Xerox: Cyber Attackers and Defenders Prepare for 2015

[news]

Xerox: Cyber Attackers and Defenders Prepare for 2015
By Chuck Brooks, Xerox Corp.

Chuck Brooks is Vice President/Client Executive for DHS at Xerox. He previously served at DHS as the first Director of Legislative Affairs for the Science & Technology Directorate.

2014 was known as the year of the cyber breach. Forty-three percent of companies experienced a breach last year, including highly visible and damaging hacks to Sony, Home Depot, Target, and JP Morgan Chase. Unfortunately, the cyber breaches of 2014 were not an aberration, but a likely trend. Both the public and private sectors received wakeup calls from these breaches and are beginning to respond accordingly by working together.

As for the private sector, investment by the government in cybersecurity is now a high priority. According to federal government budget projections, over $65 billion will be spent in the next five years on cybersecurity. Also, federal CIOs say by a wide margin in polls that cybersecurity is their primary IT spending focus.

An additional factor for government budget planners is that spending now correlates to policy enactments. At the end of the last legislative session, Congress passed four significant pieces of cybersecurity legislation, including The National Cybersecurity Protection Act of 2014 (S. 2519). That legislation, according to the House Homeland Security Committee, "will codify the existing cybersecurity and communications operations center at the Department of Homeland Security (DHS), known as the National Cybersecurity and Communications Integration Center. The new law will authorize the center's current activities to share cybersecurity information and analysis with the private sector, provide incident response and technical assistance to companies and federal agencies, and recommend security measures to enhance cybersecurity."

This legislation has major implications because it is the first substantive cybersecurity legislation by Congress. More importantly, it helps forge an alliance of industry with the government, especially with the DHS. The DHS has taken an increasingly larger role in cybersecurity over the past couple of years. The Office of Personnel Management (OPM) and Presidential Directives have mandated the DHS assume the primary role in the civilian side of government for cybersecurity. A major reason for the DHS's enhanced focus on cybersecurity has been the rapid changes in the information technology landscape. Since 2003, the capabilities and connectivity of cyber connected devices have grown exponentially. Unfortunately, so have the cyber intrusions and threats from malware and hackers, requiring agencies to restructure priorities and missions. The National Cybersecurity Protection Act of 2014 legislation will help provide a roadmap for the roles of the DHS and additional stakeholders for 2015 and beyond.

 

For both the public and private sectors, the protection of the nation's critical infrastructure is of the utmost priority. Cooperation is imperative since the private sector owns and operates most of the critical infrastructure that comprises the economic engine of financial, communications, transportation, security, commercial, and energy (including the electric grid) communities. Largely because of privacy and IP issues, corporations have been reluctant to share data and lessons learned in the past. Now because of the severity of the cyber attacks, voluntary cooperation has turned into more of a government push for industries to fortify critical infrastructure against cyber intrusions. The recent Sony incident is an affirmation of the need and urgency for such cooperation.

On the encouraging side, public/private cooperation in research and development is already expanding and reaping dividends. The DHS Science & Technology Transition to Practice Program has helped develop and commercialize promising new cybersecurity technologies from the National Labs and additional outside companies.

What will 2015 entail for the public/private partnership in cybersecurity? It is likely that continued hacks of corporations and institutions will lead to new Congressional legislation calling for mandatory notification of breaches. Advanced persistent threats are becoming more advanced and digital safeguards (including enterprise grade security) will be encouraged by policymakers, the C-Suite and corporate boards.

Corporations, in advisory with DHS, will also need to prioritize best risk management practices and develop resiliency plans. Bring Your Own Device and mobility security (encryption and biometrics) will need to be included in the threat matrix equation.

In 2014, Heartbleed and Shellshock were two of the biggest enterprise security threats. Such cybersecurity threats continually morph and thousands of new malicious malware strains are created daily. More potent viruses are no doubt on the horizon. Cyber extortion ransomware scams grew 500 percent in the past year alone and targeted phishing and emails are becoming more sophisticated and costly.

There are many good analyses of pending challenges in cybersecurity for 2015. McAfee Labs predicts that the top cybersecurity threats of 2015 will include:

Ransomware evolves into the cloud. Ransomware will evolve its methods of propagation, encryption, and the targets it seeks. More mobile devices are likely to suffer attacks.

New mobile attack surfaces and capabilities. Mobile attacks will continue to grow rapidly as new mobile technologies expand the attack surface.

POS attacks increase and evolve with digital payments. Point of sale (POS) attacks will remain lucrative, and a significant upturn in consumer adoption of digital payment systems on mobile devices will provide new attack surfaces that cybercriminals will exploit.

Shellshock sparks Unix, Linux attacks. Non-Windows malware attacks will increase as a result of the Shellshock vulnerability.

Growing exploitation of software flaws. The exploitation of vulnerabilities is likely to increase as new flaws are discovered in popular software products.

To combat these and other cyber threats, the DHS and industry must cooperate at a new level that will include sharing information, creating automated incident response capabilities, and instituting more comprehensive detection methods. To mitigate data breaches in 2015, preparation and commitment from both government and industry leadership is critical. 2015 will be the year of cybersecurity for the DHS and industry as technologies and processes are co-developed and implemented.

The reality is that we live in an increasingly hyper-connected world that impacts all aspects of our lives. From 2015 onward, managing and protecting data will be a growing joint endeavor of the DHS and the public sector.

Xerox: Cyber Attackers and Defenders Prepare for 2015
By Chuck Brooks, Xerox Corp.

Chuck Brooks is Vice President/Client Executive for DHS at Xerox. He previously served at DHS as the first Director of Legislative Affairs for the Science & Technology Directorate.

2014 was known as the year of the cyber breach. Forty-three percent of companies experienced a breach last year, including highly visible and damaging hacks to Sony, Home Depot, Target, and JP Morgan Chase. Unfortunately, the cyber breaches of 2014 were not an aberration, but a likely trend. Both the public and private sectors received wakeup calls from these breaches and are beginning to respond accordingly by working together.

As for the private sector, investment by the government in cybersecurity is now a high priority. According to federal government budget projections, over $65 billion will be spent in the next five years on cybersecurity. Also, federal CIOs say by a wide margin in polls that cybersecurity is their primary IT spending focus.

An additional factor for government budget planners is that spending now correlates to policy enactments. At the end of the last legislative session, Congress passed four significant pieces of cybersecurity legislation, including The National Cybersecurity Protection Act of 2014 (S. 2519). That legislation, according to the House Homeland Security Committee, "will codify the existing cybersecurity and communications operations center at the Department of Homeland Security (DHS), known as the National Cybersecurity and Communications Integration Center. The new law will authorize the center's current activities to share cybersecurity information and analysis with the private sector, provide incident response and technical assistance to companies and federal agencies, and recommend security measures to enhance cybersecurity."

This legislation has major implications because it is the first substantive cybersecurity legislation by Congress. More importantly, it helps forge an alliance of industry with the government, especially with the DHS. The DHS has taken an increasingly larger role in cybersecurity over the past couple of years. The Office of Personnel Management (OPM) and Presidential Directives have mandated the DHS assume the primary role in the civilian side of government for cybersecurity. A major reason for the DHS's enhanced focus on cybersecurity has been the rapid changes in the information technology landscape. Since 2003, the capabilities and connectivity of cyber connected devices have grown exponentially. Unfortunately, so have the cyber intrusions and threats from malware and hackers, requiring agencies to restructure priorities and missions. The National Cybersecurity Protection Act of 2014 legislation will help provide a roadmap for the roles of the DHS and additional stakeholders for 2015 and beyond.

 

For both the public and private sectors, the protection of the nation's critical infrastructure is of the utmost priority. Cooperation is imperative since the private sector owns and operates most of the critical infrastructure that comprises the economic engine of financial, communications, transportation, security, commercial, and energy (including the electric grid) communities. Largely because of privacy and IP issues, corporations have been reluctant to share data and lessons learned in the past. Now because of the severity of the cyber attacks, voluntary cooperation has turned into more of a government push for industries to fortify critical infrastructure against cyber intrusions. The recent Sony incident is an affirmation of the need and urgency for such cooperation.

On the encouraging side, public/private cooperation in research and development is already expanding and reaping dividends. The DHS Science & Technology Transition to Practice Program has helped develop and commercialize promising new cybersecurity technologies from the National Labs and additional outside companies.

What will 2015 entail for the public/private partnership in cybersecurity? It is likely that continued hacks of corporations and institutions will lead to new Congressional legislation calling for mandatory notification of breaches. Advanced persistent threats are becoming more advanced and digital safeguards (including enterprise grade security) will be encouraged by policymakers, the C-Suite and corporate boards.

Corporations, in advisory with DHS, will also need to prioritize best risk management practices and develop resiliency plans. Bring Your Own Device and mobility security (encryption and biometrics) will need to be included in the threat matrix equation.

In 2014, Heartbleed and Shellshock were two of the biggest enterprise security threats. Such cybersecurity threats continually morph and thousands of new malicious malware strains are created daily. More potent viruses are no doubt on the horizon. Cyber extortion ransomware scams grew 500 percent in the past year alone and targeted phishing and emails are becoming more sophisticated and costly.

There are many good analyses of pending challenges in cybersecurity for 2015. McAfee Labs predicts that the top cybersecurity threats of 2015 will include:

Ransomware evolves into the cloud. Ransomware will evolve its methods of propagation, encryption, and the targets it seeks. More mobile devices are likely to suffer attacks.

New mobile attack surfaces and capabilities. Mobile attacks will continue to grow rapidly as new mobile technologies expand the attack surface.

POS attacks increase and evolve with digital payments. Point of sale (POS) attacks will remain lucrative, and a significant upturn in consumer adoption of digital payment systems on mobile devices will provide new attack surfaces that cybercriminals will exploit.

Shellshock sparks Unix, Linux attacks. Non-Windows malware attacks will increase as a result of the Shellshock vulnerability.

Growing exploitation of software flaws. The exploitation of vulnerabilities is likely to increase as new flaws are discovered in popular software products.

To combat these and other cyber threats, the DHS and industry must cooperate at a new level that will include sharing information, creating automated incident response capabilities, and instituting more comprehensive detection methods. To mitigate data breaches in 2015, preparation and commitment from both government and industry leadership is critical. 2015 will be the year of cybersecurity for the DHS and industry as technologies and processes are co-developed and implemented.

The reality is that we live in an increasingly hyper-connected world that impacts all aspects of our lives. From 2015 onward, managing and protecting data will be a growing joint endeavor of the DHS and the public sector.

[Author]

January 8, 2015 at 10:43 AM