2017 - The year in Infosec
Should I continue to call it Infosec? Or should I change with the times to call it ‘Cybersecurity’? Whatever the name, 2017 was an interesting year for information security or cybersecurity or whatever you choose to call it. Here are a few things of note that happened:
This is a rather long post, so read it when you have the time.
Data Privacy - a big leap
A flurry of activity related to data privacy
If you have read my previous post about the year 2016, you will know that I had a completely different view of data privacy. I felt that we were apathetic towards it, and governments were doing nothing about it. Things changed for the better in 2017. With the GDPR deadline approaching (May 2018), the focus on data privacy has been phenomenal. GDPR is the new Y2K. The Indian Supreme Court declared that privacy is a fundamental right. The government released a draft paper on privacy law. The paper is impressive. You can download it on the MEITY website. Should India’s right to privacy be like the EU laws or like the American laws? The EU treats privacy as a ‘fundamental right’ and, as a result, the law is applicable to all entities collecting data, while the US treats it as privacy from government interference, thereby allowing non-government entities to freely collect data subject to certain rules. Which type of law will India adopt? Only time will tell. However, you can provide your opinion on it to MEITY by 31st January.
Cybersecurity - Skill Gap
The more you look, the harder they are to find.
If you have trouble finding employable resources in cybersecurity, then you are aware of the tremendous skill gap in the industry. The skill gap is not restricted to the private sector; it is present even in the government sector. The skill gap is so large that only a handful of professionals are capable enough to be put directly on the job. Most of them would require a good deal of handholding before they can actually be used for an infosec role. The skill gap is even more evident at the top. A good CISO is a very rare find. Finding the combination of infosec skills and management skills is difficult. Ask the headhunters who are looking to find a CISO for large companies. Add to that the skewed ratio of women in tech, and skew it further to get to the ratio of women in infosec, and you get a very bleak picture.
The focus, this year and probably for the next few years, should be on industry collaborating with academia to produce employable and skilled cybersecurity professionals who are well rounded, not straitjacketed in their skills.
Artificial Intelligence is here
And we don’t know what to do about it.
There is an AI wave going around the tech industry. People are finding various applications for AI, ranging from smart assistants like Siri and Alexa to systems that use AI to predict floods. An interesting development in 2017 was the experiment by IBM to develop a cybersecurity voice assistant - Havyn.
The use of AI in cybersecurity is increasing. The most practical use that I can foresee is in threat intelligence. There are already a few products that claim to use AI tools for gathering threat intelligence. How different the effort to set up a platform for AI will be from the effort to set up a platform for data analytics to achieve the same result remains to be seen. The use of AI in cybersecurity can only increase in 2017. I hope we are able to pose the right questions about cybersecurity, so that AI will be able to solve them.
State-sponsored cyber attacks
We know this has been going on for long, but nothing much can be done about it
It has been known for a while that cyberspace - the attack on information - is the fifth dimension of war, after land, air, water, and space. However, 2017 saw a few interesting news items related to state-sponsored cyber attacks. There was a theory that the 2016 attack on Bangladesh Bank had links with North Korea. Kaspersky released a report that linked the hacker group Lazarus with North Korea. The thing, however, was that the use of Kaspersky products was banned by the US Department of Homeland Security, citing links between Kaspersky and Russian intelligence. Kaspersky obviously denied helping any government.
We can expect more and more state-sponsored cyber ‘incidents’, although we may never know the truth!
The social media giants and their antics
Data is the new oil - and that makes Google, Facebook, Twitter, LinkedIn and the others the new data moguls.
Aadhar and the hullabaloo around it
Our data is centralized and we are worried
Willie Sutton robbed banks. When asked why, he said - “that is where the money is.” This soon became known as Sutton’s law. Where is all of India’s biometric data? Who would target it? UIDAI says that the Aadhar database is secure and can withstand attacks. However, they were found to be ‘leaking information’. CIS said that the information security practices are not up to the mark at UIDAI. You can have the best of technologies, but the practices and processes that you set up make the difference. I guess this also boils down to having the right team and enabling the CISO with proper people and tools, and given the state of skills available, our worry is justified. There are many forwards and memes that joke about users willingly providing their data to Apple and Samsung (phone-based biometrics), but creating a ruckus while giving it to our own government. The truth is that the number of APIs that connect to Aadhar is phenomenal. The data collected by Aadhar is genuine (verified). With Apple or Samsung, you can sign up with any name as long as your phone number is right. Aadhar has your name, address, fingerprints and everything that is verified. I can visualise the ‘data is the new oil’ brigade salivating. The threat of an Aadhar data breach is very serious and the Indian government needs to put better controls and processes in place.
Large Scale Data Breaches
You can expect to see more and more of these if infosec practices don’t improve
143 million US residents had their data leaked, thanks to a breach at Equifax. Again, a déjà vu of the data breach at Experian. The reason? An Apache Struts vulnerability that had already been known for 2 months. Wherever you have a collection of data that is large and authentic, the sharks will circle. Protecting that data gets more and more difficult. Organisations that handle large volumes of verified data should redouble their efforts at cybersecurity. They should deploy correctly configured tools and, more importantly, have the right people who will use the tools diligently.
The CISO and his team should stop being merely the gatekeepers and get their hands dirty. Don’t just audit and dole out advice. Configure those firewall rules. Write those DLP policies. Own the SOC operations and follow up on incidents and events reported. Identify rules to be written so that known incidents and events that did not get tracked by your SOC get tracked and get the attention they deserve.
It has been a good year in infosec. We have taken a few good steps forward. There have been a few incidents - well, expect them and prepare for them. What does 2018 have in store for us infosec professionals… err, cybersecurity professionals?
Have a good year!!