2011 – Review; 2012 – Forecast.
For quite a while now we’ve had a bit of an annual tradition in the run-up to the New Year festivities – every December we summarize all the security goings-on of the last 12 months, and then prophesize a bit about what’s in store in the coming year. This year we did our roundup and predictions – covering all sorts of, regrettably, frightening stuff – at a press conference in Moscow last Monday. It was a pretty stylish event – with a hospital theme as you can see from the pic below. But I won’t go over all that again here. Here’s the original text used at the press conference, and here’s a link to the pdf summary.
Here, let me outline the main points in our review/prognosis.
Just a couple of years ago cyber scoundrels were mostly robbing average home users. This year they decided not to settle for small pickings but to go after the big cheeses – large and medium-sized companies. Then of course we’ve seen governments this year become actively involved in cyber-armament. And throughout the whole year we’ve seen almost back-to-back reports in the news about serious break-ins, for example at Sony, Mitsubishi, HBGary and RSA and different governmental organizations. We rounded it all up and put it in our report… and it turns out that in 2011 cyber-attacks did not affect only 10% of companies (or maybe they just didn’t notice?)…
As regards the coming year, there will be more and more attacks on companies (especially big ones), and the attacks will become more and more successful at achieving their aims. Attacks on industrial systems (like Stuxnet) can’t be ruled out. And such attacks will become the main news items of 2012.
Here I want to expand on a couple of my other forecasts.
It’s not a rare occurrence when someone from the security industry makes an official statement and then it gets all distorted by scoop-hunting media. After our press conference this time in Moscow I was lucky to get just one “screw-up” by the local press of an idea I espoused (though it has to be said that the publication in question later made a correction). The idea was my forecast about the future of Internet access from the workplace. So here it is again, from the horse’s mouth…
Accessing the Internet from the office is here to stay. Can you imagine business without the Internet? Yeah, me neither. Though some people had me down as saying just the opposite – that in the future there’ll be no Internet access from the workplace at all. What I said was that companies and governments will introduce dedicated terminals for working with confidential data; terminals shared by employees as and when they need access to this confidential data. These terminals will be fully unplugged from the Internet and running proprietary operating systems and applications. Soon this idea will go mainstream – you watch.
Such a thing is no breakthrough – nothing terribly new; today there exist organizations where such an approach has already been introduced. But they’re not all that original either. In fact this segregation is already very, very old, and all of you will know plenty about its predecessor. It’s the system of paper, drawers, filing cabinets, archive storage and the like. Keeping things – confidential things – on paper, and only on paper. Used the world over, particularly zealously perfected in military organizations. You wanna read a super-duper secret doc? Welcome to the special archive-repository. You show your pass and sign for a file, and right there and then read it under the beady eye of the archivist. No borrowing it and perusing it in the comfort of your own home with a coffee and some mellow beats on. Oh, no. Sure, it’s tough; but hey, when state and military secrets are at stake, let’s face it, humanism and usability don’t come into it!
Anyway, there’s already something similar for electronic information. And as time passes, the more such an approach will become popular. Need to read your e-mails or the news? Use your regular laptop, with all the attendant Internet niceties and comforts. Need to work with “sanitized” information – be so kind as to sit at a dedicated, well-protected – disconnected – terminal. In an ideal situation such a terminal is not only fully disconnected from the WWW (strictly no “gateway” solutions!), but also runs a unique proprietary operating system, which comes bundled with equally unique proprietary applications.
So what is this draconian measure for?
Alas, in our incident report we see that it’s the only way governments and businesses can protect their data assets and, by extension, ensure safety on the whole.
Any connection with the Internet represents a potential threat to confidential data.
Why? First and foremost this is because absolute protection doesn’t exist. (This is made worse by today’s WWW architecture and software weakening overall protection more and more.) Second, on the other side of the barricades it’s not pimply teen cyber-thugs with delusions of grandeur any more, and not even reasonably sophisticated cybercriminals. No, the other side is now populated with very highly-organized, very highly-financed, progressive professionals supported by nation states or large competing corporations. The third reason why the Internet represents a potential threat is that the most vulnerable point of any victim – from which there’s no remedy – is the human factor. Most targeted attacks today from the technological point of view are very basic; however, they normally use clever methods of social engineering and spear phishing. Faced with this multi-threat-causing mega-weak-point – otherwise known as the Internet – clearly the best solution is to cut the whole thing off – amputate it – so it can’t spread to the other parts of the “body”. I already know of quite a few organizations that have already done this. Expect thousands more to soon follow…
Intermission! Photos from the Review/Forecast press conference in Moscow:
And now to the second topic for today – Internet passportization.
The Russian press covered this issue quite well, noting how my ideas have progressed and filled out with time :) But I’ll go over it once more, again from the horse’s mouth.
From the standpoint of personal security of users, it would be reasonable to divide Internet services into three categories. The first – red. In this category come the most critical services like online banking, electronic voting and other mission-critical services that require user authentication. Here it should be made mandatory to log on only with the use of a unique personal identifier (for example, a token – a sort of a cyber-passport) and establish a secure, authorized connection. The second category is yellow. Here we have resources requiring identification of one’s true identity via a cyber-passport to be able to use specific features. Finally there’s green – the public category. Here you can write, read, play, do anything you want (within limits of legality and decency, of course) – and completely anonymously if you want, but at your own risk. Just as what we all have now.
I admit in all of this there are many blind spots, many open questions to which I’ve no answers. But do write to me, make suggestions, ask… maybe we’ll get some clarity through discussion. All I ask is please don’t get all cynical and come up with things like: “It’ll all get hacked anyway, so why even bother,” and so on. Yes, of course there’ll be hacking! Nowhere – and nowhere more so than in infosec – can there ever be a panacea – pills against everything and forever. There’ll always be a likelihood of hacking, always be weapons against armor, good against evil… it’s the nature of the world as we know it and there’s no getting away from it.
But this shouldn’t stop us taking the initiative and having a pop back at the cyber-threats themselves. The best form of defense is after all attack. So let’s get at ’em – so they aren’t able to get up again after being knocked down! If we wait and respond only reactively to these problems as and when they arise – it just won’t work; no, more than that – it’s a recipe for disaster.
Before any battle the general has a concept – a plan. I’ve just given you mine. But will the powers listen to it? Will you?