
Predictions for cyber security in 2016

TEAM:
Editor-in-Chief:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
Editors:
Marta Sienicka
sienicka.marta@hakin9.com
Marta Strzelec
marta.strzelec@eforensicsmag.com
Marta Ziemianowicz
marta.ziemianowicz@eforensicamag.com
Senior Consultant/Publisher:
Paweł Marciniak
CEO:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
Marketing Director:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
DTP:
Marta Strzelec
marta.strzelec@eforensicsmag.com
Cover design:
Marta Sienicka
sienicka.marta@hakin9.org
Art used on the cover by Jack Moreh
Publisher
Software Press Sp. z o.o.
02-676 Warszawa
ul. Postępu 17D
Phone: 1 917 338 3631
www.eforensicsmag.com
www.hakin9.org
All trademarks, trade names, or logos mentioned or used are the property of their respective owners.
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear readers,
We are approaching the end of the year, so it is time to think
about the future and the year ahead. We are pleased to present
you our very special project created by joint forces of eForensics
and Hakin9 Magazines – “Predictions for cyber security in 2016”.
This special edition was based on interviews with representatives
of companies that had agreed to participate in our project.
We would like to give our most sincere thanks to all the participants of this project. You made this possible and without you
we wouldn’t be able to make this unique edition.
Additional and very special thanks to the Proofreaders who
helped with this issue. Your involvement and support of the
creation of this magazine is invaluable. Thank you.
The cyber security field is evolving at a rapid pace, constantly
changing and influencing our lives unnoticed. Will year 2016
be revolutionary for cyber security? How will recruitment in IT
change, what new threats will appear in the new year, will
Internet of Things influence cyber community? In search of
answers to these questions, our guests went on an unexpected
journey through thirteen different sections. Armed only with their
own experience, they confront the most difficult questions
tormenting experts on cyber security.
Do you want to find out if they succeeded? Uncover secrets
of cyber security and prepare yourself to face new year! Read our
new issue and get all the answers you were looking for!
As this is our last issue in 2015, we would like to thank all of our
readers for their continuous support for both our projects.
Without you we wouldn’t be here, doing all this amazing work to
bring you the best content we can. We hope we will be able to be
even better in 2016, and with that we wish you all the best in the
coming year.
Thank you for all the support.
eForensics and Hakin9 Teams
Table of contents

Top 2015 events
• What were the most important things that happened this year?

Recruitment
• What will change in the talent pool?
• Will talent shortage in the industry continue to grow?
• What new challenges will recruiters have to face in 2016?
• What new challenges will people looking for work in cyber security have to face?

Training
• What role will formal education play in 2016?
• Will certification keep its role as the main tool to confirm skill and expertise?
• Will we see a more unified standardization of education and skills?
• Will online courses influence the level of education in security field?

Threats
• What threats that emerged in 2015 will remain relevant in the next year?
• Which threat group will see the biggest growth in 2016?
• Can you see any old and forgotten threat coming back in the next year?
• Will threat landscape be affected by international efforts to combat terrorism?
• Will cyber security in healthcare remain a relevant topic?
• Will security in automotive industry keep on causing trouble?

Mobile
• Which mobile phone will be the most secure one?
• What kind of vulnerabilities will affect mobile phones in 2016?
• What security measures we should use to protect our mobile phones in the next year?
• What risks will mobile industry face in 2016?

Internet of Things
• Will IoT force the industry to change?
• What kind of challenges will IoT face in the next year?
• How will IoT influence cyber community?
• Will we see the security for IoT emerging along new IoT solutions, or will we have to wait?

Tools of the trade
• How will tools evolve in 2016?
• Will the trend to eliminate passwords continue?
• What new technology will make an impact on cyber security the most?
• What new trends will we see on threat intelligence?

Areas of security
• What are your predictions for network security in 2016?
• What are your predictions for software security in 2016?
• What are your predictions for hardware security in 2016?
• What are your predictions for cloud security in 2016?

Industry
• Will 2016 belong to start-ups or big cyber security corporations?
• Will cyber security events remain an important part of influencing the development of cyber community and companies?
• Will we see more state-level cooperation in 2016?
• In which industry will we observe the biggest demand for cyber security services?
• What do you think will change in the cyber security market in your country?

Cyber security awareness
• Will the cyber community influence the level of cyber security awareness?
• How can we work towards improving cyber security awareness in 2016?
• What obstacle in awareness will remain unsolved?
• What role will awareness play in corporate cyber security?

Miscellaneous
• Predictions for cybersecurity

Advice
• What advice would you give to fellow cybersecurity professionals going into 2016?

Contributing companies
CYBERSECURITY 2015 TOP EVENTS
What were the most important things that happened this year?
Wade Johansen, CouriTech LLC: C&C Botnets go public - DorkBot and the like have become a business model; they cost only $50 to buy in • The Anthem and eBay hacks - along with Target, Home Depot, JP Morgan,
etc. • The implementation of private peer-to-peer social networking clouds with unbreakable encryption •
TOR has 5% or more of the exit nodes hacked and infiltrated by the NSA • VTech’s hack - stealing children’s
identities. C’mon? This will have consequences we can’t even measure yet.
Amit Serper, Cybereason: We’ve been seeing massive data breaches pretty consistently for the past few
years, so really, 2015 was just more of the same. However, if I had to pick specific breaches that stand out,
the ones that come to mind are, first and foremost, the Hacking Team breach • Aside from the irony of a
“surveillance” company getting hacked (and learning how lax their own internal security was), the fact that
State-of-the-Art hacking tools and several Zero Day attacks were released into the wild has had and will continue to have long-term consequences. One of the Zero Days effectively killed Flash, and of course, having
all these resources available for consumption lowered the (technical) skills bar for potential cyber criminals
to enter into the game • Next comes the Ashley Madison hack - aside from it being one of the highest profile ransomware attacks, it shows the impact that a data breach can have on people's lives - suicides occurred, jobs were lost, families and reputations were ruined. Most companies approach cyber security
from a cost-benefit perspective - is it cheaper to fix the security problem or deal with the fallout from it? In
this case, how do you quantify the damage done to Ashley Madison customers? Is that something you can
even attach a number to?
Mark Bennet, Blustor: The U.S. Office of Personnel Management (OPM) lost nearly 5.6 million fingerprint
records in a cyber security attack in 2015. While this event went largely unnoticed by the general public, it
highlighted the tremendous risks associated with biometric security when an individual’s biometric templates are not properly protected. For the unfortunate employees impacted by this incident, they can never replace their fingerprints • Just recently reaching the awareness of the mainstream media, hospitals and
medical device manufacturers are being shown to be woefully unprepared. A recent article in Bloomberg
Business, entitled “It’s Way Too Easy to Hack the Hospital”, is one of many articles emerging in recent
months that tells a rather bleak and frightening story related to the vulnerability of medical devices to remote hacking. It is clear that there is a high potential for catastrophic incidences that are likely to result in
serious injury as well as large scale identity theft.
Paul Shomo, Guidance Software: RATs Ran Rampant: (Remote Access Trojans) evolved and proliferated to
the point that they were seen in forensic investigations of some of the most high-profile hacks of the year,
including the Office of Personnel Management (OPM).
Leon Kuperman, Zenedge: 2015 RSA Conference where we introduced ZENEDGE to the world •
www.newbingobilly.ag - longest running DDOS campaign that we are aware of, lasting for almost one year;
the attacker has failed at bringing down the site but continues to try on almost a daily basis • ZENEDGE introduces RapidBGP, which allows for sub 60-second DDOS mitigation in the cloud for network protection •
ZENEDGE launches Toronto Mitigation center, the first large scale mitigation center in Canada for customer
adoption • Complex multi-vector attack by Armada Collective, hitting many companies with DDoS for ransom Bitcoin. Our customer was hit with seven attacks in a one day period in Q4, key shopping season including: Chargen, UDP Flood, SSDP Amplification, NTP Amplification and Layer 7 application attacks. We
have now seen Armada Collective on five separate occasions.
Shay Zandani, Cytegic: The OPM breach – because of the consequences to its management and the fact
that it was a direct and public hit on a government entity • Anthem Breach (alongside Premera and BlueCross Blue-Shield) – because of the scale of the attack and how it emphasized the forecasted trend of PII
and medical data theft • Ashley Madison Breach – because it is perhaps the most significant internal
breach since Snowden – it emphasized the importance of the internal threat • The “Cyber-War” between
Iran and Saudi-Arabia over Yemen – because it showed very clearly the correlation between physical wars
and cyber wars, and the mobilization of hackers to support their governments • The US Military Kills the
ISIS Hacker and Recruiter that Attacked Them – because it emphasized the fact that cyber-warriors are valid targets for physical attacks and that they are an integral part of the war.
Mitchell Bezzina, Guidance Software: The Human Perimeter Remained Too Permeable: Human error opens
more doors to hackers than technical shortcomings. Whether clicking on a phishing email, failing to install
security patches on a regular basis, or leaving a laptop with patient healthcare records in a place where it
can be easily stolen, humans regularly hand over the keys to the data kingdom—or leave them lying
around where they can be readily obtained • Following suit is Australia, releasing a draft of the Privacy
Amendment (Notification of Serious Data Breaches) Bill 2015 in December that affects any domestic or foreign organization that deals directly with Australian consumers.
Richard De Vere, The AntiSocial Engineer: The TalkTalk Breach! (and discovering it) helped place cyber security on the radar for the average person. Infosec left the boardrooms and had free rein of the TV • Old
issues making a comeback - Crossdomain Abuse, SQLi • BSIDES in London was my favourite event/con •
Software - The release of Kali 2.0 hasn’t changed the world but it’s nice to see the GUI updates • SETOOLKIT - Mr Robot Edition (In fact, Mr Robot was the highlight of my year).
Irfan Shakeel, EH Academy: Helped more than 3000 people to become effective computer forensics examiners; training, certification and relationship with the industry have been provided to them.
Rajeev Chauhan, Cyber Oxen: Sony Hack and Retaliation • OPG Hack • Cryptolocker malware • Identity Theft • Cyber Espionage.
Dennis Chow, Millar, Inc: Blue Cross Blue Shield Anthem Data Breach • New Cyber Threat Intelligence initiatives • WITCHCOVEN Campaign • Remote Jeep Hack • FTC enforcement of Cyber Security to companies.
Francisco Amato, Infobyte: ekoparty • troopers • kiwicon • shakacon • chaos communication congress.
Nick Prescot, ZeroDayLab: Talk Talk breach – an obvious choice, but perhaps more than any other • Safe Harbour re-alignment • EU General Data Protection Regulation • Ashley Madison (mainly for the impact) • Sony Pictures.
BroadTech Security Team: A bit difficult to limit to five. Google Deceptively Tracks Students’ Internet Browsing • Pentagon Cyber Attack • Kaspersky Security Breach • Hacking Team Breach • $1 Billion theft from banks • Ship Data Records Vulnerability • Kaspersky, McAfee, AVG vulnerabilities • Industrial System Control Gateway vulnerabilities.
David Clarke, VCiso: Talk Talk Breach • Ransomware • School Breaches • Mobile Vulnerabilities • Mobile Security.
Stephan Conradin: Theft of sensitive data • Privacy concerns with Windows 10.
Amber Schroader, Paraben Corporation: EnFuse 2016 • PFIC 2016 • Techno • HTCIA 2016.
Przemek (Shem) Radzikowski, Secbüro Labs: Ashley Madison Hack • Black Hat USA • First 400+ Gbps NTP reflection DDoS attack • APT28 • TalkTalk hack by 15yo.
Paul Hoffman, Logical Operations: Two Steps Ahead - Rochester. December 8th, 2015 • ISSA Conference, October 2015 • Dispelled Rumor of MAC OS being safe, as it accounted for the largest proportion of vulnerabilities in first quarter 2015 • The State Dept. is breached by Russian hackers.
Roberto Langdon, Nicolas Orlandini, KPMG: As part of our Security Services to customers, we were dealing
with networks with unappropriated protection, the Internet of Things is leaving really black holes in the
information management and information gathering, people working so far from the existing standards
such as ISO 27001 and ISO 27002 mainly, and the lack of security awareness implemented as a continuous
process inside the organizations. Most of them are still reactive instead of being preventive. And most of
them know nothing about ISO 270037 • Technology considerably helped the business and mainly the users
interacting with it, and as one of the key issues is privacy, it is almost more frequent to find ethics codes
violation and frauds carried out by people who understand that the digital equipment that they use can
“protect” them against these types of investigations. Neither workstations nor smartphones are outside
the scope of investigations, and they have key valuable information. • Increase in amount and depth of
data breaches • Dark web, Mobile forensic, data encryption and IoT as challenges for forensic teams •
Cloud data collections • Black-Hat 2015 Las Vegas • Lack of Cyber Security/Cyber Forensic Investigators
personnel.
Craig McDonald, MailGuard: Anthem. In March, this health insurance company suffered an attack that
compromised 78.8 million customers’ records from December 2014 onwards. Data affected: names, dates
of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data. The data was not encrypted, according to reports • Although
smaller than the Anthem attack, the attack on 21.5 million records in the database of the US Office of Personnel Management (OPM) is significant because of the type of data accessed – personal information,
background checks, names and addresses and a million fingerprints of US Government employees. It is believed that Chinese hackers were responsible • UK telecom company, TalkTalk, suffered an attack that compromised four million records, estimated to be the seventh largest attack (to September 2015), apparently
through a third party call centre in India • Australian Bureau of Meteorology breach reported publicly in
December this year. There is no clear picture yet how much the breach will cost to fix or how long it will
take – but insiders estimate years and hundreds of millions of dollars. And the critical nature of the bureau's services means its systems cannot be switched off for repair.
Michael A. Goedeker, Auxilium Cyber Security: OPM Breach • DEASH (ISIL-whatever) using social media for
targeting soldiers • Ukraine Hacks (our story on the “Fire Sale” hack) • The fight for balancing surveillance
and privacy • The Beginning of IoT as mainstream (and additional security holes and lack of it) • Increasing
vulnerabilities and attacks on global and national critical infrastructure.
Rick Blaisdell: Kaspersky Lab revealed in June that it had discovered an infiltration in several of its internal
systems. The attack, also named Duqu 2.0, was believed to be a nation-state-sponsored attack, whose other victims included events and venues with links to world power meetings, including negotiations for an
Iran nuclear deal. The Moscow-based security vendor said the compromise included information on the
company's newest technologies, such as Kaspersky’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services • LastPass got hacked - LastPass is a
very well known provider of cloud-based single sign-on and password manager. Enterprise administrators
around the globe use it to manage and secure passwords across their infrastructure. However, in June,
LastPass CEO Joe Siegrist admitted in a blog post that a network compromise resulted in the theft of customer email addresses and password reminders. Even though the passwords were encrypted, and there
was no evidence of customer data being exposed, LastPass required all customers to change their master
passwords the next time they logged in • Pentagon failed to offer small firms cyber security resources - The
US Department of Defense (DOD)’s Office of Small Business Programs (OSBP) has failed to offer cyber security options to protect the companies it does business with, according to a report from the US Government
Accountability Office (GAO). Small businesses, including those that conduct business with DOD, are vulnerable to cyber threats and may have fewer resources, such as robust cyber security systems, than larger
businesses to counter cyber threats • The breach at Harvard University, following in the footsteps of eight
other education breaches this year, highlighted growing security concerns around the higher-education
market. The breach affected as many as eight schools and administrative offices, though it remains unclear
what information was accessed by the hackers • When it comes to the health-care industry, health insurer
Anthem revealed a breach in February that exposed an astonishing 80 million patient and employee records. Anthem said the breach occurred over several weeks, beginning in December 2014, and could have
exposed names, date of birth, Social Security numbers, health-care ID numbers, home addresses, email
addresses, employment information, income data and more. It said it did not believe banking information
was taken. The Wall Street Journal reported that Anthem had not encrypted the data that was accessed by
hackers.
Kenneth C. Citarella, Guidepost Solutions: In no particular order, we cite these as the most significant cyber
security events in 2015: The Office of Personnel Management intrusion • Cyber security talks between the
U.S. and China, including China’s arrest of several men alleged to have intruded into U.S.-based systems at
the request of the U.S. government • The Third Circuit Court of Appeals upholding the authority of the Federal Trade Commission to sue over cyber security failures under its consumer protection powers. A company may be engaged in an unfair trade practice if it does not live up to its cyber security promises • The beginning of regulatory efforts to mandate cyber security standards in certain industries • Known weaknesses
and poor security habits continue to be major attack vectors.
Anthony Di Bello, Guidance Software: Breaches Abounded: Almost 90 million healthcare records were
breached causing $272 million worth of losses to leading United States healthcare organizations. The lesson learned is that healthcare records are extremely valuable to cybercriminals • Emergence of Endpoint
Detection and Response (EDR) security technology category — while technologies focused on providing
security visibility and incident response capabilities for endpoint have existed for some time, 2015 marked
a critical mass in both the need for and emergence of several start-up technologies focused on these capabilities. These vendors span established EDR players, such as Guidance Software, legacy security vendors
coming into the space through acquisition, such as Palo Alto, and start up technologies, such as Cylance.
These offerings fill a critical gap at the endpoint left by older technologies, such as anti-virus and host-based IPS • Data Notification Requirements – The US Government began the first steps in creating one Federal breach notification law with the Data Security and Breach Notification Act of 2015 which received both
public backing and some initial opposition. The US is not alone, the EU Council found common ground with
Members of the European Parliament and put an end to fragmented requirements for minimum security
measures and breach notification requirements across critical service organizations in resources, transport,
finance, and health. This comes after the heavily publicized advancements in the EU General Data Protection Regulation to enhance data protection rights of EU consumers for any organization, worldwide, storing
personal data.
David Coallier, Barricade: VTech's data leak • Ashley Madison's data leak • The iCloud leak • The rise of the
internet of things and the internet of vulnerabilities • Ransomware and boot kits.
There were plenty more very important leaks, during this last year. What we find interesting is most of the
attacks fall into common categories, such as people still using insecure passwords and executives that do
not understand the current technological landscape.
The rise of ransomware and their exponential growth is interesting as it allows us to witness the evolution
of computer viruses and criminal groups in near real-time. A new player in town, the boot kit, is promising
an interesting turn of events for 2016 • Meanwhile, the Internet of Things is left very vulnerable because
efficiency and simplicity of use took priority over security, leaving a lot of early and late majority of the tech
adopters at risk. The so-called advanced persistent threat is still the industry's poster child and as state-sponsored attacks and cyber-espionage grows, we'll probably keep hearing a lot about APT in the next year
alongside its lack of security workforce.
Wade Lovell, Simpatic: Revenge Porn – Hunter Moore “who operated the Internet’s best-known ‘revenge
porn’ website was sentenced to 30 months in federal prison for hiring another man to hack into e-mail accounts to steal nude photos that were later posted on his website.” This seems a little like sentencing Al
Capone on tax evasion charges, satisfying but incomplete link • Angler is an extremely capable and readily
available exploit kit used by criminals to run choice cuts of the latest Flash, Java, and browser exploits targeting un-patched users. Hackers add exploit kit to article asking 'Is cyber crime out of control? “Hackers
have hosed an article published by The Guardian using the world's nastiest exploit kit Angler to pop the
machines of exposed readers. The attack firmly answers the article's headline, positing the question 'is cybercrime out of control', based on arguments in a book by one Misha Glenny.” link • VTech Breach – accounts of 2.9 million kids hacked. This is the type of hack no one seems to talk about because it doesn’t
directly involve credit card and social security numbers • Georgia’s Secretary of State released confidential
information to a dozen entities on 6 million Georgia voters, including driver’s license information, Social
Security numbers and dates of birth, and didn’t notify anyone, according to a lawsuit. “The Georgia Secretary of State, Brian Kemp’s office is being sued by two Georgia women who claim that the Secretary's office
released personal information that involves 6 million Georgia voters. Mr. Kemp’s office has communicated
that … due to what they are calling a "clerical" error, individual voters personal information was included in
these files… According to the lawsuit, Mr. Kemp’s office never notified individuals regarding the breach,
nor did they contact the consumer reporting agencies.” link • Organized Criminal Hackers stealing $1 billion
directly from banks. “… a gang of international hackers have stolen as much as $1 billion from 100 banks
across 30 countries by installing malware that allowed them to take control of the banks' internal operations link.
Gerald Peng, Mocato: Anonymous taking down ISIS social media profiles, November - December 2015 •
Ashley Madison hack, July - August 2015 • In June 2015, US Office of Personnel Management (OPM) discovered that the background investigation records of current, former, and prospective Federal employees and
contractors had been stolen. OPM and the interagency incident response team have concluded with high
confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases • Stagefright Bug (all versions) for Android
phones, July 2015 • International Conference on Cybersecurity, January 5 - 8, 2015, New York City, NY,
United States.
WHO IS WHO
Amit Serper
Cybereason Lead Mac OS X security researcher
Amit is an Information security researcher specializing in embedded Linux devices. His role at Cybereason is to develop novel methodologies for identifying complex hacking operations. For over a decade he led security projects for a government agency in Israel, specializing in the security of embedded systems. Amit is known for his "out of the box" thinking and is renowned for his shell popping abilities on embedded devices such as routers, IP cameras and even home irrigation systems. He has won several Blackhat pen-testing challenges.
Michael A. Goedeker
Auxilium Cyber Security
CEO and Founder
I am passionate about technology, teaching and people! My interests, passion and research includes: Cyber Security, Operations, Leadership and Training up to DoD/Mil level (includes every aspect of IT). Author and researcher at the front end of Cyber Warfare, Espionage and Crime, researching in Academia, Press and Security Professionals Globally. Entrepreneur with solid operations and financial background. Easy to work with, people person that sees talent, develops it and can establish rapport with almost anyone.
Irfan Shakeel
EH Academy
CEO and Founder
The founder & CEO of ehacking group. An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. With more than 7 years of professional work experience, he is creating new Infosec ventures and businesses around the globe.
Richard De Vere
The AntiSocial Engineer Ltd,
Principal Consultant
Richard is the Principal Consultant for The AntiSocial Engineer Ltd, has an extensive background in penetration testing and social engineering, including “red team” exercises and information gathering assessments.
RECRUITMENT
What will change in the talent pool?
Richard De Vere, The AntiSocial Engineer: As more and more people fill the shortage we have across the world for well trained and experienced security vendors and testers, we will start to see the number of inexperienced testers rise.
Kris Rides, Tiro Security: I think we will see larger companies moving internally / hiring people in alternative IT positions and cross training them into Security. So expect to see hiring of Infrastructure and Development staff to increase further.
Michael A. Goedeker, Auxilium Cyber Security: Skills needed and the way we look for people for “cyber” security space. Cyber security is dynamic, so we are looking for people that can think outside the box and make complex things simple.
Chase Cunningham, Cynja: Unfortunately, nothing. There will continue to be a vast lack of resources with respect to real cyber security operations personnel. This will continue for at least the next five years, probably much longer.
That’s why it’s important to encourage kids to be safe online and learn about technology. My hope is that if we start inspiring kids to join us in fighting the criminals online, that shortage will be nonexistent by the time our kids move out of the house. Looking 20 years down the road, if one person says to me they chose cybersecurity as a profession because of me, then mission accomplished.
Elizabeth Houser, Praesidio: As more people become aware of the ongoing trends in cybersecurity and the increasing opportunities the industry offers, we’ll see an uptick in people desiring a career shift. This will especially become noticeable as expansion of the IoT requires input from experts in other fields.
Dennis Chow, Millar, Inc: There will be increased requirements for new skills to help defend against modern attackers. Certifications and skills considered ‘advanced’ now will soon become standard in the future, such as malware reverse engineering and exploit creation capabilities.
Wade Johansen, CouriTech LLC: Virtualization skills and multitasking abilities are (and will continue to be) a “must-have” talent. The days of specialization in one service domain alone seem to be rapidly coming to an end. Mobile device management and maintenance is also a skill every tech should start getting familiar with.
Rick Blaisdell: The increasing volume and
detail of information captured by enterprises, the rise of multimedia, social media, and the Internet of Things will fuel
exponential growth in data for the foreseeable future. At the same time, the rising
demand for data scientists and the resulting pressure on the analytics labor market is increasing the need for analytics
talent as more companies with more data
to sift through discover they are trying to
hire the same workers.
Roberto Langdon, Nicolas Orlandini,
KPMG: There is a shortage of professionals who can meet the specific requirements to be an investigator. This will
require professional knowledge about
networking, security, IT infrastructure,
plus “life” experience. And all of the
above, under strictest ethical codes and
confidentiality. A forensic investigator
must be hungry for investigation.
In order to build qualified professionals, it
is required to make more disclosures and
training courses to motivate the IT security professionals to enter in this amazing
world.
Mayur Agnihotri: Talent pool constrained
on cyber security recruitment as cyber
security (Information Security) budgets
expand rapidly. “Cyber security
(Information Security) industry is facing a
new threat: hiring” - Worldwide situation.
Company faces cyber security
(information security) talent costs more
than other IT positions.
Przemek (Shem) Radzikowski, Secbüro
Labs: Given the immediate requirement
for cyber security professionals, many
people will try to reskill and transfer from
their existing professions to fill the gap.
Julie Herold, Kenny Herold, Odin’s Eye:
Colleges are recognizing the value of IT
Security Professionals; eventually we will
see a drastic increase in the number of
qualified personnel. Although there is a
strong belief that acclimation to this type
of profession in the field, it is worrisome
at best.
Andrew Bagrin, My Digital Shield: There is
already a lot of very average security talent in the industry and very few great
talent. We are running this industry somewhat handicapped. I predict it will only
get worse as more talent is desperately
needed and great talent is very hard to
find.
Paul Hoffman, Logical Operations: As breaches get more serious, companies will
start to pay more for skilled people.
Paul Shomo, Guidance Software: Talent
availability will increase, but be outweighed by demand. Closely related careers,
like computer forensic examiners and network specialists, will seek opportunities
in Security as methodology, concepts and
practices are closely related, however,
they will require in-depth training and
time to gather experience. We’ve seen
this in other high velocity emerging markets and cyber security is still three to six
years away from having a “normal” ratio
of availability vs demand.
Wade Lovell, Simpatic: Some undergraduate programs have picked up the baton
and are offering an emphasis in cyber security. As students matriculate from these
programs, the talent pool will increase at
a pace slightly ahead of the churn rate.
Mitchell Bezzina, Guidance Software: Information security leaders will begin to
see a new generation of fully mobile workers coming into the workplace who have
an instinctive understanding of privacy
issues because of social-media hacks and
problems they’ve all encountered, but
who are not used to being restricted in
their practices within large organizations.
Dotan Bar Noy, Re-Sec Technologies: Cybersecurity workforce shortage is expected to reach 1.5 million by 2019 according
to Michael Brown, Symantec CEO. While
the growth in the need for talented
experts in all sectors will drive an increase
in professionals in the long run, we are
still going to struggle in the next few years.
Einaras Gravrock, Cujo: The demand will
continue to outstretch the supply. An increasing number of IT specialists will repurpose themselves to fit the demand.
Amit Serper, Cybereason: In 2016, the
shortage of skilled security pros will result
in a more diverse workforce.
David Clarke, VCiso: Audit will take a higher priority as more and more cyber services are outsourced.
BroadTech Security Team: More people
are going to go after certification rather
than acquiring necessary knowledge and
skill in hyped up technologies, especially.
Anthony Di Bello, Guidance Software:
Vendors and industry experts need to
support the efforts of universities to create and deliver the required curriculum for
success in the ever-changing information
security landscape. Through the provisioning of software, assistance in curriculum
development, and support through industry events and competitions the community can give back, and help create the
next generation of infosec pros.
Ondrej Krehel, LIFARS: More talented
people, as well as people going for the
name. Overall, I see a dilution in talent as
companies do not want to spend money
on good resources.
Stephan Conradin: Security becomes more complex because business and technologies change very fast, so real talent pool
will become shorter.
Nick Prescot, ZeroDayLab: Existing consultants • New consultants will start on a
different track-level, following the new
known trends and identifying others in
the emerging world of Internet of Things.
RECRUITMENT
Will talent shortage in the industry
continue to grow?
Michael A. Goedeker, Auxilium Cyber Security: I don’t see a talent shortage, just
prices being ruined by big companies that
overcharge for bad work. This does not
allow smaller companies to earn enough
to attract good people because for some
illogical reason, customers “trust” big names without verifying them (bad for security in general).
Elizabeth Houser, Praesidio: Absolutely.
The field is experiencing the same personnel shortage as the medical industry continues to face. Not only is there limited
space in training programs but disparity
also exists in the quality of these programs. Also, a disconnect remains between what IT managers need and what HR is
requiring in job candidates.
Richard De Vere, The AntiSocial Engineer: I
think for the foreseeable future we will
not meet the demand for information security professionals. The need for these
testers is clearly documented with global
rises in cyber crime but we have been
slow with training, especially in youth sectors.
Kris Rides, Tiro Security: I think we will see
an increase in requirements and if the
industry doesn’t make changes to how it
is currently recruiting, then the shortage
will grow.
Wade Johansen, CouriTech LLC: Yes! Recruitment is starting early because there
aren’t enough coders to go around, so
schools that offer it are seeing benefits for
their students. Unfortunately, there is a
shortage of strong teachers, so this is causing a shortage of classes, and students.
This is the case with a lot of technology
fields and not just coding.
Irfan Shakeel, EH Academy: The shortage
of skillful people will increase, because
the community failed to produce skillful
professionals. Organizations are lacking in
terms of training & development programs. It will have a direct impact on security; we will witness the rise of hacking
attacks.
Dennis Chow, Millar, Inc: Yes, even with
new talent graduating with new Information Security focused degrees; many will
lack the skills and experience that positions in demand will need.
Einaras Gravrock, Cujo: Yes, absolutely.
Given that inventory is growing by multidigit CAGR, it will take a business cycle for
the supply to meet the new demand.
Francisco Amato, Infobyte: I personally
think that there is always talent floating
around, but companies need to go out
and find talented people in different environments, not just in traditional places.
There are a lot of capable people, but it is
necessary to properly promote and nurture them. One interesting way to find young blood is with competitions or challenges like CTFs, which are done in different
events worldwide. Also, the rise of the
hackerspace movement for me is an ideal
training ground to find people with a lot
of skills. Of course, one of the biggest
things for these kinds of people is keeping
them motivated. If IT sec professionals are
only in it for the money and are not really
passionate about what they are doing,
they probably are going to find it hard to
stand out in an intelligent and talented
industry where you have extremely bright
people (who love what they are doing)
and these passionate people are the ones
that are always going to be a step ahead.
Przemek (Shem) Radzikowski, Secbüro
Labs: For the foreseeable future, the talent shortage will continue to grow for
another two to three years (the average
length of an undergraduate degree). Unfortunately, the ripple effect from the
shortage may persist for a longer period
while professionals gain industry experience.
Mayur Agnihotri: Yes, talent shortage in
the industry continues to grow, demand is
high and supply is low. Companies need
to attract and retain cyber security talent.
Some elements for attracting and retaining cyber security talent:
• Provide training for staff on emerging technology
• Companies must participate in different events, like hackathons and open-source community platforms
• Companies must collaborate with universities / colleges in emerging technology, as well as cyber security talent.
Anthony Di Bello, Guidance Software: The
talent shortage is expected to grow unless
a top-down effort is made to create and
stimulate interest in information security
fields early on in a student’s education.
Mitchell Bezzina, Guidance Software: Yes,
due to the demand generated by the unusual amount of potential business risk associated with failed cyber security practices, the proliferation of media attention,
and time it takes to train security specialists. The talent shortage will continue
until the emergence of the next generation of qualified cyber security specialists.
David Clarke, VCiso: Yes, almost certainly,
as more and more skills other than cyber
technical skills are required.
Andrew Bagrin, My Digital Shield: Great
talent shortage will, but we will see a
bunch of new people in the industry. There are schools now trying to get people in
the industry.
Stephan Conradin: Of course. More complexity, more needs, fewer people with
wide knowledge.
Amit Serper, Cybereason: Yes, but will be
offset by better and more automated
tools.
Dotan Bar Noy, Re-Sec Technologies: Yes,
in the short term we will still have a talent
shortage, and even more important is
attracting the exceptional experts that are
becoming very rare.
Rick Blaisdell: Unfortunately, yes. More
than 209,000 cybersecurity jobs in the
U.S. are unfilled, and postings are up 74%
over the past five years, according to a
Peninsula Press (a project of the Stanford
University Journalism Program) analysis of
numbers from the Bureau of Labor Statistics. The demand for information security
professionals is expected to grow by 53
percent through 2018. According to
a recent report from the job board Dice,
the demand for the (cybersecurity)
workforce is expected to rise to 6 million
(globally) by 2019, with a projected
shortfall of 1.5 million.
Paul Hoffman, Logical Operations: Yes,
there will be a shortage for three to five
more years, as people are trained in the
industry.
BroadTech Security Team: There will be a
shortage of usable people. Talent alone is
not enough. Skill and Experience are also
needed, which needs time to be acquired.
Technology disruption and information
overload is happening in such a rapid rate
that time needed to understand, assimilate, gain skill and experience is getting
even more limited.
At the same time, according to a 451 Research recent study, based on responses
from more than 1,000 IT professionals,
primarily in North America and EMEA,
security managers reported significant
obstacles in implementing desired security projects due to lack of staff expertise
(34.5%) and inadequate staffing (26.4%).
Given this challenge, only 24% of enterprises have 24×7 monitoring in place using
internal resources.
Ondrej Krehel, LIFARS: I believe so. Until
companies become aware they need talent and reward it, I believe people may
not want to enter the field.
Wade Lovell, Simpatic: Yes, while the talent pool is expanding slightly ahead of
the churn rate, the demand continues to
grow.
Nick Prescot, ZeroDayLab: It depends
what talent you’re looking for. Information Security continues to be both.
RECRUITMENT
What new challenges will recruiters
have to face in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Becoming more knowledgeable in
what makes a successful “cyber” security
person. Understanding exactly what the
value of certs and experience is. Paying
the right money for demanded positions
instead of pushing them down.
Kris Rides, Tiro Security: Larger companies
will look to hire more niche candidates as
they break down their teams into further
specialties. This will mean your average
generalist IT agency will find it tougher to
fill these people as they will need to be
focused 100% in this area to build relationships. Medium sized businesses will
continue to have a lot of competition
with companies for their Security people. They will need to show the kind of
flexibility on job requirements and benefits to really differentiate themselves and
allow recruiters to fill their most urgent
requirements. Recruitment companies
will find it even tougher to supply contractors in Cyber Security. High permanent
salaries and the kind of benefits these
people will be offered, matched with (at
least in the US) the high cost of healthcare
mean the benefits of being a contractor
will no longer be worth the risk.
Richard De Vere, The AntiSocial Engineer:
I think sorting the good from the bad will
be harder than ever over the next year.
Recruiters have to step up their game and
rely more on personal bonds and careful
research of their candidates and not just
point and click recruiting.
Irfan Shakeel, EH Academy: The recruiters
will get confused because of the formal
education, infosec certifications without
any central governance body and the
skills. The recruiters have to develop a
methodology to capture the right candidate based on the skills, rather than a piece of paper.
Wade Johansen, CouriTech LLC: There is a
large pool of jobs and many of them just
don’t pay enough, particularly the
Government sectors. There are not
enough highly skilled workers to meet the
demand and private industry pays far
better. Unfortunately, having a good benefits plan isn’t enough now - workers
want work at home VPN options, higher
salaries and employers that provide ongoing training benefits and perks.
Dennis Chow, Millar, Inc Short: Being able
to distinguish ‘paper certified’ professionals compared to ones with true hands-on
experience that happen to have those
same certifications.
Chase Cunningham, Cynja: The continued
lack of talent will increase the demand for
real cyber operators and the starting salaries for those individuals will continue to
rise. The men and women who are coming out of the military and intelligence
communities will have their pick of private sector jobs and roles and recruiters will
have to outbid each other to win those
candidates.
Ondrej Krehel, LIFARS: They will have to
deal with larger pools of applicants and
finding talent among them.
Stephan Conradin: First: they should see
and understand this growing complexity.
Second: they have to reintroduce good
sense when finding talent, not only check
for some words in CV.
Amit Serper, Cybereason: Having to find
the right soft skills, which will be just as
important as the right technical skills.
Paul Hoffman, Logical Operations: Differentiating between actually skilled workers and ones with puffed-up resumes,
but they may not care as anyone willing to
fight cyber attackers is better than no one.
Rajeev Chauhan: The vanishing line between ethical and unethical behavior in
the infosec community will be a matter of
growing concern.
Wade Lovell, Simpatic: A growing percentage of entrants into the security talent
pool will have absolutely no relevant job
experience.
Mayur Agnihotri: Nothing new, recruiters
fail to attract and retain cyber security
talent.
Andrew Bagrin, My Digital Shield: Separating the true talent from the rest.
Przemek (Shem) Radzikowski, Secbüro
Labs: Recruiters will find it tough to sift
through a torrent of opportunistic but
relatively unskilled candidates who want
to jump aboard the rise in pay commanded by quality security experts.
Nick Prescot, ZeroDayLab: Availability of
experienced consultants because none of
them are available.
Anthony Di Bello, Guidance Software: A
lack of practical experience. While education certainly provides an understanding
of systems and how to secure them, all
bets are off when they experience their
first live cyber-attack.
Dotan Bar Noy, Re-Sec Technologies:
Costs of talents will continue to increase
as demand is high and companies are recruiting less experienced talents and will
need to invest in training etc. According to
a recent report from DICE, a leading IT job
board, the top five IT security salaries are:
No. 1 – lead software security engineer at
$233,333; No. 2 – chief security officer at
$225,000; No. 3 – global information security director at $200,000; No. 4 – chief
information security officer at $192,500;
and No. 5 – director of security at
$178,333.
Mitchell Bezzina, Guidance Software: Those looking to place experienced cyber security specialists will find it difficult moving an individual into a new organization
with career development or ancillary benefits being part of the decision process.
It may well be easier to relocate teams
who have an understanding of each other
and efficient workflows. When looking to
place candidates transitioning into cybersecurity as a solution to talent shortage, a
more rigorous culling process will need to
be defined to ensure there is a great
rapport between manager and the new
candidate, this ensures a faster, more successful transition.
BroadTech Security Team: I cannot say for
large companies. Startups like ours take
freshers, guide and train them.
David Clarke, VCiso: Recruitment is a vulnerable 3rd party and they will need to
apply cyber standards, as well as find the
appropriate resources.
Elizabeth Houser, Praesidio: The realities
of the field versus how popular culture
continues to influence the perception of
cybersecurity will continue to be an issue.
CSI:Cyber isn’t likely to have the same
impact on job candidates to the extent
the CSI effect has impacted average citizens but there will be a definite ripple,
regardless of size.
Rick Blaisdell: The need for more cyberworkers also explains why info security is
considered one of the best jobs out there
- for the next seven years. U.S. News and
World Report ranked a career in information security analysis eighth on its list of
the 100 best jobs for 2015. They state the
profession is growing at a rate of 36.5 percent through 2022.
RECRUITMENT
What new challenges will people looking
for work in cyber security have to face?
Michael A. Goedeker, Auxilium Cyber Security: Payment expectations vs. reality.
Either you get more money working for a
big company that likely uses you up, or
you work for a startup and gain experience and knowledge to grow. Become lifelong learners or look for another job.
Przemek (Shem) Radzikowski, Secbüro
Labs: There is no substitute for experience. Be prepared to work hard and learn
fast because the security ecosystem is
changing far more quickly than other sectors.
Kris Rides, Tiro Security: It will still be
tough to stand out from the crowd, adverts will attract the masses meaning a
good quality experienced candidate's resume will be in the middle of a pile of people trying to move into cyber security.
Expect to see plenty of counter offers, it’s
not a new challenge but there will be a
distinct rise so it’s important to ensure
you have tried your utmost to get the
changes you require in your current job
before you start your search. If it takes
you to get another job before they give
you what you are looking for, you are
working for the wrong company.
It will also be important for candidates to
weigh all the benefits of job offers, expect
to see some good salary increases but
remember, there is a lot more to a job
than that. As Richard Branson was recently quoted, “Time is the new money.”
Richard De Vere, The AntiSocial Engineer:
People new to the industry or people looking to find that new role will have to
strengthen their knowledge of computing
in general and not rely so heavily on automated tools.
Irfan Shakeel, EH Academy: The hiring
criteria, people are more likely to get confused and they will focus on gaining the
certifications rather than studying and practicing. This will get them hired but at the
end, the organization will suffer the consequences.
Amit Serper, Cybereason: Not only are
threats and the external landscape changing, but given the rate of technology innovation, security teams need to rethink
how they structure their processes and
activities because perimeter based approaches are obsolete, and penetration is
inevitable.
Anthony Di Bello, Guidance Software: Certainly not a lack of competition in the job
market.
Andrew Bagrin, My Digital Shield: How to
defend against the new threats, how to
simplify and at the same time reduce cost.
We can’t continuously keep spending more and more money on security.
Dotan Bar Noy, Re-Sec Technologies: For
the next few years not much. They need
to keep up-to-date with industry development and solutions.
Julie Herold, Kenny Herold, Odin’s Eye:
Eventually a shortage of jobs and declining wages; cookie cutter vulnerability
assessments and penetration testing
(which really isn’t penetration testing).
We refer to it as hitting the big green “go”
button with automated web application
or vulnerability scanning tools and removing false positives and calling it a penetration test. As a result of this stance
from most IT Security companies, there
will be a lack of opportunities to grow in
this space with breadth and depth of
knowledge and offering additional value
to engagements.
Paul Hoffman, Logical Operations: It is not
new, but on-going; it is defending against
those things that you don’t know. Reducing risk and exposure in areas that are
unknown. Hackers are constantly looking
for new ways to breach security and companies are just trying to patch those
known areas.
Wade Lovell, Simpatic: Entrants will likely
find themselves in the security silo without many non-entrepreneurial opportunities to move to other parts of engineering
and development.
Stephan Conradin: They must open their
eyes and have great interest on what
happens just in left or right of them. We
could not have only one specialization, we
must have several and/or have a generalistic view.
BroadTech Security Team: There are so
many tools and using them is very easy.
But understanding the underlying technology is something lacking in people even
with certifications. People will need to
have more than certification if they need
to get work. People who do not have certification will have to show their experience and credibility in some tangible way.
Ondrej Krehel, LIFARS: New threats and
budgetary challenges as technology emerges.
Nick Prescot, ZeroDayLab: The balance of
qualifications vs. experience. There are
many consultants who are experienced
but don’t have the level of qualifications
and others who are well qualified but
don’t have the experience.
Mitchell Bezzina, Guidance Software: Proving their skillset can easily transition into
cybersecurity would be the main challenge. For those in developing careers, there
will be a steep learning curve which may
involve odd hours and be prepared to
“roll up the sleeves”, as with growing industries, managers rarely manage people
but must also take on work tasks and assist in day-to-day activities.
David Clarke, VCiso: A Cyber Role is a journey and the role has to match where the
client is their cyber maturity and position
it no longer a “finger in the leaking dyke”.
Dennis Chow, Millar, Inc Short: The problem of finding well-paying local security
positions as opposed to ones that require
relocation to high cost of living areas.
Wade Johansen, CouriTech LLC: Employers who look for talent often don’t understand just how talented an individual really is from a resume. Because every resume is filtered through an HR dept, often
by keyword - great prospects are skipped
over. Keyword resume searching has become the norm, often when you do get an
HR person who calls, they don’t understand the technical abilities of the prospective employee, and so they are often
overlooked when in reality they may be a
perfect fit. This is a challenge because IT
techs often are the worst at describing
what they know and do on a daily basis.
WHO IS WHO
Kris Rides
TiroSec, CEO and Founder
Kris believes that there is no substitute for building long term relationships with clients and you do
that by providing them a great service. This is his 16th year in the
recruitment industry and he has
built and managed both permanent and contract teams over multiple disciplines in both the UK and
all over the USA. Kris is passionate
about recruitment and still keeps in
touch with both people he placed
when he first started his career and
clients he worked with. He has
spent almost all of his working career in Tech recruitment and he
understands his candidates' needs
as well as the difficulties clients
have in some of these niche areas.
Elizabeth Houser
Praesidio Security Engineer
Security Engineer for Praesidio and
focuses on vulnerability assessments, incident response, and digital forensics. She is a graduate of
the University of Washington and
lives in Seattle. Her additional interests include malware analysis as
well as cyber threat intelligence
and serves on the Computer Information Systems (CIS) Advisory
Committee for Edmonds Community College in Lynnwood, WA.
Roberto Langdon
KPMG Sr Manager,
Forensic Technology
Services Risk Consulting
He has a wide experience in the
Information Security market, as
well as in the Forensic Practices
and Technology. He has 35 years
of experience previous to his position at KPMG, within
national and multinational companies, from IT & Telecomm sector, and 15 years of experience in Information
Security, Physical Security and Urban Security specialization.
Einaras Gravrock
Cujo, CEO
12 years digital commerce experience. Founded / built Modnique.com to $50M in annual sales. Named one of Goldman Sachs
100 most intriguing entrepreneurs
in 2014.
TRAINING
What role will formal education play in 2016?
Michael A. Goedeker, Auxilium Cyber Security: It always plays an important role in
research based jobs. Teaches how to do
research and work within specific requirements and times. Certification will never
replace a degree (IMHO). A degree is also
not everything either.
Wade Lovell, Simpatic: As the industry
matures, degrees and certifications will
play more of a role. This is a mistake.
Having held a number of certifications
myself, including the CFE (Certified Fraud
Examiner), I have little respect for their
ability to help practitioners stay up to date
and see them more as a gate preventing
some experts, especially young ones without corporate CPE and dues sponsorship, from appearing as competent as some of the corporate dinosaurs.
Irfan Shakeel, EH Academy: Formal education should play an effective role and we
need to make little tweaks in the formal
education. But, the formal education without the required amendments will not
play any notable role.
Chase Cunningham, Cynja: The more education that cyber operations personnel
can attain before they go looking for
work, the higher initial salary they can
garner. Thanks to increased specialized
training in the military and intelligence
communities, the need for actual degrees
is not completely necessary. However,
surveys show that the gap in starting pay
for those with advanced degrees is much
greater, by up to 40%, compared to those
with similar cyber skills but no formal education. In short—it pays to go to school.
Elizabeth Houser, Praesidio: Formal education will continue to be sought after but
the availability of online (especially free)
training resources will increasingly augment the education of individuals at all
skill levels.
Roberto Langdon, Nicolas Orlandini,
KPMG: The education will be very important in 2016, because we need to incorporate already skilled people for this activity
that can be very effective from the very
beginning of his/her job.
Nick Prescot, ZeroDayLab: Education will
become more formalised in 2016 where it
will be a training requirement.
Dennis Chow, Millar, Inc Short: There will
be an increase in positions requiring an
undergraduate degree to even apply. However, I do not believe there will be a large increase in requirements for ‘security’
specific degrees. Certification need will
also increase, as well, that teaches hands-on skills rather than conceptual only.
Stephan Conradin: Crucial, more education for more ability to work with complexity.
Paul Hoffman, Logical Operations: Formal
education will have to step up in some
capacity and in 2016 you will see some do
just that. But it will take time. Those institutions do not move very fast.
Amber Schroader, Paraben Corporation:
We have seen a change in a need for a
base training and understanding of the
principles associated with examination
that comes through formal education.
However, we see a deficiency when it comes to the ethics that are required to be
able to function in the field when it comes
to formal training.
Rajeev Chauhan: There can be no substitute for formal education, the formal
education provides the base for future.
However, exceptions can not be ruled out.
Ondrej Krehel, LIFARS: It’ll be more important, as curriculums are getting better, but
still not where it should be.
BroadTech Security Team: It will be an
important factor but not a deterministic
factor. Skill, experience & passion will win
over nonchalant formal education.
Anthony Di Bello, Guidance Software: This
depends on the ability for universities to
find qualified instructors and develop meaningful curriculum. Given the salaries
associated with skilled cyber pros, I can
see how attracting qualified educators in
the field will be challenging. Perhaps
universities can turn to their own internal
information security teams for assistance
in this area. Universities that offer meaningful cyber programs can be expected
to play a big role.
Wade Johansen, CouriTech LLC: In the U.S.
it is starting to gain more ground now. The
federal Govt has started giving grants to
more colleges to develop Cyber Technology and Security programs and degrees.
For many colleges, this is the first time
they’ve ever had real Cisco or cyber security labs and not just textbooks and desktops. It’s a big leap forward.
Andrew Bagrin, My Digital Shield: Just adding head count in the industry. The security industry requires experience and
knowledge about hacking, networking and
coding.
Przemek (Shem) Radzikowski, Secbüro
Labs: It is difficult to see formal education
disappearing completely, but in general, it
has been slow to incorporate cybersecurity trends within their curricula. It’s not
uncommon for university curricula to remain static for many years because of
their reliance on published textbooks.
David Clarke, VCiso: Education needs to
start in schools, the gap between schools
and IT is getting bigger, Cyber Security is
misunderstood.
Julie Herold, Kenny Herold, Odin’s Eye:
We think, based on the previous answers,
we won’t quite yet see the results this
year.
Will certification keep its role as the main
tool to confirm skill and expertise?
Michael A. Goedeker, Auxilium Cyber Security: They are important but experience
is more important. Certs don’t guarantee
success but combined with experience
through using taught concepts in projects
is an indicator.
Wade Johansen, CouriTech LLC: For now,
yes! Because most college degrees don’t
prove skills in the field, or because the
requirements of the degree may use
outdated resources, there is a tendency
now to look for certified professionals
such as VCP, CCNA, MCSA, C|EH, etc.,
which shows the skills are currently relevant to an architecture or model.
Rick Blaisdell: Yes, that’s for sure. The
2015 CompTIA study HR Perceptions of IT
Training and Certification revealed that:
• 65 percent of employers use IT certifications to differentiate between equally qualified candidates
• 72 percent of employers use IT certifications as a requirement for certain job roles
• 60 percent of organizations often use IT certifications to confirm a candidate's subject matter knowledge or expertise
• 66 percent of employers consider IT certifications to be very valuable - a dramatic increase from the 30 percent in 2011.
Przemek (Shem) Radzikowski, Secbüro
Labs: I’ve met many highly-certified people who have turned out to know very
little. All too frequently, certifications
only test knowledge but not the candidate’s ability to apply the concepts in real
world situations.
Dennis Chow, Millar, Inc: Yes, certifications will complement and evolve to help
maintain the attestation of a certain level
of skill. However, we will see more interviews and other candidate requirements
to prove hands-on experience through
‘practical’ assignments.
Dotan Bar Noy, Re-Sec Technologies: Certification plays an important role ensuring
your team is up to speed with new solutions and encounters other professionals
to share ideas and feedback on the different solutions.
David Clarke, VCiso: The idea that a five-day
training course means we have cyber
skills, any more than learning to drive from
a multimedia training course is valid, we
need the equivalent of medical interns,
Barristers’ Pupillage.
Rajeev Chauhan: To some extent, certifications are benchmarks for judging capabilities, but there is no substitution for
hands-on skills.
Amber Schroader, Paraben Corporation:
Yes, certifications are a necessity as they
allow for the specialization in the industry
that can only be done through specific
certifications.
Paul Hoffman, Logical Operations: Certification will continue to play the primary
role in confirming expertise.
Ondrej Krehel, LIFARS: I think work experience is the real key, certs are more of a
minimum knowledge.
Andrew Bagrin, My Digital Shield: I think
certification has already dated itself and it
won’t get any better. Accomplishments
and understanding of core principles is
what I look at.
Anthony Di Bello, Guidance Software:
I hope not. I believe practical experience
and red/blue team exercises should be
the main tool to confirm skill and expertise in this field.
Stephan Conradin: Yes, but certification
will have to adapt to new complexity.
When I got my CISSP, I had a question
about the height of the fences. It is always
a good question but now our data is more
in the cloud and less protected by fences.
Elizabeth Houser, Praesidio: Likely yes, as
the desire for certifications has been consistent over the years and most people
are comfortable with that benchmark.
Wade Lovell, Simpatic: I hope not. I prefer
directly testing candidates and reviewing
their code and thought process.
Roberto Langdon, Nicolas Orlandini,
KPMG: Certification is a must to provide
calm and confidence to the clients, that
the people involved in the investigations
and data acquisitions, are recognized professionals to do that, keeping the security
triad CIA (Confidentiality, Integrity and
Availability) of all the information gathered and processed.
BroadTech Security Team: Certification
even now is not the main tool to confirm
skill and expertise for CEOs & HRs who
care about business. But vendors will push
for certification since it is another recurring revenue generation market due to its
expiry date.
Chase Cunningham, Cynja: New certifications, like those from ISACA’s CSX program, will start to slowly replace some of the “cookie-cutter” certifications that have typically garnered more interest. Recruiters are
hiring personnel and senior managers with active performance based certifications at a higher rate than
before. The old paradigm of studying for a certification and passing it will start to go away. If one can’t actually conduct the task then they won’t get certified. Another way to put it, people prefer doctors who have
practiced their medical skills on patients rather than simply reading books and passing exams. The same is
true in cybersecurity.
Julie Herold, Kenny Herold, Odin’s Eye: We’ve always been jaded with regards to an acronym that states
you can memorize information so we feel that any answer would be biased. Your work experience and end
product should be the proof of your level of expertise as well as your ability to convince your client that A.)
You know what you are talking about and B.) You can execute at that level. For clients that rely on the certifications as a compass to navigate through the many vendors with these types of services, they do have
their place.
Will we see a more unified
standardization of education and skills?
Michael A. Goedeker, Auxilium Cyber Security: I hope so, everyone has their
“own” standard and it's very hard to judge
one cert from another. However “Cyber”
and security, in general, are very dynamic
which makes standardization extremely
hard to achieve.
Wade Lovell, Simpatic: Yes, but it won’t be
helpful for the reasons discussed above
and because graduates of the new degrees in cyber security seem to be primarily
learning Java and have little time on the
keyboard with other languages.
Przemek (Shem) Radzikowski, Secbüro
Labs: The security ecosystem is becoming
highly specialized and new niche areas are
emerging each year. If anything, we will
see further fragmentation of education.
Stephan Conradin: Not sure. Standardization doesn’t mean quality. We need big
certifications, like those of ISACA or (ISC)2
but we need to use very specific certifications very close to technologies.
David Clarke, VCiso: No, unfortunately,
not for a long time.
Julie Herold, Kenny Herold, Odin’s Eye:
We foresee, with the increase in demand,
that education will start at lower stages of
the education systems which would standardize and unify approach and delivery.
Andrew Bagrin, My Digital Shield: I doubt
it. Security changes too often because the
threats continuously change. So it will be
hard to have a standard training that will
last.
Nick Prescot, ZeroDayLab: Not in 2016 but
as a growing trend over the years.
Mitchell Bezzina, Guidance Software: Yes,
as industries mature, standards will emerge across disparate training and larger
cybersecurity training organizations will
devote time to university course curriculum.
Paul Hoffman, Logical Operations: I don’t
believe we will see standardization beyond the NIST and NICE efforts for a while.
Once those standards take hold, we will
move to the next level.
BroadTech Security Team: In information
security, it is important to have ground
work in standardization of education to
eliminate gaps in topics. But once the foundation is made, standardization of skills
would be stupid because hackers don't
attack your standard way nor can you ask
a hacker to be certified before he attacks.
Hackers are (I mean the good ones) creative (Kaspersky breach) and after the
standardization of education on fundamentals, InfoSec professionals should be
able to think creatively in order to counter
non standard attacks.
Wade Johansen, CouriTech LLC: Yes, this is
already happening today in the U.S. As the
federal Govt is standardizing its own networks, the skills they are looking for in
high tech field employees have evolved.
Because there has been a lack of qualified
candidates, they have begun to fund colleges and universities to develop those necessary skills in students or offer continuing education courses for workers who
are looking to enhance or upgrade their
skills.
Ondrej Krehel, LIFARS: I think so, but
diversity isn’t bad either.
Will online courses influence the level of
education in security field?
Michael A. Goedeker, Auxilium Cyber Security: Online courses will grow in importance as we see companies limit travel
expenses. Online training will also let people learn at their own pace.
Paul Hoffman, Logical Operations: To some degree, of course.
Ondrej Krehel, LIFARS: I believe they will
dilute the talent pool, as people who
would go remote could just learn on their
own.
Irfan Shakeel, EH Academy: Yes, online
courses are the rich source to get the basic training & education. Online courses
will influence the infosec education.
Stephan Conradin: Online courses are more adapted to time of life, it is easier to
find time to learn online. But presential
courses are important to share with other
professionals.
Wade Johansen, CouriTech LLC: They already are. Most students I know are already
taking online courses. It opens up a world
of opportunity. You can now also get an
accredited degree completely online and
the adoption rate of this model is growing
quickly.
Wade Lovell, Simpatic: Only if there is a
complete change in the way course content is created, curated, and sold. For
example, Cisco or Microsoft could be incredibly influential in the level of education in the security field had they not made education and certification profit centers.
Przemek (Shem) Radzikowski, Secbüro
Labs: Although I have a number of formal
credentials, I think online courses provide
a tremendous service to the industry by
making security education easily and
cheaply obtainable to anyone who wants
it. That’s a positive. The negative aspect
of online courses lies with their clumsy
way of proving that the student has passed the material – it still hinges on an honours system.
Andrew Bagrin, My Digital Shield: Yes it
will, but not the quality of people. The
same reason as above. Security is not something on its own, but security needs to
be applied in all areas (networking, development, process, etc.).
BroadTech Security Team: Yes, especially
free online courses are going to play a big
part.
Mitchell Bezzina, Guidance Software: Yes,
the base level of knowledge should increase.
Nick Prescot, ZeroDayLab: Not really.
Julie Herold, Kenny Herold, Odin’s Eye:
Yes, as traditional colleges begin to move
more towards the “trade” skill fields, the
hands on training will inevitably be supplemented with online courses.
WHO IS WHO
Wade Johansen
CouriTech LLC, CEO and Founder
I’ve worked in the IT industry since
1982 and have been a high level
systems engineer for more than 10
of those years. I also taught as an
IT course instructor for 8 years.
I currently hold CISSP, HCISPP,
C|EH, CHIT, WG-WCSP, CCSP but
have also held over 25 certifications lifetime such as MCSE, CNA,
Server+, Net+, Sec+, SCP, SCNA and
more. I spend much of my time
integrating and merging business
domains and large scale environments, and improving network security. My specialities are Active
Directory migrations for healthcare, banking, and various other industry verticals.
Andrew Bagrin
My Digital Shield (MDS)
Founder and CEO
Andrew Bagrin is the Founder and
Chief Executive Officer of My Digital
Shield (MDS), a leading provider of
Security-as-a-Service (SECaaS) for
small businesses. With more than
18 years of experience in the IT security industry, Andrew started
MDS in 2013 to bring cloud-based,
enterprise-level security technology
to small businesses at an affordable
price. Prior to founding MDS,
Andrew served as the Director of
Service Provider Business Development at Fortinet, a network security provider. He held the position from 2008 until 2013, focusing
on new security offerings as well as
gaps in the security market.
Andrew’s career in IT security began in 1997, working for several
network security consulting companies. From 2000 to 2004, he served
as the Director of Network and Security with Regal.
Chase Cunningham
Cynja, CTO
Chase Cunningham serves as CTO
and fights bad guys in cyberspace.
He began his Cynja training serving
in the U.S. Navy, where he worked
as an analyst in the Department of
Defense’s network exploitation
program. He lives in Texas with his
two young cyber warriors Callie
and Caelyn. He earned a B.S. from
the American Military University,
and an M.S. and a Ph.D. in information systems security from Colorado Tech University.
Rajeev Chauhan
C|HFI, C|EH, BSc, BTech IT & Comn, MS Cyber Law and
Cyber Security. Cybersecurity enthusiast, Independent
Researcher, trainer, consultant and blogger at Cyberoxen. Loves golden oldies.
THREATS
What threats that emerged in 2015 will
remain relevant in the next year?
Leon Kuperman, Zenedge:
• Targeted, advanced threats focused on specific organizations (called APTs) – threat actors are well funded, patient and utilize a combination of techniques to infiltrate an organization (including physical, social engineering and standard network and cyber attacks).
• Advanced botnets, using Layer 7 DDOS attacks over HTTPS (hard to mitigate) – this trend will continue in 2016 and we will see the next iteration of weaponized zombies with near-browser like capabilities.
• IoT – Connected devices with OS’s running on them, with vulnerabilities exposed at an unprecedented rate.
• DDOS attacks for Bitcoin.
Shay Zandani, Cytegic:
• Attacks to steal PII, medical data and sensitive information will continue to be a major concern – not only for the “usual” targets but also for “new types” of targets, such as municipalities, online gaming platforms, tier-2 retailers, production lines, etc.
• SCADA and ICS attacks will continue to grow and become a major threat to critical infrastructure, but also for plants, production lines.
• Ransomware is likely to continue to evolve and remain mainly a nuisance.
Rajeev Chauhan: Zero-day vulnerabilities,
clickjacking and ransomware.
Einaras Gravrock, Cujo: IoT. It’s going to
get worse before it gets better. IoT penetration is growing at a high multi-digit rate
and device makers continue to be unprepared for security challenges.
Michael A. Goedeker, Auxilium Cyber
Security: “Cyber” Espionage, Warfare and
their influence on new technology in
“Cyber” Crime. Increased attacks on personal data in government, increased
attacks on critical infrastructure, increased
corp espionage by nation states, lack of
actionable intel in threat intelligence products.
Kris Rides, Tiro Security: As more companies move towards cloud services, the
attack surface is increasing. I think we will
see more sophisticated attacks targeting
cloud service providers. I also think the
assumption made by many companies
that moving to the cloud pushes security
issues to these services providers, alongside with companies running hybrid systems, will leave gaps in their security posture.
Dennis Chow, Millar, Inc: Phishing and
Social Engineering based attacks combined with insider threat based breaches.
Mayur Agnihotri: Good Malware Never
Dies, Fidelis in a recent report as a
"reincarnation" of previous malware. Not
only can Java-based JSocket control Linux,
Mac and Windows PC systems remotely,
but the malicious code is also able to
affect mobile devices.
David Clarke, VCiso: Security personnel
reporting lines reporting to IT, Cyber Security is there to protect against bad things
happening, surely this should report to
the highest level.
David Coallier, Barricade: Whilst ransomware will probably continue to be used (as
they are wildly successful for criminals), I
am bullish on the new threat landscape
around the Internet of Things. There are a
lot of devices which access vast amounts
of personal and private information, as
well, becoming more intrinsic to your everyday life (i.e. connected cars) and yet, the
security of most of these devices is fickle
at best.
Dotan Bar Noy, Re-Sec Technologies: Unfortunately, enterprises are still not protected from 2015 threats to worry about
2016 ones. We will still see content based
attacks containing APT, Phishing, Ransomware and many more zero-days. Threats
will continue to use sophisticated delivery
mechanisms that will allow them to perform updates and evolve over time.
Paul Shomo, Guidance Software: Malware
designed primarily for long term command-and-control, such as Remote Access
Trojans (RATs), will continue to be the
bane of incident responders’ existence in
2016. It’s such a simple matter to create a
new version of a RAT in minutes and they
offer the advantage of being unique and
therefore bypass signature and policy based detection methods, relying heavily on
technologies with deep endpoint visibility.
These tools will form the cornerstone of
incident response and security alert triage
and validation.
Rick Blaisdell: Wearables - Although most
wearable devices store a relatively small
amount of personal information, wearable platforms could be targeted by cyber
criminals working to compromise the
smartphones used to manage them. The
industry will work to protect potential
attack surfaces, such as operating system
kernels, networking and Wi-Fi software,
user interfaces, memory, local files and
storage systems, virtual machines, web
apps, and access control and security software.
BroadTech Security Team: Threats in the
IoT sector, Compromising Anti-virus to
take over systems, Rogue drone causing
damage. SSL vulnerabilities until OpenSSL
is fully replaced by LibreSSL.
Roberto Langdon, Nicolas Orlandini,
KPMG: Although the Banking and Financing sector is a common practice to search
for suspicious operations, in order to detect money laundering, frauds, etc., in the
rest of the market segments there are no
special organisms with the same responsibility, so the corporate and government
organizations need to find a confident
advisor to help them in this arena. Frauds
are not exclusive for Banking and Financing institutions.
Nick Prescot, ZeroDayLab: As with the M-Trends Report, the main APT groups around hacktivism, state-sponsored actors
and organised cybercrime aren’t going to
go away any time soon. The re-publishing
and distribution of open source hacking
tools is a lucrative market for amateur and
veteran threat actors alike, with organised
cybercrime groups utilising younger individuals as smokescreens for larger-scale, in-depth attacks (i.e. Talk Talk, Oct. 2015).
Przemek (Shem) Radzikowski, Secbüro
Labs: We saw some interesting reflection
and amplification DDoS attacks this year,
in particular those using Simple Service
Discovery Protocol (SSDP). The SSDP
attack vector was possible as a result of
millions of unsecured home-based Internet-connected devices which use Universal Plug and Play (UPnP). These were
used as SSDP reflectors. Their sheer scale
of numbers and passive availability will
likely continue through 2016.
Andrew Bagrin, My Digital Shield: APT didn’t emerge in 2015 but they will continue
to grow and get worse, and they will start
to overlap with IoT threats as IoT grows.
Kenneth C. Citarella, Guidepost Solutions:
Every threat that emerged in 2015 will
remain relevant. Unless known security
weaknesses are corrected, we will continue to be victimized by the same techniques that have worked previously.
Stephan Conradin: Cybercrime did not
really emerge in 2015 but it is clear now
we are in cyberwar, with a lot of enemies
and no more aliens.
Craig McDonald, MailGuard:
• Ransomware. In 2016, inexperienced cyber criminals will jump onto the ransomware-as-a-service offerings, and accelerate the growth of ransomware. Anonymizing networks and payment methods will continue to fuel ransomware’s rapid growth path.
• Cloud services. Weak or ignored corporate security policies make cloud services easy targets for cyber criminals. The payoffs are big -- confidential business information, customer data, organizational business strategies, company portfolio strategies, next-generation innovations, financials, acquisition and divestiture plans, employee data and other data.
• Attacks through employee systems. When organizations do improve their security, attackers shift their focus to their employees, especially insecure home systems, to gain access to corporate networks.
• Warehouses of stolen data. Stolen personally identifiable information sets are linked together in big-data warehouses; combined records are more valuable to cyber attackers. Watch the dark market for stolen personally identifiable information and usernames and passwords boom in the coming year.
• Hardware. Attacks on all types of hardware and firmware will continue. The market for tools that make them possible will expand and grow. Virtual machines could be targeted with system firmware rootkits.
• Wearables. Most wearable devices store a small amount of personal information, but they are desirable targets because of the smartphones used to manage them.
• Cars. Connected automobile systems that fail to meet best practice security policies in areas are tempting targets. These include vehicle access system engine control units (ECUs), engine and transmission ECUs, advanced driver assistance system ECUs, remote key systems, passive keyless entry, V2X receiver, USBs, OBD IIs, remote link type apps and smartphone access.
Julie Herold, Kenny Herold, Odin’s Eye:
Continued focus on previous assumptions
of lower level security in protocol stacks;
as the theoretical attacks are becoming
more and more probable and exploitable
for nation states and other organizations
with computational power exceeding the
norm. Continued focus on open source
code and taking advantage of a lack of
review on said code.
Gerald Peng, Mocato: Personal Information hacking, Cyberterrorism against
private and public entities, Cloud computing vulnerabilities, Mobile device exploitation, Credit card fraud via card-not-present (CNP) technology, Phishing, Malware, Ransomware, Connected device
hacking (e.g. medical equipment, cars),
State sponsored hacking, Mobile phone
vulnerabilities.
Ondrej Krehel, LIFARS: Better ransomware.
Wade Lovell, Simpatic: Ransomware, Wire Fraud, Hacking into databases and
offering customized searches on Personally Identifiable Information as one Vietnamese national did who had access to data
on 200 million U.S. Citizens.
Wade Johansen, CouriTech LLC: Botnets & CryptoLocker.
Which threat group will see
the biggest growth in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Cybercrime that works with nation
states for corp espionage and warfare
(even though it is cyber war and espionage, nations will (hide) behind cyber crime). In addition, depending on how we
resolve terrorism, we could also see Cyber
Terrorism growth as well.
Roberto Langdon, Nicolas Orlandini,
KPMG: The global erosion of values, morals, and responsibility, are affecting
strongly the organizations who suffered
frauds, money deviation, information
theft, manipulation of information in order to obtain personal benefits against
the organization objectives, taking advantage of higher hierarchies or powered positions inside the company.
Dotan Bar Noy, Re-Sec Technologies: Guessing from the past year, ransomware
and specifically cryptolocker are the ones
most of us will encounter this upcoming
year. We will see and hear more about
new targets such as cars, etc.
The dream of easy money is driving people without loyalty and moral values to
take advantage of these “opportunities”.
Seeing packets of 50,000 credit cards stolen information on the Dark Web on sale
for two or three thousand dollars is just
an example.
Besides that, as in some organizations, the
information gathering and storage is not
well addressed when it comes to accomplishing security policies, the rest of the
delinquent eco-system is ready to participate.
Shay Zandani, Cytegic: The tier-2 financial
hacker groups, which now are able to buy
“off the shelf” exploit kits and advanced
attack methods, will continue to evolve.
As such, the proliferation of advanced
tools will continue this year.
Przemek (Shem) Radzikowski, Secbüro
Labs: I think it’s worth keeping in mind
that 300+ Gbps DDoS attacks will become
the norm and may start to see sustained
500+ Gbps attacks. We should also be prepared to see a rise in DDoS attacks which
act as a smokescreen for the “real” or
“secondary” attack and ultimate exfiltration of data.
Rick Blaisdell: I personally worry about the
possibility of U.S. infrastructure becoming
the next major target of cybercriminals.
Attacks on all types of hardware and
firmware will likely continue, and the market for tools that make them possible will
expand and grow. Virtual machines could
be targeted with system firmware
rootkits.
Kenneth C. Citarella, Guidepost Solutions:
It is impossible to predict which threat
group will be most prominent in 2016.
There are too many variables, such as
“who” they target, what vulnerabilities
that target has and what kind of data is
accessed. But the sophistication of many
attackers is steadily growing, so we should
not be surprised by continuing reports of
successful intrusions.
Craig McDonald, MailGuard: Spear phishing. Targeted, specific email phishing
scams whereby the sender is impersonated, rendering the email content to be
more compelling to the recipient who
knows the ‘purported’ sender. Staff within
an organisation will wire transfer large
sums of money for instance, believing the
CEO or CFO has asked directly for this
transaction to occur.
Integrity attacks. Stealthy, selective compromises to the integrity of systems and
data are on the rise. Attackers seize and
modify transactions or data for their own
purposes, such as changing a victim’s direct deposit settings and having their paycheck deposited into a different account.
BroadTech Security Team: IoT in health
care, oil plants, power grids, nuclear facilities, etc.
Wade Johansen, CouriTech LLC: Mobile
device security.
Andrew Bagrin, My Digital Shield: IOT because the industry is really growing without any defenses.
Julie Herold, Kenny Herold, Odin’s Eye:
Divulgers of dox attacks or pro-privacy
groups based on anti-government, anti-corporation, anti-organization, anti-X motivations for smear campaigns or pro-privacy groups.
Gerald Peng, Mocato: I believe that personal information, especially located on
mobile phones and social media channels,
will continue to be the main targets for
cyber attack and cyber fraud.
Nick Prescot, ZeroDayLab: Phishing and
malware.
Stephan Conradin: Theft of sensitive data.
Wade Lovell, Simpatic: Spear phishing,
which is an email phishing attack customized with your information so that it appears legitimate.
Paul Hoffman, Logical Operations: Health
Care. Vital records about a person that
never change are the most valuable information being sold.
Ondrej Krehel, LIFARS: As always, phishing.
Leon Kuperman, Zenedge: IoT Device Vulnerabilities.
David Clarke, VCiso: The threat group that
is the biggest already is inadvertent human error “PWC” 95% of all incidents.
Can you see any old and forgotten
threat coming back in the next year?
Michael A. Goedeker, Auxilium Cyber Security: Always, many attacks come back
after people forget them, or they are repurposed and updated.
Stephan Conradin: We have cloud, IoT,
BYOD questions and people are thinking
the virus front is safe now, but they are
still there, more and more polymorphics
and hard to detect.
Leon Kuperman, Zenedge: Potentially; for
example, there are still many implementations of SSLv3 running, and those are susceptible to POODLE. Old attacks could
come back in a slightly modified form.
Craig McDonald, MailGuard: New malware but the same old tactics. Social engineering and malware infection are the most
common tactics used by cyber criminals.
Survey scams on social networking sites,
phishing and spear phishing emails for
corporate employees, and fake links on
search results are successful at the moment.
Cybercriminals are constantly
morphing their malware and their social
tricks – faster than victims can identify
them and protect themselves.
Rick Blaisdell: Phishing is not new, but it
remains a top threat in the coming year.
The Global Phishing Survey of the Anti-Phishing Working Group (APWG) found
that in the last six months of 2014 alone,
there were approximately 124,000 unique
phishing attacks worldwide, which occurred on more than 95,000 unique domain
names.
Dotan Bar Noy, Re-Sec Technologies: No.
I believe traditional security measures
offer a sufficient protection from old threats. The challenge will be to battle new
types of malware and techniques.
Alina Stancu, Titania: Heartbleed, Poodle
and other critical vulnerabilities will resurface as recycled code is being used in
other applications.
Mayur Agnihotri: HACKTIVISM with more
dangerous faces, and in the present scenario, we see most of the attacks are under Hacktivism, like LulzSec and one more
name is added #ISIS.
Dennis Chow, Millar, Inc: Stego and Covert
Channel Signaling.
Przemek (Shem) Radzikowski, Secbüro
Labs: Brute force attacks have virtually
disappeared, but with the proliferation of
cloud applications, “Low and Slow” Brute
Force attacks have been gaining popularity. The dispersed nature and scale of
cloud resources makes possible their use
to launch distributed “low and slow” brute force attacks without triggering alert
thresholds.
Mitchell Bezzina, Guidance Software: Physical attacks will make a come-back in
2017, where a combination of physical
presence will be the easiest entry into an
organization. 2016 will focus on individual
awareness and closing gaps in cybersecurity strategies.
Wade Johansen, CouriTech LLC: PKI trusts
- inherently trusted and ultimately insecure.
Richard De Vere, The AntiSocial Engineer:
Without doubt, the largest rise will be seen in social engineering techniques. A lot
of security has evolved now to the point
that only the very smartest and determined criminals hack anything worth hacking. Social engineering techniques will
help criminals to get the access they desire.
Anthony Di Bello, Guidance Software: Certainly. There are already old and forgotten
threats still prolific throughout the world;
see Conficker. The cybersecurity industry
ebbs and flows with technology from both
the attackers and defenders, this year saw
proliferation in POS intrusions and Phishing, while these attack types remain
“easy”, they will continue, however, new
defense technologies of these attack types will force attackers to pivot and define
other entry types.
Ondrej Krehel, LIFARS: I don’t think there
are any really forgotten techniques, as
hackers keep a large toolbelt. Maybe more into COBOL and Fortran as NASA put it
back into the limelight.
Wade Lovell, Simpatic: Yes, EXE injections, for example, are making a comeback and many advanced persistent threats likely remain undiscovered. Macro
malware in MS Office documents attached
to emails are also on the rise as an attack
vector.
Einaras Gravrock, Cujo: The nature of
threats has not changed over the last couple of decades; devices and networks
have. We will continue seeing old attack
methods aimed at new device types.
Andrew Bagrin, My Digital Shield: I don’t
think so. I think the threats have grown up
quite a bit.
David Clarke, VCiso: Yes. Inadvertent human error, been around for ever, Enigma
was cracked because of this.
THREATS
Will threat landscape be affected by international efforts to combat terrorism?
Mark Bennet, Blustor: The debate between the need for intelligence agencies to
decrypt data being communicated between potential terrorists and the public’s
right to privacy will continue to rage.
Overreaching government agencies have
abused their ability to collect data on citizens with little oversight by legislatures or
the judiciary. Restricting the transfer or
development of encryption technology
will have little impact on a terrorist organization to illegally obtain those capabilities but it will significantly restrict the ability of law abiding citizens to protect their
own privacy. The proposed “backdoors”
that some officials are calling for to enable
intelligence agencies to covertly access
encrypted communications will also make
those same devices vulnerable to hackers.
There is no such thing as a “backdoor”
that only the good guys can use.
Nick Prescot, ZeroDayLab: Governmental
supervision via traffic analysis, etc., has
become more prevalent in the public eye,
and – as with recent proposed surveillance legislation – may only continue to further public perception of ‘state snooping’
of their online activities. As such, encrypted / obfuscated networks such as The
Onion Router (TOR) may be utilised more
by the general public who may not know
the ramifications of using such tools, making them vulnerable to malware attacks
and vulnerabilities as yet unknown to signature-based anti-virus systems (i.e.
OnionDuke).
Dotan Bar Noy, Re-Sec Technologies: Cyber terrorism becomes the new frontier
and terror organizations. The growing impact of cyber space on recruitment and
public opinion will mean that much of the
war against terrorism will take place in
the cyber space.
Einaras Gravrock, Cujo: Yes. I think
governments all over the world have made cyber security among their top priorities. Their funding has trickled down to
the private sector. This sort of positive
attention from the government will fuel
the private sector.
Leon Kuperman, Zenedge: Yes, terrorists
will use all means possible to achieve their
objectives, including cyber-security vulnerabilities. Right now, terrorists are focused
on physical targets for the most part,
using technology as an enabler. In 2016
and forward, targets will include cyber-assets as the primary goal of terrorist
campaigns.
Stephan Conradin: I think the war is already here and due to our growing cyber-dependencies, it is clear cyberterrorism is
a good weapon.
Craig McDonald, MailGuard: Although this was a hot topic two or three years
ago, it’s no longer attracting a lot of attention. The internet and social media are
used as a recruitment tool and a weapons development training ground. Two key
areas of cybercrime will be affected by the war on terror:
• A market for false identities: Criminals use stolen or false identities to perpetrate frauds and establish
business structures and companies to launder money. Identity crime is also used
to commit welfare, tax and other fraud against government agencies, to gain
unauthorised access to sensitive information or facilities, to conceal other criminal
activities such as drug trafficking and procuring child exploitation material, and
even to facilitate the commission of terrorist acts.
• Rise of data mining: Increasing commercialisation of data from Twitter,
Facebook and LinkedIn for data miners for all purposes including terrorism.
Ondrej Krehel, LIFARS: I don’t think so.
Nation-states and terrorist groups make up
a small minority of breaches. It’s really
people out for the money.
Alina Stancu, Titania: If legislation is passed in the wake of terrorist provoked tragedies, there will be significant changes in
how future threats will be delivered. It will
probably drive the criminals underground
and there will be more channelling
through Virtual Private Networks, proxy
servers, and Tor.
Michael A. Goedeker, Auxilium Cyber Security: Yes, they will likely increase hacktivism and cyber terrorism before they
reduce them. Terrorism will show the weaknesses of How? When groups do not
work in a coordinated way, they will be
disorganized and this disorganization
could be used to hack certain countries. In
addition, we could see the dawn of a new
job title Anti-Cyber Terrorism Consultant/
Analyst. Weaknesses in the way security
people are trained will show here as we
will see a need for more hacking skills in
all computer security related jobs in the
future. Security teams can only protect
what they know will be attacked and how
it will be attacked.
David Clarke, VCiso: Yes it may speed up
legislation to make IT Safe.
BroadTech Security Team: The international effort to combat terrorism will be controlled by politics, fear, greed and national
interests. So how the landscape will change is not predictable. More than technology, the above mentioned factors will
dominate in shaping it.
Kenneth C. Citarella, Guidepost Solutions:
Terrorist attacks and counter-terrorism
will continue to engage in cyberspace.
Terrorists will try hard to move past mere
website defacing and to create the same
type of physical harm through compromising systems that they attempt through
kinetic attacks. We cannot assume they
will lack the initiative or capabilities to
attempt infrastructure intrusions, especially if they are not succeeding through
conventional efforts.
Shay Zandani, Cytegic: Yes, the international efforts to combat terrorism and cyberterrorism are equivalent to a “whack-a-mole” game – with every hit, the attackers
pop back in a different location. The
efforts to control encryption and to hunt
down terrorists will demand innovation
on the terrorist and hacker side, as we see
these days.
Wade Lovell, Simpatic: Yes, it will. Nation
States are becoming bigger players in cybercrime, although they call it something
else. Under “the ends justifies the means”
argument, countries have recorded all
content, required they be allowed top
level certificates, etc. If countries cooperate in their data gathering and analysis,
there could be a decrease in terrorism
funding and mobility while the freedom of
the non-terrorists are eroded in lockstep.
Andrew Bagrin, My Digital Shield: I believe
so. In any type of battle, resources such as
communications and supplies are always
hit first to reduce the power of the enemy. Misinformation is also a strategy.
Wade Johansen, CouriTech LLC: Definitely,
the landscape evolves to new levels every
day. How? Anonymity is still a key. Terrorist networks no longer require social media from the typical resources to operate
efficiently, although recruitment will continue to happen across these mediums.
Once an individual is involved in the social
aspect, they will be able to use a completely new private version of Facebook,
Twitter, etc., which is non-dependent on
the current world's social media
platforms. Independence for these
platforms will evolve.
Roberto Langdon, Nicolas Orlandini,
KPMG: Cyberterrorism is becoming more
equipped and informed, to help their objectives be carried out, no matter where
or in which country it can be done. Cyberspace is the new war scenario where we
are almost in a new world war. And Forensic services needs to be a must to be
covered by all the Army Forces and Security Forces. If they are not self-sufficient,
KPMG is ready to help, worldwide.
Gerald Peng, Mocato: Absolutely. Firstly,
nation states are exploring options for
tactical cyber response or offense. This
adds a complexity which will impact strategies developed and resources deployed
to fighting terrorism. Secondly, terrorists
use mobile and social media technology
to recruit, organize themselves and to
intimidate others. The efforts used to
combat those domestic and international
threats may result in a decline in personal
freedoms and an increase in investigations of citizens, thereby diluting counterterrorism resources.
Julie Herold, Kenny Herold, Odin’s Eye:
Not any more than it already has been,
everything is in motion already.
THREATS
Will cyber security in healthcare remain a relevant topic?
Elizabeth Houser, Praesidio: Definitely.
Several high profile breaches within the
healthcare industry during 2015 indicate
that the adoption of necessary tools and
practices isn’t occurring quickly enough.
Dennis Chow, Millar, Inc: Yes, PHI is worth
more than PCI data at present on the
black market. Additionally, any compromise or damage of patient care based systems could potentially affect lives. There
is increasing evidence of terrorism linked
with cyber related crime.
Roberto Langdon, Nicolas Orlandini,
KPMG: And related to healthcare information protection, this market segment was
identified as one not making the necessary investment in information technology
security, and most of healthcare service
providers are in a high risk to be attacked.
This was advised by the FBI at least three
or four years ago. We are seeing the healthcare sector as one of the most ill-prepared to prevent, detect and respond
to a cybersecurity incident, such as a data
breach. Considering they store tons of
sensitive information such as PII and PHI,
this becomes (and it is happening right
now) a perfect storm situation.
Kenneth C. Citarella, Guidepost Solutions:
Cyber security in healthcare systems will
be a most relevant topic to both industries. Health care networks contain all
the data necessary to steal identities for
economic fraud as well as to obtain unwarranted health care services by assuming the identity of an insured party. The
continuing adoption of electronic health
records will only contribute to this problem unless adequate security is built into
the records system from the ground up.
In addition, more and more medical devices will be accessible online, yet they
often continue to operate with outdated
and insecure software. The possibility for
online tampering to target a patient’s health or life must be anticipated and addressed.
David Clarke, VCiso: Yes. Healthcare, councils and charities still top the list for
breaches.
Nick Prescot, ZeroDayLab: This will grow
as the implementation of the Data Protection Act will come into force.
Shay Zandani, Cytegic: Healthcare will
continue to be a lucrative target for attackers, targeting PII and medical information.
Leon Kuperman, Zenedge: Yes – It’s a critical data asset that remains exposed,
exploitable and monetizable (from an
attacker’s perspective).
Wade Johansen, CouriTech LLC: Absolutely, health care is a big target since records
contain not only geographical data about
a person, it also contains medical information which can be used to exploit benefits
systems and ongoing retirement information.
BroadTech Security Team: Of course! A
few hours ago I sent a mail to the CEO of a
chain of hospitals asking her if she is prepared for the statistics “Cyber Attacks will
compromise 1-in-3 healthcare records
next year”. Our company will be actively
involved in spreading awareness in the
healthcare sector and providing necessary
consultation for them. Security should be
a main concern for people who write health care IoT operating systems, too. Instead of starting from scratch, they should
port tested and proven operating systems,
like NetBSD and OpenBSD.
Mark Bennet, Blustor: Cyber security in
the healthcare industry will not only remain relevant but it will grow as a major
concern. Due to decades of kicking the
can down the road, the healthcare infrastructure is woefully unprepared to protect itself from well equipped hackers seeking to steal patient medical records, ransoming critical healthcare data, etc. The
costs of addressing these vulnerabilities
mean that many healthcare organizations
and medical device manufacturers will be
slow to respond unless legislatures mandate a more rapid response. Unfortunately, legislatures rarely take action until
AFTER a major cyber security incident forces the issue into the mainstream awareness of the voters that put them into office.
Wade Lovell, Simpatic: As long as there
are trillions of dollars in healthcare and
big pharma and billions of dollars in tabloids, cyber security will be relevant in healthcare.
Michael A. Goedeker, Auxilium Cyber Security: Yes, because of the lack of money
and enforcement.
Mayur Agnihotri: Yes. As cyber threats in
healthcare continue to skyrocket, security
remains a top priority.
Einaras Gravrock, Cujo: Next year and
beyond, absolutely. These are two of the
most trying challenges we’re facing in our
generation.
Andrew Bagrin, My Digital Shield: Yes, it
will for a long time. Patient records are a
very private thing. It’s one thing to get
your credit card stolen, but to steal identity or medical information is much worse.
Alina Stancu, Titania: Yes. As the use of
new technologies grows in the healthcare
market, the need for security and stronger
regulations over use of private patient
data will be more poignant. For the time
being, HIPAA is the only legislation to address these issues, however the problem
with HIPAA is that it is not yet properly
monitored and enforced.
Gerald Peng, Mocato: Yes. Healthcare data theft and the hacking of IP-based devices present threats to the well-being of
patients and institutions.
Anthony Di Bello, Guidance Software: It
will be an even bigger topic next year as
we hear about breaches that are occurring in 2015 as we speak. Healthcare companies are a virtual treasure trove of personal information… PII, credit card data
and more!
Julie Herold, Kenny Herold, Odin’s Eye:
Yes, and increasingly so; this is an area
where there is a wealth of information for
differing agendas attackers may have as
well as the industry being a lot further
behind in relation to security in comparison to other industries. Much of this will
be a result of the increased utilization of
SaaS and the industry’s lack of security
mindset/maturity and the usual growing
pains/adoption rate of industry best practices in other sectors.
Dotan Bar Noy, Re-Sec Technologies: Yes,
definitely.
David Coallier, Barricade: Most definitely.
We have healthcare practitioners now
recommending the use of mobile apps as
well as using more sophisticated and interconnected gadgetry. The combination
of legislation, market uncertainty and fear
as well as the need to protect the customer data has never been more prevalent.
Ondrej Krehel, LIFARS: I don’t think so.
Nation-states and terrorist groups make up
a small minority of breaches. It’s really
people out for the money.
Rick Blaisdell: Unfortunately, yes. In August, the FDA and the Department of Homeland Security advised health-care facilities to stop using Hospira's Symbiq infusion pump after learning that the device,
which administers medication to a patient
over time, is vulnerable to hackers. Mick
Coady, health information privacy and
security partner at PricewaterhouseCoopers, believes that this type of cybercrime
will become more prevalent in 2016.
Stephan Conradin: Yes. First it is very sensitive for people. And with this kind of security we speak of human life, not only
cash.
The newest threat for medical devices will
be “ransomware / Stuxnet” attacks, where
hackers can tap into the administrative
privilege capabilities of medical devices,
which are typically restricted to manufacturers or hospital administrators. We will
especially see an uptick in exploitation of
medical devices that have moved to more
modern types of interconnectivity with
mobile devices.
Craig McDonald, MailGuard: Cyber Criminals love to target healthcare records –
they contain so much sensitive information all in one place. The biggest cyber
security attack of 2015 – Anthem –
involved the medical records of 78.8 million people. It’s difficult for IT and security
professionals working in healthcare to
improve data protection without impeding access to potentially life-saving patient information. At the same time, the
sheer size and complexity of many hospital IT environments means that cyber security in healthcare remains a hot topic.
THREATS
Will security in automotive industry keep on causing trouble?
Wade Johansen, CouriTech LLC: Cars don’t
drive themselves… wait they actually do
now! By using peer to peer traffic information for apps like Waze, you’ll have
hackers that will take advantage. Also, as
cars begin to develop capabilities to observe traffic patterns and manage the car's
capability to brake even when a driver is
unaware of a potential incident ahead,
this technology could be used illicitly to
instead push a gas pedal down instead of
brake pedal.
Gerald Peng, Mocato: Yes. As cars become increasingly programmable, IP-shareable and automated, the possibility
of hacking a vehicle will erode consumer
confidence if the auto manufacturers do
not address this issue head on.
Rick Blaisdell: As more and more cars connect to the Internet for such functions as
GPS, they become more vulnerable. Hackers can connect to a car over a cellular
network and, conceivably, turn off the
engine while the car is speeding down a
crowded highway, or cut the brakes, or
cause any number of nightmarish
circumstances.
Security researchers will continue to focus
on potential exploit scenarios for connected automobile systems that fail to meet
best practice security policies. IT security
vendors and automakers will develop guidance, standards and technical solutions
to protect attack surfaces such as vehicle
access system engine control units (ECUs),
engine and transmission ECUs, advanced
driver assistance system ECUs, remote key
systems, passive keyless entry, V2X receiver, USBs, OBD IIs, remote link type
apps and smartphone access.
David Coallier, Barricade: Not unlike any
other industry, the automotive industry is
trying to adapt to this modern connected
world and they aren't unaffected. They
will need to take the same steps as everyone else to prepare themselves and be
ready to respond to incidents. The only
difference is cars are directly handling
people's lives and will have to make a decision between convenience and safety.
BroadTech Security Team: There will be
trouble here and there, but overall, things
should improve and be moving towards
being comfortably and sufficiently secure.
Paul Hoffman, Logical Operations: Yes,
especially as we move to automation in
driving.
Nick Prescot, ZeroDayLab: Yes, and the
hacks will get worse.
Michael A. Goedeker, Auxilium Cyber Security: Any industry or product that does
not integrate security and doesn’t see security as business critical will experience
problems.
Amit Serper, Cybereason: In 2015, we saw
a rise in attacks using fileless malware.
We expect this to continue, and believe
that it is the most important thing to watch moving forward. In fact, we think 2016
will be the year of “malware-less attacks.”
While Microsoft is re-architecting Windows to be more secure, it will be quite
some time before those efforts will hit the
mainstream. Until then, built in tools,
such as WMI and PowerShell, will continue to be very popular attack vectors until
newer versions of Windows become more
ubiquitous.
David Clarke, VCiso: Yes, but I suspect the
automotive industry will respond quickly
to safety issues like they did in the 60’s,
partly due to
Ralph Nader’s book
“Unsafe at any speed”.
Additionally, we expect to see more
attacks targeting the Mac platform. The
more pervasive it is, the more popular
target it becomes.
Mitchell Bezzina, Guidance Software: Absolutely, the growth of electronics and
lack of standardization means minimal
attention to security, no car buyer asks
how much R&D went into ensuring the
data connection installed in the car they
are purchasing has been secured. It’s a
secondary concern and a production cost
which means minimum viable security.
2015 was also a key year in the evolution
of ransomware. Not only have we seen
new business models around it, such as
the SaaS model we discovered with Operation Kofer, but in November, we saw
the first case of Linux-based ransomware
targeting websites (see Krebs’ story on it),
we expect to see more new permutations
of ransomware coming in 2016.
Mayur Agnihotri: According to a survey
from McKinsey & Co., 45% of new-car owners are unwilling to use connected services because of privacy concerns.
Dennis Chow, Millar, Inc: Yes, kinetic
attacks are on the rise and transportation
like automobiles will be a prime target for
whitehats and blackhats alike.
Ondrej Krehel, LIFARS: Hopefully only until
self driving cars are safe.
Wade Lovell, Simpatic: Absolutely! As
early adopters move toward more and
more automated driving features, whether it is proximity alerts or self-driving
cars, the ability to commandeer controls
of vehicles will be an important attack
vector. Imagine going in for a safety recall
and having the technician install a backdoor unwittingly, on behalf of a nation
state, as part of a cyber crime ring, or any
other reason.
Craig McDonald, MailGuard: Automotive
cyber crime is in its infancy as is evidenced
by the acceleration of the US Automobile
Industry Accelerates into security, and its
recent initiatives to enhance cyber Security.
Cyber criminals will target vehicle access
system engine control units (ECUs), engine and transmission ECUs, advanced
driver assistance system ECUs, remote key
systems, passive keyless entry, V2X receiver, USBs, OBD IIs, remote link type
apps and smartphone access.
Leon Kuperman, Zenedge: Potentially –
This falls into the category of IoT devices.
Car manufacturers will need to treat security as first-class citizens as opposed to
add-on technology components. As connected technology modules start influencing core driving / safety features, automotive will go through a transformation
period where issues may occur.
Stephan Conradin: Perhaps not in 2016 or
2017, but it is a big concern for future as
vehicles become more and more dependent on data and telecom.
Alina Stancu, Titania: The advent of IoT
means that automotive, just like everything else inter-connected, is a source of
worry. The responsibility of car manufacturers is perhaps higher than for many
other technological gadget providers, as it
must ensure the safety of its passengers.
The Jeep Cherokee hacking has been an
eye-opener for drivers, just as much as it
was for the industry. Fiat Chrysler recalled
1.4 m vehicles to patch the vulnerability
that allowed two security researchers to
disable the brakes on a car and slide it
into a ditch.
Einaras Gravrock, Cujo: Well… we expect
cars to increasingly integrate with other
services using online technologies. When
cars become computers interconnected
with apps, services, and features… when
cars become another IoT, they will naturally be exposed to cyber security threats.
That being said, we don’t expect people to
be in serious physical danger in the very
near future.
Kenneth C. Citarella, Guidepost Solutions:
The increasing computerization of cars
and their connection to the Internet of
Things heralds a wide array of potential
harm. Can the digital record of a car’s
activities be altered to impact litigation
arising from an accident, or remove evidence that might lead to a criminal charge? Can a car be remotely commandeered to threaten the life of its occupants?
Such risks are highly predictable; the time
for the security-related discussion and
analysis is now.
Andrew Bagrin, My Digital Shield: I hope
not, but I suspect that it will. It is just
another IoT and won’t be taken seriously
until a disaster happens.
Julie Herold, Kenny Herold, Odin’s Eye:
Not in our opinion; not enough gains.
Roberto Langdon, Nicolas Orlandini,
KPMG: Regarding the issues we are seeing
in the automotive industry, as long as the
new cars are incorporating more and more computer-based components and technology, as in any other aspect of the market, this fact is attracting not only private
researchers, but also curious people and
the bad guys. Hacking vehicles, to find
and demonstrate their vulnerabilities and
bad security designs or implementations,
are only a few of the reasons for this to
happen. Automakers need to invest more
in assessing their internal processes in
regards to cyber security for their computer components, and also to assess the
components they get from their third parties. In response to this transformation
process, KPMG has already created a strategic and technical Vehicle Forensics team
well prepared to assist the automakers in
preventing, detecting and responding to
cyber security issues.
WHO IS WHO
Mitchell Bezzina
Guidance Software, Security Strategist
Mitchell Bezzina is a technology team leader with over 15 years' experience in information security and endpoint forensics. With hands-on experience in security and digital investigations of every kind, he has designed, developed, and implemented operational and procedural policies for digital forensics, e-discovery, and security departments to gain production efficiencies and comply with business requirements. Mitchell is now focused on security product strategy for Guidance Software having previously managed forensic and e-discovery services in support of investigations centered on intellectual property theft, employee misconduct, fraud investigations, cross-border investigations, court orders, and regulatory inquiries.
Anthony Di Bello
Guidance Software, Senior Director, Security Practice
Anthony Di Bello is responsible for providing in-depth insight into the advanced threat landscape for Guidance Software and its customers. Since joining the company in 2005, Di Bello has been instrumental in defining the company’s suite of security products, introducing new products and successfully driving market adoption with Fortune 500 companies and federal government agencies. Prior to joining Guidance Software, Di Bello spent seven years with Towers Perrin, a global professional services firm specializing in risk and financial management. He is a frequent speaker and quoted regularly in security industry publications.
Paul Shomo
Guidance Software, Sr. Technical Manager
Paul Shomo has over 15 years of R&D experience, having begun his career writing firmware for IP routers and satellite networks. Paul joined Guidance Software’s new product research group in 2006, which launched the industry’s
first incident response solution. Paul has managed and architected cybersecurity and forensic products for many years. He now manages integrations with
the EnCase open security platform, and in his free time works to educate the
cybersecurity industry.
MOBILE
Which mobile phone will be the most secure one?
Chase Cunningham, Cynja: Silent Circle’s
Blackphone 2 is far and away the best and
most secure phone anyone can use but it
isn’t for the masses. Most people will stick
with what they know. The Android based
phones will continue to be the preferred
phones for exploitation because of how
readily available exploits are for that OS in
the cyber underground.
Elizabeth Houser, Praesidio: The iPhone,
especially if U.S. Congress does not pass
legislation requiring Apple and other phone makers to decrypt phones for law enforcement purposes.
Leon Kuperman, Zenedge: Systems that
are cost closed will have the best security
posture – iPhone / iOS .
Michael A. Goedeker, Auxilium Security:
There is no such thing as a “secure” mobile phone. We created a secure handset
with hardened OS, blocked known malware and spyware apps but we can not repair the broken communications systems
like SS7 that people use to track your position. The only real “secure” phone to
have would be based on its own coms
system and network (regardless of what
others are selling you…).
Richard De Vere, The AntiSocial Engineer:
Taking a look at the recent release of prices from zerodium (0day reseller) which
offers bounties of 500,000 for iOS and
100,000 for Android… It’s plain to see
which phone is more secure. It’s 0days
that hurt this market and with iOS 0days
fetching 5 times as much as Android says
it all.
Mark Bennet, Blustor: Apple IOS devices
will continue to be the most secure widely
used smartphone in the industry, primarily due to the more restrictive and controlling ecosystem that Apple has built around their products. While the use of niche
smartphones designed for enterprises
with the need for high-levels of security
will continue to grow, the price and flexibility of these devices will likely keep
them out of the hands of the average consumer.
Wade Johansen, CouriTech LLC: The iPhone will evolve to be the most secure phone I believe, but it will probably only be
because it is hacked “less often” than Android and Windows phones.
Rajeev Chauhan: The one with cloud storage and having active app scanner.
Mayur Agnihotri: No phone will be the
most secure one in my view. This is the
wrong question. The right question is
which mobile phone company is more
concerned about its user’s security and
privacy.
Anthony Di Bello, Guidance Software:
BlackBerry Priv and Blackphone seem
pretty well thought out from a security
perspective. Only time will tell.
Julie Herold, Kenny Herold, Odin’s Eye:
BlackPhone – sole purpose of the solution
is for security and privacy. Other phones
are catering to end users for usability as
the focal point.
Roberto Langdon, Nicolas Orlandini,
KPMG: We cannot identify which mobile
phone will be the most secure one, due to
the direct interaction and criteria of its
user. And again, the factor Security Awareness comes again over the table. Almost
all of the mobile phone users are going
through their lives careless of what can
happen to their mobile phones, and mainly with the information inside them.
Ondrej Krehel, LIFARS: One that’s turned
off.
Stephan Conradin: Android? No it’s a joke,
iPhone will remain the least bad.
Andrew Bagrin, My Digital Shield: The one
that is properly protected. If you take all
phones without any protection, probably
the old flip phones or blackberry on the
older RIM OS (not Android).
Wade Lovell, Simpatic: Blackphone 2.
Amber Schroader, Paraben Corporation:
In looking at the security of mobile devices, there is really not one that is considered to be more secure than any other as it
all depends on how you use the device.
From cloud access to desktop backup,
most devices have a risk associated with
them when it comes to security.
Gerald Peng, Mocato: All mobile phones
can be hacked with enough time and resources. Ideally, you want a phone that
will protect you against casual hacks and
persistent online behavioral tracking. Good options on the market are Silent Circle's Blackphone 2 or the BlackBerry Priv.
BroadTech Security Team: I have no idea.
I don’t use a smartphone (or no phone
you can say).
Nick Prescot, ZeroDayLab: Blackphone
Blackberry.
David Clarke, VCiso: Android versions customised for security are currently in the lead; there are no iOS customised versions
for security.
Dotan Bar Noy, Re-Sec Technologies: Phones will not be more secure than your
regular home computer as users are freely downloading programs, plugging the
devices and connecting to random hotspots as they travel. The “PwC 2015 Information Security Breaches Study on UK
Corporations” reports that 15 percent of
organizations suffered from a breach caused by use of a smartphone or tablet device, more than doubling last year’s figure
of 7 percent. This is a great challenge and
opportunity for the industry.
Mitchell Bezzina, Guidance Software: My
1997 Nokia 6210.
What kind of vulnerabilities will affect
mobile phones in 2016?
Michael A. Goedeker, Auxilium Cyber Security: The same ones as now. In addition,
the false sense of security that "secure"
phone manufacturers sell you will lead to
more hacked phones. The system is broken, no phone would change that…
Richard De Vere, The AntiSocial Engineer:
Social Engineering using the mobile telephone has seen a rise over the past few
years based on the percentage of us now
spending large amounts of time on our
smartphones. I think criminals have paid
more attention to this field. Noting phishing sites that are mobile friendly!
Mark Bennet, Blustor: As biometrics continue to grow as a mainstream security mechanism for accessing mobile devices and
related applications, consumers will see
an increase in malware that specifically
targets biometric identity theft. The unfortunate reality is that the identities of
many consumers are going to be compromised for life due to their own unawareness of how serious this issue will become
over the next few years. Once your biometrics have been compromised, they can
never be replaced short of visiting a plastic surgeon.
Amber Schroader, Paraben Corporation:
We believe there will be an increase in
security risks that come from 3rd party
Apps. With a poor vetting procedure in
place for 3rd party Apps, we have seen an
increase in the data being collected and
used by 3rd party Apps.
Rick Blaisdell: According to the mobile
security firm NowSecure, 43 percent of
"bring your own device" (BYOD)
smartphones used by U.S. workers don't
have a password, a personal identification
number or pattern lock. Fifty percent use
these devices to connect to unsecured Wi-Fi
at least once a month, and nearly half
of mobile apps on any given mobile device have at least one major security flaw.
Cybercriminals can easily exploit vulnerabilities in your mobile phone to obtain
private data. These vulnerabilities sometimes come from the apps you use or
within your smartphone itself. Mobile
phones are also vulnerable to malware,
which can log keystrokes and capture
screenshots.
Elizabeth Houser, Praesidio: Malware for
mobile devices is on the rise especially
since people habitually download free
apps and use jailbroken phones.
Wade Johansen, CouriTech LLC: GPS vulnerabilities and apps that require too
many permissions (already an issue) with
little company security knowledge about
locking apps done before publishing.
Mayur Agnihotri: Malware because “Good
Malware Never Dies”. Some underground
hackers built this type of malware which
does not need any type of permission
(“root" or "jailbreak") to access the mobile phone to affect the mobile phone.
Wade Lovell, Simpatic: I am primarily concerned about altered variants of apps,
especially games, being disseminated
through legitimate app stores. I am also
concerned about apps with expanded capabilities for analytics, etc. being downloaded without users paying attention to
the terms and conditions.
Julie Herold, Kenny Herold, Odin’s Eye:
We think there will be a breakthrough
outside of the usual delivery of malware
via stores. We think until an R&D department within a security company commits
the time to explore this area further, there won’t be much change in the realized
versus perceived attack surface and vectors for exploitation.
Gerald Peng, Mocato: As the majority of
phones are Android based, my answer is
confined to those devices. The vulnerabilities of the Android OS are exposure to
cloning, data leakage, weak malicious application detection and ability to use the
device as a microphone. These vulnerabilities facilitate identity theft and financial
fraud.
Ondrej Krehel, LIFARS: Many of the same
ones, from malvertising to phishing
texts/emails and unvalidated apps.
Paul Hoffman, Logical Operations: Location, financial information (Apple Pay),
Stephan Conradin: We have a great dependence on geolocation and disturbance
of GPS data could be serious.
Roberto Langdon, Nicolas Orlandini,
KPMG: Malware addressed to steal information, to make calls or messages deviation, to get private photos or videos, is
totally easy. Think that the people are
carrying all their emails, access credentials
to portals, to mail servers, to home banking sites, etc. It is as easy as taking candy
from a little child. Almost no one cares
about this, unfortunately.
David Clarke, VCiso: Mobiles are similar to
PCs 15 years ago, almost everything is
vulnerable from text and data transmission to the OS.
BroadTech Security Team: Theo de Raadt,
founder of OpenBSD and Co-founder of
NetBSD, said, “Low code quality keeps
haunting our entire industry. That, and
sloppy programmers who don't understand the frameworks they work within.
They're like plumbers high on glue.” I
think everything starts there, adding to it
is poor hardware design, infectable
firmware, malware apps, etc. Again, user
discretion and spreading security awareness, I believe, can contain a lot of problems and keep them from blowing up.
Before you get a smartphone, it is good to
list out what purposes it should serve you
and then get just the ones that have only
those features and install only necessary
apps. Don’t root the phone because someone else did it. If you go feature chasing, you will end up in trouble because
one day you will find that feature was a
trap.
Nick Prescot, ZeroDayLab: Malware that's
executed by user unluckiness.
Andrew Bagrin, My Digital Shield: I think
they will be used as a method for hackers
to sneak malware into companies.
What security measures should we use to protect
our mobile phones in the next year?
Chase Cunningham, Cynja: Just like your
laptop, be sure that your phone is patched and your OS is always up to date.
Use two-factor authentication. If you
don’t need an app or don’t need a particular function…turn it off. Bottom line—
don’t suck at patching.
Mark Bennet, Blustor: Consumers and
enterprises alike need to separate the
keys of an individual’s digital identity from
the devices they require for access. One
analogy is that you wouldn’t secure your
car by leaving the keys in the ignition and
neither should you store your biometric
identity on your smartphone. While powerful devices, smartphones are inherently vulnerable to attack due to the ubiquitous and always connected nature. A
better solution, such as BluStor’s CyberGate platform, that allows users to seamlessly separate the digital keys (e.g., biometrics) needed to access their phone or
other mobile devices, is critical to addressing this vulnerability.
Michael A. Goedeker, Auxilium Cyber Security: Don’t use a phone for secure stuff!
Limit the usage for important calls and
functions, only use apps that are tested
and proven backdoor and spyware free.
Don’t trust any phone manufacturer, test
and verify your Sim card, phone hardware, OS and Apps are secure. Recognize
that the underlying communication system is flawed. Anyone and everyone can
track you down, so if you don’t want that,
then limit phone use. Use a computer or
electronic device that can use encrypted
signals and never needs the SS7 based
infrastructure.
Wade Johansen, CouriTech LLC: Apps like
Cerberus to encrypt phones, detect GPS
locations (if on), and ability to take pics of
users attempting too many passwords are
a plus! Remote wipe capability is also handy.
Elizabeth Houser, Praesidio: Users need to
take responsibility for the apps they are
downloading and be aware of what
exactly is being loaded onto the device.
Mobile devices have been around long
enough that the current usage mentality
should be maturing. For most people,
smart phones are now a vital, integrated
tool in the daily operations of our lives
and should be protected as such.
Richard De Vere, The AntiSocial Engineer:
I’d like to think every last person who
uses the internet should be aware of two
factor authentication available for all mobile platforms, this should help form the
basis of your security - But with our phones becoming the master key for all our
digital lives, the need for secure 8+ digit
lock screen passwords and mobile disk
encryption is more so than ever.
Amber Schroader, Paraben Corporation:
The best security is to be aware of what
your device is doing and what you have
granted access to with the device use policies and with 3rd party apps. We have to
find the line between being secure and
being accessible.
Mayur Agnihotri:
• Endpoint protection software must be used on every mobile device.
• Sharply analyze cloud services for their ability to resist threats and attacks. For this, we should terminate third-party security vendor conduct testing and instead, start checking the cloud provider's certificate which should indicate that third-party security vendor has already tested its applications.
• When choosing a mobile phone, first check its security features.
• Before you store information on your mobile phone, ask yourself “Is this TMI?” TMI – Too Much Information.
• Do not "root" or "jailbreak" the mobile phone.
Rick Blaisdell: Knowing your vulnerabilities and making sure that you protect them will stand you in good stead for 2016. Other precautionary steps include:
- Use strong passwords for your accounts that include numbers, lower case and capitalized letters, and are not easy to guess, e.g. password, 12345, etc.
- Don't open suspicious emails requesting that you re-enter sensitive data
- Destroy sensitive documents
- Use a VPN to secure your Internet connection if you need to use public Wi-Fi
- Keep your antivirus software up to date.
Roberto Langdon, Nicolas Orlandini,
KPMG: Mobile phones must be protected
by antivirus, firewall, intrusion prevention
systems, and backup policies as well. They
are IT equipment! Phishing techniques
will be as frequent as during 2015, and
Android is still showing a lot of security
hack opportunities.
By the way, a lot of people think that the
mobile phone is more private than a
workstation or notebook, and sometimes
there are important discoveries not imagined by the people involved in a fraud.
Julie Herold, Kenny Herold, Odin’s Eye:
Unfortunately, the anti-virus/anti-malware maturity of software for phones
is very immature. This is as a result of the
lack of a need for it, we are barely into the
pattern based detection on mobile programs designed to protect an end user
against threats. This lack of maturity is
due, in part, to the lack of realistic threat
scenarios outside of the so-called
“vetting” of applications before they are
available in a store.
Stephan Conradin: Keep in mind it is a
smart device, open and not very secure.
Awareness!
Ondrej Krehel, LIFARS: Be aware and read
the fine print on permissions.
David Clarke, VCiso: As many security software apps as you can get on your phone. I use at least four.
Paul Hoffman, Logical Operations: Use
Two Factor authentication wherever possible. Change passwords to be more secure. Use Bio where possible.
Gerald Peng, Mocato: This is a non-exhaustive list of security precautions you can take:
• Check your device’s security features before you buy, such as file encryption, device wiping capacity, and authentication features.
• Secure the device using locking, enabling encryption and antivirus software.
• Configure web accounts using encrypted connections in account options such as HTTPS or SSL.
• Avoid clicking links sent in suspicious emails or text messages.
• Do not reveal your mobile phone number on social networking websites.
• Consider what personal information you will store on your device.
• Vet applications before installing them on your phone by researching them first.
• Disable Bluetooth, infrared and Wi-Fi interfaces when not in use and in public places.
Wade Lovell, Simpatic:
• Establish a company-wide approved apps list for “bring your own devices” (BYOD).
• Have IT set up an internal app store so IT can determine whether the checksums match with the publishers’ source files, test updates before they are deployed, etc.
• Turn off wi-fi outside the office and route everything through cellular data except while in the office.
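The gatekeeping step Wade Lovell describes for an internal app store, sketched as an added example (it is not from the interview or from any product): an upload is published only if the package is on the approved list, the version is the one IT tested, and its SHA-256 matches the digest the publisher lists for that release. The schema, function names, package identifiers and byte strings are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedApp:
    """One row of the company-wide approved apps list (hypothetical schema)."""
    package: str   # application identifier
    version: str   # the version IT has tested and approved
    sha256: str    # hex digest the publisher lists for that exact release file


def sha256_hex(blob: bytes) -> str:
    """Hex SHA-256 of a package file's bytes."""
    return hashlib.sha256(blob).hexdigest()


def vet_upload(package: str, version: str, blob: bytes,
               approved: dict[str, ApprovedApp]) -> tuple[str, str]:
    """Decide what the internal store does with an uploaded package.

    Returns (decision, reason); decision is "publish", "hold" or "reject".
    """
    entry = approved.get(package)
    if entry is None:
        return ("reject", "package is not on the approved apps list")
    if version != entry.version:
        # An update IT has not tested yet is parked, not deployed.
        return ("hold", f"version {version} not tested; approved is {entry.version}")
    actual = sha256_hex(blob)
    expected = entry.sha256.strip().lower()   # tolerate upper-case digests
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return ("reject", "checksum does not match the publisher's release")
    return ("publish", "checksum matches the publisher's release")


# Constructed sample data: byte strings stand in for real package files.
PUBLISHER_RELEASE = b"notes-app 2.1.0 release build (constructed sample)"
REPACKAGED_COPY = PUBLISHER_RELEASE + b" + extra analytics library"

APPROVED = {
    "com.example.notes": ApprovedApp(
        package="com.example.notes",
        version="2.1.0",
        sha256=sha256_hex(PUBLISHER_RELEASE),
    ),
}


def run_demo() -> dict[str, str]:
    """Vet four constructed uploads and return the decision for each."""
    uploads = [
        ("genuine", "com.example.notes", "2.1.0", PUBLISHER_RELEASE),
        ("repackaged", "com.example.notes", "2.1.0", REPACKAGED_COPY),
        ("untested-update", "com.example.notes", "2.2.0", b"newer build"),
        ("unlisted", "com.example.game", "1.0", b"some game"),
    ]
    return {label: vet_upload(pkg, ver, blob, APPROVED)[0]
            for label, pkg, ver, blob in uploads}


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label:16} -> {decision}")
```

The "repackaged" case is the altered-variant scenario: same package name and version as the approved release, different bytes, so the digest check rejects it.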
Anthony Di Bello, Guidance Software: Same measures we would take with any
other device. Encryption, password protection, turn off Bluetooth/wifi/gps when
in questionable locations such as Defcon.
BroadTech Security Team: I will have to
write a paper on it so I will let someone
else answer it. What I do is simple: I don’t
have a smartphone (I don’t use the old
mobile phone which can only make calls
and SMS unless there is a prior appointment or to call family). In my current capacity, a smartphone is a liability and risk.
Andrew Bagrin, My Digital Shield: There
isn’t much out there that is very accessible, but I think having something simple
to at least identify if something is wrong
or your configuration is not ideal is very
necessary. Something like NowSecure.
Nick Prescot, ZeroDayLab: For companies,
the MDM sandboxing is a good idea but
for personal users, they are safer than
desktop systems.
Einaras Gravrock, Cujo: For starters, you
should secure your home network. Often
times, home hackers get access to our cell
phones by penetrating your home network. Secondly, do not use public Internet networks.
What risks will mobile industry face in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Increased usage as a cyber war and
espionage tool. Data leakage and theft.
Roberto Langdon, Nicolas Orlandini,
KPMG: Using phishing techniques, the bad
guys made several devices contamination
oriented to steal information, mainly financials (username, PIN, credit card information, etc.), as well as personal information. All the stuff with value at the black
market. Also, it cannot be left out what it
is related to spy at political level or industrial secrets as well.
Wade Johansen, CouriTech LLC: Bluetooth
security problems currently plague the
mobile phone industry. Users who link to
their cars (remote start), Pandora radios,
GPS mapping, etc., are highly exploitable.
Rajeev Chauhan, Cyber Oxen: Identity
theft and personal data security.
Andrew Bagrin, My Digital Shield: More
features means more vulnerabilities, and
ability to control everything that you can
control from your phone (car, house, etc.).
Einaras Gravrock, Cujo: The challenge is
that companies will need to continue shifting their budgets away from features
and onto security which will slow down
overall product improvements as well as
profitability.
David Clarke, VCiso: Marketing apps may be too invasive, exploits exposing more
personal data.
Mayur Agnihotri: Ransomware • Encrypted Penetration • No endpoint protection
software • Application-Based Threats.
Wade Lovell, Simpatic: As payments move
to the smartphone, so will attacks. • Biometrics, as currently implemented, are a
dangerous way to validate users to devices and once a fingerprint is collected or
stolen, the device and ALL FUTURE DEVICES where the user registers that fingerprint are compromised. This is disastrous
for BYOD. • Nation States requiring backdoors or compromising component manufacturers.
Gerald Peng, Mocato: The increasing popularity of mobile shopping and mobile
beacons will make mobile phones likelier
fraud targets. The ability to fight mobile
platform fraud will be influenced by innovations in data protection, intuitive security compliance protocols and user authentication.
Ondrej Krehel, LIFARS: Users. They are
always the weakest link, especially in mobile.
BroadTech Security Team: I don’t know
but vulnerabilities are surely going to increase rather than decrease if vendors are
going to enchant people with features
and jargons instead of working more on
testing the quality of their product before
release.
Nick Prescot, ZeroDayLab: Bluetooth jacking.
WHO IS WHO
Leon Kuperman
Zenedge, CTO & Co-founder
Leon Kuperman is a successful founder and CTO of multiple ecommerce organizations with 18+ years of experience in product management, software design and development all the way through to production deployment. He is an authority on Payment Card Industry Data Security Standard (PCI DSS), ecommerce, online marketplaces / auctions, data center deployment, cloud deployment and web application architecture. He is also a holder of a patent relating to ecommerce caching systems which he worked on while at IBM.
Mark W. Bennett
Blustor, COO
Mark is the Chief Operating Officer of BluStor PMC, Inc. and is a trailblazing executive with more than 20 years of experience in the IT industry delivering strong competitive advantages through technology innovation and organizational transformation. He brings a unique perspective to the world of cyber security that is a combination of years of work in areas that require a high level of information security including the aerospace defense sector and financial services.
Mayur Agnihotri
I've done Bachelors of Engineering from Information Technology and having certifications under my belt like C|EH - Certified Ethical Hacker, Cyber Security for Industrial Control Systems, Operational Security for Control Systems, Advanced Security In The Field, Basic Security In The Field. I have 3+ years of experience and love to spend time finding bugs and vulnerabilities.
An Information Security Enthusiast, Who believes in Security and Not Just Compliance.
Przemek Radzikowski
Secbüro Labs
Chief Security Researcher
Przemek (Shem) is the Chief Security Researcher at Secbüro Labs. For over two decades he has worked on key assignments with government, military, telecommunications, banking, finance and large multinational clients across the Americas, Middle East, Africa, Europe and Asia Pacific, where he headed the technical delivery and governance of highly complex Cloud, Data Center and Security projects worth in excess of $65 million.
INTERNET OF THINGS
Will IoT force the industry
to change?
Shay Zandani, Cytegic: The inherent interconnectivity of IoT already forces changes
in the security industry, and will continue
to do so. This fact demands multi-device
endpoint detection tools, cross-device
honeypots and much stricter MDM rules
and practices in the office space.
Dennis Chow, Millar, Inc: Not alone, as
history shows, it will probably require more breaches related to IoT and high visibility catastrophes before vendors will be
forced to make changes.
Mitchell Bezzina, Guidance Software: Not
until it’s too late. Just like all other goods,
security concerns are production costs to
the vendor and rarely factor in consumer
buying decisions. It will take a major breach before standards are implemented
across IoT manufacturers and this will be
a 2020 concern.
Kenneth C. Citarella, Guidepost Solutions:
The Internet of Things will not force any
industry to change, not the auto industry,
not the appliance industry, not the home
security industry not the computer industry. A demand for security and privacy
pushed jointly by consumers, the government, politicians and security experts will.
Dotan Bar Noy, Re-Sec Technologies: Yes.
But it is still a long process that is in its
early stages.
Stephan Conradin: Before changing the
industry, understand what we can or
should do with all this data from these
sensors.
David Clarke, VCiso: Cyber security that
can be managed will need to be built in.
Paul Hoffman, Logical Operations: It already has.
Gerald Peng, Mocato: Gartner Inc. has
predicted that 6.4 billion connected things
will be in use worldwide in 2016, up 30
percent from 2015, and will reach 20.8
billion by 2020. The increase in interconnected devices will mean that cyberattacks can be massively scaled up.
Nick Prescot, ZeroDayLab: Not really in
2016, the regulation as part of EU GDPR
will make people think.
Michael A. Goedeker, Auxilium Cyber Security: Yes, as in all new technology, we,
for some reason, always forget to integrate security right from the start. This is a
dangerous way of creating new services
and products. Since IoT connects systems
previously not connected, we will only get
to see the "new" hacking vectors as it becomes more mainstream.
David Coallier, Barricade: The providers of
security products need to understand that
we have new computing capabilities available to us nowadays that allow for leaps
in pattern discovery. Continuing to develop products that are doing heavy processing on the devices is no longer an
option and the democratisation of computing Amazon is leading will force many
incumbents to change how they do things.
Amit Serper, Cybereason: While I think IoT
might have jump started a culture-shift
towards security in some industries - such
as automotive - for the most part, I don’t
think people care enough about security
to make IoT systems inherently more secure than what we have now. Unfortunately, I don’t think there will be much of a
groundswell towards building secure IoT
systems until people and businesses start
experiencing consequences for themselves.
Mark Bennet, Blustor: Despite the efforts
of many organizations to get in front of
IoT related security issues, the drive to get
to market first with these products is going to result in numerous vulnerabilities
that can scarcely be understood yet. This
means a long and painful road ahead for
IoT but it will ultimately drive significant
changes in the industry. Unfortunately, I
suspect we have many years of learning
from the “school of hard knocks” in front
of us.
Roberto Langdon, Nicolas Orlandini,
KPMG: IoT is becoming an amazing advantage for people’s wellness, but if we consider this with the little responsibility by
mobile phone users in terms of protection
and security, this will become a funny war
between users and delinquents. I cannot
imagine a toaster firewall but we can have
security on the other side.
Andrew Bagrin, My Digital Shield: Very
much so. We can no longer expect to have
a security endpoint client on every piece
of hardware out there that has an IP.
Amber Schroader, Paraben Corporation:
IoT has caused a lot of changes in how we
look at digital evidence and access of digital devices in our daily life. IoT will make
huge changes to where we see our information spread out to, as well as where it
can be collected from.
BroadTech Security Team: YES, I wrote
about a particular scenario a few months
back but it was not received then but now
people have started appreciating it after
reality started striking. IoT is going to
bring a deluge of data for processing,
which traditional Big Data processing
techniques, Internet bandwidth, cloud
storage should be able to handle for a
long time without breaking down. We will
see more and more of Proximity Cloud or
Intelligent Sensor Cloud that will throw
away irrelevant data right from the start
and send only what is needed to be processed and stored. Data Flow (Realtime
Big Data Analysis) may not be a viable or
preferable option without Intelligent Sensor Cloud (I coined the term while researching AI) no matter how big your infrastructure is, someday someone is going to
question processing and storing all data
because ultimately it all translates to cost
incurred. I know I will get mocked on this
but let us see :-).
Anthony Di Bello, Guidance Software: Yes,
in today’s climate of privacy concerns,
security will be critical to mass market
adoption of IoT devices. It’s already forced
the industry to change. Take a look at
what Intel/McAfee is talking about lately.
Wade Lovell, Simpatic: Yes, IoT provides a
new attack vector. The Internet of Things
is a nightmare for security. Think of each
one of those devices as a small computer
transmitting personal information about
you. What time are you out of the house?
Did you turn on the burglar alarm? How
do you remotely unlock the back door? At
the moment, all that data is poorly secured.
Wade Johansen, CouriTech LLC: Will IoT
force the industry to change? Yes, NEST is
already making an impact. People want to
be in touch with their homes, children,
and PCs at all times. The world's technology industries will need to accommodate
this to remain profitable.
Julie Herold, Kenny Herold, Odin’s Eye:
No, this area is too new and not profitable
yet as a result of the lack of presence.
Craig McDonald, MailGuard: A study presented in October 2015 by the IT research
company, Gartner, predicts a transformation in the world of cybersecurity within
the next two years, thanks to the Internet
of Things.
By the end of 2017, more than 20% of businesses will be using security services
dedicated to protecting business initiatives, and that use devices and services
based on the Internet of Things.
Two examples: A sensor that detects and
adjusts the temperature in a room automatically; another that adjusts the dosage
of medication for a patient in their hospital bed according to new data on their
medical records.
Threat intelligence sharing among enterprises and security vendors will grow and
mature. Legislative steps may be taken,
making it possible for companies and
governments to share threat intelligence.
The development of best practices in this
area will accelerate.
Ondrej Krehel, LIFARS: A bit, but not really.
Rajeev Chauhan: Yes, in a big way.
Einaras Gravrock, Cujo: IoT is about to
magnify the issues of cyber security with
billions of new devices entering the market – devices that are largely unsecured. I
think it’s relatively easy to make an argument that IoT represents the biggest cyber security challenge yet. They are easy
targets with potential for limitless damage.
What kind of challenges will
IoT face in the next year?
Michael A. Goedeker, Auxilium Cyber Security: Incorporating the correct levels of
security into software, menus, commands
and integrating open source protection
into all IoT devices from the start. At
Davos, I discussed and showed how gas
heaters can be turned into bombs because of the lack of firewall and security verification technology in FPGA units. This is just
one example, SCADA is also "still" an issue.
Craig McDonald, MailGuard: Currently,
more things are connected to the Internet
than people, according to technology
company, Cisco, which also predicts that
25 billion devices will be connected by
2015 and 50 billion by 2020. All things
that connect to the Internet expand the
attack surface for hackers and enemies. A
recent study released by Hewlett Packard showed that 70 percent of IoT devices contain serious vulnerabilities.
Mark Bennet, Blustor: The slow adoption
of standards and commercial competitiveness will continue to challenge the IoT
industry to really solve some of the more
serious security vulnerabilities inherent in
these devices.
Nick Prescot, ZeroDayLab: Same as mobiles.
Mayur Agnihotri: Lack of data protocol
standards • There is currently no agreement/standard on how to implement security in IoT • Upgradability And Patchability Of IoT regularly.
Irfan Shakeel, EH Academy: The security
issues are expected to rise; security researchers might challenge the existing infrastructure. This will open the door for the
organizations to spend on R&D, they will
spend more on finding the vulnerabilities.
Wade Johansen, CouriTech LLC: Bandwidth, security and reliability. Bandwidth
is already an issue, more fiber and more
competition between global vs local carriers needs to be emphasised. Security
and reliability also go hand in hand, our
phones, PCs, laptops, tablets, handhelds,
watches, security systems, building systems, all the way up to electrical grids,
require better security and protection.
Stephan Conradin: IoT should be treated
in parallel with Big Data. IoT must integrate safety and security from the design.
Dennis Chow, Millar, Inc: Possibly weak
passwords, backdoors, and injection based attacks.
BroadTech Security Team: I will have to
write a book but here are a few: (1) non-standardization
of hardware and software
will create confusion but let us hope they
all follow standard transfer formats and
standard APIs for data transfer, talking of
the ones with same use but from different
vendors. (2) Serious security incidents are
going to happen due to vulnerable hardware, firmware and software and for a
long time, vendors are not going to take it
seriously because they don’t understand.
We have IoT startups with people who are
highly creative but quite naive in security,
so they are going to make highly useful
stuff but insecure, thus undermining the
product’s credibility.
Amber Schroader, Paraben Corporation:
IoT has a lot of risk in just being new and
not having the advantage of already being
broken. Once technology is broken, we
find better and better means to fix it. With
IoT, it is giving us a completely new perspective that is causing issues in gaining
access or even securing access.
Dotan Bar Noy, Re-Sec Technologies: The
lack of a standard protocol and the need
to incorporate many different patched
systems will be the main challenge and
not only for the next year. In addition, the
IoT by design is built with lightweight security and relies heavily on shared libraries and a short development cycle.
Paul Hoffman, Logical Operations: Securing networks that use IoT.
Roberto Langdon, Nicolas Orlandini,
KPMG: The key actions will be addressed
to enter into the mobile phones, facilitated by the direct connection with the IoT.
David Coallier, Barricade: For us, the challenge isn't in security as much as it is in
usability. We are a design-led security
company and we spend a lot of time thinking about how to make security more
accessible to businesses. Providers of IoT
devices face the same challenge. Keeping
a high level of convenience of use with
intrinsic, transparent and non-adversarial
security.
Rick Blaisdell: As we become increasingly reliant on intelligent, interconnected devices in every aspect of
our lives, security is very much a central issue for the Internet of Things. Despite the opportunities of IoT,
there are many risks that must be considered. Here are five of the many risks that will be essential in an
Internet of Things world:
Understanding the complexity - Imagine Nuclear power plants and data centers using IoT devices to automate their controls and being compromised. Understanding the complexity of vulnerabilities, and how serious of a threat they pose is going to become a huge challenge. Because these devices will have hardware
platforms and software that enterprises may never have had insight into before, the types of vulnerabilities
may be unlike anything organizations have dealt with previously. This is why it's critical not to underestimate the elevated risks of many IoT devices.
Vulnerability management - Another big challenge for enterprises into an IoT environment will be learning
how to quickly patch IoT device vulnerabilities and how to prioritize them. Because most IoT devices require a firmware update in order to patch the vulnerability, the task can be hard to accomplish in real time.
Identifying security controls - In the IT world, redundancy is critical. If one product fails, another is there to
take over. The concept of layered security works similarly, but we still have to see how well enterprises can
layer security and redundancy to manage IoT risk. The challenge will be identifying where security controls
are needed for Internet-connected devices, and then implementing effective controls. Given the diversity
that will exist among these devices, organizations will need to conduct customized risk assessments, often
relying on third-party expertise, to identify what the risks are and how best to contain them.
Disruption and denial-of-service attacks - Disruptive cyber attacks, such as distributed denial-of-service
attacks, could have bad consequences for an enterprise. If thousands of IoT devices try to access a corporate website or data service feed that isn't available, a company’s happy customers will become frustrated,
resulting in revenue loss, customer dissatisfaction and potentially poor reception in the market. Capabilities
for managing lost or stolen devices will also be critical for dealing with compromised IoT devices, so having
an enterprise strategy in place will help mitigate the risks of corporate data ending up in the wrong hands.
Security analytics capabilities - The variety of new devices connecting to the Internet will create a flood of
data for enterprises to collect, process and analyze. While certainly organizations will identify new business
opportunities based on this data, new risks emerge as well.
Wade Lovell, Simpatic: IoT designers will
have to convert to a security-centric design methodology. So far, security has mostly been an afterthought.
Andrew Bagrin, My Digital Shield: The biggest challenge will be security.
Ondrej Krehel, LIFARS: Staying secure as
they grow in capabilities. It’s all about service management and usability vs. security.
Gerald Peng, Mocato: The surge in IP-connected devices increases cyber threat
risks within the corporate and domestic
environments, specifically with respect to
IT infrastructure and device vulnerabilities.
David Clarke, VCiso: Managing Cyber security on a large scale.
Anthony Di Bello, Guidance Software: Really the challenge of mass-market adoption, convincing the market that it is security. News of hacked Barbie Dolls and baby monitors is not helping here.
Kenneth C. Citarella, Guidepost Solutions:
The greatest risk is that we will not anticipate the connections that will be made
possible by the Internet of Things. One
device may be designed to talk to
another, but where the second one leads
may only be understood once it is too late. For example, many devices can be
accessed via a smartphone. If one device
is compromised and that leads to vulnerability in the smartphone app, the risks for
the user can escalate to involve every
function and every app the phone
supports.
How will IoT influence cyber community?
Michael A. Goedeker, Auxilium Cyber Security: We need to be faster, teach more,
work on creating security products that
protect everyday functions and people
from dedicated and nasty attacks on whatever the IoT industry brings out. It's a
new area that we need to protect fast.
Time is ticking (tick-tock).
BroadTech Security Team: Will mention
just one part that could be missed by
others. “More Information Overload” causing the brains to be rewired for
“continuous partial attention” thus degrading the brain’s ability to reflect and contemplate and thus losing creativity. IoT
devices will rule over us.
Rick Blaisdell: The Internet of Things has
the potential to bring together every
aspect of different networks. Therefore,
security at both the device and network
levels is critical to the operation of IoT.
The same intelligence that enables devices to perform their tasks must also enable them to recognize and counteract
threats.
David Clarke, VCiso: Another very specialist niche is developing.
Kenneth C. Citarella, Guidepost Solutions:
Hopefully, the Internet of Things will galvanize the cyber community to talk about
the ever growing advocacy for thorough
evaluations of all aspects of security for all
connected devices.
Gerald Peng, Mocato: I hope that IoT will
help people think about cyber security
more holistically and with an eye on proactive, forensically sound measures and
protocols. Addressing IoT cyber threats by
securing a single device here and there is
inadequate.
Leon Kuperman, Zenedge: IoT is a top
concern to most security executives, because of the massive scale and potential
of the “armada” of computers out there
that can affect an organization.
Nick Prescot, ZeroDayLab: The use of SSO
solution and the interoperability of information.
Irfan Shakeel, EH Academy: IoT will have a
great impact on Infosec community, it will
be in the spotlight along with BYOD and
cloud security.
Wade Lovell, Simpatic: It may make the
community more cautious, which would
be a good thing. It certainly exposes data
on previously private acts such as making
love in a room with a SmartTV or temperature sensor.
Stephan Conradin: Emerging standards for
communication.
Ondrej Krehel, LIFARS: It’ll take time. Once
the first major breach happens, it’ll explode.
Dotan Bar Noy, Re-Sec Technologies:
McKinsey estimates that the IoT has a total potential economic impact of $3.9 trillion to $11.1 trillion a year by 2025. This
growth by itself has the potential to increase dramatically the security research done and create power shift to new emerging vendors.
Mayur Agnihotri: As the IoT continues to
skyrocket, internet enabled devices will
become a more attractive target for cyber
attacks. I remember last year hackers gained access to US retail chain which led to
the theft of 40 million credit card numbers. Some points why IoT will influence cyber community:
• IoT devices present multiple points of vulnerability.
• Connected devices need to be upgraded and patched regularly.
• IoT will increase complexity of the entire internet. It’s directly related to the increased complexity of the information infrastructure.
Amber Schroader, Paraben Corporation:
IoT will cause a lot of changes in the
review of connection in the community
and how that level of cross connection
can really affect the data we have on our
devices. We expect to see a lot of new
cases come into play with a focus on nontraditional storage devices.
Julie Herold, Kenny Herold, Odin’s Eye:
Negligible, at this time it appears to be a
novelty in discussion.
David Coallier, Barricade: I truly believe
the industry will start realising the importance of de-expertizing the field and allowing different types of people to join the
security field. We go as far as saying security shouldn't be its own discipline but
normal part of operations in Barricade.
Wade Johansen, CouriTech LLC: A lot of white hats will go gray, but not for all the wrong reasons! The continuous evolvement of global threats to peace and prosperity are affecting so many people that many have
decided the only way to fight crime is by operating outside the framework of laws as they currently stand.
Governments tend to be behind in technical advancements, and IoT is one of the things they aren’t
equipped to govern yet. They are slow to tackle emerging threats, and are behind on daily advances to
technology of IoT. Gray hats, on the other hand, can easily move in and out of systems without much fear,
and remain anonymous while having quite a large impact without causing system disruptions. They expose
and report vulnerabilities without exploiting them. It’s not about glory, it’s about getting the job done efficiently and building security around devices.
Craig McDonald, MailGuard: Information technology security experts have been warning the public about
cyber threats for years, but users seem not to pay attention to these alerts -- they either don’t understand
the threats or they do not care.
The cybersecurity industry needs to get better at communicating.
One new initiative is the Open Web Application Security Project’s (OWASP) Internet of Things Top 10 Project, which is attempting to educate users on the main facets of IoT security and help vendors make common appliances and gadgets network- and Internet-accessible. The project identifies the top 10 security
problems seen with IoT devices, and discusses how to prevent them on its website. Its list is as follows: Insecure Web interface; Insufficient authentication or authorization; Insecure network services; Lack of transport encryption; Privacy concerns; Insecure cloud interface; Insecure mobile interface; Insufficient security
configuration; Insecure software or firmware; Poor physical security.
The Internet of Things will redraw the lines of responsibilities for the enterprise – security policies will open
to different profiles of employees and updating protocols, as happened with the introduction of BYOD
or cloud computing, but on a much larger scale, and with a far more visible impact.
Technology research company Gartner believes that securing the IoT will be so complex that CISOs will use
a blend of approaches from mobile and cloud architectures, combined with industrial control, automation
and physical security.
Will we see the security for IoT emerging along new IoT solutions, or will we have to wait?
Chase Cunningham, Cynja: IoT security
isn’t really even a thought right now.
What we are seeing is the emergence of
the “next” Internet. With new protocols,
communication mediums and applications
but no consideration for security. Sadly,
we are seeing kids become the first victims of IoT exploits. In the past few weeks,
we’ve learned that Barbie isn’t just a plastic doll with a house of your dreams anymore. Instead, she’s a vector of attack
that hits kids right in their own home. And
parents who gave their child a Kidizoom
smartwatch or a VTech InnoTab tablet
may have exposed their kids to identity
theft after VTech reported hackers stole
the personal information of more than 6
million children. That’s why I believe we
need to protect our kids in this emerging
world of IoT and build systems that allow
families to better control their family’s
data, allow parents to see what data IoT
devices are collecting and alert them
when those data are stolen. What we’ve
learned this year is when it comes to IoT
toys, trusting a company's "reasonable
measures" isn't enough. As a dad, I’m doing something about this and building
better protocols for kids’ digital lives. They
deserve better than what we’re using today.
Wade Johansen, CouriTech LLC: Security is
already paramount, but it will not grow as
quickly as IoT itself. Products often are
rushed to market just to get brand recognition, this often means security is left
behind. In this case, you’ll see security
follow after breaches, etc., and when it
becomes a regulation concern. For a while, though, it will be the wild-wild west,
just like the early dot-com days.
BroadTech Security Team: Definitely, we
will have to wait because as I said earlier,
many new startup vendors have no idea
what it is. Wait, even Lockheed Martin
could not figure it out while making $37
billion fleet of littoral combat ships for US
Navy. Those new to IoT especially would
need some time to figure it out :-).
Gerald Peng, Mocato: I am an optimist,
and with IoT developing so quickly, I believe that consumers and corporations will
drive the need for increased security
options and tools.
Ondrej Krehel, LIFARS: It’ll take time. Once
the first major breach happens, it’ll explode.
Leon Kuperman, Zenedge: Yes, companies
like CUJO are making waves by protecting
both IoT and mobile devices on home and
SMB networks.
Michael A. Goedeker, Auxilium Cyber Security: We have to see security for IoT. We
have answered that call by discussing existing hacks today, at Davos and any other
conference we are invited to speak at.
Waiting for security and processes, procedures to catch up to new tech is the same
issue as previously, only now we are inviting attacks into our homes and family
members. This is a totally new ball-game.
Craig McDonald, MailGuard: The cyber
security industry needs to work with innovators from the get-go with partnerships that change the way products are
designed.
Elizabeth Houser, Praesidio: Both. First-attempt security for the IoT will emerge
along with new IoT solutions, otherwise
manufacturers won’t gain confidence and
purchases from consumers. There will, of
course, be vulnerabilities discovered and
privacy mishaps, most likely on a large
scale in some cases, and security standards will have to adapt accordingly as the
IoT expands and evolves.
Mitchell Bezzina, Guidance Software: Some vendors are already making claims to
be able to help with IoT security, but they
have the advantage of being first-to-market and attempting to define IoT security based on what they have to offer.
While more robust tools and technologies
evolve to meet the challenge, the majority
of IoT security efforts in 2016 are likely to
revolve around testing, testing, and more
testing. Take a look at Intel/McAfee for
the current leaders in IoT security thought-leadership.
Alina Stancu, Titania: It is predicted that
over 200 billion devices will be connected
by 2020. This sheer explosion of devices
attached to the network will lead to an
increased threat surface. Security monitoring will become essential and solutions
will have to adapt at managing the numbers. The silver lining is that IoT is still at a
young stage and it appeared in a context
where users are slightly more aware of
security and privacy issues. This means
there are calls for the industry to secure
things before it can spin out of control,
which means ultimately that the framework will be safer by default.
Wade Lovell, Simpatic: Fortunately, security will emerge alongside new IoT solutions and offerings. No manufacturer
wants to be in the news as the attack vector allowing the theft of confidential information or images.
David Clarke, VCiso: IoT will move from
becoming unsafe to manageable security,
the technology is there already.
Stephan Conradin: We have to wait. Too
many devices exist with poor security or
no security at all. It’s impossible to change
all devices and components very fast. Remember migration from IPv4 to IPv6, not
months or years, but decades.
The industry needs to learn from its mistakes as it builds devices that connect via
the Internet. Best practices security, such
as using secure protocols for communication or installing the latest updates, fixes
and patches, are the starting point. Innovators must consider that future security will be managed automatically by the
system instead of users, and designing
secure technology will require a new
approach and mind-set.
Kenneth C. Citarella, Guidepost Solutions:
We must include new security with new
developments. Waiting is too great of a
risk.
Amber Schroader, Paraben Corporation:
We, as an organization, have been focusing on it for over a year now and will continue to do so. IoT is here to stay and will
only grow in popularity and connectivity
which causes each individual's digital fingerprint to grow. There is also a great
deal of interest from governments to safeguard new connections and warn business
and home users of the increased risks that
arrive with connecting new devices.
David Coallier, Barricade: Most definitely.
The SaaS tech-model wherein a platform
that processes large amounts of data to
come up with decisions will start emerging.
Irfan Shakeel, EH Academy: We will not
have to wait; we will see the direct impact
in the year 2016. We will see the research
papers, findings/solutions, products to
secure the IoT. It will change the business
dynamics and the education as well.
Roberto Langdon, Nicolas Orlandini,
KPMG: Again, Security Awareness is a
must.
Andrew Bagrin, My Digital Shield: Usually
we have to wait because we need to know
what it is we are securing and what the
vulnerabilities are.
WHO IS WHO
Amber Schroader
Paraben Corporation
CEO & Founder
Throughout the past two decades Ms. Schroader has been a driving force for innovation in digital forensics. Ms. Schroader has developed over two-dozen software programs designed for the purposes of recovering digital data from mobile phones, computer hard drives, email, and live monitoring services. Ms. Schroader has taught and designed the established protocols for the seizure and processing of digital evidence that have been used by numerous organizations throughout the world. Ms. Schroader has coined the concept of the “360-degree approach to digital forensics” as well as started the momentum and push to the “Forensics of Everything-FoE” with her focus to unique problems in digital evidence and solutions.
Kenneth Citarella
Guidepost Solutions
Senior Managing Director
Kenneth Citarella is a senior managing director for the Investigations and Cyber Forensics practice. He joined Guidepost Solutions in 2010 as a project manager to investigate fraudulent claims for the Gulf Coast Claims Facility in its administration of the $20 billion BP compensation fund. In that capacity, Mr. Citarella supervised 300 professionals, including more than 200 field investigators. Nearly 18,000 claims were referred for investigation; many involved the financial analysis of a claimant’s business operations, including numerous construction-related entities. The project team wrote thousands of fraud reports which were described by an official of the U.S. Department of Justice as the finest body of investigative work he had ever seen.
David Clarke
David has experience across Finance, Telecoms, Public Sector including developing CERT on a Financial Intranet trading $3.5 Trillion a day, Managed Security
Services with a $400 million dollar Global install base, including Leading edge
Product Selection, implementation and architecture. In these sectors David
has built Secure operations capabilities often from scratch, developed full Cyber incident response expertise, created, maintained and improved regulatory and compliance commitments including PCI-DSS, ISO 27001.
TOOLS OF THE TRADE
How will tools evolve in 2016?
Michael A. Goedeker, Auxilium Cyber Security: They will become easier and faster
to use. There will be more emphasis on
the value a tool has to security and where
it obtains that information from.
David Coallier, Barricade: Businesses deserve security that isn't adversarial, complicated and confusing. The job of a security professional shouldn't be to stare at a
screen all day but rather promote and
encourage good security procedures and
behaviour across the organisation. Both
emerging and new tools are helping in
solving that problem.
Shay Zandani, Cytegic: The main evolvement will be in the cybersecurity management solutions field, due to the fact that
already CISOs and other security personnel are overwhelmed with the abundance
of defenses, policies and procedures, and
they must have a management system
that they can use as a vehicle to streamline and update operations and policies.
Wade Johansen, CouriTech LLC: More will
focus on geographical information and
isolation as well as virtual distribution models.
Julie Herold, Kenny Herold, Odin’s Eye:
Increased reliance on existing automated
tools to help companies achieve compliance to avoid financial penalties and
less investment and focus on manual assessments. As a result, automated tools
that typically scratched the surface will
mature as the compliance and regulatory
demands increase. The increase in demand will force vendors coding tools to
be more and more sophisticated and accurate and easier for anyone to utilize.
Andrew Bagrin, My Digital Shield: I believe
endpoint will become less effective and
will eventually go away.
Dennis Chow, Millar, Inc: We will probably
see more advancements in prediction vs.
detection based tools with the addition of
complementing tools that augment existing gaps in things like access control,
social engineering attack detection, and of
course, more 0-day detection.
Stephan Conradin: No real changes as
tools are not designed with security at the
design. We’ll have nicer interfaces and
still 50 security patches per year.
Ondrej Krehel, LIFARS: They will try to make things easier, adding more usability for
untrained staff.
Alina Stancu, Titania: There will be a boost
in automation, in order to keep up with
the sheer amount of data. As connectivity
has surpassed security, the number of
vulnerabilities and back doors has increased as well. Complex, interconnected systems require complex security tools. While there is no single tool that can successfully secure everything, there are certainly an array of solutions that can be
used together to minimise threats. The
key is not a bulk buy of the newest consoles. The key here is an intelligent risk assessment of the risks and capabilities of
individual organisations, in order to apply
tools and tactics in an efficient, cost-effective manner.
Mitchell Bezzina, Guidance Software:
Tools will continue to diversify for customer types, in most industries there are
experienced and new users who have vastly different requirements and job functions, solutions will adapt to cater for larger audiences and aim to create operational efficiency.
Roberto Langdon, Nicolas Orlandini,
KPMG: Forensic technologies and Data
Analytics will be the drivers to push the
investigation activity all over the world.
Data Analytics tools are focused on bringing more versatility to users, in order to
help them optimize the information filtering, identify potential irregular patterns in
huge volumes of information and select
the tagged pieces of evidence, the most
sustainable and specific ones. Cross information with other sources will help to
obtain a wider scope to the investigators,
because besides local equipment, pen
drives, CDs, DVD, tablets, notebooks, and
smartphones, there is a lot of information
inside Cloud Services.
Wade Lovell, Simpatic: Scanning tools, e.g.
NMap and ZenMap, will become even
more important and move into consumer
products. More tools will be deployed in
real time environments. Intelligent
pattern recognition will continue to develop and will be at least partially capable of
stopping bad actors, e.g. shutting down
ports under attack.
David Clarke, VCiso: Vendors with the
most R&D budget will dominate the market place, most tools will need to be managed by 3rd parties due to complexity.
Will the trend to eliminate passwords continue?
Michael A. Goedeker, Auxilium Cyber Security: Not sure about passwords but the
way we authenticate will evolve.
Andrew Bagrin, My Digital Shield: Yes, no
one likes passwords, but a standard solution is needed.
Mark Bennet, Blustor: The trend to eliminate passwords will continue and will likely accelerate as more devices support biometric authentication. We will see the
emergence of new two-factor authentication solutions as they incorporate the security benefits of biometrics.
Stephan Conradin: The password is often
still the least bad solution and with SSO it
remains comprehensible to the user without being too restrictive.
Paul Hoffman, Logical Operations: Yes, it
is tough to change the habits of people
and making secure passwords and changing them often is not easy. The quickest
way to affect security is to have a new
authentication method that is personal.
Wade Johansen, CouriTech LLC: Not yet, it
is still far too common and there are not
enough options to remove this as a staple
method of identification and authorization. However, you will see more dual factor authentication requirements in 2016
as well as chip technology taking a strong
foothold.
Mitchell Bezzina, Guidance Software: Yes,
biometric scanning will be household and
the use of passwords will be limited, however, the wide adoption will take years
for manufacturers to standardize so that
applications can make connections to hardware.
Dennis Chow, Millar, Inc Short: There will
be efforts, but unfortunately, it’s not going away anytime soon. Passwords are
still the most widespread, easiest, and
most affordable method of access so far.
BroadTech Security Team: I think yes, and
I think we should do away with passwords
altogether. It is not secure at all these
days, even the conference rooms have
surveillance cameras that can suck up your password. But a one size fit all parallel
implementation won’t be possible.
Einaras Gravrock, Cujo: Absolutely. However, expect 2016 to be the year of new
proposed solutions and not yet a solution
for what will actually be adopted.
Dotan Bar Noy, Re-Sec Technologies: I
think the trend will continue but there is
still a very long way before biometric measures could replace old style passwords.
This is true both for large enterprises as
well as for SMBs. The rise of biometrics
identification measures we saw in mobiles
will take a very long time before it will
make the move to desktop computers.
David Clarke, VCiso: Yes. Strong authentication may need to be legislated to remove passwords.
Ondrej Krehel, LIFARS: Passwords are great. We just need more factors beyond it.
Wade Lovell, Simpatic: Yes. People are
fundamentally lazy and the standard 8
character password can be cracked in ten
seconds. 59% of adult users in one recent
survey said they use a single password for
every site. While password managers are
breathing new life into passwords, they
won’t stem the tide.
Julie Herold, Kenny Herold, Odin’s Eye:
No, many attempts have been made to
eliminate the need for passwords and
most of them have failed. The only successful ones are smart cards/HSMs for
nation state and the financial industry and
this is too costly to implement and has a
high learning curve and maintenance cost
associated with it that organizations and
companies will deem unnecessary as a
result of the impact to end users.
What new technology will make an impact on cyber security the most?
Michael A. Goedeker, Auxilium Cyber Security: We believe ours! Dark Energy is
the first framework of its kind aimed at
using components from open source,
being open system and not telling a customer or partner what threat feed to use,
AV, ITAM, etc. It simply makes all that info
and systems finally actionable. We would
hope that AV companies, SIEM, VA and
other security companies discuss and help
us create the world's first unified threat
intelligence framework!
Roberto Langdon, Nicolas Orlandini,
KPMG: Organizations need to invest in the
right tools, as well as the right people.
They need visibility first and foremost, to
know if they are being attacked. Without
visibility, it’s impossible to identify holes
in the security arsenal and weaknesses in
infrastructure. There are organizations
that have been compromised for years
before they discovered the damage.
Przemek (Shem) Radzikowski, Secbüro
Labs: Attackers and criminal organizations
have been cooperating together for many
years, and in many respects are a decade
ahead of the rest in terms of their effectiveness. However, the adoption of cloud
technologies has had a positive effect on
our threat intelligence. By funnelling large
data segments through relatively few
cloud platforms, we have been able to
collect valuable intelligence on the techniques, attack vectors and origin of
attacks. Correlating these across regional
and organizational boundaries gives us
even more intelligence. This plus a push
from industry players to share such intel
freely, will only improve our ability to deploy proactive countermeasures.
Wade Johansen, CouriTech LLC: Encryption. It is now available to everyone
for everything - so governments will no
longer have the intelligence gathering
capabilities they once were privy to and
that will impact every person on the planet.
David Coallier, Barricade: As a company
working hard on leveraging machine learning and artificial intelligence we believe
large-scale analysis will play a major role
in changing how the security industry
works. We want to eliminate the concept
of rules and integrate the concept of behaviours.
Wade Lovell, Simpatic: Simply secure
communications will have the greatest
impact in coming years because 91% of all
hacks start with email.
BroadTech Security Team: It may not be
technology but awareness and a more
discerning use of available technology.
TOOLS OF THE TRADE
What new technology will make an impact on cyber security the most?
Andrew Bagrin, My Digital Shield: Definitely IOT.
David Clarke, VCiso: Secure mobile phones, and technologies that replace password technology.
Mitchell Bezzina, Guidance Software: Moving to a completely cloud based office
where laptops only store temporary data
worked on offline, or “checked-out”. This
will force us to redefine all security rather
than segments.
Ondrej Krehel, LIFARS: One that can take
all the devices and manage them in a single place.
Rick Blaisdell: The IoT makes every
"smart" device susceptible to hacks. Many
of these devices will be interconnected,
which will make machine-to-machine
trust increasingly more important. It's not
just the channel they use to communicate
that needs to be trusted (TLS encryption),
but also whether the devices at the other
end should be trusted at all. This issue will
become even more relevant when self-driving cars begin to communicate with
each other. They will need to be able to
identify illogical commands or spoofed
communications, and they will need to do
that automatically without human intervention.
Julie Herold, Kenny Herold, Odin’s Eye:
Technology that is developed to share
intel across companies in different industries. The attackers are already sharing
their intel for profit; we are just behind
and need to adopt their methods to keep
up.
Stephan Conradin: The human factor, but
it is not a technology. The first line of defense should remain the intelligence of
the human, his understanding of the risks,
his awareness of his actions,
Rajeev Chauhan: Two factor authentication including DNA matching.
Dotan Bar Noy, Re-Sec Technologies:
Within enterprises big data analytics and
machine learning looking for patterns will
make the life of the hackers harder. Additional gate solution that can ensure content introduced to the users are free from
any threats (known and unknown).
TOOLS OF THE TRADE
What new trends will we see on threat intelligence?
Michael A. Goedeker, Auxilium Cyber Security: It’s doing its job! There are many
companies that have feeds but the question is always about value. Fancy maps
are nice but what good does the information in that map do really? How is the data collection any different than using a
Raspberry Pi 2 with Snort, etc? We build our
own network of sensors (Pi2’s, DMZ sensors, etc) and use this information to find
differences and turn that information into
actionable intel. But we also use other
areas of data collection (all legal!). OSINT
is something surprisingly missing in all
threat intelligence feeds so we created
our own system that also includes that.
Wade Johansen, CouriTech LLC: Creating
virtual peer to peer networks (ready made) and selling them as being darknet ops.
Continued infiltration of current botnets,
and C&C centers as well as placement of
compromised servers into anonymous
systems.
Mark Bennet, Blustor: The continued
growth and use of biometric authentication will have a profound impact on cyber
security – both improving security as well
as creating a new set of vulnerabilities
that are not being effectively addressed
by the mobile device industry.
Stephan Conradin: More collaborative
work to share knowledge.
Anthony Di Bello, Guidance Software: Likely a standardization of one or two formats. We will see a Betamax/VHS situation emerging between the many
“standards” that currently exist such as
STIX and YARA.
Dennis Chow, Millar, Inc: Possibly the inclusion of other threat vectors for true intelligence such as physical, signaling, and
other disciplines that can be combined
into cyber.
Mitchell Bezzina, Guidance Software: Intelligence platforms will emerge to
converge threat intelligence providers
into one connectivity source, cost of threat intelligence will lower due to commoditization.
Shay Zandani, Cytegic: Geographic and
Industry-specific trend analysis and automatic pattern recognition will be mandatory for large organizations who want to
be able to take informed preemptive decisions in cybersecurity.
Roberto Langdon, Nicolas Orlandini,
KPMG: One way companies can expand
their expertise is by bringing in security
intelligence to pinpoint problems, identify
anomalies and highlight unusual or suspicious activity. Intelligence can help in two
ways. First, an “early-warning-as-a-service” can reduce the vulnerability threat window: the time between the detection and the remediation of an attack.
Intelligence can also provide a broader
picture of global threats than any one organization could gather on its own. Security is an ecosystem; organizations need
to know what is going on externally as
well as internally. Organizations can
expand their own intelligence by using
Threat Intelligence tools for consolidating,
analyzing and sharing information about
their own security threats with peers and
competitors. While this is a sound idea in
theory, sharing information with competitors is not something many organizations
are willing to do—yet. Understanding the
threat landscape and knowing your enemy with security intelligence is another.
What you can’t prevent, you should try to
detect. And what you can’t detect, you
should be prepared to respond to quickly.
Ondrej Krehel, LIFARS: Better integration
and multiple source management.
Wade Lovell, Simpatic: Threat modeling
for real-time response will become the
new norm even in small organizations.
David Clarke, VCiso: Threat Intelligence
may be the catalyst to make IT safe.
Andrew Bagrin, My Digital Shield: Simplification as opposed to flexibility. Security
needs to start making a stand and force
software developers to start following
standards when they communicate across
the network.
WHO IS WHO
Shay Zandani
Cytegic, Co-founder and CEO
Shay’s entrance into cyber security was on the nation-state cyber battlefield
when he founded the Information Warfare Department at the Israeli Air Force.
Under his leadership, the IWD pioneered the use of data manipulation for
cyber offense. He then spent more than a decade as CEO of Kesselman Global
Risk Management Solutions (GRMS), a subsidiary of PwC focused on conducting
risk and cyber security maturity assessments for large enterprises. Prior to
PwC, Shay participated in establishing the first TTP Certificate Authority in
Israel. Shay’s unique blend of private and public sector experience and deep
understanding of how cyber risk evolves and impacts an organization’s bottom
line helped crystallize his vision for Cytegic. He received his bachelor’s and
master’s degrees in computer science from the Open University of Israel, and
his Executive MBA from Northwestern University and Tel-Aviv University, upon
graduating from Mamram, the IDF (Israeli Defense Forces) technical elite unit
in 1990.
Rick Blaisdell
Experienced CTO, creating technical strategies which reduce IT operational
costs and improve efficiency. Rick has 20 years of product, business
development and high-tech experience with Fortune 500 companies, developing
innovative technology strategies, with particular expertise in cloud
computing integration, delivering cost effective IT services, strategic
planning and development for Information Systems, and creating innovative
businesses
Wade Lovell
Simpatic, CEO
Wade Lovell has founded eight companies with $200+ million in stakeholder
returns. Wade began his career at Goldman Sachs and Arthur Andersen. He has an
MBA from Columbia Business School and is a financial services expert. He is a
CPA, former CFE, EA, and has held Series 3, 7, 63 & 24 designations.
Dotan Bar Noy
Re-Sec Technologies Ltd, CEO and Co-Founder
Lt. Commander Israel Navy has more than 10 years of management experience in
several leading companies and startups in Israel and US.
AREAS OF SECURITY
What are your predictions for network security in 2016?
Michael A. Goedeker, Auxilium Cyber Security: The push for more automation will
eventually happen. We have started this
process by being the first company to introduce our copyrighted concept of the
„Self Protecting Network”.
Wade Johansen, CouriTech LLC: It will
continue to grow as a field, and businesses will be required to meet new standards if
they want to trade at global levels.
Wade Lovell, Simpatic: I anticipate a rise
in the adoption of security appliances and
air-gapped internal networks in 2016
(similar to the structure of the 1970’s and
early 1980’s when each company had its
own mainframe that did not communicate with the outside world).
Mark Bennet, Blustor: As more employees
telecommute and the workforce continues to become more mobile, network security will continue to evolve to better
support granting secure and remote access to enterprise networks. A key concern is positively identifying that a remote
employee is, in fact, who they claim to be
at the point of entry into the network. We
will see the incorporation of biometrics as
one of the key solutions. Companies will
also discover that storing an employee’s
biometrics in a centralized location comes
with tremendous liability in the event that
data ever becomes compromised. Solutions such as BluStor’s CyberGate
platform are uniquely positioned to help
address those types of risks.
Julie Herold, Kenny Herold, Odin’s Eye:
“All your eggs in one basket” – We see
SaaS, PaaS, IaaS, with many tenants becoming a target for network pivoting between organizations and/or the presence of
malicious faux companies establishing
presence to increase the proximity to targeted organizations.
Mitchell Bezzina, Guidance Software:
Expect more breaches where organizations had detected compromise long before data theft, but mishandled the original response. This trend will continue to
drive changes in incident response process, and the depth of forensic investigation.
Leon Kuperman, Zenedge: Increased
DDOS attacks in both size and complexity.
Increased penetration into corporate networks, where threat actors wait and stay
longer without detection. New attack
methods for hiding command / control
communication.
Alina Stancu, Titania: Network function
virtualisation (NFV) is a rapidly evolving
aspect of virtualisation which was created
in an effort to speed up deployment of
network services. NFV is great for streamlining specialised network tasks onto a
single platform, but it is significantly more
complex and makes attacks harder to
identify, in its multi-layered form. Software defined networks (SDNs) have been
created on campuses and developed in
cloud data centres. Used in combination
with NFV, they can offer greater value to
existing services, making it more scalable
and fully-automated. Further risks come
in the shape of open source software that
these new technologies are based on and
larger attack surfaces. Auditing and penetration services will rise as more industry-led standards become ingrained in business practices. From PCI-DSS to SANS, HIPAA or FISMA, businesses are more under
pressure to comply with policies specific
to the country they operate in, or the industry sector they cater to.
Anthony Di Bello, Guidance Software:
Attackers will remain undetected for longer as evasion methods become more
complex.
Stephan Conradin: Still a lot of DDOS.
Ondrej Krehel, LIFARS: I think network
taps will be more common.
Roberto Langdon, Nicolas Orlandini,
KPMG: Our predictions on network security depend on the extent to which the
people responsible for technological
platforms recognize all the tools, policies
and procedures that must be added to the
existing ones. Different surveys conclude
that about 40% of the market did not implement Intrusion Prevention Systems
(other vendors call them Next Generation
Firewalls) to protect the application level
in the OSI model. If this is true, and on the
other hand the Top 10 OWASP recommendations are not followed and assured
in the organizations, the cyber delinquents still have a lot of work to do.
David Clarke, VCiso: Software defined networks, legislation and password technology replacement.
Andrew Bagrin, My Digital Shield: I predict that there will be more pre-filter, trying to deliver a prescrubbed internet service, as opposed to giving more tools to
try and scrub it themselves.
Paul Shomo, Guidance Software: Variants
of malware will increase to limit the ability for indicators of compromise being easily defined.
AREAS OF SECURITY
What are your predictions for software security in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Secure coding will continue to be a
vital part of any security methodology.
OS’s with integrated spyware will be less
and less acceptable and will see business
revenue drop. This will push Open Source
OS’s for the second time.
Mitchell Bezzina, Guidance Software:
Endpoint technologies will be the main
focus for 2016, redefining the replacement for antivirus. This allows networks
to be understood and secured from the
inside out and provides a means of detection and response to all threats.
Einaras Gravrock, Cujo: We will see many
new solutions focused on network traffic
patterns, big data, and machine learning.
Stephan Conradin: Still 50 security patches per year for each software because
software has no security by design,
OWASP will continue their very good job
of explaining how to avoid SQL Injection
and we’ll see SQL injection.
Julie Herold, Kenny Herold, Odin’s Eye:
The heavier we move code reliance on the
client for storage and processing, the more attacks that will be developed in server
response and client-side code tampering
versus the more traditional and more secure server side attacks in client requests.
Paul Hoffman, Logical Operations: Move
to secure coding. Patching holes before
launching software.
Rick Blaisdell: Backup and recovery will
become synonymous with security. With
the explosive growth of structured and
unstructured data, improving backup and
recovery time will be a big hurdle for the
enterprise. Vendors will rely on automated tiered solutions and data deduplication to address the challenges of
heterogeneity of technology. Encrypted
data backups and agentless cloud-based
replication will become the norm for data
security.
Ondrej Krehel, LIFARS: Hopefully, the
SDLC will include more security, hopefully
being sent to a security specialist and not
a dev.
Wade Johansen, CouriTech LLC: Much of
it will become platform independent and
include focus on mobility and portability.
Dennis Chow, Millar, Inc Short: More focus and demand in SSL/TLS based decryption.
David Clarke, VCiso: Self contained security in software, vulnerability management
designed in as part of software maintenance, password technology replacement.
Wade Lovell, Simpatic: Apps – corporations will start controlling the approved
and therefore available apps on BYODs.
Antivirus – consumer antivirus programs
will move up market in order to remain
viable. AVG, for example, is struggling under the weight of its free model and has
moved to freemium offerings and add-ons.
Andrew Bagrin, My Digital Shield: It will
continue to struggle to keep up. I’m assuming this is referring to endpoint.
AREAS OF SECURITY
What are your predictions for hardware security in 2016?
Michael A. Goedeker, Auxilium Cyber Security: We already train our partners and
customers in „hardware hacking”. Many
instances have shown that hardware and
the associated firmware is a valid attacking vector. We are no longer just dealing
with software viruses and malware, we
are also dealing with firmware, side channels and newer aversion techniques to
hide protocols and suspicious traffic and
activities.
Wade Lovell, Simpatic: Manufacturers
will continue to be plagued by their own
errors and government demands for backdoors. They will also be compelled to offer
economic incentives for successful hacks
against their hardware, e.g. Cisco routers,
in order to attract a real mining effort on
the part of the white hat community.
Einaras Gravrock, Cujo: We will see an
increasing amount of hardware makers
who will rely on third party platforms to
build software for their hardware. Those
third party platforms, a combination of
hardware security and software security,
will help IoT makers build less vulnerable
devices.
Julie Herold, Kenny Herold, Odin’s Eye:
We think there will be an increased focus
on uncovering intentionally placed holes/
gaps within the hardware space that are
baked into the solution at low levels.
Ondrej Krehel, LIFARS: More 2+ factor
tools for access.
David Clarke, VCiso: Hardware security
appliances may make a comeback as virtualisation may still be very vulnerable to
skill shortages and software exposures.
Stephan Conradin: Perhaps more concerns with corrupted devices by firmware,
and questions like How to trust manufacturers.
Paul Hoffman, Logical Operations: More
use of built-in BIO security.
Andrew Bagrin, My Digital Shield: Hardware security is fine, but it doesn’t need
to be on specialized hardware. For 2016, I
don’t believe there will be much change.
Wade Johansen, CouriTech LLC: TPM will
make a larger impact, and we will continue to make smaller, faster IOPs capable
data devices for the data center.
AREAS OF SECURITY
What are your predictions for cloud security in 2016?
Michael A. Goedeker, Auxilium Cyber Security: National and International Privacy
will continue to shape this industry and
how products are hosted to international
customers and partners. As more services
and resources are put into the cloud, so
too will the regulations and audits needed
to verify compliance evolve. As more services are hosted in the cloud, it then becomes an even bigger target.
Rajeev Chauhan, Cyber Oxen: IOT will
dictate the security in cyber space scenario including all the areas of security mentioned above. The boundaries between
hardware and software security will merge.
Wade Johansen, CouriTech LLC: AWS and
Azure will make cloud security a priority
this year. There appears to be a lull in the
adoption of more cloud based services,
and in large part, it’s because the security
has been behind. That will be rectified this
year.
Ondrej Krehel, LIFARS: I hope the providers will be more secure in their deployments.
Mark Bennet, Blustor: There is an interesting growth trend in the number of
whitepapers and articles that have been
published over the past year that espouse
the increased security of cloud based solutions. While these claims are partially
true, a close examination of many of the
articles reveals that they are often sponsored by companies that provide cloud
based solutions or related services. The
reality is that the cyber security in the
cloud is still largely immature, unproven,
and there are ample examples of failures.
Like the growth of mobile devices, the
cloud is a tremendously powerful tool but
carries with it the risks of what is still a
young and rapidly evolving industry. Enterprises need to carefully examine how
access to cloud based data and applications are effectively controlled.
Leon Kuperman, Zenedge: Cloud is an
area where the industry is behind. There
are no solid security standards for multi-cloud deployments / implementations.
New solutions will need to be introduced
to close the gap between on-prem
(mature) security and cloud infrastructure.
Wade Lovell, Simpatic: More companies
will move to universal two factor authentication. True secure end to end encrypted email and chat will start replacing insecure desktop and mobile email in particular. Companies will force https connections to all web sites accessed from within
their organization and eventually move to
white lists.
David Coallier, Barricade: Huge year for
cloud security. More companies are becoming aware that "the cloud" is not a silver
bullet but also not completely insecure.
Tools who are born on the cloud will
prevail as it is clear that incumbents who
are retroactively adapting their tools for
cloud products are simply not good at it.
The pricing models for the security industry, which has traditionally been contract-based,
has to change to reflect how people use the cloud. The SaaS model for security will grow.
Stephan Conradin: With cloud we delegate our security without strong controls.
Sooner or later, there will be a serious
incident.
Dennis Chow, Millar, Inc: Many more vendors and startups coming to complement
access controls and data discovery/data
control.
Mitchell Bezzina, Guidance Software: Large Cloud Vendors will be forced to make
virtual machines of computer systems
available to security teams for incident
response investigations in response to
new data breach notification regulations.
Without access to full machines, response
teams are limited in their ability to acquire all data quickly, this may also affect
SaaS providers and will likely lead to instrumental case between a breached organization and its cloud provider.
Paul Hoffman, Logical Operations: More
security controls.
Andrew Bagrin, My Digital Shield: Security
in the cloud and securing the cloud are
two different things. I believe there will be
a much bigger move to providing security
in the cloud (pre-scrubbing).
Julie Herold, Kenny Herold, Odin’s Eye:
We think technologies like Chef, Puppet,
Ansible, SaltStack and Docker will be targeted by attackers to proliferate backdoors, misconfigurations with the intention of abuse, and malware. Of course,
this would also include any other patch
management, centralized security appliances/solutions etc.
Rick Blaisdell: Cloud security will increase
in scale, and decrease in complexity. In
2016, we’ll see cloud security evolve into
simpler, virtualized controls and solutions
that will have embedded security processes to help map current IT systems. Heavy
protective layers that have difficulty scaling in the cloud will stay behind, and next
year will have lighter, scalable cloud security solutions.
Craig McDonald, MailGuard: 2016 will be
the first year cloud services will be chosen
because of their enhanced security. People are at risk of physical harm as next-generation technologies are targeted. Cyber attackers will fund unpatched vulnerabilities in smart-connected home devices
as a way to stage a full-blown attack. There are no signs of a wide scale attack coming but this scenario is highly probable.
Attacks on next generation payment methods – from EMV credit cards to mobile
wallets – will increase. Mobile malware is
expected to grow exponentially with
much of this originating in China. Hacktivists will use data breaches to systematically destroy their targets. Businesses will
also fall for elaborate tricks that use new
social engineering lures. Expect a big increase in ploys that persuade employees
to transfer money to cybercriminal-controlled bank accounts. Their first step
is to become familiar with the target’s
ongoing business activities, so their malicious schemes are camouflage. This is typically done by intercepting communications between business partners.
David Clarke, VCiso: Cloud availability and
a minimum of dual (maybe internet and
private) connectivity. Cloud services will
help mitigate skills shortage in cyber security.
Irfan Shakeel, EH Academy: Cloud security
will face new challenges; hackers are more likely to exploit the human vulnerabilities. Organizations have to invest in training programs; the certification providers
will also create the cloud specific certificate and training to capture the market need. Overall, the business will grow.
WHO IS WHO
Ondrej Krehel
Lifars, CEO and Founder
He is the CEO and Founder of LIFARS LLC, an international Cybersecurity
Intelligence, Digital Forensics, and Incident Response firm. Ondrej also leads
the Digital Forensics team at LIFARS. He’s the former Chief Information
Security Officer of Identity Theft 911, the nation’s premier identity theft
recovery and data breach management service. He previously conducted forensics
investigations and cyber security consulting at Stroz Friedberg. With two
decades of experience in computer security and forensics, he conducted a wide
range of investigations, including data breached through computer intrusions,
theft of intellectual property, massive deletions, defragmentation, file
carvings, anti-money laundering, financial fraud, mathematical modeling and
computer hacking. Ondrej’s experience also includes advanced network
penetration testing using various tools and technologies, database security
testing, physical security assessments, logical security audits, wireless
network penetration testing, and providing recommendations for operational
efficiency of approaches.
Julie Herold
Odin’s Eye
Senior Security Consultant
Strong eleven year development background for a Fortune 10 company and 2 years of penetration
Kenny Herold
Odin’s Eye
Principal Security Consultant
4 years of experience as a service lead for anti-spam/anti-malware/anti-virus
working for a Fortune 10 company at a global scale as well as 2 years of
general application security background and 5 years of penetration testing in
aforementioned company and an additional 2 years of penetration testing for
Odin’s Eye, LLC.
Alina Stancu
Titania Marketing Coordinator
She is Marketing Coordinator at Titania and has spent the past two years,
learning, talking and writing about information security. She is also a
contributor to The Analogies Project.
THE INDUSTRY
Will 2016 belong to start-ups or big cyber security corporations?
Chase Cunningham, Cynja: Startups will
continue to be the real infosec innovators.
I predict large companies will pick up their
pace of acquisition of these smaller firms.
From where I sit, the large companies
aren’t concerned or even working towards much innovation in the space as it
is cheaper to simply buy the little guys
out. This “trend” is basically leading to the
establishment of a market wherein anyone can start a company, come up with
something 1% better than someone else
and get bought for a lot of money, then
go off and do it again.
Irfan Shakeel, EH Academy: 2016 will belong to the start-ups of the infosec companies. Startups will focus on vulnerability
research, threat intelligence & monitoring
tools. The infosec service sector is likely
to grow, as more organizations are looking for services.
Leon Kuperman, Zenedge: Disruptive Startups.
Einaras Gravrock, Cujo: The tide’s going to
be growing for all types of companies.
New sectors within cyber security will create new giants from startups. Overall, this
is growing so fast… with such a huge demand for products and sectors within cyber security the space will continue booming in 2016 and beyond.
Michael A. Goedeker, Auxilium Cyber Security: Hard to say really. Start-ups will
happen, the question is if big cyber corps
will start to get more pressure to think
dynamically like start-ups do.
Wade Johansen, CouriTech LLC: Startups
will be less of an influence in 2016 as the
market becomes more global, they just
don’t have the capability of tapping
worldwide systems for the intelligence
gathering in an increasingly hostile environment.
Mark Bennet, Blustor: In 2016, the growth
of IoT, increased public awareness of cyber security issues, and the global expansion of Internet access will provide tremendous opportunities for cyber security
start-ups. As typical of most industries,
disruptive innovation is largely driven by
small start-ups. We will see continued
innovation in the cyber security space as
well as consolidation as larger companies
acquire start-ups with promising technology.
Elizabeth Houser, Praesidio: Startups. Larger cybersecurity corporations don’t offer
the agility or innovation that startups
bring to table.
David Coallier, Barricade: Startups. The
tech world moves so fast that the incumbents are stuck in the innovator's dilemma and only the smaller, more agile companies are able to move at the pace at
which the security industry should be
operating.
Stephan Conradin: Neither one nor the
other. Good ideas are emerging in small
entities but great entities have the ability
to act. They have to collaborate.
Wade Lovell, Simpatic: 2016 is a year for
start-ups to show their agility.
Alina Stancu, Titania: Mergers and acquisitions in the industry will continue to take
place. Small cyber security boutique-style
companies, which have the flexibility to
develop innovative solutions at a fast pace, will be acquired by bigger, more established companies. Something which big
enterprises find more difficult. However,
as demand for more than one solution
addressing different needs increases, big
corporations choose to increase their
portfolio of in-house solutions.
Craig McDonald, MailGuard: The big security players are at risk of being disrupted by agile emerging competitors.
Their challenge is to start delivering the
next generation of security solutions for
the cloud, where they lag behind. Expect
to see the big players courting and buying
small vendors – unless they can finally
achieve some innovation in their current
product offerings. As Microsoft’s Azure and AWS compete for business, they
will focus on new and improved security
features, in particular, helping customers
to have greater control and visibility into their cloud. As they reach ‘feature parity’ in the IaaS (Infrastructure-as-a-Service)
space, rich security capabilities will become their differentiators, either through
additional platform features or third-party
offerings.
Paul Hoffman, Logical Operations: There is
room for both. The big companies will
have it easier because they already have
customers, but startups will have innovative technology that will make them
relevant.
Ondrej Krehel, LIFARS: New players will
always be great, but they can be bought
out.
Rajeev Chauhan: There is ample space for
startups as not all industries can afford
highly expensive services of corporations.
Dotan Bar Noy, Re-Sec Technologies: We
are at a time where the big vendors dominate the more conservative solution and
reinventing themselves by acquiring innovative new technologies. The startups
are the ones that will introduce the disruptive technologies that will be necessary in order to combat new types of malware.
Nick Prescot, ZeroDayLab: Clients are looking for the right company to do the right
job, the benefits won't change.
David Clarke, VCiso: Both as the bigger
ones will buy the start-ups.
Gerald Peng, Mocato: Start-ups. In the
first half of 2015, venture firms invested
$1.2 billion into cybersecurity start-ups
(CB Insights). Corporate customers want
to avoid destructive attacks that can hurt
their brand names and consumers are
trying to protect their private information.
These firms are finding innovative ways to
capitalize on that need.
Anthony Di Bello, Guidance Software: I
think the question is more will 2016 belong to broad security vendors (such as
Palo Alto, McAfee) or niche best-of-breed
vendors (such as Blue Coat, Guidance Software). I believe we will see a focus on
integrated best-of-breed solutions, the
mix of which being different at each enterprise based on their unique environment and threat types.
Andrew Bagrin, My Digital Shield: Definitely startups!
BroadTech Security Team: Nothing will
hinder startups though some will fail. Many of the products of cyber security corporations will become a public disgrace.
Julie Herold, Kenny Herold, Odin’s Eye:
Larger security corporations because of
the increased demand, lack of consumer
knowledge in what they need as far as
breadth and depth for defensive or proactive offensive testing and mitigation
and/or remediation advice.
Will cyber security events (like BlackHat or DEFCON) remain an important part of influencing the development of cyber community and companies?
Chase Cunningham, Cynja: The larger
CONS are already basically viewed by
most security operations personnel as not
much more than a reason to go to Vegas
and perhaps participate in shenanigans.
It’s smaller CONS where really interesting
and really innovative solutions are being
shown. The large CONS will continue but
are slowly becoming nothing more than a
giant sales convention for companies to
network and pitch things.
Ondrej Krehel, LIFARS: I think the focus is
changing from them. They’ve grown too
big.
Michael A. Goedeker, Auxilium Cyber Security: It’s getting to the point where the
investment for attending and the value
are starting to be questioned for some
conferences. In my opinion, events like
Bsides are becoming more important and
attended by more people due to the lower costs involved with attending. I am by
no means saying Blackhat is not valuable
but people are starting to feel real pain
when paying thousands of dollars or euros to attend a conference in the US. There has to be a balance and not a “we are
taking all the money from all sides” just
so you attend our show. Security lives
from teaching and not being so egotistical
with conferences.
Rajeev Chauhan: Yes, they may become
prominent as recruiters for govt agencies
as well as “Contract Agreement” hunting
ground.
Leon Kuperman, Zenedge: These events
are overly commercialized at this point
and used as announcement platforms for
the most part.
Stephan Conradin: Yes. Experts should
meet experts to share knowledge.
Julie Herold, Kenny Herold, Odin’s Eye:
We think these events are becoming more and more about networking and vendors which will continue on the upward
trend.
Paul Hoffman, Logical Operations: Yes, for
a while.
BroadTech Security Team: Yes, of course,
such events are the life and blood of cyber security. There will be many more
such local events, too, which may not get
much press.
Craig McDonald, MailGuard: Yes, and there will be more of them. Education and
communication is a key priority in 2016.
Cybersecurity can no longer be seen by
businesses as optional, nor half-baked
solutions accepted.
Wade Johansen, CouriTech LLC: Yes, unfortunately they still will not be a target of
many companies for sending their cyber
employees, as it’s still seen by too many
as a non-essential training experience.
Andrew Bagrin, My Digital Shield: Yes,
that is where all is exposed.
Anthony Di Bello, Guidance Software: Certainly. They should be (and are) leveraged
as recruitment events. In addition I think
we will see more involvement by industry
in collegiate cyber security events such as
www.nationalccdc.org and niche security
events such as guidancesoftware.com/
enfuse, bringing together like specialist
communities to a common cause.
Dotan Bar Noy, Re-Sec Technologies: Yes.
It is harder to get noticed at those events
due to the overall noise. But those events
play a significant opportunity to meet professionals, exchange ideas and meet decision makers.
Wade Lovell, Simpatic: Yes, if they don’t
get too expensive for small bleeding edge
companies to justify attending and if they
keep attracting new talented speakers.
Will we see more state-level cooperation in 2016?
Chase Cunningham, Cynja: Local and state
governments in the U.S. are so far behind
the curve in cyberspace they don’t even
have an idea on how to get involved. Without a coalition that can guide local and
regional entities and help them gain traction in solving their own specific cyber
problems, they will continue to lag and
exploits will rapidly expand.
Andrew Bagrin, My Digital Shield: Less
cooperation and more regulation I think,
which is a mistake, but that is how our
government thinks when it comes to security.
Rick Blaisdell: 2016 will be a very significant year for both sides of the cybercrime
equation. Governments and enterprises
will begin to see the benefit of cybersecurity foresight, with changes in legislation
and the increasing addition of cybersecurity officers within enterprises. In addition, as users become more aware of online threats, attackers will react by developing sophisticated, personalized schemes
to target individuals and corporations alike.
Dennis Chow, Millar, Inc: We will see more attempts at information sharing and
incident response assistance.
Michael A. Goedeker, Auxilium Cyber Security: Certainly and this is a good thing!
We need to discuss privacy, protecting
people, critical infrastructure.
Paul Hoffman, Logical Operations: Yes,
they will have to.
Leon Kuperman, Zenedge: Yes, it’s a must-have shift.
Julie Herold, Kenny Herold, Odin’s Eye:
No, there is too much on their plate to be
able to assist the private sector unless it is
in the best interest of the state or nation.
Funding for security on the lowest levels
of defense is lower in government agencies than the private sector. If anything,
threat intel shared from the private sector, which is capitalist driven, may assist
at the state or national level.
Wade Johansen, CouriTech LLC: Yes and
No? As the world becomes smaller electronically, states are beginning to realize
that being part of a larger and slower
government system can be crippling, but
when it comes to sharing data about its
citizens or immigrants then I think yes,
they’ll share a lot more this year than last
year?
Anthony Di Bello, Guidance Software: To
some degree. Will it be effective? Depends on the degree of sharing, accuracy
of what is being shared, and the controls
various states will demand on the data
they are sharing.
BroadTech Security Team: Yes, but each
state taking into its own national interest
first.
Stephan Conradin: I hope. We are in cyberwar and some aliens are always welcome.
Einaras Gravrock, Cujo: We are seeing it
already. For example, the recently announced Department of Homeland Security
initiative to secure IoT devices. We can
expect many more initiatives like that simply because the government alone cannot
combat this problem.
David Clarke, VCiso: Yes already happening, and needs to be at a business level.
Wade Lovell, Simpatic: No. Nation states
have their own agendas and huge budgets
as well as some of the brightest minds in
white hats. The so-called cooperation we
have seen so far has allowed them to
tamper with standards and implementations down to the level of the NSA allegedly recommending elliptic curves it has
the means to break.
In which industry will we observe the biggest demand for cyber security services?
Michael A. Goedeker, Auxilium Cyber Security: Critical Infrastructure, Defense and
anything Big Data.
Przemek (Shem) Radzikowski, Secbüro
Labs: Akamai’s statistics for 2015 show that
Media & Entertainment (48%), High Technology (11%), Retail (9%) and Public Sector (5%) collectively accounted for 65% of
attacks. I’d put my money on this trend
and say that these four segments will
drive demand.
Mark Bennet, Blustor: The healthcare and
related industries are already under tremendous pressure to address the tremendous vulnerabilities in their legacy infrastructure, medical devices, and data protection solutions. This is an area that is
gaining public awareness and will drive
the demand for innovative solutions that
can help solve some of the industry problems without breaking the bank.
Kenneth C. Citarella, Guidepost Solutions:
Government, banking and healthcare will
fuel the demand for cyber security.
Andrew Bagrin, My Digital Shield: Probably retail and healthcare.
Wade Johansen, CouriTech LLC: Travel
and immigration services such as VISA
programs.
Wade Lovell, Simpatic: The security spent
in healthcare is expected to rise more
than 20% but I think the biggest demand
will be among money center banks.
(Symphony, which serves a coalition of 19
banks, just raised another $100 million
this Fall.)
David Coallier, Barricade: Strange answer
to this one but fashion and e-commerce
to us have strong signs of interest and
growth. Many companies in these industries do not traditionally have a strong
security culture and new products will
come in and help them achieve that, grow
with security awareness at the very least.
Mayur Agnihotri: Cyber security services /
solution is one of the alarming concerns in
many critical industries, such as BFSI:
aerospace, defense, and intelligence, because the biggest challenges of cyber security are education and training in 2015.
Roberto Langdon, Nicolas Orlandini,
KPMG: Cyber Security is a challenge for
the entire “Government-Private Corporations, SMB organizations, and professionals” ecosystem. It requires to stay informed, well equipped, conscious about the
subject, and with policies and procedures
to let the people know how to do the
things right, and how to react to a security
issue or incident.
Alina Stancu, Titania: Possibly healthcare.
Although the financial sector, as well as
various governments, are stepping up security efforts, due to the threat levels.
Financial crime is not disappearing,
though it is becoming more targeted, while state-sponsored attacks, through their
complexity and persistence, require significant resources and a wide range of specialised skills. The most stealthy attack
campaigns known to date (Stuxnet, Duqu,
Flame, The Mask) have been from state-sponsored actors.
Anthony Di Bello, Guidance Software: Healthcare, retail, government and finance.
A problem here is financial and consulting
(PWC, ATOS, Optiv, etc) industries have
the cash to corner much of the existing
talent.
Gerald Peng, Mocato: Retail, healthcare,
finance, and device manufacturing. The
first two will demand it due to the IP, consumer data and communications they
want to protect. Companies that process
electronic payments or produce IP-sharing
devices will also want protection against
cyber threats in order to maintain consumer confidence and brand reputation.
Stephan Conradin: SCADA, critical infrastructures.
Dotan Bar Noy, Re-Sec Technologies: According to the “Banking & Financial Services Cybersecurity: U.S. Market 2015-2020
Report”, by Homeland Security Research
Corp. (HSRC), the 2015 U.S. financial services cybersecurity market will reach $9.5
billion, making it the largest nongovernment cybersecurity market. In addition, the report concludes that this market will be the fastest growing nongovernment cybersecurity market, exceeding $77 billion in cumulative 2015-2020
revenues. This is driven by an increase in
regulation and the demand for zero breaches, shutdown time and information leak
systems.
David Clarke, VCiso: Demand is big, the
ability to pay isn’t, government, finance,
pharmaceutical, legal.
BroadTech Security Team: Defence, health care, power...
Paul Hoffman, Logical Operations: Healthcare, they are so far behind. It will take
years to get them off this list.
Leon Kuperman, Zenedge: Banking, Insurance, Financial, Health Care, Retail.
Julie Herold, Kenny Herold, Odin’s Eye:
The health industry as a result of the
upward trend in data breaches and the
lack of security maturity in this space.
Ondrej Krehel, LIFARS: Manufacturing.
What do you think will change in the cyber security market in your country?
Michael A. Goedeker, Auxilium Cyber Security, Germany: I hope that there will be
better rates for experienced security people. Right now many big customers pay
little for much, this is unbalanced and really unfair as “cyber” security experts do a
lot of learning and gain experience that is
not paid. This experience “SHOULD” be
paid but currently isn’t. At some point, we
will refuse to be undersold and not work
for minimal wages comparable to low paid jobs that do not require special training, certifications or degrees in addition
to real world experience.
Wade Johansen, CouriTech LLC, US: The
push for BYOD will drastically drop this
year in the US because of inherently insecure devices that are not corporate controlled, which could compromise entire
networks.
Dennis Chow, Millar, Inc Short: Advances
in Threat Intelligence and Automatic Response in Systems.
Alina Stancu, Titania, UK: UK remains a
hotspot for disruption and advancements
in technology. But where recent years
have been explosive with new start-ups
and cutting-edge developments, 2016 is
converging towards a more consolidated,
mature market. More defined classifications of security services are starting to
emerge. Export was a priority to the UK
government in 2015 and that was illustrated best with the visit of Prime Minister
David Cameron to US at the beginning of
this year, where he invited a trade delegation of cyber security companies.
Andrew Bagrin, My Digital Shield, US: More complexity and higher process.
Dotan Bar Noy, Re-Sec Technologies, Israel: The latest data from Israel’s National
Cyber Bureau indicates cyber exports increased from $3 billion (USD) in 2013 to
$6 billion in 2014, that constitutes about
10 percent of the global cyber market.
Israel is second only to the United States
as the largest exporter of cyber products.
This is made possible by the increasing
amount of highly skilled professionals.
Israel’s unique security needs created a
focus on cyber security education in
schools, army service, and dedicated colleges. Hopefully, we will see additional
Israeli vendors take their place as world
leaders, such as Check Point, CyberArk,
etc.
Julie Herold, Kenny Herold, Odin’s Eye,
US: We think the days of charging absurd
amounts of money for IT Security services
will be controlled as a result of the number of competitors and it will put an end
to the exorbitant and unfair pricing many
of the leading IT Security companies charge.
Mayur Agnihotri, India: Yes, one of the
biggest changes because of Prime Minister’s vision for India to take leadership in
this critical and emerging space. Indian
digital security market to grow at 8.3% to
$1.1 bn in 2015, says Gartner, Indian IT
security market reaches 1.2 billion next
year I expect. Main components contributing to the growth of the Indian cyber security market include: increased penetration testing of IT services in the telecom,
banking and insurance industries; the vulnerability of Indian IT infrastructure to
hackers; National Association of Software
and Services Companies (NASSCOM) and
Data Security Council of India launch the
NASSCOM Cyber Security Task Force that
aims to build India as a global hub for providing cyber security solutions, developing
cyber security R&D.
Anthony Di Bello, Guidance Software, US:
Tough one to answer, depends on what
the next high-profile breaches have to
offer.
Wade Lovell, Simpatic, US: In the United
States, there is a decent chance the federal government will weaken encryption,
leaving a broader attack surface.
Roberto Langdon, Nicolas Orlandini,
KPMG, Argentina: Checking really quickly
the site http://map.norsecorp.com/ and
then you can see the online status of cyber-attacks around the globe in real time.
What are we waiting to put our hands on
to just leave to be an observer, and be a
protagonist?
David Clarke, VCiso, UK: Legislation as per
other industries.
Gerald Peng, Mocato, Canada: Proliferation of fraudulent electronic payments, in
conjunction with an increasing number of
public corporate security breaches.
BroadTech Security Team, India: People
will be willing to pay external agencies to
conduct security audits and not just blindly leave it to network/system administrators.
WHO IS WHO
Craig McDonald
MailGuard, CEO and Founder
In 2001 I started MailGuard Pty Ltd (MailGuard). I saw a world where online security was going to be a growing concern. A key to solving that problem was the need for a simple and inexpensive way to manage unwanted email and website content. MailGuard, in response to that need, has pioneered a range of cloud security solutions to provide complete protection against online threats such as malware, spyware, viruses and spam. My key focus for the moment is to support businesses who continue to struggle with IT security. I want to continue growing through technology and allied partnerships.
David Coallier
Barricade, CEO
David Coallier is the chief executive officer of Barricade. David is a technologist, an avid learner, and a serial entrepreneur with a passion for artificial intelligence.
Nick Prescot
ZeroDayLab, Senior Information Security Manager
As Head of GRC and incident response, I am responsible for the development and delivery of these services to our clients. Whether you need an assessment, review, audit and/or a consultation with your people, policies, procedures and processes ZeroDayLab's award winning consulting services can ensure that you are protected with the very best advice; if you are unfortunate to be at the receiving end of a breach, you can be assured that the very best people in the business are there to keep the hackers at
Stephan Conradin
I am an independent consultant with more than 30 years of activities in information security as well as information systems. I hold CISSP, CISM, CRISC, ISO 27001, COBIT and ITIL certifications and a Master in Information Security.
CYBER SECURITY AWARENESS
Will the cyber community influence the level of cyber security awareness?
Chase Cunningham, Cynja: How can we work towards improving cyber security awareness in 2016? Cyberspace isn’t the Magic Kingdom. It’s the Wild West—only worse, as it’s a place where it’s really difficult to
observe people as they make choices and experience the consequences. So corporate social responsibility
programs try to drive a consciousness-raising dialogue among young people to fill the void. Sadly, what
they deliver is often hopelessly lame and condescending. They miss that creating cybersecurity awareness,
especially among kids, takes serious effort—and that in the case of our digital lives today, one that has to
be backed by the creative vision necessary to set out and define this new frontier. This is something new—
something we never experienced before.
Instead, many large companies who have the revenues to do this simply don’t. They justify their limited
efforts by claiming to only have a “limited budget” for guiding kids on how to protect their future. Some
corporations just want to tick a box to show that they are “helping the children” and move on. And so kids
are shown silly dogs, flying saucers, or the occasional cyber kitty—accompanied by bullet point guidance
more suitable for corporate PowerPoint presentations. Seriously, how are we as an industry going to inspire kids to want to make smart choices online with PowerPoint and clip art?
Our kids and our children’s children are going to be the ones who will see new technologies and methods
of compromise we haven’t even considered. As an industry, we must take this responsibility seriously rather than treat it like an optional line item to be squeezed by our finance departments. We need to educate and train kids to be cyber smart and involve more kids in our industry. Today, too many companies focus
on the now, rather than the later. That behavior simply means our industry is shorting an entire generation
of children’s digital future. It’s very sad to watch.
Mark Bennet, Blustor: The cyber community can have a tremendous influence on
public awareness by evangelizing and
working with the media to bring serious
issues to surface. This requires a level and
style of communication that “mere mortals” can understand and using examples
that clearly show the potential consequences. As a community, we need to encourage and support cyber security experts
to share their stories, concerns, and potential solutions with the rest of the
world.
Ondrej Krehel, LIFARS: Lawmakers and
corporations are the big movers. Money
makes people do things.
Elizabeth Houser, Praesidio: Yes, but in a
reactive manner. The level of cybersecurity awareness is most greatly influenced by
the publicizing of breaches and litigious
actions that follow.
Richard De Vere, The AntiSocial Engineer:
In the UK, we are starting to form smaller
clusters of computer security experts, this
is designed to give smaller businesses around us access to good sound advice. Soon,
all the UK will have a network of talent to
lean upon.
Roberto Langdon, Nicolas Orlandini,
KPMG: Awareness is one of the most important (if not the most) topics the corporations need to address. Cybersecurity is a
process, not a product or a department
within the company. This needs to be
addressed using a top-down-top approach. Needs to reach the entire organization.
Einaras Gravrock, Cujo: Absolutely. I think
cyber security researchers, as well as ethical hackers have been very vocal for years
about security issues and finally they are
being heard. We have reached the point
where a significant dialogue is happening
around the world and cyber security
experts are a big part of that dialogue.
Francisco Amato, Infobyte: I don't think
so, it depends a lot on the culture and the
country, but in general people start to
grasp cyber security threats posed to
them more from problems or news that
happen in companies on a daily basis than
from warnings from IT sec professionals.
To give an example, people for quite a
few years have known that they need to
do backups for security reasons, for normal problems with hard discs that break,
etc. Today, with attacks done with Ransomware, we can see now that simple
backups don't always get the job done. It
is possible that this type of attack ends up
raising awareness about the importance
of safeguarding one's information, because not only is there the chance of your
hard disc breaking but when a Ransomware is able to capture all your information
and extort money from you in order for it
to be returned. The same kind of things
happen when almost weekly a new company has their information compromised
and people seeing this in the news start to
ask themselves how they can protect
themselves and their organization.
Amit Serper, Cybereason: Absolutely - all
the recent data breaches have thrust cyber security into the spotlight. Now that
it’s on it, Cyber security leaders will also
“cross the chasm” and become much more visible as cybersecurity champions and
evangelists.
Wade Johansen, CouriTech LLC: Yes, it’s a
key factor in getting needed information
out to the public quickly so actions can be
taken immediately as needed. If you wait
for the news to report it, then chances are
it’s already old news to the cyber community.
Kenneth C. Citarella, Guidepost Solutions:
Cyber security awareness must develop
within the user community at all levels.
No matter what security experts say, unless the need for security is well understood and adopted as a policy and a practice,
we cannot become more secure.
Andrew Bagrin, My Digital Shield: Yes,
they are doing it already and will continue
to improve.
David Clarke, VCiso: No, awareness plus
strategy and technology will.
Julie Herold, Kenny Herold, Odin’s Eye:
No, the topics are too complex and therefore not palatable for anyone that is not
IT savvy as well as IT Security savvy.
Leon Kuperman, Zenedge: Yes, the trend
will continue.
Wade Lovell, Simpatic: Yes, those of us
who cried “Wolf!” are now seen as well-informed instead of paranoid. “Your mind
is working at its best when you're being
paranoid. You explore every avenue and
possibility of your situation at high speed
with total clarity.” ― Banksy, Banging Your Head Against a Brick Wall.
Anthony Di Bello, Guidance Software: Certainly, and already are doing so through
things like national cyber security awareness month (October).
Nick Prescot, ZeroDayLab: Yes, because of
the legislative drive that is happening but
it will become more of a business issue.
Stephan Conradin: Yes. We must influence
because we are in front line.
Alina Stancu, Titania: Yes, the security
community is the only one to drive awareness among the non-technical public.
While there is an argument to be made
regarding scaremongering by some vendors, there are genuine businesses in the
industry that wish to inform and educate
as well as develop a thriving business and
support economic growth.
Michael A. Goedeker, Auxilium Cyber Security: That is our (its) responsibility. We
must continue as an industry to teach and
make aware but in ways that are different
than before. It's cool and hip to be secure,
it's a way of life that everyone should
have.
How can we work towards improving cyber security awareness in 2016?
Michael A. Goedeker, Auxilium Cyber Security: Talk, present at Bsides and other
security conventions, boycott the selling
of speaker slots (for money) by sales companies.
Dennis Chow, Millar, Inc: Add gamification theory to the community which will
encourage active participation in improving security awareness as a whole.
Amit Serper, Cybereason: Start cyber security education and awareness training in
elementary school.
Elizabeth Houser, Praesidio: Fund and make mandatory cybersecurity training for
users.
David Coallier, Barricade: The only way we
can work towards improving cyber security awareness is by building tools that are
not exclusively made for security experts.
We are very bullish on the concept of
bottom-up security. Traditionally, security
has been mandated from the top-down.
A C-Level would push for the security
standards to be put in place and it would
become more a chore to the people who
are actually managing the day-to-day operations, developing the online applications, etc. Many new products, such as
Barricade, empower the developers and
operations teams first, then they allow
the organisation to grow with it. Engineers by nature want their work to be
better. New products allowing developers
to produce better code and allowing the
operations teams to deploy and manage
their infrastructure with confidence are
required. Security is rarely at the top of
the priority list for most SMBs and it
shouldn't change. What should change
are the products those companies use in
order to manage their security.
Richard De Vere, The AntiSocial Engineer:
We should all stop bashing people over
the head with cyber security. It’s time we
turn our expertise to our family and
friends. The big corporates will always be
responsible for their own security but the
common person in the street is at risk daily from preventable attacks.
Stephan Conradin: Communicate, collaborate, explain again and again.
Wade Johansen, CouriTech LLC: Social
awareness. There is a stigma that goes
with being the one to say something, and
then maybe being contested by others.
Standing up for making any improvements
in security is hard because it’s essentially
non-conformist in nature. However, it's a
critical part of moving any society forward
when we speak about raising security
awareness.
Mayur Agnihotri: Some points which are first clear for audience and trainers are:
• Don’t confuse cyber awareness programs with security training;
• Include posters, newsletters, email tips, blogs and reminders;
• Cyber security awareness improves by changing culture (changing behaviors {Relate cyber awareness to personal life, family, home and corporate});
• Creating a Culture of Cybersecurity at Work / organization;
• Cyber security events must be started at small and medium size companies, schools, colleges and society.
Ondrej Krehel, LIFARS: Make it law to
have cybersecurity guards just as they
have regular security guards.
Wade Lovell, Simpatic: Launch meaningful
social media campaigns with star collaborators. • Buy a Guy Fawkes mask and help
take down ISIS or contribute to Anonymous in other ways.
Paul Hoffman, Logical Operations: Just
keep the message out there. The hackers
are helping by creating News.
Kenneth C. Citarella, Guidepost Solutions:
Government leaders at all levels must engage in a protracted and serious discussion of issues about cyber security. Some
have begun that effort, but it must be more widespread and focused on specific
efforts to be undertaken by government,
business and private individuals.
Gerald Peng, Mocato: I believe that too
often, awareness happens when there is a
cyber disaster like Target or Ashley Madison. Part of the problem is the highly specialised nature of cyber security. I believe
that to keep cyber security top of mind,
the discussion has to become proactive
and accessible by non-industry people.
Julie Herold, Kenny Herold, Odin’s Eye:
Continue to have breaches, spamming
initiatives, malware campaigns whether
targeted or not, successful take downs for
illegal activities, and other information
regarding cybercrime activity and reduction being advertised for the sake of awareness. If non-IT savvy end users do not
have a direct impact to them personally,
we will not see improvement.
Rajeev Chauhan: The weakest link in the
chain of cybersecurity is the lack of awareness amongst the users at all levels,
starting from home users to corporate
users. Concentrated efforts to create awareness have to be undertaken by schools,
colleges, communities and corporates.
BroadTech Security Team: Making cyber
security mandatory in curriculum. • Short
interesting articles in print and visual/
cyber media, etc., are what our organization does in collaborating with the state
police. • Conduct workshops.
David Clarke, VCiso: Security should be at
board level, and legislated for.
Andrew Bagrin, My Digital Shield: We need to separate myth and reality. The reason awareness is taken with a grain of salt
is because something is always trying to
be sold.
Nick Prescot, ZeroDayLab: There won't be
a magic wand to deliver, it's an education
strategy.
Anthony Di Bello, Guidance Software: Doing what we can to make it a mainstream
issue. Part of which involves being able to
speak in everyday terms and with relatable examples to folks outside our industry.
Alina Stancu, Titania: We can demand
better legislation to reflect the concerns
of individuals and businesses. There is, of
course, the danger of over-regulation and
crippling costs of compliance can be discouraging to small businesses. That is
why the security industry can cooperate
to develop helpful, free tools to support
even firms on small budgets to achieve a
basic level of security. If we raise the bar
step by step, we can then focus on innovating more, collaborating better and
living safer.
What obstacle in awareness will remain unsolved?
Mark Bennet, Blustor: Many cyber security risks are shrouded in complexity that is
difficult for the general public to fully
grasp. The cyber security community and
the media need to work closely together
to simplify and distill these risks into everyday terms that the public and our legislatures can better understand.
Leon Kuperman, Zenedge: The fundamental miscommunication and misunderstanding of how technology works and what is
vulnerable.
Wade Johansen, CouriTech LLC: The realization of what firewalls and cryptography
can really do for protection, and the importance of retaining offline backups.
Michael A. Goedeker, Auxilium Cyber Security: That people listen and change
their habits. This can only be done by
experiencing the pain of breaches (or so it
seems).
Dennis Chow, Millar, Inc: Resources, not
enough time and or money for polished
programs at all the various entities from
small to large.
Richard De Vere, The AntiSocial Engineer:
I think awareness and perception to cyber
crime is a hard battle, people can’t see
most attacks, they have a tendency to
ignore issues and hope it will be OK. With
more and more breaches hitting the media in 2015, people are starting to be more aware - but have a long way to go!
Kenneth C. Citarella, Guidepost Solutions:
The biggest obstacle will be personal conduct. Everyone likes to push cyber security off to the firewall, the system operators, the programmers or anyone else
they can. We all must recognize that how
we use whatever computer we are on,
just like we drive a car, is critical to our
safety.
Alina Stancu, Titania: The industry is still
ridden with technical jargon. To the
“uninitiated” public, this can be off-putting and impenetrable. There is a perceived lack of interest even regarding the
steady reports of breaches and cybercrime. Perhaps it is time to learn how to
translate the industry in practical business
terms.
Elizabeth Houser, Praesidio: The precise
formula of situational awareness, motivation, and behavior modification to increase user participation in routine cybersecurity.
Ondrej Krehel, LIFARS: Having a security
professional and not just “security aware”
staff.
BroadTech Security Team: Rapport. People don’t understand the InfoSec languages and jargon. So things have to be simplified while spreading awareness.
Stephan Conradin: The ability of people to
understand they are a big part of security.
Julie Herold, Kenny Herold, Odin’s Eye:
There is no magic bullet to educate the
average end user.
Paul Hoffman, Logical Operations: Training v. production. We can’t stop production for training. So we are having to
squeeze training in as minimally as possible is the mindset for most companies.
David Clarke, VCiso: Board level buy in,
companies have legal, finance components they are there for compliance and
legal reasons, cyber needs to be there as
well.
Nick Prescot, ZeroDayLab: It won't happen
to them so they won't worry about it.
Wade Lovell, Simpatic: Inertia. It is a powerful force. “The vis insita, or innate force of matter, is a power of resisting by
which every body, as much as in it lies,
endeavours to preserve its present state,
whether it be of rest or of moving uniformly forward in a straight line.” Isaac
Newton.
Andrew Bagrin, My Digital Shield: The
trust, because cybersecurity is a complex
thing to understand and trust someone
about.
Anthony Di Bello, Guidance Software: The
human factor can only be mitigated, not
solved. Even with the best security awareness program, 1/100 people will still click
that well-crafted phishing email.
What role will awareness play in corporate cyber security?
Michael A. Goedeker, Auxilium Cyber Security: A big one. Awareness pays many
dividends to any company that invests in
them. There are neutral statistics that
prove that awareness campaign training
decreases successful password hacking
and social engineering attacks (two of the
most difficult attack vectors to secure because of human nature vulnerabilities).
Kenneth C. Citarella, Guidepost Solutions:
Security awareness is the key to our security, ultimately. This is true for individuals, as well as businesses and governmental agencies of all sizes. We must know
our weaknesses, understand what the
attackers do and remove practices that
create vulnerabilities.
Wade Johansen, CouriTech LLC: Realization of the threat landscape which evolves
daily is a technical cyber security challenge and often a nightmare. True awareness
requires many things, including social media integration, which often is blocked on
most corporate networks - accurate reporting from real-time systems which
often display false positives - and
knowledge by the technical staff to be
able to interpret the data when anomalies
are encountered. Target is an example of
a breach where the systems were pointing
to an event in progress, and it was repeatedly ignored as an anomaly that wasn’t a
danger.
Andrew Bagrin, My Digital Shield: More
training and testing of social engineering.
Elizabeth Houser, Praesidio: The lack of
user awareness and inattentiveness will
continue to pose a threat to corporate
cybersecurity infrastructure.
Julie Herold, Kenny Herold, Odin’s Eye:
We think there will have to be tighter controls given the BYOD policies many companies and organizations are implementing and deploying within their organizations to protect the end users from themselves.
Richard De Vere, The AntiSocial Engineer:
Awareness and a good understanding of
the nefarious people that we can all encounter online is the main objective. You
can’t expect people to care about their
digital security if they don’t have the perception of what's out there today.
Ondrej Krehel, LIFARS: It helps but you
really need a professional. No one says to
a secprof you should be accounting aware
so we don’t need accountants, so why the
other way?
Paul Hoffman, Logical Operations: It will
play the biggest role. No software or hardware can make up for an unaware employee clicking, or not changing a password, or any number of things that leave
the cyber door wide open.
Gerald Peng, Mocato: Awareness will positively impact corporate cyber security by
facilitating support and investment in cyber security protocols and tools.
Stephan Conradin: Crucial, employees
must understand that cyber security is not
a black box like a firewall, it is a continuous process and they are involved.
BroadTech Security Team: In many startups, there are no firewalls and the laptops are connected directly to internet
through WiFi. In such cases, end point
security is of prime importance and users
should be made aware. In most corporates, awareness training is given, I suppose,
and their focus should be on making people compliant to the security instructions.
Nick Prescot, ZeroDayLab: Users are becoming more aware and this will be a constant education exercise.
David Clarke, VCiso: The awareness is there, it’s the incentive to implement that
isn’t.
David Coallier, Barricade: This is going to
be immense. For corporate awareness to
kick in, security needs to be implemented
bottom-up as a cycle rather than top-down as a mandate.
Wade Lovell, Simpatic: Maybe, just maybe 2016 is the year cyber security becomes a Board issue rather than an IT issue.
Dennis Chow, Millar, Inc: Eventually, it
will become standard as part of other policies and procedures signed like an AUP.
Anthony Di Bello, Guidance Software: A
large role, many organizations already
have some form of cyber awareness program. If nothing else it will help minimize
the risk of social engineering attacks,
which are leveraged extensively in the
first phase of most compromises.
Mayur Agnihotri: Organization’s people
have a key role to play in effective cyber
security.
WHO IS WHO
Nicolas Orlandini
KPMG
Director Forensic Services
He is a Director of KPMG’s Cyber practice and a member of the Forensic Technology team, specializing in digital response services and cyber investigations. He is specialized in identification, preservation and collection of electronically stored information (ESI), data leak prevention and detection, information protection and incident response, and information security audits. He also has a strong background across the electronic evidence acquisition protocols and chain of custody regarding eDiscovery matters or internal investigations. He developed and led the Forensic Technology Lab in KPMG Buenos Aires – Argentina office for many years, providing evidence collection, processing and hosting to companies and law firms located across Latin America, including clients located in Argentina, Brazil, Chile, Uruguay, Paraguay, Bolivia, Peru, Venezuela, Ecuador, Colombia, Panama, Curacao and Costa Rica.
Gerald Peng
Mocato, Founder
Gerald Peng is the founder of Mocato Inc., a consulting firm that specializes in digital forensics, E-Discovery and data analytics. In the last 12 years, Gerald has provided services in computer forensics, incident management and information security. He has worked closely with financial institutions, law firms and government to perform computer forensic investigations and fraud analysis. Gerald is a certified computer forensic examiner (EnCE, GCFE), Certified Fraud Examiner (CFE), Certified Information Systems Security Professional (CISSP), and Certified E-Discovery Specialist (CEDS). He is also a member of the High Technology Crime Investigation Association (HTCIA), and a graduate of McMaster University’s Computer Engineering and Management program.
Francisco Amato
Infobyte, CEO
He is a researcher and computer security consultant who works in the area of vulnerability development, blackbox testing and reverse engineering. He is CEO of Infobyte Security Research (Infobyte LLC) www.infobytesec.com, from where he published his developments in audit tools and vulnerabilities in products from companies like Novell, IBM, Sun Microsystems, Apple, Microsoft. His last work was evilgrade, a modular framework that allows the user to take advantage of an upgrade process from different applications, compromising the system by injecting custom payloads. Founder and organizer of the ekoparty South America security conference.
MISCELLANEOUS
LogRhythm’s Predictions for Cybersecurity
An uptick in all-in-one home surveillance systems. We are seeing more motion sensing/camera/recording devices in the home that can be managed through personal devices. This type of technology will
continue to expand, and with this expansion, hackers will try to exploit them or cause chaos.
A rise in the use of mobile wallet apps. Like having virtual money and an ID in one’s pocket, mobile wallet
apps are at the intersection of marketing and payments. And although a mobile wallet is convenient, it is
directly tied to one’s mobile phone which is a critical access vector for cyber threats.
New model of what to protect. Instead of a mandate to “protect everything on the network,” IT staffs
must work more like a unit, centralizing and protecting the most critical resources. This approach moves
defense-in-depth to the most critical business components of the organization.
Identity access management: The unsung hero. Companies will be investing more money and R&D resources in behavior-based modeling, analytics and identity access management to track behaviors. More customers are asking about it, which will motivate the rest of the industry to follow.
The next big attack target: Education. This industry has a plethora of data that cyber criminals want - credit reports, personally identifiable information (PII), donor money, tuition money. And these institutions
are not doing an adequate job of securing all their systems. Add to that the myriad “customers” – namely
professors, students, parents, administrators – and you have magnified the attack vectors exponentially.
Emergence of hacking for good. More organizations, like Anonymous, will be leaving the dark side and
hacking for the public good. They are more motivated by the notoriety and publicity on social media than
for financial gain. Teens are learning to program on their own; high schools are introducing technology and
coding to get this generation aware of and more proficient in this industry. Younger generations are finding
coding and programming cool. This is the next gen workforce that we hope will continue to want to positively impact society.
Security is in a renaissance. Security is a hot space. And the fact that CISOs are getting a seat in the Boardroom is another indication of the importance of this industry for all organizations, regardless of the vertical market. Many companies still don’t have adequate security infrastructures, awareness or training to
defend themselves. There will also be consolidation. Companies will either “get it” or not, and governments will start ramping up regulations.
Next steps for CISA, open sharing of threat intelligence. Critical infrastructure will emerge as more companies in various sectors, such as energy, financial and healthcare, join in. The principle and the intention
behind the creation of a more collaborative community for the open sharing of threat intelligence is grand,
with two distinct sides of the political aisle. We will either see a big push or nothing happen at all.
Ransomware gaining ground. The ransomware-style of attack is powerful and expanding into Macs and
mobile devices, making it easier to target consumers. Criminals can gain big profit by locking down an entire system; victims have no choice but to pay. Although consumers are ripe for the picking, businesses are
not immune to this approach.
Vendors need to step up – Despite the running list of breaches, many companies still do not have an
adequate security infrastructure to defend themselves against cyber criminals. And we cannot rely on consumers
to know how to protect home systems. It is up to the security vendors to build better software, systems
and patching mechanisms, as well as offer training and services to protect people, companies and their assets.
IBM’s Predictions for Cybersecurity
Bob Stasio, senior product manager for cyber threat analysis, i2 Safer Planet:
• The market for behavioral analytics and threat detection offerings will continue unabated
• Large financial organizations will continue divesting themselves of managed security services to create their own fusion centers
• “Big X” consulting firms will offer their customers cyberintelligence-as-a-service consulting options
• Companies and government agencies will begin using block-chain encryption to protect against cyberthreats
• Private organizations will increase their visibility into the dark web to become more proactive about cyberthreats than ever before.
Shahid Shah, CEO, Netspective Communications:
• The market for behavioral analytics and threat detection offerings will continue unabated
• Vulnerability curators will become increasingly prevalent as companies learn to share breach data
• Companies will begin properly inventorying digital assets and data as part of their risk management strategies, heightening understanding of threat surfaces and ways of minimizing them
• Third-party libraries and software components will increasingly gain attention as CIOs and CISOs realize how many vulnerabilities they create.
Todd Rosenblum, senior executive for worldwide big data, i2 Safer Planet:
• Auditability and managed access of US citizens’ personal data will be an increasingly important requirement for US national security agencies
• The international community will create safe zones in Syria to stem the mass migration to Europe, and big data analytics will play an integral role in enforcing identity resolution and border security in those safe zones.
Andrew Borene, federal manager, i2 Safer Planet:
• Continued cybersecurity breaches and state-sponsored cyber espionage will lead to spikes in cybersecurity spending on both workforce and software solutions
• New data sources arising from the Internet of Things and biometrics will lead to a renewed government interest in using big data to prevent terrorism.
Kenneth C. Citarella, Guidepost Solutions: Every year we learn about new
intrusions and new breaches until we
have almost become numb from the relentless reports. It will not change in 2016
unless there is serious cooperation among
all levels of government, the computer
industry and network owners, coupled
with serious diplomatic pressure from the
U.S. government on the international
front.
David Clarke, VCiso:
• Cyber Security Vendors who can spend the most on R & D and who have market positions now will dominate the Information Security Marketplace.
• The CISO role will need to change from being part of IT and report either directly to the CEO or at least to Legal or Finance board members.
• Legislation or pressure from Cyber Insurance will enforce that certain cyber security components are mandated, e.g. strong authentication. Other industries such as the car industry, aero, nuclear and building have many mandated safeguards already, seat belts, vehicle checks, crash standards. An unsafe vehicle cannot be put on the roads, unsafe aircraft in the air, thus unsafe IT would not be permitted on the electronic highways.
• Governments may need to provide assistance on protecting information superhighways similar to the way the road systems and airspace are protected.
• Cyber Security will need to become an outsourced function due to complexity, rapidly evolving cyber technology, huge amount of Data to be processed and analysed, intricate threats, and exponential skills shortage.
Richard De Vere, The AntiSocial Engineer:
The industry hasn’t taken the large steps
it needs yet to focus on security first and
profit second. Finance still leads most businesses’ security implementations in 2015
and for our selfish greed in this matter,
we will see security breaches and online
crime rise like it has done every other
year previous. This is good for business in
the short term yes, but the industry
should seek to help people reduce crime
before our business model collapses on
itself.
Wade Johansen, CouriTech LLC: Organizational hacking will become a normal
course of business and defense, if botnet
time and crypto ransomware services can
be bought for as little as $50 for an account, I believe you will see similar services
being more readily available for purchase
such as hackers for hire.
Irfan Shakeel, EH Academy: The importance of incident handling and digital forensics will increase. The community will
invest their time and resources to develop
and create the effective work-process to
solve hacking cases.
Kris Rides, Tiro Security: I think we will
see more attacks coming through small
vendors to larger companies. Many high
tech vendors who are providing niche services have little or no security posture
making them an easy way to get at the
real target. We are already seeing SMBs
increasing their spend on security as they
realize it can be a differentiator when it
comes to winning new business against
competitors.
WHO IS WHO
James Carder
LogRhythm
CISO & VP
He has over 18 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. Government. At LogRhythm, he develops and maintains the company’s security governance model and risk strategies, protects the confidentiality, integrity and availability of information assets, oversees threat and vulnerability management and the Security Operations Center. He also directs the mission and strategic vision for the LogRhythm Labs machine data intelligence, threat research, compliance research, incident response, and threat intelligence teams. He holds a Bachelor of Science degree in Computer Information Systems from Walden University and is a Certified Information Systems Security Professional.
Greg Foss
LogRhythm
Security Operations Team Lead
He is LogRhythm’s Security Operations Team Lead and a senior researcher with Labs, where he is tasked with leading both offensive and defensive aspects of corporate security. He has just under a decade of experience in the Information Security industry with an extensive background in Security Operations, focusing on Penetration Testing and Web Application Security. Greg holds multiple industry certifications including the OSCP, GAWN, GPEN, GWAPT, GCIH, and C|EH, among others. He has presented at national security conferences such as DerbyCon, AppSecUSA, BSidesLV, and is a very active member of the Denver security community.
Dennis Chow
Millar Inc, Security Manager, Incident Response
He is a security practitioner that has over 10 years of combined IT and Information Security experience. Dennis currently leads Information Security efforts at Millar, Inc. as their Network Security Manager. In addition to management and practitioner experience, Dennis has consulted for various clients
within Oil and Gas, Healthcare, Defense, and other critical infrastructure industries. Dennis also holds
several industry known certifications including the GCFA, GCIH, GCIA, GPPA, CISSP, E|CSA, C|EH, and
L|PT and is currently the Program Manager for a collaborative Cyber Threat Information Sharing
Grant by the Department of U.S. Health and Human Services.
Andrew Borene
Federal manager, i2 Safer Planet
Andrew Borene provides executive leadership for IBM’s i2 Safer Planet Federal business team. He served as Associate Deputy General Counsel at the U.S. Department of Defense and is a former U.S. Marine Corps military intelligence officer. Prior to joining IBM, Mr. Borene was a Counselor to the international law firm of Steptoe & Johnson LLP. His career includes leading corporate development at a microrobotics startup and U.S. intelligence community program management for a publicly-held big data company. He is active within leading public-private initiatives for improved U.S. national security, global leadership and technology growth.
Bob Stasio
Bob Stasio is the Senior Product Manager of Cyber Analysis at IBM i2 Safer Planet. He brings nearly 14 years of rare expertise fighting top tier malicious actors through his work in the intelligence community, the U.S. Military, NSA and commercial sector. Bob served on the initial staff of US Cyber Command. Serving in Iraq during “The Surge,” Bob’s intelligence unit supported the detainment of over 450 high-value targets.
Todd M. Rosenblum
Senior executive for worldwide big
data, i2 Safer Planet
Todd M. Rosenblum joins IBM as a
Senior Executive for Global Business Development. He is responsible for identifying market engagement opportunities for IBM’s Safer
Planet, Enterprise Insight Analysis
suite of capabilities. Todd focuses
especially closely on deepening
collaborative partnerships with
senior executives in the United States Government, U.S. State, local
and private sector companies, as
well as worldwide defense, intelligence and law enforcement institutions.
Shahid Shah
CEO, Netspective Communications
He is an award-winning Government 2.0, Health IT, Bio IT & digital
Medical Device Inventor & CTO
with over 25 years of technology
strategy, architecture, engineering,
entrepreneurship, speaking, and
writing experience. He is the chair
of the #HealthIMPACT Forum.
ADVICE
What advice would you give to fellow cybersecurity
professionals going into 2016?
Mark Bennet, Blustor: Cyber security professionals and the industry need to challenge our current paradigms that often
involve centralizing and attempting to
control every element of data flowing in
and out of the systems under our protection. We are in a leaky ship and bailing
the water out faster isn’t really solving the
problem. We need to look closer at the
underlying root issues, which include
things like immutable human behavior
and the inherent weakness of outdated
security mechanisms such as usernames,
passwords, and PINs. Until we do that, at
best we are just keeping our heads above
water.
Rajeev Chauhan, Cyber Oxen: Be suspicious, but don’t be paranoid about security, the best approach is having preventive
measures in place.
Kenneth C. Citarella, Guidepost Solutions:
Be patient when reminding others, be
vigilant, and hold on tight.
David Coallier, Barricade: If you have to go
to one conference this year, go to a conference that's NOT about security. Maybe a
software or cloud conference. Talk to people about security and note their eye-roll/exasperation reactions. Security is scary,
and it's adversarial. Let's break down the
barrier and make security something more natural.
Amber Schroader, Paraben Corporation:
Vigilance to where we are leaving our digital identities. We are expanding out to
more and more layers that hold information tied to who we are and not thinking
how to protect and secure each of those
layers. We need to focus on knowing what
is where as we look at a cyber future with
devices tied to ourselves at every corner.
Mayur Agnihotri: “Keep seeking out new
things to learn and master what you
know.”
Wade Johansen, CouriTech LLC: You will
never be right 100% of the time, don’t let
it stop you from being right 1% of the time. Also, if you have a one-in-a-million
idea to improve something, then there
are 8,000 other people on this planet
thinking the exact same thing as you... be
the first to say it out loud.
Nick Prescot, ZeroDayLab: Talk security as
a business issue and not an IT issue. IT
creates the systems that process data, the
business are the ones that process the
data and the operations teams are the
ones that are responsible for the data.
Mitchell Bezzina, Guidance Software: The
“assumption of compromise” mindset has
been gaining notoriety within Security
teams, it takes the active defense approach where security teams consciously
hunt for organization threats rather than
rely on technology to alert. The personnel
problem does not help this cause but building teams from parallel skillsets is the
only way to ensure there are more security professionals, and don’t concern yourself with a flooded market – there will
never be enough skilled cybersecurity
specialists.
Alina Stancu, Titania: Keep on top of compliance, as that will remain important in
ensuring baseline security. Certification
against governmental or business accreditations will travel down the supply chain
as more suppliers demand that businesses
present some form of security assurance
of their product and services.
Gerald Peng, Mocato: Your role is more
broad and important than you may imagine. Protecting the public from cyberattacks on their IT infrastructure and devices will help deter cybercriminals from
their spheres of activity. Our focus must
extend past our employers and clients.
We must collaborate to secure our data
sovereignty, and reduce any weak points
in our systems.
Roberto Langdon, Nicolas Orlandini,
KPMG: Our vision of what will be going in
2016, is that there have been several cases where the forensic investigation helped to discard false hypothesis, false
conclusions, and these aspects are showing the importance of this discipline to
be used strongly each time, and so on in
the future. As the forensics doctors said
“a dead body can still tell information regarding to resolve a murder”, the information technology recipients or devices
can bring more than we can imagine, in
order to resolve frauds or criminal cases.
Paul Hoffman, Logical Operations: Jump in
with both feet.
Dotan Bar Noy, Re-Sec Technologies: We
live in exciting challenging times and are
receiving public attention as well as enterprises boards. We need to make sure the
advice and solutions we are offering are
not just adding layers of more of the same, but substantially improve the overall
enterprise security while keeping organization productivity untouched.
Stephan Conradin: Learn, understand,
have global view, learn again, understand
again.
Michael A. Goedeker, Auxilium Cyber Security: LEARN HOW TO HACK THINGS, Be
curious, always continue to learn new
things and technology. Stay informed and
aware, assume every OS, Application and
piece of hardware can spy on you, has
weaknesses and needs to be verified. Security is a business process just as much
as it is a technological one, never EVER
forget this. Security protects IP, revenue
and the business. Be creative, think outside the box.
David Clarke, VCiso: Keep Going. Keep the
Passion.
BroadTech Security Team: Stop hype. Learn your stuff. Know what you are talking
about. Keep yourself updated daily & share your knowledge with others. Stop using
jargon and fancy words and explain things
clearly to people. Our job is to keep things
secure and not to show off our knowledge
or expertise. One more prediction. Once
Hammer2 is feature complete, DragonFly BSD implements single sign on and
redundancy using CARP, etc. The way of
doing cloud computing will take a new
turn.
Craig McDonald, MailGuard: The number
one tip is to plan a 360 degree approach
to cyber security. Understand all your business’s attack vectors and how these can
be infiltrated by cyber criminals. Blocking
threats through the use of cloud security
services such as email and web filtering
should be the first line of defence – protecting the organization’s network.
CONTRIBUTING COMPANIES