Well, the New Year is upon us. Which for most of us means a few things: taking stock of the year that’s just passed, deciding what we can do better in the year to come, and putting aside holiday festivities to get back to the daily routine. It also means thinking about the coming year and what’s likely to come down the pike.
This is important of course for all technologists (since being a technologist implies, to some degree, keeping current in the first place), but it’s even more important in security specifically.
Why do I say that? Because security can be reactive. There’s never infinite budget to implement every countermeasure, so picking the most relevant and appropriate countermeasures is paramount. And since we don’t often know ahead of time what threats we’re going to encounter in advance, that choice therefore often must of necessity occur months (or years) in advance based on what attacks we think are likely.
Also, since we need to be able to respond to adverse conditions rapidly when they occur, taking advance steps is the difference between success and failure: have available the right tools and processes to support our response efforts during an event and things will go better than otherwise.
For security, our ability to be successful is to some degree dependent on our ability to understand “what’s coming next.” So with that in mind, let’s evaluate a few key areas that security practitioners should have on their radar for 2015. This is by no means all the areas of import (or even most of the areas) – however, they are areas that security practitioners might want to pay special attention to over the upcoming year given their rate of adoption and scope of impact.
Area #1 – Docker
As frequent readers of this site may already know, I think Docker is a big deal. It reduces development time while increasing allocation density in the datacenter. Either on its own would give it legs, but both together means it’s likely to ramp up very quickly. This matters for security pros for a few reasons. The security properties are different from a traditional hypervisor so they need to be addressed separately, like OS virtualization it re-introduces challenges at scale that can impact security (e.g. sprawl), and it can grow from the “grass roots”– meaning that (like was the case with cloud) by the time you hear about it, you could be knee deep in it.
Point being, chances are good that for most organizations in the mid-market or larger, somebody somewhere is looking at Docker. Security pros have a chance to get ahead of this curve by getting familiar with Docker now while it’s still small. Learning what it is, what the implications are from a security standpoint, and digging into the security of it are all good ideas to do now. Moreover, keeping an ear to the ground about where it’s being used and actively looking for it in the organization can be helpful to you to make sure you’re not caught unaware that it’s being used.
Area #2 – Embedded Computing
A lot has been said about the “Internet of Things” and the privacy/security ramifications of it. The full effect of a world of smart devices is certainly staggering, but a complete transformation like many predict is probably a good way off. That said, there are a few short-term impacts of embedded computing that security pros should have on their radar. Specifically, unexpected incorporation of network-aware devices.
Meaning, keep in mind that devices that in the past were shipped without network connectivity are now being shipped with it. This includes things your remote office locations use like smoke detectors, thermostats, appliances and automobiles.
As older devices are replaced and new devices installed, are you expecting an influx of network-attached devices? Are you prepared to keep them off your networks or secure them if you can’t? Thinking about these questions now and coming up with strategies for how to address them is more prudent than waiting until the problem hits you the face to start taking action.
Area #3 – Post-Sony Breach Impacts
Say what you want about it, the truth is that this most recent breach at Sony changed some things. First, not only did the President of the US comment explicitly on the breach (which included some unambiguous commentary about Sony’s response), but it also demonstrated that an attacker, given the right circumstances, could leverage a breach to have real-world impact on how a company conducts business.
In this case, Sony changed their release plans for “The Interview” in direct response to what started as a data breach. Are attackers likely to take notice of this and attempt to maybe get other organizations to change their business plans or tactics as a result?
I’d suggest they probably will; they’ve done it before, but the level of national attention from the Sony breach could make it a more frequent event. Eddie Schwartz, Chair of ISACA’s Cybersecurity Task Force, stressed the impact this way: “…the recent Sony breach will endure as one of the three most significant cybersecurity events of 2014 because it once again highlighted a number of critical gaps in the ability of individual organizations to defend themselves against targeted attacks.”
What can a security pro do in response? Table-top exercises can be helpful – particularly, involving senior level decision makers (think C-Level executive team) so you’ll know what their priorities are in the event of an actual scenario and you’ll know what information they’ll want ahead of time to respond to the situation. Additionally, putting some thought into incident response processes (not to mention controls to help prevent a breach in the first place) is always useful.
Again, these are not the only changes on the horizon. There are literally hundreds of new and emerging technologies, trends, and changes to the security landscape that could potentially be relevant to your business. However, by virtue of the scale of likely impact, these are at least a few that might be useful to have on your radar if they’re not there already.
Ed Moyle is Director of Emerging Business and Technology for ISACA. Prior to joining ISACA, Ed was a founding partner of the analyst firm Security Curve. In his more than 15 years in information security, Ed has held numerous practitioner and analyst positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.