2018-07-12
It is that time again when we look back at the past year and look ahead to the threat landscape of the coming year. I spend most of my time analyzing large volumes of threat data, looking for threat trends and creating threat intelligence, hoping to give customers critical insights that help them better prepare for the cyber threats ahead. With that in mind, I offer my forecast for cybersecurity in 2018.
1. In 2018, individuals and organizations will learn the hard way that personal identifiers should not be used as authenticators.
Although most organizations have long blurred the two concepts of identifier and authenticator, there is an important difference between them. Information that serves as a personal identifier can be a social security number, a driver's license number or even an address. An authenticator can be a question that, when answered correctly, proves you are who you say you are. Knowledge-based authentication consists of a series of questions, such as: what was your high school mascot? What make was your first car? Alternatively, such checks can be based on credit report data and many other sources; compared with more costly but more secure methods such as two-factor authentication (2FA), these checks are cheap.
Unfortunately, too many organizations use identifiers as authenticators, and massive breaches like Equifax keep happening, which will make this an even bigger problem in 2018. Equifax stored the personally identifiable information (PII) of millions of customers; attackers stole it, putting every one of those identities at risk of abuse, particularly at organizations that use identifiers as authenticators. For example, when you call your bank, they ask for the last four digits of your social security number, your name, your date of birth... all of these are identifiers, not authenticators. After the Equifax incident, how many hackers now hold the identifiers of those millions of customers? In 2018, individuals and organizations will learn this lesson again, the hard way. The most important fix is for organizations to stop using identifiers as authenticators.
2. In 2018, partnerships, supply chains and "as-a-service" relationships will give rise to more breaches.
Business is increasingly digital, and savvy organizations are extending their reach and offering customers convenience through partnerships, supply chain integration and as-a-service capabilities. While this extensive outsourcing is becoming an increasingly popular way to accelerate business, it can also be a security nightmare. In 2017, both Deloitte and Booz Allen stumbled in this area. Next year we will see more breaches caused by attacks through partner networks.
In a partnership, organizations share data and brand reputation. Companies should develop cybersecurity best practices and require all partners to follow them; written contracts should be drafted in line with any applicable regulatory requirements, and business with a partner should be limited until the contract is agreed and/or renewed. Unfortunately, this may create difficulties for procurement departments. Because these best practices are likely to affect budgets, both to meet the new requirements and to enforce them, organizations need to build this requirement into next year and manage the costs accordingly.
3. In 2018, small healthcare organizations will become the preferred target of ransomware attacks.
Ransomware will remain a line of business for hackers worldwide, but its targets will become more focused: small and medium-sized businesses whose defenses are less mature. Accordingly, ransom amounts may be lower so that smaller organizations are able to pay. Next year, regional clinics and hospitals will be hit hardest, mainly because many hackers consider them easy targets. The least effort for the highest payoff is what these "business people" are after.
4. Organizations will prioritize breach response over incident response.
How many more apology letters from CEOs do we have to receive before companies take data breaches seriously? As cybersecurity becomes a priority item in boardrooms everywhere, organizations are realizing that this is much more than a technical issue. It is an organizational priority, and while companies will certainly make mistakes, we will see better breach response plans.
Incident response is the work of IT operations and security to prevent security incidents and to remediate them once they occur. Breach response is much more than that: it concerns how the whole enterprise responds to a breach affecting customer data, covering everything from bottom-line figures hit by remediation costs to the company's future reputation. Breach response includes actions by the CEO, the board, the legal department, marketing and PR teams, and others.
On breach response, Equifax set the worst possible example. Under the eyes of the whole world, the company made one misstep after another. The incident was a wake-up call for some organizations: they must prioritize, plan and implement breach response plans.
5. Machine learning technologies will become more defined and mature as a capability.
Machine learning is a buzzword that means something slightly different to everyone, but I believe this capability will become clearer in 2018. The purpose of machine learning technology is to lighten the burden on people and to speed up the processing and understanding of large volumes of data. As security technology advances, we will see better, higher-quality data. We are improving data processing, and smarter human response will then become possible. In 2018, machine learning or automation will continue to improve, as will the quality of threat intelligence data. Combining machine-learning threat intelligence capabilities with human experts who can provide analysis, insights and recommendations will be the best of both worlds.
http://www.securityweek.com/analyst-perspective-2018-cybersecurity-forecast
Adam Meyer
December 01, 2017
It’s that time of year again when we look back at the past year and try to anticipate what we can expect in the coming year. I spend most of my time analyzing vast quantities of threat data, looking for trends and creating intel that gives customers critical insights to better prepare for what cyber threats are on the horizon. With that context, here is my cybersecurity forecast for 2018.
1. In 2018, individuals and organizations will learn the hard way personal identifiers should not be used as authenticators.
Despite long-held and widespread confusion among most organizations, there is an important difference between an identifier and an authenticator. Information used as a personal identifier can be things like a social security number, a driver’s license number and even an address. An authenticator can be a question that, when answered correctly, proves you are who you say you are. Knowledge-based authentication includes questions like: What is your high school mascot? What was your first car? Or, they could be based on credit report data and a multitude of other possibilities that are often used as cheap authenticators as opposed to more expensive but more secure options such as Two-Factor Authentication (2FA).
Unfortunately, too many organizations use identifiers as authenticators, and massive breaches like Equifax tell us this will be an even bigger problem in 2018. Equifax stored numerous personal identifiers on millions of individuals, and the theft of that information puts personally identifiable information (PII) for every one of them at risk, particularly at organizations that use identifiers as authenticators. As an example, think of when you call your bank and they ask for the last four digits of your social, your name, your date of birth… all of those are identifiers, not authenticators. How many hackers now have that information as a result of Equifax? In 2018, individuals and organizations alike will learn this lesson again, the hard way. The most important solution to this problem is for organizations to stop using identifiers as authenticators.
2. Partnerships, supply chain and as-a-service relationships will give rise to more breaches next year.
Business is increasingly digital and savvy organizations are extending their reach and offering customer convenience via partnerships, supply chain integration and the use of as-a-service functionality. While an increasingly popular business acceleration approach, this extensive outsourcing can also be a security nightmare. Deloitte and Booz Allen fell victim to this in 2017 and we will see more breaches that are the result of attacks via partner networks next year.
In a partnership, organizations share data and brand reputation. Companies should develop cyber hygiene best practices and expect all partners to follow them. Strong contractual language should be written, in line with any applicable regulatory requirements, and an organization should limit business with a potential partner until the contract is agreed to and/or build in new language at the time of partnership renewal. Unfortunately, this could mean tough conversations for procurement departments. Because these best practice requirements will likely impact budget both for meeting new requirements and enforcing them, organizations need to build this into the year and manage ongoing costs accordingly.
3. Small business healthcare organizations will evolve to be the preferred target of attackers using ransomware and extortion in 2018.
Ransomware will be a consistent line of business for hackers around the globe but the intended targets will become more focused to include SMBs who are less prepared to defend against the attacks. As such, ransoms may be lower in amount so smaller organizations are able to pay. Regional healthcare clinics and hospitals will be hardest hit next year, primarily because they are considered to be easy targets by so many. The least amount of effort for the highest payoff is what these ‘business people’ are after.
4. Organizations will finally begin to prioritize Breach Response over Incident Response.
How many more times do we have to see the “I’m sorry” letter from the CEO before companies look at breach response seriously? As cybersecurity climbs the priority list in boardrooms everywhere, organizations are waking up to the fact that this is much more than a technical issue. It’s an organizational priority, and while there will be company blunders for sure, we will start to see better breach response.
Incident response is IT operations and security working to prevent security incidents as well as remediation when something does happen. Breach response is much bigger than that – it’s how an entire organization responds to a breach that impacts customer data, from bottom line numbers impacted by remediation costs to future company reputation. Breach response involves action from the CEO, the board, the legal department, marketing and PR teams, and others.
Equifax is a prime example of how not to handle breach response. The organization made misstep after misstep in a very public spotlight. That negative attention inevitably woke up a few organizations to the reality that breach response must be prioritized, planned for, and practiced.
5. Machine learning technologies will become more defined and mature as a capability.
Machine learning is a buzzword that means a little something different to everyone, but I expect to see more clarity to this capability in the coming year. The goal of machine learning technology is to lessen the burden on people and to increase the speed of processing, understanding and acting on overwhelming quantities of data. Security technology continues to advance and we will continue to see better, higher quality data as a result. We are making processing improvements and smarter human response is then possible. Machine learning or automation will continue to improve in 2018 and so will the quality of threat intelligence data. Combining machine-learning threat intelligence capabilities with human experts who can provide analysis, insights and recommendations is the best of both worlds so to speak.