Andy Ulrich, Head of Security in the Americas for Ericsson, offered a bad-news, good-news assessment of security trends.
“2016 was a really bad year, for lots of reasons (including information security), and 2017 will be worse,” stated Ulrich at the outset of his keynote presentation at the 2017 Chief Information Officer Leadership Forum held in Dallas on February 9. “But don’t worry. It’s not as bad as it may seem.”
Ulrich asked, “Why are attackers always ahead of those trying to keep them out of networks? Because it’s a business—there’s competition, profit, and nation-state resources—and attackers only need to find one way in while we have to come up with all kinds of ways to keep them out. Also, attackers are eager to adopt new technology, and we tend to not be good at that because it seems like there’s so much risk.”
Ulrich outlined these security trends:
• Attackers will continue to confound. “They’ll continue to do things we don’t expect them to.” As an example, Ulrich cited last year’s pervasive concerns about election hacks; what happened instead was the Podesta hack.
• More nation-state involvement everywhere.
• Attribution won’t get easier because finding evidence of who’s behind a hack is really difficult. “In establishing blame, we consider opportunity, means, and motive. For a nation-state actor, opportunity is always present, the means is always present, and motive is based on geopolitical strategy and is essentially opaque.”
• IoT will increasingly be at odds with security. “The IoT threat isn’t really new; we’ve been talking about IoT as a problem for security for the past five years. There’s market pressure to create new things because of the possibility of massive revenue, and this has predictable security issues. The real problem is that networks that have your IoT-manufactured device in them are now at risk, and the device itself can be part of botnets and other attacks.”
• Distributed denial of service attacks will worsen. “DDoS attacks hold your ability to pass data hostage. The only thing that can reliably stop a DDoS attack is bandwidth.”
• Ransomware will worsen and is a hugely profitable model. “More businesses are finding themselves at the wrong end of ransomware and end up paying—or not paying, which translates to losing data. If you do things correctly, you can recover your data, but it will cost you, regardless.”
“Do these trends matter?” asked Ulrich. “Of course they do, but it might not be as bad as we think it is.” Ulrich then showed graphs of five-year snapshots of the stock prices of four companies that suffered breaches during those periods and asked the audience to point out where the breach occurred in the graph. In most cases, it wasn’t obvious. “The point of this exercise,” said Ulrich, “is to show there are lots of factors that influence stock prices besides security breaches. Breaches don’t have to be an existential threat. Preparedness makes the difference, and we need to focus on the fundamentals of a security program—detect, defend, diffuse. It’s tempting to focus on ‘defend,’ but unless this has been seriously neglected, consider detect and diffuse equally.” In particular:
• Is alerting alerting?
• Are plans planned?
• Will failover fail over?
• Are patches installed?
• Is access managed?
• External audits are a good measure, but be prepared to spend to address issues that are found.
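One concrete way to answer “Is alerting alerting?” is a canary: periodically inject a synthetic event that a dedicated rule is guaranteed to match, and check that the alert actually arrives at the sink rather than merely that the rule fired. The script below is an added example for this write-up, not code from the keynote or from Ericsson; it models a minimal detection pipeline (rules feeding an alert sink) over constructed JSON log lines, and all names, rules, the canary marker and the sample events are assumptions made for illustration.

```python
"""Canary check for "Is alerting alerting?"

Added example; not from the keynote and not Ericsson's code. It models a
minimal detection pipeline (rules -> alert sink) and verifies end to end that
a known synthetic event produces a *delivered* alert, so a silently disabled
sink or a dropped rule is found before a real incident finds it. All names,
rules, markers and log lines below are constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Callable

# A rule is a name plus a predicate over one parsed log record.
Rule = tuple[str, Callable[[dict], bool]]

# Constructed sample auth events as JSON lines (not real data).
SAMPLE_LOGS = """\
{"ts": "2017-02-09T10:00:01Z", "event": "login", "user": "alice", "src": "10.0.0.5", "result": "success"}
{"ts": "2017-02-09T10:00:07Z", "event": "login", "user": "bob", "src": "203.0.113.9", "result": "failure"}
{"ts": "2017-02-09T10:00:08Z", "event": "login", "user": "bob", "src": "203.0.113.9", "result": "failure"}
{"ts": "2017-02-09T10:00:09Z", "event": "login", "user": "bob", "src": "203.0.113.9", "result": "failure"}
{"ts": "2017-02-09T10:00:10Z", "event": "login", "user": "bob", "src": "203.0.113.9", "result": "failure"}
{"ts": "2017-02-09T10:00:11Z", "event": "login", "user": "bob", "src": "203.0.113.9", "result": "failure"}
{"ts": "2017-02-09T10:01:00Z", "event": "sudo", "user": "alice", "src": "10.0.0.5", "cmd": "cat /etc/shadow"}"""

# Marker chosen so no genuine log line can match the canary rule by accident.
CANARY_MARKER = "ALERTING-CANARY-7f3a"  # constructed value


@dataclass
class AlertSink:
    """Destination for alerts. A real sink pages someone; this one records."""
    enabled: bool = True  # a disabled or misrouted sink is the classic silent failure
    delivered: list[dict] = field(default_factory=list)

    def send(self, alert: dict) -> None:
        if self.enabled:
            self.delivered.append(alert)


def canary_rule(rec: dict) -> bool:
    return rec.get("event") == "canary" and rec.get("marker") == CANARY_MARKER


DEFAULT_RULES: list[Rule] = [
    ("shadow_read", lambda r: r.get("event") == "sudo" and "/etc/shadow" in r.get("cmd", "")),
    ("alerting_canary", canary_rule),
]


@dataclass
class Pipeline:
    rules: list[Rule]
    sink: AlertSink
    fail_threshold: int = 5
    _failures: dict[str, int] = field(default_factory=dict)

    def ingest(self, line: str) -> list[dict]:
        """Evaluate one JSON log line; return the alerts that fired."""
        rec = json.loads(line)
        fired: list[dict] = []
        # Stateful rule: fail_threshold failed logins from a single source.
        if rec.get("event") == "login" and rec.get("result") == "failure":
            n = self._failures.get(rec["src"], 0) + 1
            self._failures[rec["src"]] = n
            if n == self.fail_threshold:
                fired.append({"rule": "brute_force", "src": rec["src"], "ts": rec["ts"]})
        for name, pred in self.rules:
            if pred(rec):
                fired.append({"rule": name, "ts": rec["ts"]})
        for alert in fired:
            self.sink.send(alert)
        return fired


def verify_alerting(pipeline: Pipeline) -> bool:
    """Inject the synthetic canary event and check that it was *delivered*.

    Checking the sink rather than the rule is the point: rules that fire into
    a dead sink look perfectly healthy from inside the pipeline."""
    before = len(pipeline.sink.delivered)
    pipeline.ingest(json.dumps({"ts": "2017-02-09T10:02:00Z", "event": "canary", "marker": CANARY_MARKER}))
    return any(a["rule"] == "alerting_canary" for a in pipeline.sink.delivered[before:])


def run(lines: str, rules: list[Rule] = DEFAULT_RULES, sink_enabled: bool = True) -> tuple[list[str], bool]:
    """Feed log lines through a fresh pipeline, then run the canary.

    Returns (names of delivered alerts, canary_ok)."""
    pipeline = Pipeline(rules=rules, sink=AlertSink(enabled=sink_enabled))
    for line in lines.splitlines():
        if line.strip():
            pipeline.ingest(line)
    canary_ok = verify_alerting(pipeline)
    return [a["rule"] for a in pipeline.sink.delivered], canary_ok


if __name__ == "__main__":
    scenarios = (("healthy", {}),
                 ("sink disabled", {"sink_enabled": False}),
                 ("canary rule dropped", {"rules": DEFAULT_RULES[:1]}))
    for label, kwargs in scenarios:
        delivered, ok = run(SAMPLE_LOGS, **kwargs)
        print(f"{label:20s} delivered={delivered} alerting_ok={ok}")
```

Run stand-alone, the script shows three states of the same pipeline: healthy (brute-force and shadow-read alerts delivered, canary passes), a sink that was switched off (the same rules fire, nothing is delivered, canary fails), and a rule set from which the canary rule was dropped (real alerts still flow, but the check itself reports failure, which is the conservative outcome you want from a health check). In production the same idea is scheduled: the canary event goes in on a timer, and its absence at the sink is itself the alert.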
In conclusion, Ulrich stated, “Training that involves making your people aware of phishing, mistakes in configuration, carelessness, etc. can be low cost and high impact.”
ABOUT ANDY ULRICH:
As a young child, Andy Ulrich discovered and was delighted by the fact that, by simply pushing buttons on a telephone keypad, he could nearly instantly cause a random person half a world away to stand up and walk to their telephone. (His parents were not amused.) Thus began a lifelong interest in telecommunications and IT. His nearly 30 years of experience include a career in the US Army, culminating in a role as the operations chief of NATO’s information security organization, and, most recently, a role as the CISO for MoneyGram. He currently heads the security program for Ericsson in the Americas from Plano, TX.