2012 IT Security Predictions: Blanket Encryption or Apocalypse Now!
London: This year has provided us with every type of security drama possible from major insider breaches such as WikiLeaks and the UBS insider, to the Norwegian Army data breach, the Sony hack and the demise of DigiNotar. It has truly been a game of two halves – the first half manic and dramatic, the second half steady but still tension-filled with its unfolding stream of incidents.
It was the Year of the Third-party Trust Compromise, and the Year of the Bring Your Own Device (BYOD) Mobile Revolution. Both of these will have their parts to play in 2012.
These two personalities have more in common than you might think. For example, both engendered 2012’s emerging personality, the Year of Ubiquitous Encryption, which is already taking shape. And both relate to a common security problem: attacks from within an organisation’s systems. They also share the solution to this problem: improved processes and management.
The Year of the Third-party Trust Compromise
The Year of the Third-party Trust Compromise followed a year with ominous security implications—2010, the year that saw Stuxnet come to public awareness. This worm—which some call a cyberweapon—lies dormant and difficult to detect on infected systems, waiting for a trigger to unleash it. Stuxnet was a warning shot, announcing the arrival of highly sophisticated, authenticating malware capable of targeting physical infrastructures. One of Stuxnet’s strategies was to use an SSL certificate to authenticate to the infected system’s software environment.
Although industry pundits dismissed Stuxnet as a one-time occurrence, it was actually a proof of concept. Duqu (aka Son of Stuxnet) arrived in November 2011. Malware of Stuxnet’s ilk allows criminals to operate on the inside. In 2010, this ability foreshadowed one of 2011’s most significant security events.
In the first quarter of 2011, the previously unimaginable happened: hackers breached RSA’s security and compromised the root of this third-party trust provider’s SecurID technology.
Virtually all SecurID tokens immediately became untrustworthy. Companies are still in the process of replacing these tokens, and the costs of doing so have been astronomical. In the ensuing months, four CAs fell prey to attackers (Comodo, GlobalSign, DigiCert, OpenSSL, and DigiNotar), cementing 2011’s identity as the Year of the Third-party Trust Compromise.
As a parting gift, this 2011 personality left three valuable lessons:
1) Third-party trust is an integral piece of our worldwide security infrastructure. It is important; the world we know cannot operate without it.
2) Because the world relies on digital certificates and the CAs (third-party trust providers) that sign them, digital certificates and CAs are among the highest-value targets for hackers. If hackers can compromise CAs and create counterfeit certificates, they can perfectly assume others’ identities.
3) Organisations must be prepared for an epidemic of third-party trust compromises, which they were not in 2011. Such compromises were not even represented in 2011 risk analyses and mitigation plans. The DigiNotar compromise virtually shut down the Dutch government for days as it scrambled to find and replace its affected certificates. Unfortunately, many organisations are still using DigiNotar certificates, even though these certificates provide a near-zero level of trust. Why? The answer to this question is alarming: Organisations don’t know which CAs issued the certificates they’re using and they don’t know where these certificates are or how many they have in their environments.
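The third lesson is the practical one: an organisation cannot respond to a CA compromise until it knows which CA issued each certificate it runs. The following Go program is an added example, not part of the original article or any product it describes. It constructs two throwaway CAs (the names "Example Trusted CA" and "Example Distrusted CA" are placeholders), issues a few leaf certificates from them, builds an inventory grouped by issuer, and then lists the certificates that stop verifying once the distrusted root is dropped from the trust store, which is exactly the list an organisation had to produce in a hurry after DigiNotar.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate. Constructed for this example;
// the names are placeholders, not real CAs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf issues a server certificate for host, signed by the given CA.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SampleInventory constructs the scenario: two CAs, three deployed leaf
// certificates, and a trust store from which the distrusted CA has been removed.
func SampleInventory() ([]*x509.Certificate, *x509.CertPool) {
	goodCA, goodKey := newCA("Example Trusted CA")
	badCA, badKey := newCA("Example Distrusted CA")
	certs := []*x509.Certificate{
		issueLeaf("www.example.test", goodCA, goodKey),
		issueLeaf("mail.example.test", badCA, badKey),
		issueLeaf("vpn.example.test", badCA, badKey),
	}
	pool := x509.NewCertPool()
	pool.AddCert(goodCA) // only the still-trusted root goes into the store
	return certs, pool
}

// Inventory answers "which CA issued what?": subjects grouped by issuer CN.
func Inventory(certs []*x509.Certificate) map[string][]string {
	byIssuer := map[string][]string{}
	for _, c := range certs {
		byIssuer[c.Issuer.CommonName] = append(byIssuer[c.Issuer.CommonName], c.Subject.CommonName)
	}
	return byIssuer
}

// NeedsReplacement returns the certificates that no longer chain to a trusted
// root once the compromised CA has been removed from the trust store.
func NeedsReplacement(certs []*x509.Certificate, trusted *x509.CertPool) []string {
	var out []string
	for _, c := range certs {
		opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
		if _, err := c.Verify(opts); err != nil {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

func main() {
	certs, pool := SampleInventory()
	for issuer, subjects := range Inventory(certs) {
		fmt.Printf("%-22s issued: %v\n", issuer, subjects)
	}
	fmt.Println("replace:", NeedsReplacement(certs, pool))
}
```

In production the certificates would be collected from servers, load balancers and key stores rather than generated in memory, but the two questions the code answers, who issued each certificate and which ones fail without a given root, are the ones a risk analysis needs to have ready before the next CA compromise.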
The Year of the BYOD Mobile Revolution
The year’s other personality evolved from an explosion of mobile devices in the workplace. By the end of 2011, BYOD was becoming a corporate mantra. Board members and employees alike injected iPhones, iPads, Android (and other) devices into the corporate landscape—all with the same mandate: that they had to be supported by corporate IT and InfoSecurity departments. The top-to-bottom BYOD movement reflected the consumerisation of IT. It accelerated throughout the year. It was and is unstoppable.
The Split is Narrower than It Looks
How did 2011’s two personalities work together to shape 2012’s? The answer hearkens back to 2010’s Stuxnet exposure. Firewalls, intrusion detection systems (IDSs), virus scanners, and vulnerability scanners are not perfect, and this lack of perfection makes organisations vulnerable. The CAs suffered devastating compromises because the malware that harvested passwords, keys, and accessed systems was inside the CAs’ organisations, avoiding detection. And human beings were knowingly or unwittingly helping the malware do its job.
With the BYOD revolution taking hold, the opportunity for bad guys to get inside any organisation on the planet is growing rapidly. Organisations have no physical control of these devices, which, as everyone knows, makes them completely vulnerable to compromise.
In other words, the combination of 2011’s two personalities yields a weakness that only an oblique approach can fix.
2012: The Year of Ubiquitous Encryption
If the bad guys are on the inside, and the explosion of systems, applications and devices that connect to and share valuable information, secured only by certificates and encryption keys, is making it ever easier for them to get there, what can organisations do to stop them?
In most cases, hackers compromise systems to steal data. Intellectual property, financial data, and personal data are all valuable commodities: hackers can use them for financial gain, to maliciously expose secrets, and to deliberately harm reputations. Security systems in 2011 focused on keeping bad guys out. But now the bad guys are on the inside. Organisations’ best defence is to encrypt data everywhere, whether the data is at rest or in motion, because encrypted data isn’t recoverable without its encryption key. Hence, 2012 will go down in IT-security history as the Year of Ubiquitous Encryption.
In Conclusion
The split-personality year of 2011 will logically lead organisations to make sure they are protected in 2012, the Year of Ubiquitous Encryption. If 2011’s leaked and stolen data had been encrypted, and the encryption keys stored in a secure area away from the data, the data would have been worthless to the bad guys. The compromised CAs would have considered the breaches inconsequential, and may not even have reported them. Again, it’s important to understand that encrypted data isn’t usable without its encryption key. With keys that are separate and safe from prying eyes, the bad guys can take all the data they want, because they’ll never know what they have.
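The point about keeping keys "in a secure area away from the data" is worth seeing in code. The Go program below is an added example, not code from the article; the `KeyStore` type is a stand-in for an HSM or key-management service and is a placeholder, not a real product. Records in the data store carry only ciphertext and a key identifier, so a copy of the data store (the "leaked and stolen data" of the article) is useless without the separately held key: decryption through an empty key store fails, and so does decryption through a store holding the wrong key under the same identifier, because AES-GCM authenticates the ciphertext and refuses to return garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a key-management service or HSM that lives apart
// from the data store. Placeholder for the example, not a real product.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// NewKey generates a 256-bit AES key under the given identifier. Only the
// identifier is ever written next to the data; the key bytes stay here.
func (s *KeyStore) NewKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keys[id] = k
	return nil
}

func (s *KeyStore) lookup(id string) ([]byte, error) {
	k, ok := s.keys[id]
	if !ok {
		return nil, errors.New("key not held by this store: " + id)
	}
	return k, nil
}

// Record is what sits in the data store: ciphertext plus a key id, never the key.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals plaintext under the key identified by keyID using AES-256-GCM.
func Encrypt(ks *KeyStore, keyID string, plaintext []byte) (Record, error) {
	key, err := ks.lookup(keyID)
	if err != nil {
		return Record{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt recovers the plaintext only if ks holds the exact key the record
// was sealed with; a missing or wrong key yields an error, not wrong data.
func Decrypt(ks *KeyStore, r Record) ([]byte, error) {
	key, err := ks.lookup(r.KeyID)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, nil) // fails authentication under a wrong key
}

func main() {
	ks := NewKeyStore()
	if err := ks.NewKey("customer-db-2012"); err != nil {
		panic(err)
	}
	// Constructed sample record; the card number is a well-known test value.
	rec, err := Encrypt(ks, "customer-db-2012", []byte("name=Alice;card=4111111111111111"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: key=%s ciphertext=%x\n", rec.KeyID, rec.Ciphertext)

	stolen := NewKeyStore() // the thief has the data store but not the key store
	if _, err := Decrypt(stolen, rec); err != nil {
		fmt.Println("thief without key:", err)
	}
	plain, _ := Decrypt(ks, rec)
	fmt.Println("legitimate owner:", string(plain))
}
```

The design choice that matters is the boundary: `Record` never contains key material, so the data store and the key store can be breached independently without either loss being sufficient on its own. Key rotation then means generating a new identifier in the key store and re-encrypting records, not touching the data store's schema.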
With data and applications moving to the cloud, where they are fully accessible to all devices and can move from one physical location to another almost instantly, ubiquitous encryption becomes even more important. Even if malefactors get their hands on mobile devices (which are relatively easy to steal and compromise), encrypted data renders the thefts inconsequential.