Looking past the cyber threats of the last decade and the new to come

Top Cyber Security Risks

As we pass the first decade after 2000, we can look back at how information security threats have evolved over the last ten years, both in the complexity of the attacks and in the attackers' motives.
This is well described by Robert Vamosi in his article on PC World, "Top 10 Security Nightmares of the Decade". The new threats we will face in 2010, according to predictions from a report by McAfee Avert Labs, will be the exploitation of application-layer vulnerabilities: Web 2.0 and social networking sites, drive-by downloads, browser vulnerabilities and man-in-the-browser attacks, Adobe Flash vulnerabilities, mobile phone vulnerabilities, and malware attacks through botnets and banking trojans (e.g. Zeus).

For security practitioners who still think old school, that is, network security: secure the perimeter by deploying firewalls and IDS (which I pioneered developing at ISS) and mitigate threats to the PC/desktop with AV and AS. This is the main lesson from the trenches: as threats evolve, and rather quickly, with increased sophistication, we need new defenses, especially at the application layer, to mitigate these new threats. The new defenses need to look above all at the security of the applications and the data, especially the transactions and the data flows (end to end, from user to application).

There is also a need to look at security controls from a risk mitigation perspective: keep the measures that work (that is, those that mitigate risk to an acceptable residual risk) and discard the ones that do not. One example of a very destructive change in the security industry would be to retire all the MFA (Multi-Factor Authentication) that was adopted in 2006 (mostly to earn a checkmark from the FFIEC) and that now just adds to the TCO (Total Cost of Ownership), since it can be easily defeated by malware.

As Einstein said, "let's not pretend that things will change if we keep doing the same things". In essence, we are moving to a post-information-age society where the mitigation of cybercrime threats needs to be the main focus of information security. I believe that we as security practitioners are about to reach a tipping point: organizations and governments will pay a huge price for fraud and data losses unless they deploy radically new countermeasures.

My wish for 2010 is that business organizations and governments will put more focus on application security and on the root causes of vulnerabilities, such as insecure software and design. I hope we can put the effort into building new countermeasures at the application layer and use new approaches, such as the identification of design flaws, which account for more than 50% of vulnerabilities, by using threat modeling (which will be the subject of the book I will publish in 2010). My hope is that we recognize that we as security practitioners are in a race against time to win against cybercriminals; we need to work with businesses to roll out new security controls and measures. We need to quickly adapt to the new threats and prepare to respond to the cyber threats of the next decade…

*** This is a Security Bloggers Network syndicated blog from Writing Secure Software authored by Unknown. Read the original post at: