces changes in the security industry, and will continue to do so. This fact demands multi-device endpoint detection tools, cross-device honeypots and much stricter MDM rules and practices in the office space.
Dennis Chow, Millar, Inc: Not alone, as history shows, it will probably require more breaches related to IoT and high visibility catastrophes before vendors will be forced to make changes.
Mitchell Bezzina, Guidance Software: Not until it’s too late. Just like all other goods, security concerns are production costs to the vendor and rarely factor in consumer buying decisions. It will take a major breach before standards are implemented across IoT manufacturers and this will be a 2020 concern.
Kenneth C. Citarella, Guidepost Solutions: The Internet of Things will not force any industry to change, not the auto industry, not the appliance industry, not the home security industry not the computer industry. A demand for security and privacy pushed jointly by consumers, the government, politicians and security experts will.
Dotan Bar Noy, Re-Sec Technologies: Yes. But it is still a long process that is in its early stages.
Stephan Conradin: Before changing the industry, understand what we can or should do with all this data from these sensors.
David Clarke, VCiso: Cyber security that can be managed will need to be built in. Paul Hoffman, Logical Operations: It already has. Gerald Peng, Mocato: Gartner Inc. has predicted that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. The increase in interconnected devices will mean that cyberattacks can be massively scaled up.
Nick Prescot, ZeroDayLab: Not really in 2016, the regulation as part of EU GDPR will make people think.
www.eforensicsmag.com
www.hakin9.org - 76 -
I
NTERNET OF THINGS Will IoT force the industry to change? Michael A. Goedeker, Auxilium Cyber Security: Yes, as in all new technology, we, for some reason, always forget to integrate security right from the start. This is a dangerous way of creating new services and products. Since IoT connects systems previously not connected, we will only get to see the „new” hacking vectors as it becomes more mainstream.
David Coallier, Barricade: The providers of security products need to understand that we have new computing capabilities available to us nowadays that allow for leaps in pattern discovery. Continuing to develop products that are doing heavy processing on the devices is no longer an option and the democratisation of computing Amazon is leading will force many incumbents to change how they do things.
Amit Serper, Cybereason: While I think IoT might have jump started a culture-shift towards security in some industries - such as automotive - for the most part, I don’t think people care enough about security to make IoT systems inherently more secure than what we have now. Unfortunately, I don’t think there will be much of a groundswell towards building secure IoT systems until people and businesses start experiencing consequences for themselves.
Mark Bennet, Blustor: Despite the efforts of many organizations to get in front of IoT related security issues, the drive to get to market first with these products is going to result in numerous vulnerabilities that can scarcely be understood yet. This means a long and painful road ahead for IoT but it will ultimately drive significant changes in the industry. Unfortunately, I suspect we have many years of learning from the “school of hard knocks” in front of us.
Roberto Langdon, Nicolas Orlandini, KPMG: IoT is becoming an amazing advantage for people’s wellness, but if we consider this with the little responsibility by mobile phone users in terms of protection and security, this will become a funny war between users and delinquents. I cannot imagine a toaster firewall but we can have security on the other side.
Andrew Bagrin, My Digital Shield: Very much so. We can no longer expect to have a security endpoint client on every piece of hardware out there that has an IP.
www.eforensicsmag.com
www.hakin9.org - 77 -
I
NTERNET OF THINGS Will IoT force the industry to change? Amber Schroader, Paraben Corporation: IoT has caused a lot of changes in how we look at digital evidence and access of digital devices in our daily life. IoT will make huge changes to where we see our information spread out to, as well as where it can be collected from.
BroadTech Security Team: YES, I wrote about a particular scenario a few months back but it was not received then but now people have started appreciating it after reality started striking. IoT is going to bring a deluge of data for processing, which traditional Big Data processing techniques, Internet bandwidth, cloud storage should be able to handle for a long time without breaking down. We will see more and more of Proximity Cloud or Intelligent Sensor Cloud that will throw away irrelevant data right from the start and send only what is needed to be processed and stores. Data Flow ( Realtime Big Data Analysis ) may not be a viable or preferable option without Intelligent Sensor Cloud ( I coined the term while researching AI ) no matter how big your infrastructure is, someday someone is going to question processing and storing all data because ultimately it all translates to cost incurred. I know I will get mocked on this but let us see :-).
Anthony Di Bello, Guidance Software: Yes, in today’s climate of privacy concerns, security will be critical to mass market adoption of IoT devices. It’s already forced the industry to change. Take a look at what Intel/McAfee is talking about lately.
Wade Lovell, Simpatic: Yes, IoT provides a new attack vector. The Internet of Things is a nightmare for security. Think of each one of those devices as a small computer transmitting personal information about you. What time are you out of the house? Did you turn on the burglar alarm? How do you remotely unlock the back door? At the moment, all that data is poorly secured.
Wade Johansen, CouriTech LLC: Will IoT force the industry to change? Yes, NEST is already making an impact. People want to be in touch with their homes, children, and PCs at all times. The world's technology industries will need to accommodate this to remain profitable.
Julie Herold, Kenny Herold, Odin’s Eye: No, this area is too new and not profitable yet as a result of the lack of presence.
www.eforensicsmag.com
www.hakin9.org - 78 -
I
NTERNET OF THINGS Will IoT force the industry to change? Craig McDonald, MailGuard: A study presented in October 2015 by the IT research company, Gartner, predicts a transformation in the world of cybersecurity within the next two years, thanks to the Internet of Things.
Ondrej Krehel, LIFARS: A bit, but not really.
Rajeev Chauhan: Yes, in a big way.
By the end of 2017, more than 20% of businesses will be using security services dedicated to protecting businesses initiatives, and that use devices and services based on the Internet of Things. Two examples: A sensor that detects and adjusts the temperature in a room automatically; another that adjusts the dosage of medication for a patient in their hospital bed according to new data on their medical records. Threat intelligence sharing among enterprises and security vendors will grow and mature. Legislative steps may be taken, making it possible for companies and governments to share threat intelligence. The development of best practices in this area will accelerate.
Einaras Gravrock, Cujo: IoT is about to magnify the issues of cyber security with billions of new devices entering the market – devices that are largely unsecured. I think it’s relatively easy to make an argument that IoT represents the biggest cyber security challenge yet. They are easy targets with potential for limitless damage.
www.eforensicsmag.com
www.hakin9.org - 79 -
I
NTERNET OF THINGS What kind of challenges will IoT face in the next year? Michael A. Goedeker, Auxilium Cyber Security: Incorporating the correct levels of security into software, menus, commands and integrating open source protection into all IoT devices from the start. At Davos, I discussed and showed how gas heaters can be turned into bombs because the lack of firewall and security verification technology in FPGA units. This is just one example, SCADA is also „still” an issue.
Craig McDonald, MailGuard: Currently, more things are connected to the Internet than people, according to technology company, Cisco, which also predicts that 25 billion devices will be connected by 2015 and 50 billion by 2020. All things that connect to the Internet expand the attack surface for hackers and enemies. A recent study released by Hewlett Packard showed that 70 percent of IoT devices contain serious vulnerabilities.
Mark Bennet, Blustor: The slow adoption of standards and commercial competitiveness will continue to challenge the IoT industry to really solve some of the more serious security vulnerabilities inherent in these devices.
Nick Prescot, ZeroDayLab: Same as mobiles.
Mayur Agnihotri: Lack of data protocol standards • There is currently no agreement/ standard on how to implement security in IoT • Upgradability And Patchability Of IoT regularly.
Irfan Shakeel, EH Academy: The security issues are expected to rise; security researchers might challenge the existing infrastructure. This will open the door for the organizations to spend on R&D, they will spend more on finding the vulnerabilities.
Wade Johansen, CouriTech LLC: Bandwidth, security and reliability. Bandwidth is already an issue, more fiber and more competition between global bvs local carriers needs to be emphasised. Security and reliability also go hand in hand, our phones, PCs, laptops, tablets, handhelds, watches, security systems, building systems, all the way up to electrical grids, require better security and protection.
Stephan Conradin: IoT should be treated in parallel with Big Data. IoT must integrate safety and security from the design.
www.eforensicsmag.com
www.hakin9.org - 80 -
I
NTERNET OF THINGS What kind of challenges will IoT face in the next year? Dennis Chow, Millar, Inc: Possibly weak passwords, backdoors, and injection based attacks.
BroadTech Security Team: I will have to write a book but here are few: (1) non standardization of hardware and software will create confusion but let us hope they all follow standard transfer formats and standard APIs for data transfer, talking of the ones with same use but from different vendors. (2) Serious security incidents are going to happen due to vulnerable hardware, firmware and software and for a long time, vendors are not going to take it seriously because they don’t understand. We have IoT startups with people who are highly creative but quite naive in security, so they are going to make highly useful stuff but insecure, thus undermining the product’s credibility.
Amber Schroader, Paraben Corporation: IoT has a lot of risk in just being new and not having the advantage of already being broken. Once technology is broken, we find better and better means to fix it. With IoT, it is giving us a completely new perspective that is causing issues in gaining access or even securing access.
Dotan Bar Noy, Re-Sec Technologies: The lack of a standard protocol and the need to incorporate many different patched systems will be the main challenge and not only for the next year. In addition, the IoT by design is built with lightweight security and relies heavily on shared libraries and a short development cycle.
Paul Hoffman, Logical Operations: Securing networks that use IoT.
Roberto Langdon, Nicolas Orlandini, KPMG: The key actions will be addressed to enter into the mobile phones, facilitated by the direct connection with the IoT.
David Coallier, Barricade: For us, the challenge isn't in security as much as it is in usability. We are a design-led security company and we spend a lot of time thinking about how to make security more accessible to businesses. Providers of IoT devices face the same challenge. Keeping a high level of convenience of use with intrinsic, transparent and non-adversarial security.
www.eforensicsmag.com
www.hakin9.org - 81 -
I
NTERNET OF THINGS What kind of challenges will IoT face in the next year? Rick Blaisdell: As we become increasingly reliant on intelligent, interconnected devices in every aspect of our lives, security is very much a central issue for the Internet of Things. Despite the opportunities of IoT, there are many risks that must be considered. Here are five of the many risks that will be essential in an Internet of Things world: Understanding the complexity - Imagine Nuclear power plants and data centers using IoT devices to automate their controls and being compromised. Understanding the complexity of vulnerabilities, and how serious of a threat they pose is going to become a huge challenge. Because these devices will have hardware platforms and software that enterprises may never have had insight into before, the types of vulnerabilities may be unlike anything organizations have dealt with previously. This is why it's critical not to underestimate the elevated risks of many IoT devices. Vulnerability management - Another big challenge for enterprises into an IoT environment will be learning how to quickly patch IoT device vulnerabilities and how to prioritize them. Because most IoT devices require a firmware update in order to patch the vulnerability, the task can be hard to accomplish in real time. Identifying security controls - In the IT world, redundancy is critical. If one product fails, another is there to take over. The concept of layered security works similarly, but we still have to see how well enterprises can layer security and redundancy to manage IoT risk. The challenge will be identifying where security controls are needed for Internet-connected devices, and then implementing effective controls. Given the diversity that will exist among these devices, organizations will need to conduct customized risk assessments, often relying on third-party expertise, to identify what the risks are and how best to contain them. Disruption and denial-of-service attacks - Disruptive cyber attacks, such as distributed denial-of-service attacks, could have bad consequences for an enterprise. If thousands of IoT devices try to access a corporate website or data service feed that isn't available, a company’s happy customers will become frustrated, resulting in revenue loss, customer dissatisfaction and potentially poor reception in the market. Capabilities for managing lost or stolen devices will also be critical for dealing with compromised IoT devices, so having an enterprise strategy in place will help mitigate the risks of corporate data ending up in the wrong hands. Security analytics capabilities - The variety of new devices connecting to the Internet will create a flood of data for enterprises to collect, process and analyze. While certainly organizations will identify new business opportunities based on this data, new risks emerge as well.
www.eforensicsmag.com
www.hakin9.org - 82 -
I
NTERNET OF THINGS What kind of challenges will IoT face in the next year? Wade Lovell, Simpatic: IoT designers will have to convert to a security-centric design methodology. So far, security has mostly been an afterthought.
Andrew Bagrin, My Digital Shield: The biggest challenge will be security.
Ondrej Krehel, LIFARS: Staying secure as they grow in capabilities. It’s all about service management and usability vs. security.
Gerald Peng, Mocato: The surge in IPconnected devices increase cyber threat risks within the corporate and domestic environments, specifically with respect to IT infrastructure and device vulnerabilities.
David Clarke, VCiso: Managing Cyber security on a large scale.
Anthony Di Bello, Guidance Software: Really the challenge of mass-market adoption, convincing the market that it is security. News of hacked Barbie Dolls and baby monitors is not helping here.
Kenneth C. Citarella, Guidepost Solutions: The greatest risk is that we will not anticipate the connections that will be made possible by the Internet of Things. One device may be designed to talk to another, but where the second one leads may only be understood once it is too late. For example, many devices can be accessed via a smartphone. If one device is compromised and that leads to vulnerability in the smartphone app, the risks for the user can escalate to involve every function and every app the phone supports.
www.eforensicsmag.com
www.hakin9.org - 83 -
I
NTERNET OF THINGS How will IoT influence cyber community? Michael A. Goedeker, Auxilium Cyber Security: We need to be faster, teach more, work on creating security products that protect everyday functions and people from dedicated and nasty attacks on whatever the IoT industry brings out. It's a new area that we need to protect fast. Time is ticking (tick-tock).
BroadTech Security Team: Will mention just one part that could be missed by others. “More Information Overload“ causing the brains to be rewired for “continuous partial attention” thus degrading the brain’s ability to reflect and contemplate and thus losing creativity. IoT devices will rule over us.
Rick Blaisdell: The Internet of Things has the potential to bring together every aspect of different networks. Therefore, security at both the device and network levels is critical to the operation of IoT. The same intelligence that enables devices to perform their tasks must also enable them to recognize and counteract threats.
David Clarke, VCiso: Another very specialist niche is developing.
Kenneth C. Citarella, Guidepost Solutions: Hopefully, the Internet of Things will galvanize the cyber community to talk about the ever growing advocacy for thorough evaluations of all aspects of security for all connected devices.
Gerald Peng, Mocato: I hope that IoT will help people think about cyber security more holistically and with an eye on proactive, forensically sound measures and protocols. Addressing IoT cyber threats by securing a single device here and there is inadequate.
Leon Kuperman, Zenedge: IoT is a top concern to most security executives, because of the massive scale and potential of the “armada” of computers out there that can affect an organization.
Nick Prescot, ZeroDayLab: The use of SSO solution and the interoperability of information.
Irfan Shakeel, EH Academy: IoT will have a great impact on Infosec community, it will be in the spotlight along with BYOD and cloud security.
www.eforensicsmag.com
www.hakin9.org - 84 -
I
NTERNET OF THINGS How will IoT influence cyber community? Wade Lovell, Simpatic: It may make the community more cautious, which would be a good thing. It certainly exposes data on previously private acts such as making love in a room with a SmartTV or temperature sensor.
Stephan Conradin: Emerging standards for communication.
Ondrej Krehel, LIFARS: It’ll take time. Once the first major breach happens, it’ll explode.
Dotan Bar Noy, Re-Sec Technologies: McKinsey estimates that the IoT has a total potential economic impact of $3.9 trillion to $11.1 trillion a year by 2025. This growth by itself has the potential to increase dramatically the security research done and create power shift to new emerging vendors.
Mayur Agnihotri: As the IoT continues to skyrocket, internet enabled devices will become a more attractive target for cyber attacks. I remember last year hackers gained access to US retail chain which led to the theft of 40 million credit card numbers. Some points why IoT will influence cyber community: IoT devices present multiple points of vulnerability. • Connected devices need to be upgraded and patched regularly. • IoT will increase complexity of the entire internet. It’s directly related to the increased complexity of the information infrastructure.
Amber Schroader, Paraben Corporation: IoT will cause a lot of changes in the review of connection in the community and how that level of cross connection can really affect the data we have on our devices. We expect to see a lot of new cases come into play with a focus on nontraditional storage devices.
Julie Herold, Kenny Herold, Odin’s Eye: Negligible, at this time it appears to be a novelty in discussion.
David Coallier, Barricade: I truly believe the industry will start realising the importance of de-expertizing the field and allowing different types of people to join the security field. We go as far as saying security shouldn't be its own discipline but normal part of operations in Barricade.
www.eforensicsmag.com
www.hakin9.org - 85 -
I
NTERNET OF THINGS How will IoT influence cyber community? Wade Johansen, CouriTech LLC: A lot of white hats will go gray, but not for all the wrong reasons! The continuous evolvement of global threats to peace and prosperity are affecting so many people that many have decided the only way to fight crime is by operating outside the framework of laws as they currently stand. Governments tend to be behind in technical advancements, and IoT is one of the things they aren’t equipped to govern yet. They are slow to tackle emerging threats, and are behind on daily advances to technology of IoT. Gray hats, on the other hand, can easily move in and out of systems without much fear, and remain anonymous while having quite a large impact without causing system disruptions. They expose and report vulnerabilities without exploiting them. It’s not about glory, it’s about getting the job done efficiently and building security around devices.
Craig McDonald, MailGuard: Information technology security experts have been warning the public about cyber threats for years, but users seem not to pay attention to these alerts -- they either don’t understand the threats or they do not care. The cybersecurity industry needs to get better at communicating. One new initiative is the Open Web Application Security Project’s (OWASP) Internet of Things Top 10 Project, which is attempting to educate users on the main facets of IoT security and help vendors make common appliances and gadgets network- and Internet-accessible. The project identifies the top 10 security problems seen with IoT devices, and discusses how to prevent them on its website. Its list is as follows: Insecure Web interface; Insufficient authentication or authorization; Insecure network services; Lack of transport encryption; Privacy concerns; Insecure cloud interface; Insecure mobile interface; Insufficient security configuration; Insecure software or firmware; Poor physical security. The Internet of Things will redraw the lines of responsibilities for the enterprise – security policies will open to different profiles of employees and updating protocols, as happened with the introduction of BYOD or cloud computing, but on a much larger scale, and with a far more visible impact. Technology research company Gartner believes that securing the IoT will be so complex that CISOs will use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security.
www.eforensicsmag.com
www.hakin9.org - 86 -
I
NTERNET OF THINGS Will we see the security for IoT emerging along new IoT solutions, or will we have to wait? Chase Cunningham, Cynja: IoT security isn’t really even a thought right now. What we are seeing is the emergence of the “next” Internet. With new protocols, communication mediums and applications but no consideration for security. Sadly, we are seeing kids become the first victims of IoT exploits. In the past few weeks, we’ve learned that Barbie isn’t just a plastic doll with a house of your dreams anymore. Instead, she’s a vector of attack that hits kids right in their own home. And parents who gave their child a Kidizoom smartwatch or a VTech InnoTab tablet may have exposed their kids to identity theft after VTech reported hackers stole the personal information of more than 6 million children. That’s why I believe we need to protect our kids in this emerging world of IoT and build systems that allow families to better control their family’s data, allow parents to see what data IoT devices are collecting and alert them when those data are stolen. What we’ve learned this year is when it comes to IoT toys, trusting a company's "reasonable measures" isn't enough. As a dad, I’m doing something about this and building better protocols for kids’ digital lives. They deserve better than what we’re using today.
Wade Johansen, CouriTech LLC: Security is already paramount, but it will not grow as quickly as IoT itself. Products often are rushed to market just to get brand recognition, this often means security is left behind. In this case, you’ll see security follow after breaches, etc., and when it becomes a regulation concern. For a while, though, it will be the wild-wild west, just like the early dot-com days.
BroadTech Security Team: Definitely, we will have to wait because as I said earlier, many new startup vendors have no idea what it is. Wait, even Lockheed Martin could not figure it out while making $37 billion fleet of littoral combat ships for US Navy. Those new to IoT especially would need some time to figure it out :-).
Gerald Peng, Mocato: I am an optimist, and with IoT developing so quickly, I believe that consumers and corporations will drive the need for increased security options and tools.
Ondrej Krehel, LIFARS: It’ll take time. Once the first major breach happens, it’ll explode.
Leon Kuperman, Zenedge: Yes, companies like CUJO are making waves by protecting both IoT and mobile devices on home and SMB networks.
www.eforensicsmag.com
www.hakin9.org - 87 -
I
NTERNET OF THINGS Will we see the security for IoT emerging along new IoT solutions, or will we have to wait? Michael A. Goedeker, Auxilium Cyber Security: We have to see security for IoT. We have answered that call by discussing existing hacks today, at Davos and any other conference we are invited to speak at. Waiting for security and processes, procedures to catch up to new tech is the same issue as previously, only now we are inviting attacks into our homes and family members. This is a totally new ball-game.
Craig McDonald, MailGuard: The cyber security industry needs to work with innovators from the get-go with partnerships that change the way products are designed.
Elizabeth Houser, Praesidio: Both. Firstattempt security for the IoT will emerge along with new IoT solutions, otherwise manufacturers won’t gain confidence and purchases from consumers. There will, of course, be vulnerabilities discovered and privacy mishaps, most likely on a large scale in some cases, and security standards will have to adapt accordingly as the IoT expands and evolves.
Mitchell Bezzina, Guidance Software: Some vendors are already making claims to be able to help with IoT security, but they have the advantage of being first-tomarket and attempting to define IoT security based on what they have to offer. While more robust tools and technologies evolve to meet the challenge, the majority of IoT security efforts in 2016 are likely to revolve around testing, testing, and more testing. Take a look at Intel/McAfee for the current leaders in IoT security thought -leadership.
Alina Stancu, Titania: It is predicted that over 200 billion devices will be connected by 2020. This sheer explosion of devices attached to the network will lead to an increased threat surface. Security monitoring will become essential and solutions will have to adapt at managing the numbers. The silver lining is that IoT is still at a young stage and it appeared in a context where users are slightly more aware of security and privacy issues. This means there are calls for the industry to secure things before it can spin out of control, which means ultimately that the framework will be safer by default.
Wade Lovell, Simpatic: Fortunately, security will emerge alongside new IoT solutions and offerings. No manufacturer wants to be in the news as the attack vector allowing the theft of confidential information or images.
www.eforensicsmag.com
www.hakin9.org - 88 -
I
NTERNET OF THINGS Will we see the security for IoT emerging along new IoT solutions, or will we have to wait? David Clarke, VCiso: IoT will move from becoming unsafe to manageable security, the technology is there already.
Stephan Conradin: We have to wait. Too many devices exist with poor security or no security at all. It’s impossible to change all devices and components very fast. Remember migration from IPv4 to IPv6, not months or years, but decades.
The industry needs to learn from its mistakes as it builds devices that connect via the Internet. Best practices security, such as using secure protocols for communication or installing the latest updates, fixes and patches, are the starting point. Innovators must consider that future security will be managed automatically by the system instead of users, and designing secure technology will require a new approach and mind-set.
Kenneth C. Citarella, Guidepost Solutions: We must include new security with new developments. Waiting is too great of a risk.
Amber Schroader, Paraben Corporation: We, as an organization, have been focusing on it for over a year now and will continue to do so. IoT is here to stay and will only grow in popularity and connectivity which causes each individual's digital fingerprint to grow. There is also a great deal of interest from governments to safeguard new connections and warn business and home users of the increased risks that arrive with connecting new devices.
David Coallier, Barricade: Most definitely. The SaaS tech-model wherein a platform that processes large amounts of data to come up with decisions will start emerging.
Irfan Shakeel, EH Academy: We will not have to wait; we will see the direct impact in the year 2016. We will see the research papers, findings /solutions, products to secure the IoT. It will change the business dynamics and the education as well.
Roberto Langdon, Nicolas Orlandini, KPMG: Again, Security Awareness is a must.
Andrew Bagrin, My Digital Shield: Usually we have to wait because we need to know what it is we are securing and what the vulnerabilities are.
www.eforensicsmag.com
www.hakin9.org - 89 -
W
HO IS WHO Amber Schroader Paraben Corporation CEO & Founder
Kenneth Citarella Guidepost Solutions Senior Managing Director
Throughout the past two decades Ms Schroader has been a driving force for innovation in digital forensics. Ms. Schroader has developed over twodozen software programs designed for the purposes of recovering digital data from mobile phones, computer hard drives, email, and live monitoring services. Ms. Schroader has taught and designed the established protocols for the seizure and processing of digital evidence that have been used by numerous organizations throughout the world. Ms. Schroader has coined the concept of the “360-degree approach to digital forensics” as well as started the momentum and push to the “Forensics of Everything-FoE” with her focus to unique problems in digital evidence and solutions.
Kenneth Citarella is a senior managing director for the Investigations and Cyber Forensics practice. He joined Guidepost Solutions in 2010 as a project manager to investigate fraudulent claims for the Gulf Coast Claims Facility in its administration of the $20 billion BP compensation fund. In that capacity, Mr. Citarella supervised 300 professionals, including more than 200 field investigators. Nearly 18,000 claims were referred for investigation; many involved the financial analysis of a claimant’s business operations, including numerous constructionrelated entities. The project team wrote thousands of fraud reports which were described by an official of the U.S. Department of Justice as the finest body of investigative work he had ever seen.
David Clarke David has experience across Finance, Telecoms, Public Sector including developing CERT on a Financial Intranet trading $3.5 Trillion a day , Managed Security Services with a $400 million dollar Global install base, including Leading edge Product Selection ,implementation and architecture. In these sectors David has built Secure operations capabilities often from scratch, developed full Cyber incident response expertise , created , maintained and improved regulatory and compliance commitments including PCI-DSS, ISO 27001.
www.eforensicsmag.com
www.hakin9.org - 90 -
T
OOLS OF THE TRADE How will tools evolve in 2016?
Michael A. Goedeker, Auxilium Cyber Security: They will become easier and faster to use. There will be more emphasis on the value a tool has to security and where it obtains that information from.
David Coallier, Barricade: Businesses deserve security that isn't adversarial, complicated and confusing. The job of a security professional shouldn't be to stare at a screen all day but rather promote and encourage good security procedures and behaviour across the organisation. Both emerging and new tools are helping in solving that problem.
Shay Zandani, Cytegic: The main evolvement will be in the cybersecurity management solutions field, due to the fact that already CISOs and other security personnel are overwhelmed with the abundance of defenses, policies and procedures, and they must have a management system that they can use as a vehicle to streamline and update operations and policies.
Wade Johansen, CouriTech LLC: More will focus on geographical information and isolation as well as virtual distribution models.
Julie Herold, Kenny Herold, Odin’s Eye: Increased reliance on existing automated tools to help companies achieve compliance to avoid financial penalties and less investment and focus on manual assessments. As a result, automated tools that typically scratched the surface will mature as the compliance and regulatory demands increase. The increase in demand will force vendors coding tools to be more and more sophisticated and accurate and easier for anyone to utilize.
Andrew Bagrin, My Digital Shield: I believe endpoint will become less effective and will eventually go away.
Dennis Chow, Millar, Inc: We will probably see more advancements in prediction vs. detection based tools with the addition of complementing tools that augment existing gaps in things like access control, social engineering attack detection, and of course, more 0-day detection.
Stephan Conradin: No real changes as tools are not designed with security at the design. We’ll have nicer interfaces and still 50 security patches per year.
Ondrej Krehel, LIFARS: They will try to make things easier, adding more usability for untrained staff.
www.eforensicsmag.com
www.hakin9.org - 91 -
T
OOLS OF THE TRADE How will tools evolve in 2016?
Alina Stancu, Titania: There will be a boost in automation, in order to keep up with the sheer amount of data. As connectivity has surpassed security, the number of vulnerabilities and back doors has increased as well. Complex, interconnected systems require complex security tools. While there is no single tool that can successfully secure everything, there are certainly an array of solutions that can be used together to minimise threats. The key is not a bulk buy of the newest consoles. The key here is an intelligent risk assessment of the risks and capabilities of individual organisations, in order to apply tools and tactics in an efficient, costeffective manner.
Mitchell Bezzina, Guidance Software: Tools will continue to diversify for customer types, in most industries there are experienced and new users who have vastly different requirements and job functions, solutions will adapt to cater for larger audiences and aim to create operational efficiency.
Roberto Langdon, Nicolas Orlandini, KPMG: Forensic technologies and Data Analytics will be the drivers to push the investigation activity all over the world. Data Analytics tools are focused on bringing more versatility to users, in order to help them optimize the information filtering, identify potential irregular patterns in huge volumes of information and select the tagged pieces of evidence, the most sustainable and specific ones. Cross information with other sources will help to obtain a wider scope to the investigators, because besides local equipment, pen drives, CDs, DVD, tablets, notebooks, and smartphones, there is a lot of information inside Cloud Services.
Wade Lovell, Simpatic: Scanning tools, e.g. NMap and ZenMap, will become even more important and move into consumer products. More tools will be deployed in real time environments. Intelligent pattern recognition will continue to develop and will be at least partially capable of stopping bad actors, e.g. shutting down ports under attack.
David Clarke, VCiso: Vendors with the most R&D budget will dominate the market place, most tools will need to be managed by 3rd parties due to complexity.
www.eforensicsmag.com
www.hakin9.org - 92 -
T
OOLS OF THE TRADE Will the trend to eliminate passwords continue?
Michael A. Goedeker, Auxilium Cyber Security: Not sure about passwords but the way we authenticate will evolve.
Andrew Bagrin, My Digital Shield: Yes, no one likes passwords, but a standard solution is needed.
Mark Bennet, Blustor: The trend to eliminate passwords will continue and will likely accelerate as more devices support biometric authentication. We will see the emergence of new two-factor authentication solutions as they incorporate the security benefits of biometrics.
Stephan Conradin: The password is often still the least bad solution and with SSO it remains comprehensible to the user without being too restrictive.
Paul Hoffman, Logical Operations: Yes, it is tough to change the habits of people and making secure passwords and changing them often is not easy. The quickest way to affect security is to have a new authentication method that is personal.
Wade Johansen, CouriTech LLC: Not yet, it is still far too common and there are not enough options to remove this as a staple method of identification and authorization. However, you will see more dual factor authentication requirements in 2016 as well as chip technology taking a strong foothold.
Mitchell Bezzina, Guidance Software: Yes, biometric scanning will be household and the use of passwords will be limited, however, the wide adoption will take years for manufacturers to standardize so that applications can make connections to hardware.
Dennis Chow, Millar, Inc Short: There will be efforts, but unfortunately, it’s not going away anytime soon. Passwords are still the most wide spread, easiest, and most affordable method of access so far.
BroadTech Security Team: I think yes, and I think we should do away with passwords altogether. It is not secure at all these days, even the conference rooms have surveillance cameras that can suck up your password. But a one size fit all parallel implementation won’t be possible.
Einaras Gravrock, Cujo: Absolutely. However, expect 2016 to be the year of new proposed solutions and not yet a solution for what will actually be adopted.
www.eforensicsmag.com
www.hakin9.org - 93 -
T
OOLS OF THE TRADE Will the trend to eliminate passwords continue?
Dotan Bar Noy, Re-Sec Technologies: I think the trend will continue but there is still a very long way before biometric measures could replace old style passwords. This is true both for large enterprises as well as for SMBs. The rise of biometrics identification measures we saw in mobiles will take a very long time before it will make the move to desktop computers.
David Clarke, VCiso: Yes. Strong authentication may need to be legislated to remove passwords.
Ondrej Krehel, LIFARS: Passwords are great. We just need more factors beyond it.
Wade Lovell, Simpatic: Yes. People are fundamentally lazy and the standard 8 character password can be cracked in ten seconds. 59% of adult users in one recent survey said they use a single password for every site. While password managers are breathing new life into passwords, they won’t stem the tide.
Julie Herold, Kenny Herold, Odin’s Eye: No, many attempts have been made to eliminate the need for passwords and most of them have failed. The only successful ones are smart cards/HSMs for nation state and the financial industry and this is too costly to implement and has a high learning curve and maintenance cost associated with it that organizations and companies will deem unnecessary as a result of the impact to end users.
www.eforensicsmag.com
www.hakin9.org - 94 -
T
OOLS OF THE TRADE What new technology will make an impact on cyber security the most?
Michael A. Goedeker, Auxilium Cyber Security: We believe ours! Dark Energy is the first framework of its kind aimed at using components from open source, being open system and not telling a customer or partner what threat feed to use, AV, ITAM, etc. It simply makes all that info and systems finally actionable. We would hope that AV companies, SIEM, VA and other security companies discuss and help us create the world's first unified threat intelligence framework!
Roberto Langdon, Nicolas Orlandini, KPMG: Organizations need to invest in the right tools, as well as the right people. They need visibility first and foremost, to know if they are being attacked. Without visibility, it’s impossible to identify holes in the security arsenal and weaknesses in infrastructure. There are organizations that have been compromised for years before they discovered the damage.
Przemek (Shem) Radzikowski, Secbüro Labs: Attackers and criminal organizations have been cooperating together for many years, and in many respects are a decade ahead of the rest in terms of their effectiveness. However, the adoption of cloud technologies has had a positive effect on our threat intelligence. By funnelling large data segments through relatively few cloud platforms, we have been able to collect valuable intelligence on the techniques, attack vectors and origin of attacks. Correlating these across regional and organizational boundaries gives us even more intelligence. This plus a push from industry players to share such intel freely, will only improve our ability to deploy proactive countermeasures.
Wade Johansen, CouriTech LLC: Encryption. It is now available to everyone for everything - so governments will no longer have the intelligence gathering capabilities they once were privy to and that will impact every person on the planet.
David Coallier, Barricade: As a company working hard on leveraging machine learning and artificial intelligence we believe large-scale analysis will play a major role in changing how the security industry works. We want to eliminate the concept of rules and integrate the concept of behaviours.
Wade Lovell, Simpatic: Simply secure communications will have the greatest impact in coming years because 91% of all hacks start with email.
BroadTech Security Team: It may not be technology but awareness and a more discerning use of available technology.
www.eforensicsmag.com
www.hakin9.org - 95 -
T
OOLS OF THE TRADE What new technology will make an impact on cyber security the most?
Andrew Bagrin, My Digital Shield: Definitely IOT.
David Clarke, VCiso: Secure mobile phones, and technologies that replace password technology.
Mitchell Bezzina, Guidance Software: Moving to a completely cloud based office where laptops only store temporary data worked on offline, or “checked-out”. This will force us to redefine all security rather than segments.
Ondrej Krehel, LIFARS: One that can take all the devices and manage them in a single place.
Rick Blaisdell: The IoT makes every "smart" device susceptible to hacks. Many of these devices will be interconnected, which will make machine-to-machine trust increasingly more important. It's not just the channel they use to communicate that needs to be trusted (TLS encryption), but also whether the devices at the other end should be trusted at all. This issue will become even more relevant when selfdriving cars begin to communicate with each other. They will need to be able to identify illogical commands or spoofed communications, and they will need to do that automatically without human intervention.
Julie Herold, Kenny Herold, Odin’s Eye: Technology that is developed to share intel across companies in different industries. The attackers are already sharing their intel for profit; we are just behind and need to adopt their methods to keep up.
Stephan Conradin: The human factor, but it is not a technology. The first line of defense should remain the intelligence of the human, his understanding of the risks, his awareness of his actions,
Rajeev Chauhan: Two factor authentication including dna matching.
Dotan Bar Noy, Re-Sec Technologies: Within enterprises big data analytics and machine learning looking for patterns will make the life of the hackers harder. Additional gate solution that can ensure content introduced to the users are free from any threats (known and unknown).
www.eforensicsmag.com
www.hakin9.org - 96 -
T
OOLS OF THE TRADE What new trends will we see on threat intelligence?
Michael A. Goedeker, Auxilium Cyber Security: It’s doing its job! There are many companies that have feeds but the question is always about value. Fancy maps are nice but what good does the information in that map do really? How is the data collection any different than using a RasberryPi2 with Snort, etc? We build our own network of sensors (Pi2’s, DMZ sensors, etc) and use this information to find differences and turn that information into actionable intel. But we also use other areas of data collection (all legal!). OSINT is something surprisingly missing in all threat intelligence feeds so we created our own system that also includes that.
Wade Johansen, CouriTech LLC: Creating virtual peer to peer networks (ready made) and selling them as being darknet ops. Continued infiltration of current botnets, and C&C centers as well as placement of compromised servers into anonymous systems.
Mark Bennet, Blustor: The continued growth and use of biometric authentication will have a profound impact on cyber security – both improving security as well as creating a new set of vulnerabilities that are not being effectively addressed by the mobile device industry.
Stephan Conradin: More collaborative work to share knowledge. Anthony Di Bello, Guidance Software: Likely a standardization of one or two formats. We will see a Betamax/VHS situation emerging between the many “standards” that currently exist such as STIX and YARA.
Dennis Chow, Millar, Inc: Possibly the inclusion of other threat vectors for true intelligence such as physical, signaling, and other disciplines that can be combined into cyber.
Mitchell Bezzina, Guidance Software: Intelligence platforms will emerge to converge threat intelligence providers into one connectivity source, cost of threat intelligence will lower due to commoditization
Shay Zandani, Cytegic: Geographic and Industry-specific trend analysis and automatic pattern recognition will be mandatory for large organizations who want to be able to take informed preemptive decisions in cybersecurity
www.eforensicsmag.com
www.hakin9.org - 97 -
T
OOLS OF THE TRADE What new trends will we see on threat intelligence?
Roberto Langdon, Nicolas Orlandini, KPMG: One way companies can expand their expertise is by bringing in security intelligence to pinpoint problems, identify anomalies and highlight unusual or suspicious activity. Intelligence can help in two ways. First, an “early-warning-as-aservice” can reduce the vulnerability threat window: the time between the detection and the remediation of an attack. Intelligence can also provide a broader picture of global threats than any one organization could gather on its own. Security is an ecosystem; organizations need to know what is going on externally as well as internally. Organizations can expand their own intelligence by using Threat Intelligence tools for consolidating, analyzing and sharing information about their own security threats with peers and competitors. While this is a sound idea in theory, sharing information with competitors is not something many organizations are willing to do—yet. Understanding the threat landscape and knowing your enemy with security intelligence is another. What you can’t prevent, you should try to detect. And what you can’t detect, you should be prepared to respond to quickly.
Ondrej Krehel, LIFARS: Better integration and multiple source management.
Wade Lovell, Simpatic: Threat modeling for real-time response will become the new norm even in small organizations.
David Clarke, VCiso: Threat Intelligence may be the catalyst to make IT safe.
Andrew Bagrin, My Digital Shield: Simplification as opposed to flexibility. Security needs to start making a stand and force software developers to start following standards when they communicate across the network.
www.eforensicsmag.com
www.hakin9.org - 98 -
W
HO IS WHO Shay Zandani Cytegic, Co-founder and CEO
Rick Blaisdell
Experienced CTO, creating technical strategies which reduce IT operational costs and improve efficiency. Rick has 20 years of product, business development and high -tech experience with Fortune 500 companies, developing innovative technology strategies, with particular expertise in cloud computing integration, delivering cost effective IT services, strategic planning and development for Information Systems, and creating innovative businesses
Shay’s entrance into cyber security was on the nationstate cyber battlefield when he founded the Information Warfare Department at the Israeli Air Force. Under his leadership, the IWD pioneered the use of data manipulation for cyber offense. He then spent more than a decade as CEO of Kesselman Global Risk Management Solutions (GRMS), a subsidiary of PwC focused on conducting risk and cyber security maturity assessments for large enterprises. Prior to PwC, Shay participated in establishing the first TTP Certificate Authority in Israel.Shay’s unique blend of private and public sector experience and deep understanding of how cyber risk evolves and impacts an organization’s bottom line helped crystallize his vision for Cytegic. He received his bachelors and masters degrees in computer science from the Open University of Israel, and his Executive MBA from Northwestern University and Tel-Aviv University, upon graduating from Mamram, the IDF (Israeli Defense Forces) technical elite unit in 1990.
Wade Lovell Simpatic, CEO Wade Lovell has founded eight companies with $200+ million in stakeholder returns. Wade began his career at Goldman Sachs and Arthur Andersen. He has an MBA from Columbia Business School and is a financial services expert. He is a CPA, former CFE, EA, and has held Series 3, 7, 63 & 24 designations.
Dotan Bar Noy Re-Sec Technologies Ltd, CEO and Co-Founder Lt. Commander Israel Navy has more than 10 years of management experience in several leading companies and startups in Israel and US.
www.eforensicsmag.com
www.hakin9.org - 99 -
A
REAS OF SECURITY What are your predictions for network security in 2016?
Michael A. Goedeker, Auxilium Cyber Security: The push for more automation will eventually happen. We have started this process by being the first company to introduce our copyrighted concept of the „Self Protecting Network”.
Wade Johansen, CouriTech LLC: It will continue to grow as a field, and businesses will be required meet new standards if they want to trade at global levels.
Wade Lovell, Simpatic: I anticipate a rise in the adoption of security appliances and air-gapped internal networks in 2016 (similar to the structure of the 1970’s and early 1980’s when each company had its own mainframe that did not communicate with the outside world).
Mark Bennet, Blustor: As more employees telecommute and the workforce continues to become more mobile, network security will continue to evolve to better support granting secure and remote access to enterprise networks. A key concern is positively identifying that a remote employee is, in fact, who they claim to be at the point of entry into the network. We will see the incorporation of biometrics as one of the key solutions. Companies will also discover that storing an employee’s biometrics in a centralized location comes with tremendous liability in the event that data ever becomes compromised. Solutions such as BluStor’s CyberGate platform are uniquely positioned to help address those types of risks.
Julie Herold, Kenny Herold, Odin’s Eye: “All your eggs in one basket” – We see SaaS, PaaS, IaaS, with many tenants becoming a target for network pivoting between organizations and/or the presence of malicious faux companies establishing presence to increase the proximity to targeted organizations.
Mitchell Bezzina, Guidance Software: Expect more breaches where organizations had detected compromise long before data theft, but mishandled the original response. This trend will continue to drive changes in incident response process, and the depth of forensic investigation.
Leon Kuperman, Zenedge: Increased DDOS attacks in both size and complexity. Increased penetration into corporate networks, where threat actors wait and stay longer without detection. New attack methods for hiding command / control communication.
www.eforensicsmag.com
www.hakin9.org - 100 -
A
REAS OF SECURITY What are your predictions for network security in 2016?
Alina Stancu, Titania: Network function virtualisation (NFV) is a rapidly evolving aspect of virtualisation which was created in an effort to speed up deployment of network services. NFV is great for streamlining specialised network tasks onto a single platform, but it is significantly more complex and makes attacks harder to identify, in its multi-layered form. Software defined networks (SDNs) have been created on campuses and developed in cloud data centres. Used in combination with NFV, they can offer greater value to existing services, making it more scalable and fully-automated. Further risks come in the shape of open source software that these new technologies are based on and larger attack surfaces. Auditing and penetration services will rise as more industryled standards become ingrained in business practices. From PCI-DSS to SANS, HIPAA or FISMA businesses are more under pressure to comply with policies specific to the country they operate in, or the industry sector they cater to.
Anthony Di Bello, Guidance Software: Attackers will remain undetected for longer as evasion methods become more complex.
Stephan Conradin: Still a lot of DDOS.
Ondrej Krehel, LIFARS: I think network taps will be more common.
Roberto Langdon, Nicolas Orlandini, KPMG: Our predictions on network security depend on the extent at which the people responsible for technological platforms, recognize all the tools, policies and procedures that must be added to the existing ones. Different surveys conclude that about 40% of the market did not implement Intrusion Prevention Systems (other vendors call them Next Generation Firewalls) to protect the application level in the OSI model. If this is true, and on the other hand the Top 10 OWASP recommendations are not followed and assured in the organizations, the cyber delinquents still have a lot of work to do.
David Clarke, VCiso: Software defined networks, legislation and password technology replacement.
Andrew Bagrin, My Digital Shield: I predict that there will be more pre-filter, trying to deliver a prescrubbed internet service, as opposed to giving more tools to try and scrub it themselves.
Paul Shomo, Guidance Software: Variants of malware will increase to limit the ability for indicators of compromise being easily defined.
www.eforensicsmag.com
www.hakin9.org - 101 -
A
REAS OF SECURITY What are your predictions for software security in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Secure coding will continue to be a vital part of any security methodology. OS’s with integrated spyware will be less and less acceptable and will see business revenue drop. This will push Open Source OS’s for the second time.
Mitchell Bezzina, Guidance Software: Endpoint technologies will be the main focus for 2016, redefining the replacement for antivirus. This allows networks to be understood and secured from the inside out and provides a means of detection and response to all threats.
Einaras Gravrock, Cujo: We will see many new solutions focused on network traffic patterns, big data, and machine learning.
Stephan Conradin: Still 50 security patches per year for each software because software have no security by design, OWASP will continue their very good job of explaining how to avoid SQL Injection and we’ll see SQL injection
Julie Herold, Kenny Herold, Odin’s Eye: The heavier we move code reliance on the client for storage and processing, the more attacks that will be developed in server response and client-side code tampering versus the more traditional and more secure server side attacks in client requests.
Paul Hoffman, Logical Operations: Move to secure coding. Patching holes before launching software.
Rick Blaisdell: Backup and recovery will become synonymous with security. With the explosive growth of structured and unstructured data, improving backup and recovery time will be a big hurdle for the enterprise. Vendors will rely on automated tiered solutions and data deduplication to address the challenges of heterogeneity of technology. Encrypted data backups and agentless cloud-based replication will become the norm for data security.
Ondrej Krehel, LIFARS: Hopefully, the SDLC will include more security, hopefully being sent to a security specialist and not a dev.
Wade Johansen, CouriTech LLC: Much of it will become platform independent and include focus on mobility and portability. Dennis Chow, Millar, Inc Short: More focus and demand in SSL/TLS based decryption.
www.eforensicsmag.com
www.hakin9.org - 102 -
A
REAS OF SECURITY What are your predictions for software security in 2016?
David Clarke, VCiso: Self contained security in software, vulnerability management designed in as part of software maintenance, password technology replacement.
Wade Lovell, Simpatic: Apps – corporations will start controlling the approved and therefore available apps on BYODs. Antivirus – consumer antivirus programs will move up market in order to remain viable. AVG, for example, is struggling under the weight of its free model and has moved to freemium offerings and addons.
Andrew Bagrin, My Digital Shield: It will continue to struggle to keep up. I’m assuming this is referring to endpoint.
www.eforensicsmag.com
www.hakin9.org - 103 -
A
REAS OF SECURITY What are your predictions for hardware security in 2016?
Michael A. Goedeker, Auxilium Cyber Security: We already train our partners and customers in „hardware hacking”. Many instances have shown that hardware and the associated firmware is a valid attacking vector. We are no longer just dealing with software viruses and malware, we are also dealing with firmware, side channels and newer aversion techniques to hide protocols and suspicious traffic and activities.
Wade Lovell, Simpatic: Manufacturers will continue to be plagued by their own errors and government demands for backdoors. They will also be compelled to offer economic incentives for successful hacks against their hardware, e.g. Cisco routers, in order to attract a real mining effort on the part of the white hat community.
Einaras Gravrock, Cujo: We will see an increasing amount of hardware makers who will rely on third party platforms to build software for their hardware. Those third party platforms, a combination of hardware security and software security, will help IoT makers build less vulnerable devices.
Julie Herold, Kenny Herold, Odin’s Eye: We think there will be an increased focus on uncovering intentionally placed holes/ gaps within the hardware space that are baked into the solution at low levels.
Ondrej Krehel, LIFARS: More 2+ factor tools for access.
David Clarke, VCiso: Hardware security appliances may make a comeback as virtualisation may still be very vulnerable to skill shortages and software exposures.
Stephan Conradin: Perhaps more concerns with corrupted devices by firmware, and questions like How to trust manufacturers.
Paul Hoffman, Logical Operations: More use of built-in BIO security.
Andrew Bagrin, My Digital Shield: Hardware security is fine, but it doesn’t need to be on specialized hardware. For 2016, I don’t believe there will be much change.
Wade Johansen, CouriTech LLC: TPM will make a larger impact, and we will continue to make smaller, faster IOPs capable data devices for the data center.
www.eforensicsmag.com
www.hakin9.org - 104 -
A
REAS OF SECURITY What are your predictions for cloud security in 2016?
Michael A. Goedeker, Auxilium Cyber Security: National and International Privacy will continue to shape this industry and how products are hosted to international customers and partners. As more services and resources are put into the cloud, so too will the regulations and audits needed to verify compliance evolve. As more services are hosted in the cloud, it then becomes an even bigger target.
Rajeev Chauhan, Cyber Oxen: IOT will dictate the security in cyber space scenario including all the areas of security mentioned above. The boundaries between hardware and software security will merge.
Wade Johansen, CouriTech LLC: AWS and Azure will make cloud security a priority this year. There appears to be a lull in the adoption of more cloud based services, and in large part, it’s because the security has been behind. That will be rectified this year.
Ondrej Krehel, LIFARS: I hope the providers will be more secure in their deployments.
Mark Bennet, Blustor: There is an interesting growth trend in the number of whitepapers and articles that have been published over the past year that espouse the increased security of cloud based solutions. While these claims are partially true, a close examination of many of the articles reveals that they are often sponsored by companies that provide cloud based solutions or related services. The reality is that the cyber security in the cloud is still largely immature, unproven, and there are ample examples of failures. Like the growth of mobile devices, the cloud is a tremendously powerful tool but carries with it the risks of what is still a young and rapidly evolving industry. Enterprises need to carefully examine how access to cloud based data and applications are effectively controlled.
Leon Kuperman, Zenedge: Cloud is an area where the industry is behind. There are no solid security standards for multicloud deployments / implementations. New solutions will need to be introduced to close the gap between on-prem (mature) security and cloud infrastructure.
Wade Lovell, Simpatic: More companies will move to universal two factor authentication. True secure end to end encrypted email and chat will start replacing insecure desktop and mobile email in particular. Companies will force https connections to all web sites accessed from within their organization and eventually move to white lists.
www.eforensicsmag.com
www.hakin9.org - 105 -
A
REAS OF SECURITY What are your predictions for cloud security in 2016?
David Coallier, Barricade: Huge year for cloud security. More companies are becoming aware that "the cloud" is not a silver bullet but also not completely insecure. Tools who are born on the cloud will prevail as it is clear that incumbents who are retroactively adapting their tools for cloud products are simply not good at it. The pricing models for the security industry, which has traditionally been contract -based, has to change to reflect how people use the cloud. The SaaS model for security will grow.
Stephan Conradin: With cloud we delegate our security without strong controls. Sooner or later, there will be a serious incident.
Dennis Chow, Millar, Inc: Many more vendors and startups coming to complement access controls and data discovery/data control.
Mitchell Bezzina, Guidance Software: Large Cloud Vendors will be forced to make virtual machines of computer systems available to security teams for incident response investigations in response to new data breach notification regulations. Without access to full machines, response teams are limited in their ability to acquire all data quickly, this may also affect SaaS providers and will likely lead to instrumental case between a breached organization and its cloud provider.
Paul Hoffman, Logical Operations: More security controls.
Andrew Bagrin, My Digital Shield: Security in the cloud and securing the cloud are two different things. I believe there will be a much bigger move to providing security in the cloud (pre-scrubbing).
Julie Herold, Kenny Herold, Odin’s Eye: We think technologies like Chef, Puppet, Ansible, SaltStack and Docker will be targeted by attackers to proliferate backdoors, misconfigurations with the intention of abuse, and malware. Of course, this would also include any other patch management, centralized security appliances/solutions etc.
Rick Blaisdell: Cloud security will increase in scale, and decrease in complexity. In 2016, we’ll see cloud security evolve into simpler, virtualized controls and solutions that will have embedded security processes to help map current IT systems. Heavy protective layers that have difficulty scaling in the cloud will stay behind, and next year will have lighter, scalable cloud security solutions.
www.eforensicsmag.com
www.hakin9.org - 106 -
A
REAS OF SECURITY What are your predictions for cloud security in 2016?
Craig McDonald, MailGuard: 2016 will be the first year cloud services will be chosen because of their enhanced security. People are at risk of physical harm as nextgeneration technologies are targeted. Cyber attackers will fund unpatched vulnerabilities in smart-connected home devices as a way to stage a full-blown attack. There are no signs of a wide scale attack coming but this scenario is highly probable. Attacks on next generation payment methods – from EMV credit cards to mobile wallets – will increase. Mobile malware is expected to grow exponentially with much of this originating in China. Hacktivists will use data breaches to systematically destroy their targets. Businesses will also fall for elaborate tricks that use new social engineering lures. Expect a big increase in ploys that persuade employees to transfer money to cybercriminalcontrolled bank accounts. Their first step is to become familiar with the target’s ongoing business activities, so their malicious schemes are camouflage. This is typically done by intercepting communications between business partners.
David Clarke, VCiso: Cloud availability and a minimum of dual (maybe internet and private) connectivity. Cloud services will help mitigate skills shortage in cyber security.
Irfan Shakeel, EH Academy: Cloud security will face new challenges; hackers are more likely to exploit the human vulnerabilities. Organizations have to invest in training programs; the certification providers will also create the cloud specific certificate and training to capture the market need. Over all, the business will grow.
www.eforensicsmag.com
www.hakin9.org - 107 -
W
HO IS WHO Ondrej Krehel Lifars, CEO and Founder
Julie Herold Odin’s Eye Senior Security Consultant
He is the CEO and Founder of LIFARS LLC, an international Cybersecurity Intelligence, Digital Forensics, and Incident Response firm. Ondrej also leads the Digital Forensics team at LIFARS. He’s the former Chief Information Security Officer of Identity Theft 911, the nation’s premier identity theft recovery and data breach management service. He previously conducted forensics investigations and cyber security consulting at Stroz Friedberg. With two decades of experience in computer security and forensics, he conducted a wide range of investigations, including data breached through computer intrusions, theft of intellectual property, massive deletions, defragmentation, file carvings, anti-money laundering, financial fraud, mathematical modeling and computer hacking. Ondrej’s experience also includes advanced network penetration testing using various tools and technologies, database security testing, physical security assessments, logical security audits, wireless network penetration testing, and providing recommendations for operational efficiency of approaches.
Strong eleven year development background for a Fortune 10 company and 2 years of penetration
Kenny Herold Odin’s Eye Principal Security Consultant 4 years of experience as a service lead for anti-spam/anti-malware/ anti-virus working for a Fortune 10 company at a global scale as well as 2 years of general application security background and 5 years of penetration testing in aforementioned company and an additional 2 years of penetration testing for Odin’s Eye, LLC.
Alina Stancu Titania Marketing Coordinator She is Marketing Coordinator at Titania and has spent the past two years, learning, talking and writing about information security. She is also a contributor to The Analogies Project.
www.eforensicsmag.com
www.hakin9.org - 108 -
T
HE INDUSTRY Will 2016 belong to start-ups or big cyber security corporations?
Chase Cunningham, Cynja: Startups will continue to be the real infosec innovators. I predict large companies will pick up their pace of acquisition of these smaller firms. From where I sit, the large companies aren’t concerned or even working towards much innovation in the space as it is cheaper to simply buy the little guys out. This “trend” is basically leading to the establishment of a market wherein anyone can start a company, come up with something 1% better than someone else and get bought for a lot of money, then go off and do it again.
Irfan Shakeel, EH Academy: 2016 will belong to the start-ups of the infosec companies. Startups will focus on vulnerability research, threat intelligence & monitoring tools. The infosec service sector will likely to grow, as more organizations are looking for services.
Leon Kuperman, Zenedge: Disruptive Startups.
Einaras Gravrock, Cujo: The tide’s going to be growing for all types of companies. New sectors within cyber security will create new giants from startups. Overall, this is growing so fast… with such a huge demand for products and sectors within cyber security the space will continue booming in 2016 and beyond.
Michael A. Goedeker, Auxilium Cyber Security: Hard to say really. Start-ups will happen, the question is if big cyber corps will start to get more pressure to think dynamically like start-ups do.
Wade Johansen, CouriTech LLC: Startups will be less of an influence in 2016 as the market becomes more global, they just don’t have the capability of tapping worldwide systems for the intelligence gathering in an increasingly hostile environment.
Mark Bennet, Blustor: In 2016, the growth of IoT, increased public awareness of cyber security issues, and the global expansion of Internet access will provide tremendous opportunities for cyber security start-ups. As typical of most industries, disruptive innovation is largely driven by small start-ups. We will see continued innovation in the cyber security space as well as consolidation as larger companies acquire start-ups with promising technology.
Elizabeth Houser, Praesidio: Startups. Larger cybersecurity corporations don’t offer the agility or innovation that startups bring to table.
www.eforensicsmag.com
www.hakin9.org - 109 -
T
HE INDUSTRY Will 2016 belong to start-ups or big cyber security corporations?
David Coallier, Barricade: Startups. The tech world moves so fast that the incumbents are stuck in the innovator's dilemma and only the smaller, more agile companies are able to move at the pace at which the security industry should be operating.
Stephan Conradin: Neither one nor the other. Good ideas are emerging in small entities but great entities have the ability to act. They have to collaborate.
Wade Lovell, Simpatic: 2016 is a year for start-ups to show their agility. Alina Stancu, Titania: Mergers and acquisitions in the industry will continue to take place. Small cyber security boutique-style companies, which have the flexibility to develop innovative solutions at a fast pace, will be acquired by bigger, more established companies. Something which big enterprises find more difficult. However, as demand for more than one solution addressing different needs increases, big corporations choose to increase their portfolio of in-house solutions.
Craig McDonald, MailGuard: The big security players are at risk of being disrupted by agile emerging competitors. Their challenge is to start delivering the next generation of security solutions for the cloud, where they lag behind. Expect to see the big players courting and buying small vendors – unless they can finally achieve some innovation in their current product offerings. As Microsoft’s Azure and AWS compete for business, they will focus on new and improved security features, in particular, helping customers to have greater control and visibility into their cloud. As they reach ‘feature parity’ in the IaaS (Infrastructure-as-a-Service) space, rich security capabilities will become their differentiators, either through additional platform features or third-party offerings.
Paul Hoffman, Logical Operations: There is room for both. The big companies’ will have it easier because they already have customers, but startups will have innovative technology that will make them relevant.
Ondrej Krehel, LIFARS: New players will always be great, but they can be bought out.
Rajeev Chauhan: There is ample space for startups as not all industries can afford highly expensive services of corporations.
www.eforensicsmag.com
www.hakin9.org - 110 -
T
HE INDUSTRY Will 2016 belong to start-ups or big cyber security corporations?
Dotan Bar Noy, Re-Sec Technologies: We are at time where the big vendors dominate the more conservative solution and reinventing themselves by acquiring innovative new technologies. The startups are the ones that will introduce the disruptive technologies that will be necessary in order to combat new types of malware.
Nick Prescot, ZeroDayLab: Clients are looking for the right company to do the right job, the benefits won't change.
David Clarke, VCiso: Both as the bigger ones will buy the start-ups.
Gerald Peng, Mocato: Start-ups. In the first half of 2015, venture firms invested $1.2 billion into cybersecurity start-ups (CB Insights). Corporate customers want to avoid destructive attacks that can hurt their brand names and consumers are trying to protect their private information. These firms are finding innovative ways to capitalize on that need.
Anthony Di Bello, Guidance Software: I think the question is more will 2016 belong to broad security vendors (such as Palo Alto, McAfee) or niche best-of-breed vendors (such as Blue Coat, Guidance software). I believe we will see a focus on integrated best-of-breed solutions, the mix of which being different at each enterprise based on their unique environment and threat types.
Andrew Bagrin, My Digital Shield: Definitely startups! BroadTech Security Team: Nothing will hinder startups though some will fail. Many of the products of cyber security corporations will become a public disgrace.
Julie Herold, Kenny Herold, Odin’s Eye: Larger security corporations because of the increased demand, lack of consumer knowledge in what they need as far as breadth and depth for defensive or proactive offensive testing and mitigation and/or remediation advice.
www.eforensicsmag.com
www.hakin9.org - 111 -
T
HE INDUSTRY
Will cyber security events (like BlackHat or DEFCON) remain an important part of influencing the development of cyber community and companies? Chase Cunningham, Cynja: The larger CONS are already basically viewed by most security operations personnel as not much more than a reason to go to Vegas and perhaps participate in shenanigans. It’s smaller CONS where really interesting and really innovative solutions are being shown. The large CONS will continue but are slowly becoming nothing more than a giant sales convention for companies to network and pitch things.
Ondrej Krehel, LIFARS: I think the focus is changing from them. They’ve grown too big.
Michael A. Goedeker, Auxilium Cyber Security: It’s getting to the point where the investment for attending and the value are starting to be questioned for some conferences. In my opinion, events like Bsides are becoming more important and attended by more people due to the lower costs involved with attending. I am by no means saying Blackhat is not valuable but people are starting to feel real pain when paying thousands of dollars or euros to attend a conference in the US. There has to be a balance and not a „we are talking all the money from all sides” just so you attend our show. Security lives from teaching and not being so egotistical with conferences.
Rajeev Chauhan: Yes, they may become prominent as recruiters for govt agencies as well as “Contract Agreement” hunting ground.
Leon Kuperman, Zenedge: These events are overly commercialized at this point and used as announcement platforms for the most part.
Stephan Conradin: Yes. Experts should meet experts to share knowledges.
Julie Herold, Kenny Herold, Odin’s Eye: We think these events are becoming more and more about networking and vendors which will continue on the upward trend.
Paul Hoffman, Logical Operations: Yes, for a while.
BroadTech Security Team: Yes, of course, such events are the life and blood of cyber security. There will be many more such local events, too, which may not get much press.
www.eforensicsmag.com
www.hakin9.org - 112 -
T
HE INDUSTRY
Will cyber security events (like BlackHat or DEFCON) remain an important part of influencing the development of cyber community and companies? Craig McDonald, MailGuard: Yes, and there will be more of them. Education and communication is a key priority in 2016. Cybersecurity can no longer be seen by businesses as optional, nor half-baked solutions accepted.
Wade Johansen, CouriTech LLC: Yes, unfortunately they still will not be a target of many companies for sending their cyber employees, as it’s still seen by too many as a non-essential training experience.
Andrew Bagrin, My Digital Shield: Yes, that is where all is exposed.
Anthony Di Bello, Guidance Software: Certainly. They should (and are) be leveraged as recruitment events. In addition I think we will see more involvement by industry in collegiate cyber security events such as www.nationalccdc.org and niche security events such as guidancesoftware.com/ enfuse, bringing together like specialist communities to a common cause.
Dotan Bar Noy, Re-Sec Technologies: Yes. It is harder to get noticed at those events due to the overall noise. But those events play a significant opportunity to meet professionals, exchange ideas and meet decision makers.
Wade Lovell, Simpatic: Yes, if they don’t get too expensive for small bleeding edge companies to justify attending and if they keep attracting new talented speakers.
www.eforensicsmag.com
www.hakin9.org - 113 -
T
HE INDUSTRY Will we see more state-level cooperation in 2016?
Chase Cunningham, Cynja: Local and state governments in the U.S. are so far behind the curve in cyberspace they don’t even have an idea on how to get involved. Without a coalition that can guide local and regional entities and help them gain traction in solving their own specific cyber problems, they will continue to lag and exploits will rapidly expand.
Andrew Bagrin, My Digital Shield: Less cooperation and more regulation I think, which is a mistake, but that is how our government thinks when it comes to security.
Rick Blaisdell: 2016 will be a very significant year for both sides of the cybercrime equation. Governments and enterprises will begin to see the benefit of cybersecurity foresight, with changes in legislation and the increasing addition of cybersecurity officers within enterprises. In addition, as users become more aware of online threats, attackers will react by developing sophisticated, personalized schemes to target individuals and corporations alike.
Dennis Chow, Millar, Inc: We will see more attempts at information sharing and incident response assistance.
Michael A. Goedeker, Auxilium Cyber Security: Certainly and this is a good thing! We need to discuss privacy, protecting people, critical infrastructure.
Paul Hoffman, Logical Operations: Yes they will have to. Leon Kuperman, Zenedge: Yes, it’s a musthave shift. Julie Herold, Kenny Herold, Odin’s Eye: No, there is too much on their plate to be able to assist the private sector unless it is in the best interest of the state or nation. Funding for security on the lowest levels of defense is lower in government agencies than the private sector. If anything, threat intel shared from the private sector, which is capitalist driven, may assist at the state or national level.
Wade Johansen, CouriTech LLC: Yes and No? As the world becomes smaller electronically, states are beginning to realize that being part of larger and slower government system can be crippling, but when it comes to sharing data about its citizens or immigrants then I think yes, they’ll share a lot more this year than last year?
www.eforensicsmag.com
www.hakin9.org - 114 -
T
HE INDUSTRY Will we see more state-level cooperation in 2016?
Anthony Di Bello, Guidance Software: To some degree. Will it be effective? Depends on the degree of sharing, accuracy of what is being shared, and the controls various states will demand on the data they are sharing.
BroadTech Security Team: Yes, but each state taking into its own national interest first.
Stephan Conradin: I hope. We are in cyberwar and some aliens are always welcome.
Einaras Gravrock, Cujo: We are seeing it already. For example, the recently announced Department of Homeland Security initiative to secure IoT devices. We can expect many more initiatives like that simply because the government alone cannot combat this problem.
David Clarke, VCiso: Yes already happening, and needs to be at a business level.
Wade Lovell, Simpatic: No. Nation states have their own agendas and huge budgets as well as some of the brightest minds in white hats. The so-called cooperation we have seen so far has allowed them to tamper with standards and implementations down to the level of the NSA allegedly recommending elliptic curves it has the means to break.
www.eforensicsmag.com
www.hakin9.org - 115 -
T
HE INDUSTRY In which industry will we observe the biggest demand for cyber security services?
Michael A. Goedeker, Auxilium Cyber Security: Critical Infrastructure, Defense and anything Big Data.
Przemek (Shem) Radzikowski, Secbüro Labs: Akami’s statistics for 2015 show that Media & Entertainment (48%), High Technology (11%), Retail (9%) and Public Sector (5%) collectively accounted for 65% of attacks. I’d put my money on this trend and say that these four segments will drive demand.
Mark Bennet, Blustor: The healthcare and related industries are already under tremendous pressure to address the tremendous vulnerabilities in their legacy infrastructure, medical devices, and data protection solutions. This is an area that is gaining public awareness and will drive the demand for innovative solutions that can help solve some of the industry problems without breaking the bank.
Kenneth C. Citarella, Guidepost Solutions: Government, banking and healthcare will fuel the demand for cyber security. Andrew Bagrin, My Digital Shield: Probably retail and healthcare.
Wade Johansen, CouriTech LLC: Travel and immigration services such as VISA programs.
Wade Lovell, Simpatic: The security spent in healthcare is expected to rise more than 20% but I think the biggest demand will be among money center banks. (Symphony, which serves a coalition of 19 banks, just raised another $100 million this Fall.)
David Coallier, Barricade: Strange answer to this one but fashion and e-commerce to us have strong signs of interest and growth. Many companies in these industries do not traditionally have a strong security culture and new products will come in and help them achieve that, grow with security awareness at the very least. Mayur Agnihotri: Cyber security services / solution is one of the alarming concerns in many critical industryies, such as BFSI: aerospace, defense, and intelligence, because the biggest challenges of cyber security are education and training in 2015.
Roberto Langdon, Nicolas Orlandini, KPMG: Cyber Security is a challenge for the entire “Government-Private Corporations, SMB organizations, and professionals” ecosystem. It requires to stay informed, well equipped, conscious about the subject, and with policies and procedures to let the people know how to do the things right, and how to react to a security issue or incident.
www.eforensicsmag.com
www.hakin9.org - 116 -
T
HE INDUSTRY In which industry will we observe the biggest demand for cyber security services?
Alina Stancu, Titania: Possibly healthcare. Although the financial sector, as well as various governments, are stepping up security efforts, due to the threat levels. Financial crime is not disappearing, though it is becoming more targeted, while state-sponsored attacks, through their complexity and persistence, require significant resources and a wide range of specialised skills. The most stealthy attack campaigns known to date (Stuxnet, Duqu, Flame, The Mask) have been from statesponsored actors.
Anthony Di Bello, Guidance Software: Healthcare, retail, government and finance. A problem here is financial and consulting (PWC, ATOS, Optiv, etc) industries have the cash to corner much of the existing talent.
Gerald Peng, Mocato: Retail, healthcare, finance, and device manufacturing. The first two will demand it due to the IP, consumer data and communications they want to protect. Companies that process electronic payments or produce IP-sharing devices will also want protection against cyber threats in order to maintain consumer confidence and brand reputation.
Stephan Conradin: SCADA, critical infrastructures.
Dotan Bar Noy, Re-Sec Technologies: According to the “Banking & Financial Services Cybersecurity: U.S. Market 2015-2020 Report”, by Homeland Security Research Corp. (HSRC), the 2015 U.S. financial services cybersecurity market will reach $9.5 billion, making it the largest nongovernment cybersecurity market. In addition, the report concludes that this market will be the fastest growing nongovernment cybersecurity market, exceeding $77 billion in cumulative 2015-2020 revenues. This is driven by an increase in regulation and the demand for zero breaches, shutdown time and information leak systems.
David Clarke, VCiso: Demand is big, the ability to pay isn’t, government, finance, pharmaceutical, legal.
BroadTech Security Team: Defence, health care, power...
Paul Hoffman, Logical Operations: Healthcare, they are so far behind. It will take years to get them off this list.
www.eforensicsmag.com
www.hakin9.org - 117 -
T
HE INDUSTRY In which industry will we observe the biggest demand for cyber security services?
Leon Kuperman, Zenedge: Banking, Insurance, Financial, Health Care, Retail.
Julie Herold, Kenny Herold, Odin’s Eye: The health industry as a result of the upward trend in data breaches and the lack of security maturity in this space.
Ondrej Krehel, LIFARS: Manufacturing.
www.eforensicsmag.com
www.hakin9.org - 118 -
T
HE INDUSTRY What do you think will change in the cyber security market in your country?
Michael A. Goedeker, Auxilium Cyber Security, Germany: I hope that there will be better rates for experienced security people. Right now many big customers pay little for much, this is unbalanced and really unfair as „cyber” security experts do a lot of learning and gain experience that is not paid. This experience „SHOULD” be paid but currently isn’t. At some point, we will refuse to be undersold and not work for minimal wages comparable to low paid jobs that do not require special training, certifications or degrees in addition to real world experience.
Wade Johansen, CouriTech LLC, US: The push for BYOD will drastically drop this year in the US because of inherently insecure devices that are not corporate controlled, which could compromise entire networks. Dennis Chow, Millar, Inc Short: Advances in Threat Intelligence and Automatic Response in Systems.
Alina Stancu, Titania, UK: UK remains a hotspot for disruption and advancements in technology. But where recent years have been explosive with new start-ups and cutting-edge developments, 2016 is converging towards a more consolidated, mature market. More defined classifications of security services are starting to emerge. Export was a priority to the UK government in 2015 and that was illustrated best with the visit of Prime Minister David Cameron to US at the beginning of this year, where he invited a trade delegation of cyber security companies.
Andrew Bagrin, My Digital Shield, US: More complexity and higher process.
Dotan Bar Noy, Re-Sec Technologies, Israel: The latest data from Israel’s National Cyber Bureau indicates cyber exports increased from $3 billion (USD) in 2013 to $6 billion in 2014, that constitutes about 10 percent of the global cyber market. Israel is second only to the United States as the largest exporter of cyber products. This is made possible by the increasing amount of highly skilled professionals. Israel’s unique security needs created a focus on cyber security education in schools, army service, and dedicated collages. Hopefully, we will see additional Israeli vendors take their place as world leaders, such as Check Point, CyberArk, etc.
Julie Herold, Kenny Herold, Odin’s Eye, US: We think the days of charging absurd amounts of money for IT Security services will be controlled as a result of the number of competitors and it will put an end to the exorbitant and unfair pricing many of the leading IT Security companies charge.
www.eforensicsmag.com
www.hakin9.org - 119 -
T
HE INDUSTRY What do you think will change in the cyber security market in your country?
Mayur Agnihotri, India: Yes, one of the biggest changes because of Prime Minister’s vision for India to take leadership in this critical and emerging space. Indian digital security market to grow at 8.3% to $1.1 bn in 2015, says Gartner, Indian IT security market reaches 1.2 billion next year I expect. Main components contributing to the growth of the Indian cyber security market include: increased penetration testing of IT services in the telecom, banking and insurance industries; the vulnerability of Indian IT infrastructure to hackers; National Association of Software and Services Companies (NASSCOM) and Data Security Council of India launch the NASSCOM Cyber Security Task Force that aims to build India as a global hub for providing cyber security solutions, developing cyber security R&D.
Anthony Di Bello, Guidance Software, US: Tough one to answer, depends on what the next high-profile breaches have to offer.
Wade Lovell, Simpatic, US: In the United States, there is a decent chance the federal government will weaken encryption, leaving a broader attack surface.
Roberto Langdon, Nicolas Orlandini, KPMG, Argentina: Checking really quickly the site http://map.norsecorp.com/ and then you can see the online status of cyber-attacks around the globe in real time. What are we waiting to put our hands on to just leave to be an observer, and be a protagonist?
David Clarke, VCiso, UK: Legislation as per other industries.
Gerald Peng, Mocato, Canada: Proliferation of fraudulent electronic payments, in conjunction with an increasing number of public corporate security breaches.
BroadTech Security Team, India: People will be willing to pay external agencies to conduct security audits and not just blindly leave it to network/system administrators.
www.eforensicsmag.com
www.hakin9.org - 120 -
W
HO IS WHO Craig McDonald
David Coallier
MailGuard, CEO and Founder
Barricade, CEO David Coallier is the chief executive officer of Barricade. David is a technologist, an avid learner, and a serial entrepreneur with a passion for artificial intelligence.
In 2001 I started MailGuard Pty Ltd (MailGuard). I saw a world where online security was going to be a growing concern. A key to solving that problem was the need for a simple and inexpensive way to manage unwanted email and website content. MailGuard, in response to that need, has pioneered a range of cloud security solutions to provide complete protection against online threats such as malware, spyware, viruses and spam. My key focus for the moment is to support businesses who continue to struggle with IT security. I want to continue growing through technology and allied partnerships.
Nick Prescot ZeroDayLab Senior Information Security Manager As Head of GRC and incident response , I am responsible for the development and delivery of these services to our clients. Whether you need an assessment, review, audit and/or a consultation with your people,policies, procedures and processes ZeroDayLab's award winning consulting services can ensure that you are protected with the very best advice; if you are unfortunate to be at the receiving end of a breach, you can be assured that the very best people in the business are there to keep the hackers at
Stephan Conradin I am an independant consultant with more than 30 years of activities in information security as well as information systems. I have hold CISSP, CISM, CRISC, ISO 27001, COBIT and ITIL certifications and a Master in Information Security.
www.eforensicsmag.com
www.hakin9.org - 121 -
C
YBER SECURITY AWARENESS
Will the cyber community influence the level of cyber security awareness?
Chase Cunningham, Cynja: How can we work towards improving cyber security awareness in 2016? Cyberspace isn’t the Magic Kingdom. It’s the Wild West—only worse, as it’s a place where it’s really difficult to observe people as they make choices and experience the consequences. So corporate social responsibility programs try to drive a consciousness-raising dialogue among young people to fill the void. Sadly, what they deliver is often hopelessly lame and condescending. They miss that creating cybersecurity awareness, especially among kids, takes serious effort—and that in the case of our digital lives today, one that has to be backed by the creative vision necessary to set out and define this new frontier. This is something new— something we never experienced before. Instead, many large companies who have the revenues to do this simply don’t. They justify their limited efforts by claiming to only have a “limited budget” for guiding kids on how to protect their future. Some corporations just want to tick a box to show that they are “helping the children” and move on. And so kids are shown silly dogs, flying saucers, or the occasional cyber kitty—accompanied by bullet point guidance more suitable for corporate PowerPoint presentations. Seriously, how are we as an industry going to inspire kids to want to make smart choices online with PowerPoint and clip art? Our kids and our children’s children are going to be the ones who will see new technologies and methods of compromise we haven’t even considered. As an industry, we must take this responsibility seriously rather than treat it like an optional line item to be squeezed by our finance departments. We need to educate and train kids to be cyber smart and involve more kids in our industry. Today, too many companies focus on the now, rather than the later. That behavior simply means our industry is shorting an entire generation of children’s digital future. It’s very sad to watch.
Mark Bennet, Blustor: The cyber community can have a tremendous influence on public awareness by evangelizing and working with the media to bring serious issues to surface. This requires a level and style of communication that “mere mortals” can understand and using examples that clearly show the potential consequences. As a community, we need to encourage and support cyber security experts to share their stories, concerns, and potential solutions with the rest of the world.
Ondrej Krehel, LIFARS: Lawmakers and corporations are the big movers. Money makes people do things.
Elizabeth Houser, Praesidio: Yes, but in a reactive manner. The level of cybersecurity awareness is most greatly influenced by the publicizing of breaches and litigious actions that follow.
www.eforensicsmag.com
www.hakin9.org - 122 -
C
YBER SECURITY AWARENESS
Will the cyber community influence the level of cyber security awareness?
Richard De Vere,The AntiSocial Engineer: In the UK, we are starting to form smaller clusters of computer security experts, this is designed to give smaller businesses around us access to good sound advice. Soon, all the UK will have a network of talent to lean upon.
Roberto Langdon, Nicolas Orlandini, KPMG: Awareness is one of the most important (if not the most) topics the corporations need to address. Cybersecurity is a process, not a product or a department within the company. This needs to be addressed using a top-down-top approach. Needs to reach the entire organization.
Einaras Gravrock, Cujo: Absolutely. I think cyber security researchers, as well as ethical hackers have been very vocal for years about security issues and finally they are being heard. We have reached the point where a significant dialogue is happening around the world and cyber security experts are a big part of that dialogue.
Francisco Amato, Infobyte: I don't think so, it depends a lot on the culture and the country, but in general people start to grasp cyber security threats posed to them more from problems or news that happen in companies on a daily basis than from warnings from IT sec professionals. To give an example, people for quite a few years have known that they need to do backups for security reasons, for normal problems with hard discs that break, etc. Today, with attacks done with Ransomware, we can see now that simple backups don't always get the job done. It is possible that this type of attack ends up raising awareness about the importance of safeguarding one's information, because not only is there the chance of your hard disc breaking but when a Ransomware is able to capture all your information and extort money from you in order for it be returned. The same kind of things happen when almost weekly a new company has their information compromised and people seeing this in the news start to ask themselves how they can protect themselves and their organization.
Amit Serper, Cybereason: Absolutely - all the recent data breaches have thrust cyber security into the spotlight. Now that it’s on it, Cyber security leaders will also “cross the chasm” and become much more visible as cybersecurity champions and evangelists.
Wade Johansen, CouriTech LLC: Yes, it’s a key factor in getting needed information out to the public quickly so actions can be taken immediately as needed. If you wait for the news to report it, then chances are it’s already old news to the cyber community.
www.eforensicsmag.com
www.hakin9.org - 123 -
C
YBER SECURITY AWARENESS
Will the cyber community influence the level of cyber security awareness?
Kenneth C. Citarella, Guidepost Solutions: Cyber security awareness must develop within the user community at all levels. No matter what security experts say, unless the need for security is well understood and adopted as a policy and a practice, we cannot become more secure.
Andrew Bagrin, My Digital Shield: Yes, they are doing it already and will continue to improve.
David Clarke, VCiso: No, awareness plus strategy and technology will.
Julie Herold, Kenny Herold, Odin’s Eye: No, the topics are too complex and therefore not palatable for anyone that is not IT savvy as well as IT Security savvy.
Leon Kuperman, Zenedge: Yes, the trend will continue.
Wade Lovell, Simpatic: Yes, those of us who cried “Wolf!” are now seen as wellinformed instead of paranoid. “Your mind is working at its best when you're being paranoid. You explore every avenue and possibility of your situation at high speed with total clarity.” ― Banksy, Banging Your Head Against a Brick Wall.
Anthony Di Bello, Guidance Software: Certainly, and already are doing so through things like national cyber security awareness month (October).
Nick Prescot, ZeroDayLab: Yes, because of the legislative drive that is happening but it will become more of a business issue. Stephan Conradin: Yes. We must influence because we are in front line. Alina Stancu, Titania: Yes, the security community is the only one to drive awareness among the non-technical public. While there is an argument to be made regarding scaremongering by some vendors, there are genuine businesses in the industry that wish to inform and educate as well as develop a thriving business and support economic growth.
Michael A. Goedeker, Auxilium Cyber Security: That is our (its) responsibility. We must continue as an industry to teach and make aware but in ways that are different than before. Its cool and hip to be secure, it's a way of life that everyone should have.
www.eforensicsmag.com
www.hakin9.org - 124 -
C
YBER SECURITY AWARENESS
How can we work towards improving cyber security awareness in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Talk, present at Bsides and other security conventions, boycott the selling of speaker slots (for money) by sales companies.
Dennis Chow, Millar, Inc: Add gamification theory to the community which will encourage active participation in improving security awareness as a whole.
Amit Serper, Cybereason: Start cyber security education and awareness training in elementary school.
Elizabeth Houser, Praesidio: Fund and make mandatory cybersecurity training for users.
David Coallier, Barricade: The only way we can work towards improving cyber security awareness is by building tools that are not exclusively made for security experts. We are very bullish on the concept of bottom-up security. Traditionally, security has been mandated from the top-down. A C-Level would push for the security standards to be put in place and it would become more a chore to the people who are actually managing the day-to-day operations, developing the online applications, etc. Many new products, such as Barricade, empower the developers and operations teams first, then they allow the organisation to grow with it. Engineers by nature want their work to be better. New products allowing developers to produce better code and allowing the operations teams to deploy and manage their infrastructure with confidence are required. Security is rarely at the top of the priority list for most SMBs and it shouldn't change. What should change are the products those companies use in order to manage their security.
Richard De Vere,The AntiSocial Engineer: We should all stop bashing people over the head with cyber security. It’s time we turn our expertise to our family and friends. The big corporates will always be responsible for their own security but the common person in the street is at risk daily from preventable attacks.
Stephan Conradin: Communicate, collaborate, explain again and again.
Wade Johansen, CouriTech LLC: Social awareness. There is a stigma that goes with being the one to say something, and then maybe being contested by others. Standing up for making any improvements in security is hard because it’s essentially non-conformist in nature. However, it's a critical part of moving any society forward when we speak about raising security awareness.
www.eforensicsmag.com
www.hakin9.org - 125 -
C
YBER SECURITY AWARENESS
How can we work towards improving cyber security awareness in 2016?
Mayur Agnihotri: Some points which are first clear for audience and trainers are: Don’t confuse cyber awareness programs with security training; • Include posters, newsletters, email tips, blogs and reminders; • Cyber security awareness improves by changing culture (changing behaviors {Relate cyber awareness to personal life, family, home and corporate }) • Creating a Culture of Cybersecurity at Work / organization • Cyber security events must be started at small and medium size companies, schools, colleges and society.
Ondrej Krehel, LIFARS: Make it law to have cybersecurity guards just as they have regular security guards.
Wade Lovell, Simpatic: Launch meaningful social media campaigns with star collaborators. • Buy a Guy Fawkes mask and help take down ISIS or contribute to Anonymous in other ways.
Paul Hoffman, Logical Operations: Just keep the message out there. The hackers are helping by creating News. Kenneth C. Citarella, Guidepost Solutions: Government leaders at all levels must engage in a protracted and serious discussion of issues about cyber security. Some have begun that effort, but it must be more widespread and focused on specific efforts to be undertaken by government, business and private individuals.
Gerald Peng, Mocato: I believe that too often, awareness happens when there is a cyber disaster like Target or Ashley Madison. Part of the problem is the highly specialised nature of cyber security. I believe that to keep cyber security top of mind, the discussion has to become proactive and accessible by non-industry people.
Julie Herold, Kenny Herold, Odin’s Eye: Continue to have breaches, spamming initiatives, malware campaigns whether targeted or not, successful take downs for illegal activities, and other information regarding cybercrime activity and reduction being advertised for the sake of awareness. If non-IT savvy end users do not have a direct impact to them personally, we will not see improvement.
Rajeev Chauhan: The weakest link in the chain of cybersecurity is the lack of awareness amongst the users at all levels, starting from home users to corporate users. Concentrated efforts to create awareness has to be undertaken by schools, colleges, communities and corporates.
www.eforensicsmag.com
www.hakin9.org - 126 -
C
YBER SECURITY AWARENESS
How can we work towards improving cyber security awareness in 2016?
BroadTech Security Team: Making cyber security mandatory in curriculum. • Short interesting articles in print and visual/ cyber media, etc., are what our organization does in collaborating with the state police. • Conduct workshops.
David Clarke, VCiso: Security should be at board level, and legislated for.
Andrew Bagrin, My Digital Shield: We need to separate myth and reality. The reason awareness is taken with a grain of salt is because something is always trying to be sold.
Nick Prescot, ZeroDayLab: There won't be a magic wand to deliver, it's an education strategy.
Anthony Di Bello, Guidance Software: Doing what we can to make it a mainstream issue. Part of which involves being able to speak in everyday terms and with relatable examples to folks outside our industry.
Alina Stancu, Titania: We can demand for better legislation to reflect the concerns of individuals and businesses. There is, of course, the danger of over-regulation and crippling costs of compliance can be discouraging to small businesses. That is why the security industry can cooperate to develop helpful, free tools to support even firms on small budgets to achieve a basic level of security. If we raise the bar step by step, we can then focus on innovating more, collaborating better and living safer.
www.eforensicsmag.com
www.hakin9.org - 127 -
C
YBER SECURITY AWARENESS
What obstacle in awareness will remain unsolved? Mark Bennet, Blustor: Many cyber security risks are shrouded in complexity that is difficult for the general public to fully grasp. The cyber security community and the media need to work closely together to simplify and distill these risks into everyday terms that the public and our legislatures can better understand.
Leon Kuperman, Zenedge: The fundamental miscommunication and misunderstanding of how technology works and what is vulnerable.
Wade Johansen, CouriTech LLC: The realization of what firewalls and cryptography can really do for protection, and the importance of retaining offline backups.
Michael A. Goedeker, Auxilium Cyber Security: That people listen and change their habits. This can only be done by experiencing the pain of breaches (or so it seems).
Dennis Chow, Millar, Inc: Resources, not enough time and or money for polished programs at all the various entities from small to large.
Richard De Vere,The AntiSocial Engineer: I think awareness and perception to cyber crime is a hard battle, people can’t see most attacks, they have a tendency to ignore issues and hope it will be OK. With more and more breaches hitting the media in 2015, people are starting to be more aware - but have a long way to go!
Kenneth C. Citarella, Guidepost Solutions: The biggest obstacle will be personal conduct. Everyone likes to push cyber security off to the firewall, the system operators, the programmers or anyone else they can. We all must recognize that how we use whatever computer we are on, just like we drive a car, is critical to our safety.
Alina Stancu, Titania: The industry is still ridden with technical jargon. To the “uninitiated” public, this can be offputting and impenetrable. There is a perceived lack of interest even regarding the steady reports of breaches and cybercrime. Perhaps it is time to learn how to translate the industry in practical business terms.
Elizabeth Houser, Praesidio: The precise formula of situational awareness, motivation, and behavior modification to increase user participation in routine cybersecurity.
www.eforensicsmag.com
www.hakin9.org - 128 -
C
YBER SECURITY AWARENESS
What obstacle in awareness will remain unsolved? Ondrej Krehel, LIFARS: Having a security professional and not just “security aware” staff.
BroadTech Security Team: Rapport. People don’t understand the InfoSec languages and jargon. So things have to be simplified while spreading awareness.
Stephan Conradin: The ability of people to understand they are a big part of security. Julie Herold, Kenny Herold, Odin’s Eye: There is no magic bullet to educate the average end user. Paul Hoffman, Logical Operations: Training v. production. We can’t stop production for training. So we are having to squeeze training in as minimally as possible is the mindset for most companies. David Clarke, VCiso: Board level buy in, companies have legal, finance components they are there for compliance and legal reasons, cyber needs to be there as well.
Nick Prescot, ZeroDayLab: It won't happen to them so they won't worry about it.
Wade Lovell, Simpatic: Inertia. It is a powerful force. “The vis insita, or innate force of matter, is a power of resisting by which every body, as much as in it lies, endeavours to preserve its present state, whether it be of rest or of moving uniformly forward in a straight line.” Isaac Newton.
Andrew Bagrin, My Digital Shield: The trust, because cybersecurity is a complex thing to understand and trust someone about.
Anthony Di Bello, Guidance Software: The human factor can only be mitigated, not solved. Even with the best security awareness program, 1/100 people will still click that well-crafted phishing email.
www.eforensicsmag.com
www.hakin9.org - 129 -
C
YBER SECURITY AWARENESS
What role will awareness play in corporate cyber security? Michael A. Goedeker, Auxilium Cyber Security: A big one. Awareness pays many dividends to any company that invests in them. There are neutral statistics that prove that awareness campaign training decreases successful password hacking and social engineering attacks (two of the most difficult attack vectors to secure because of human nature vulnerabilities).
Kenneth C. Citarella, Guidepost Solutions: Security awareness is the key to our security, ultimately. This is true for individuals, as well as businesses and governmental agencies of all sizes. We must know our weaknesses, understand what the attackers do and remove practices that create vulnerabilities.
Wade Johansen, CouriTech LLC: Realization of the threat landscape which evolves daily is a technical cyber security challenge and often a nightmare. True awareness requires many things, including social media integration, which often is blocked on most corporate networks - accurate reporting from real-time systems which often display false positives - and knowledge by the technical staff to be able to interpret the data when anomalies are encountered. Target is an example of a breach where the systems were pointing to an event in progress, and it was repeatedly ignored as an anomaly that wasn’t a danger.
Andrew Bagrin, My Digital Shield: More training and testing of social engineering.
Elizabeth Houser, Praesidio: The lack of user awareness and inattentiveness will continue to pose a threat to corporate cybersecurity infrastructure.
Julie Herold, Kenny Herold, Odin’s Eye: We think there will have to be tighter controls given the BYOD policies many companies and organizations are implementing and deploying within their organizations to protect the end users from themselves.
Richard De Vere, The AntiSocial Engineer: Awareness and a good understanding of the nefarious people that we can all encounter online is the main objective. You can’t expect people to care about their digital security if they don’t have the perception of what's out there today.
Ondrej Krehel, LIFARS: It helps but you really need a professional. No one says to a secprof you should be accounting aware so we don’t need accountants, so why the other way?
www.eforensicsmag.com
www.hakin9.org - 130 -
C
YBER SECURITY AWARENESS
What role will awareness play in corporate cyber security? Paul Hoffman, Logical Operations: It will play the biggest role. No software or hardware can make up for an unaware employee clicking, or not changing a password, or any number of things that leave the cyber door wide open.
Gerald Peng, Mocato: Awareness will positively impact corporate cyber security by facilitating support and investment in cyber security protocols and tools.
Stephan Conradin: Crucial, employees must understand that cyber security if not a black box like a firewall, it is a continuous process and they are involved.
BroadTech Security Team: In many startups, there are no firewalls and the laptops are connected directly to internet through WiFi. In such cases, end point security is of prime importance and users should be made aware. In most corporates, awareness training is given, I suppose, and their focus should be on making people compliant to the security instructions. Nick Prescot, ZeroDayLab: Users are becoming more aware and this will be a constant education exercise.
David Clarke, VCiso: The awareness is there, it’s the incentive to implement that isn’t.
David Coallier, Barricade: This is going to be immense. For corporate awareness to kick in, security needs to be implemented bottom-up as a cycle rather than topdown as a mandate.
Wade Lovell, Simpatic: Maybe, just maybe 2016 is the year cyber security becomes a Board issue rather than an IT issue.
Dennis Chow, Millar, Inc: Eventually, it will become standard as part of other policies and procedures signed like an AUP. Anthony Di Bello, Guidance Software: A large role, many organizations already have some form of cyber awareness program. If nothing else it will help minimize the risk of social engineering attacks, which are leveraged extensively in the first phase of most compromises.
Mayur Agnihotri: Organization’s people have a key role to play in effective cyber security.
www.eforensicsmag.com
www.hakin9.org - 131 -
W
HO IS WHO Nicolas Orlandini
Gerald Peng
KMPG Director Forensic Services
Mocato, Founder
He is a Director of KPMG’s Cyber practice and a member of the Forensic Technology team, specializing in digital response services and cyber investigations. He is specialized in identification, preservation and collection of electronic stored information (ESI ), data leak prevention and detection, information protection and incident response, and information security audits. He also has a strong background across the electronic evidence acquisition protocols and chain of custody regarding eDiscovery matters or internal investigations. He developed and leaded the Forensic Technology Lab in KPMG Buenos Aires – Argentina office for many years, providing evidence collection, processing and hosting to companies and law firms located across Latin America, including clients located in Argentina, Brazil, Chile, Uruguay, Paraguay, Bolivia, Peru, Venezuela, Ecuador, Colombia, Panama, Curacao and Costa Rica.
Gerald Peng is the founder of Mocato Inc., a consulting firm that specializes in digital forensics, E-Discovery and data analytics. In the last 12 years, Gerald has provided services in computer forensics, incident management and information security. He has worked closely with financial institutions, law firms and government to perform computer forensic investigations and fraud analysis. Gerald is a certified computer forensic examiner (EnCE, GCFE), Certified Fraud Examiner (CFE), Certified Information Systems Security Professional (CISSP), and Certified EDiscovery Specialist (CEDS). He is also a member of the High Technology Crime Investigation Association (HTCIA), and a graduate of McMaster University’s Computer Engineering and Management program.
Francisco Amato Infobyte, CEO He is a researcher and computer security consultant who works in the area of vulnerability Development, blackbox testing and reverse engineering. He is CEO of Infobyte Security Research (Infobyte LLC) www.infobytesec.com, from where he published his developments in audit tools and vulnerabilities in products from companies like Novell, IBM, Sun Microsystems, Apple, Microsoft. His last work was evilgrade a modular framework that allows the user to take advantage of an upgrade process from different applications, compromising the system by injecting custom payloads. Founder and organizer of ekoparty south america security conference.
www.eforensicsmag.com
www.hakin9.org - 132 -
M
ISCELLANEOUS LogRhythm’s Predictions for Cybersecurity
An uptick in all-in-one home surveillance systems. We are seeing more motion sensing/camera/ recording devices in the home that can be managed through personal devices. This type of technology will continue to expand, and with this expansion, hackers will try to exploit them or cause chaos.
A rise in the use of mobile wallet apps. Like having virtual money and an ID in one’s pocket, mobile wallet apps are at the intersection of marketing and payments. And although a mobile wallet is convenient, it is directly tied to one’s mobile phone which is a critical access vector for cyber threats.
New model of what to protect. Instead of a mandate to “protect everything on the network,” IT staffs must work more like a unit, centralizing and protecting the most critical resources. This approach moves defense-in-depth to the most critical business components of the organization.
Identity access management: The unsung hero. Companies will be investing more money and R&D resources in behavior-based modeling, analytics and identity access management to track behaviors. More customers are asking about it, which will motivate the rest of the industry to follow.
The next big attack target: Education. This industry has a plethora of data that cyber criminals want - credit reports, personally identifiable information (PII), donor money, tuition money. And these institutions are not doing an adequate job of securing all their systems. Add to that the myriad “customer” – namely professors, student, parents, administrators – and you have magnified the attack vectors exponentially.
Emergence of hacking for good. More organizations, like Anonymous, will be leaving the dark side and hacking for the public good. They are more motivated by the notoriety and publicity on social media than for financial gain. Teens are learning to program on their own; high schools are introducing technology and coding to get this generation aware of and more proficient in this industry. Younger generations are finding coding and programming cool. This is the next gen workforce that we hope will continue to want to positively impact society.
Security is in a renaissance. Security is a hot space. And the fact that CISOs are getting a seat in the Boardroom is another indication of the importance of this industry for all organizations, regardless of the vertical market. Many companies still don’t have adequate security infrastructures, awareness or training to defend themselves. There will also be consolidation. Companies will either “get it” or not, and governments will start ramping up regulations.
www.eforensicsmag.com
www.hakin9.org - 133 -
M
ISCELLANEOUS LogRhythm’s Predictions for Cybersecurity
Next steps for CISA, open sharing of threat intelligence. Critical infrastructure will emerge as more companies in various sectors, such as energy, financial and healthcare, join in. The principle and the intention behind the creation of a more collaborative community for the open sharing of threat intelligence is grand, with two distinct sides of the political aisle. We will either see a big push or nothing happen at all.
Ransomware gaining ground. The ransomware-style of attack is powerful and expanding into Macs and mobile devices, making it easier to target consumers. Criminals can gain big profit by locking down an entire system; victims have no choice but to pay. Although consumers are ripe for the picking, businesses are not immune to this approach.
Vendors need to step up – Despite the running list of breaches, many companies still do not have an adequate security infrastructure to defend itself against cyber criminals. And we cannot rely on consumers to know how to protect home systems. It is up to the security vendors to build better software, systems and patching mechanisms, as well as offer training and services to protect people, companies and their assets.
www.eforensicsmag.com
www.hakin9.org - 134 -
M
ISCELLANEOUS IBM’s Predictions for Cybersecurity
Bob Stasio, senior product manager for cyber threat analysis, i2 Safer Planet: The market for behavioral analytics and threat detection offerings will continue unabated • Large financial organizations will continue divesting themselves of managed security services to create their own fusion centers • “Big X” consulting firms will offer their customers cyberintelligence-as-a-service consulting options • Companies and government agencies will begin using block-chain encryption to protect against cyberthreats • Private organizations will increase their visibility into the dark web to become more proactive about cyberthreats than ever before.
Shahid Shah, CEO, Netspectives Communication: The market for behavioral analytics and threat detection offerings will continue unabated • Vulnerability curators will become increasingly prevalent as companies learn to share breach data • Companies will begin properly inventorying digital assets and data as part of their risk management strategies, heightening understanding of threat surfaces and ways of minimizing them • Third-party libraries and software components will increasingly gain attention as CIOs and CISOs realize how many vulnerabilities they create.
Todd Rosenblum, senior executive for worldwide big data, i2 Safer Planet Auditability and managed access of US citizens’ personal data will be an increasingly important requirement for US national security agencies • The international community will create safe zones in Syria to stem the mass migration to Europe, and big data analytics will play an integral role in enforcing identity resolution and border security in those safe zones.
Andrew Borene, federal manager, i2 Safer Planet Continued cybersecurity breaches and state-sponsored cyber espionage will lead to spikes in cybersecurity spending on both workforce and software solutions • New data sources arising from the Internet of Things and biometrics will lead to a renewed government interest in using big data to prevent terrorism.
www.eforensicsmag.com
www.hakin9.org - 135 -
M
ISCELLANEOUS
Kenneth C. Citarella, Guidepost Solutions: Every year we learn about new intrusions and new breaches until we have almost become numb from the relentless reports. It will not change in 2016 unless there is serious cooperation among all levels of government, the computer industry and network owners, coupled with serious diplomatic pressure from the U.S. government on the international front.
David Clarke, VCiso: Cyber Security Vendors who can spend the most on R & D and who have market positions now will dominate the Information Security Marketplace. • The CISO role will need to change from being part of IT and report to either directly to the CEO or at least to Legal or Finance board members. • Legislation or pressure from Cyber Insurance, will enforce that certain cyber security components are mandated, eg strong authentication. Other industries such as the car industry, aero, nuclear and building have many mandated safeguards already, seat belts, vehicle checks, crash standards. An unsafe vehicle cannot be put on the roads, unsafe aircraft in the air, thus unsafe IT would not be permitted on the electronic highways.• Governments may need to provide assistance on protecting information superhighways similar to the way the road systems and airspace is protected. • Cyber Security will need to become an outsourced function due to complexity, rapidly evolving cyber technology, huge amount of Data to be processed and analysed, intricate threats, and exponential skills shortage.
Richard De Vere,The AntiSocial Engineer: The industry hasn’t taken the large steps it needs yet to focus on security first and profit second. Finance still leads most businesses security implementations in 2015 and for our selfish greed in this matter, we will see security breaches and online crime rise like it has done every other year previous. This is good for business in the short term yes, but the industry should seek to help people reduce crime before our business model collapses on itself.
Wade Johansen, CouriTech LLC: Organizational hacking will become a normal course of business and defense, if botnet time and crypto ransomware services can be bought for as little as $50 for an account, I believe you will see similar services being more readily available for purchase such as hackers for hire.
Irfan Shakeel, EH Academy: The importance of incident handling and digital forensics will increase. The community will invest their time and resources to develop and create the effective work-process to solve hacking cases.
www.eforensicsmag.com
www.hakin9.org - 136 -
M
ISCELLANEOUS
Kris Rides, Tiro Security: I think we will see more attacks coming through small vendors to larger companies. Many high tech vendors who are providing niche services have little or no security posture making them an easy way to get at the real target. We are already seeing SMB’s increasing their spend on security as they realize it can be a differentiator when it comes to winning new business against competitors.
www.eforensicsmag.com
www.hakin9.org - 137 -
W
HO IS WHO James Carder LogRhythm
Greg Foss LogRhythm
CISO & VP
Security Operations Team Lead
He has over 18 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. Government. At LogRhythm, he develops and maintains the company’s security governance model and risk strategies, protects the confiden`tiality, integrity and availability of information assets, oversees threat and vulnerability management and the Security Operations Center. He also directs the mission and strategic vision for the LogRhythm Labs machine data intelligence, threat research, compliance research, incident response, and threat intelligence teams. He holds a Bachelor of Science degree in Computer Information Systems from Walden University and is a Certified Information Systems Security Professional.
He is LogRhythm’s Security Operations Team Lead and a senior researcher with Labs, where he is tasked with leading both offensive and defensive aspects of corporate security. He has just under a decade of experience in the Information Security industry with an extensive background in Security Operations, focusing on Penetration Testing and Web Application Security. Greg holds multiple industry certifications including the OSCP, GAWN, GPEN, GWAPT, GCIH, and C|EH, among others. He has presented at national security conferences such as DerbyCon, AppSecUSA, BSidesLV, and is a very active member of the Denver security community.
Dennis Chow Millar Inc, Security Manager, Incident Response He is a security practitioner that has over 10 years of combined IT and Information Security experience. Dennis currently leads Information Security efforts at Millar, Inc. as their Network Security Manager. In addition management and practitioner experience, Dennis has consulted for various clients within Oil and Gas, Healthcare, Defense, and other critical infrastructure industries. Dennis also holds several industry known certifications including the GCFA, GCIH, GCIA, GPPA, CISSP, E|CSA, C|EH, and L|PT and is currently the Program Manager for a collaborative Cyber Threat Information Sharing Grant by the Department of U.S. Health and Human Services.
www.eforensicsmag.com
www.hakin9.org - 138 -
W
HO IS WHO Andrew Borene Federal manager, i2 Safer Planet
Bob Stasio Senior Product Manager of Cyber Analysis at IBM i2 Safer Planet Bob Stasio is the He brings nearly 14 years of rare expertise fighting top tier malicious actors through his work in the intelligence community, the U.S. Military, NSA and commercial sector. Bob served on the initial staff of US Cyber Command. Serving in Iraq during “The Surge,” Bob’s intelligence unit supported the detainment of over 450 high-value targets.
Andrew Borene provides executive leadership for IBM’s i2 Safer Planet Federal business team. He served as Associate Deputy General Counsel at the U.S. Department of Defense and is a former U.S. Marine Corps military intelligence officer. Prior to joining IBM, Mr. Borene was a Counselor to the international law firm of Steptoe & Johnson LLP. His career includes leading corporate development at a microrobotics startup and U.S. intelligence community program management for a publicly-held big data company. He is active within leading public-private initiatives for improved U.S. national security, global leadership and technology growth.
Todd M. Rosenblum Senior executive for worldwide big data, i2 Safer Planet
Todd M. Rosenblum joins IBM as a Senior Executive for Global Business Development. He is responsible for identifying market engagement opportunities for IBM’s Safer Planet, Enterprise Insight Analysis suite of capabilities. Todd focuses especially closely on deepening collaborative partnerships with senior executives in the United States Government, U.S. State, local and private sector companies, as well as worldwide defense, intelligence and law enforcement institutions.
Shahid Shah CEO, Netspective Communications He is an award-winning Government 2.0, Health IT, Bio IT & digital Medical Device Inventor & CTO with over 25 years of technology strategy, architecture, engineering, entrepreneurship, speaking, and writing experience. He is the chair of the #HealthIMPACT Forum.
www.eforensicsmag.com
www.hakin9.org - 139 -
A
DVICE
What advice would you give to fellow cybersecurity professionals going into 2016?
Mark Bennet, Blustor: Cyber security professionals and the industry need to challenge our current paradigms that often involve centralizing and attempting to control every element of data flowing in and out of the systems under our protection. We are in a leaky ship and bailing the water out faster isn’t really solving the problem. We need to look closer at the underlying root issues, which include things like immutable human behavior and the inherent weakness of outdated security mechanisms such as usernames, passwords, and PINs. Until we do that, at best we are just keeping our heads above water.
Rajeev Chauhan, Cyber Oxen: Be suspicious, but don’t be paranoid about security, the best approach is having preventive measures in place.
Kenneth C. Citarella, Guidepost Solutions: Be patient when reminding others, be vigilant, and hold on tight.
David Coallier, Barricade: If you have to go to one conference this year, go to a conference that's NOT about security. Maybe a software or cloud conference. Talk to people about security and note their eye-roll/ exasperation reactions. Security is scary, and it's adversarial. Let's break down the barrier and make security something more natural.
Amber Schroader, Paraben Corporation: Vigilance to where we are leaving our digital identities. We are expanding out to more and more layers that hold information tied to who we are and not thinking how to protect and secure each of those layers. We need to focus on knowing what is where as we look at a cyber future with devices tied to ourselves at every corner.
Mayur Agnihotri: “Keep seeking out new things to learn and master what you know.”
Wade Johansen, CouriTech LLC: You will never be right 100% of the time, don’t let it stop you from being right 1% of the time. Also, if you have a one-in-a-million idea to improve something, then there are 8,000 other people on this planet thinking the exact same thing as you... be the first to say it out loud.
Nick Prescot, ZeroDayLab: Talk security as a business issue and not an IT issue. IT creates the systems that process data, the business are the ones that process the data and the operations teams are the ones that are responsible for the data.
www.eforensicsmag.com
www.hakin9.org - 140 -
A
DVICE
What advice would you give to fellow cybersecurity professionals going into 2016?
Mitchell Bezzina, Guidance Software: The “assumption of compromise” mindset has been gaining notoriety within Security teams, it takes the active defense approach where security teams consciously hunt for organization threats rather than rely on technology to alert. The personnel problem does not help this cause but building teams from parallel skillsets is the only way to ensure there are more security professionals, and don’t concern yourself with a flooded market – there will never be enough skilled cybersecurity specialists.
Alina Stancu, Titania: Keep on top of compliance, as that will remain important in ensuring baseline security. Certification against governmental or business accreditations will travel down the supply chain as more suppliers demand that businesses present some form of security assurance of their product and services.
Gerald Peng, Mocato: Your role is more broad and important that you may imagine. Protecting the public from cyberattacks on their IT infrastructure and devices will help deter cybercriminals from their spheres of activity. Our focus must extend past our employers and clients. We must collaborate to secure our data sovereignty, and reduce any weak points in our systems.
Roberto Langdon, Nicolas Orlandini, KPMG: Our vision of what will be going in 2016, is that there have been several cases where the forensic investigation helped to discard false hypothesis, false conclusions, and these aspects are showing the importance of this discipline to be used strongly each time, and so on in the future. As the forensics doctors said “a dead body can still tell information regarding to resolve a murder”, the information technology recipients or devices can bring more than we can imagine, in order to resolve frauds or criminal cases.
Paul Hoffman, Logical Operations: Jump in with both feet.
Dotan Bar Noy, Re-Sec Technologies: We live in exciting challenging times and are receiving public attention as well as enterprises boards. We need to make sure the advice and solutions we are offering are not just adding layers of more of the same, but substantially improve the overall enterprise security while keeping organization productivity untouched.
Stephan Conradin: Learn, understand, have global view, learn again, understand again.
www.eforensicsmag.com
www.hakin9.org - 141 -
A
DVICE
What advice would you give to fellow cybersecurity professionals going into 2016?
Michael A. Goedeker, Auxilium Cyber Security: LEARN HOW TO HACK THINGS, Be curious, always continue to learn new things and technology. Stay informed and aware, assume every OS, Application and piece of hardware can spy on you, has weaknesses and needs to be verified. Security is a business process just as much as it is a technological one, never EVER forget this. Security protects IP, revenue and the business. Be creative, think outside the box.
David Clarke, VCiso: Keep Going. Keep the Passion.
BroadTech Security Team: Stop hype. Learn your stuff. Know what you are talking about. Keep yourself updated daily & share your knowledge with others. Stop using jargon and fancy words and explain things clearly to people. Our job is to keep things secure and not to show off our knowledge or expertise. One more prediction. Once Hammer2 is feature complete, DragonFLYBSD implements single sign on and redundancy using CARP, etc. The way of doing cloud computing will take a new turn.
Craig McDonald, MailGuard: The number one tip is to plan a 360 degree approach to cyber security. Understand all your businesses attack vectors and how these can be infiltrated by cyber criminals. Blocking threats through the use of cloud security services such as email and web filtering should be the first line of defence – protecting the organization’s network.
www.eforensicsmag.com
www.hakin9.org - 142 -
C
ONTRIBUTING COMPANIES
www.eforensicsmag.com
www.hakin9.org - 143 -
www.eforensicsmag.com
www.hakin9.org - 144 -
www.eforensicsmag.com
www.hakin9.org - 145 -
www.eforensicsmag.com
www.hakin9.org - 146 -
www.eforensicsmag.com
www.hakin9.org - 147 -
