Cost and Scale of Data Breaches Increase

Great article here by Tara Seals in Infosecurity Magazine – number 9 on her list – “Cost and Scale of Data Breaches” – is a much underrated risk and is indeed set to increase dramatically:

As cyber-criminals get smarter and the pace of communications accelerates, organizations are being forced to continually adapt and rapidly respond to a shifting threat landscape. The Information Security Forum (ISF) is taking a view to 24 months out, predicting that ever-faster internet speeds, tech rejectionists and even human death will all be hallmarks of the future security reality.

Threat Horizon 2017, the latest in a series of the ISF’s annual Threat Horizon reports, identifies nine specific emergent threats that encapsulate the imminent dangers that the ISF considers the most prominent. They all have the capacity to transmit their impact through cyber-space at break-neck speeds, particularly as the use of the internet spreads beyond the estimated 50 percent of the literate population who are already connected, the organization noted in its report.

The threats are:

  1. Increased Connectivity Speeds Present Issues in Organizational Response Time
  2. Criminal Organizations Become More Structured and Sophisticated
  3. Widespread Social Unrest Breaks Out, Led by ‘Tech Rejectionists’
  4. Dependence on Critical Infrastructure Becomes Dangerous
  5. Malicious Agents Weaponize Systemic Vulnerabilities
  6. Legacy Technology Crumbles
  7. Disruption to Digital Systems Leads to Verifiable Human Deaths
  8. Global Consolidation of Organizations Endangers Competition and Security
  9. Cost and Scale of Data Breaches Increases Dramatically

“The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations,” said Steve Durbin, managing director of the ISF. “Although cyber-space offers opportunities for leading organizations, this environment is uncertain and potentially dangerous.” He added, “We predict that many organizations will struggle to cope as the pace of change intensifies. Consequently, at least until a conscious decision is taken to the contrary, these nine threats should appear on the radar of every organization.”

For instance, regarding the first point, it’s clear that reasonably-priced gigabit connectivity will become widely available to supply the growing demands of devices and users, signifying a dramatic leap forward, increasing both data volume and velocity. In an interview, Durbin laid out some of the risk scenarios for super-charged connectivity.

“As billions of devices are connected, there will be more data that must be managed,” he explained. “Conventional malicious use will increase rapidly, resulting in cascading failures between sectors. This will enable new and previously impracticable avenues for destructive activity online, increasing financial and reputational liabilities and overwhelming traditional defenses. When combined with the steady growth of processing power and storage, this increased connectivity will allow malicious actors to launch new attacks that will be both lucrative and difficult to detect. Businesses will struggle to keep up with these attacks.”

Also, as connectivity gets faster and more mission-critical functions are moved online and to the cloud, ISF predicts that the disruption of digital systems in transport and medical services will lead to verifiable deaths. Organizations should thus assess the exposure to and liabilities of cyber-physical systems, and revise corporate communication and crisis response mechanisms accordingly.

Related to the hyperconnectivity issue, increasing network scale, helped along by global consolidation, presents another emerging threat. As the pending Comcast-Time Warner Cable and AT&T-DirecTV mega-mergers demonstrate, broadband companies are interested in getting larger. Companies of all sizes will have fewer options for connectivity, which could give network operators undue influence (and create a known number of “super-vectors” for criminals to attack).

To address this threat, organizations need to first identify and assess risks related to dependence on the suppliers for which there are few alternatives; engage in dialogue and exchange information with governments to assess the extent to which markets remain either competitive or closed; invest in expanding and diversifying the suppliers of critical services; and, where diversification proves difficult, focus instead on embedding resilience in information security strategies.

“Network operators should be ever-mindful of the challenges that consolidation brings to the industry, and should proactively engage in dialogue with governments and regulators whilst continuing to operate in a transparent fashion with customers,” Durbin said. “This will be challenging and may bring them into conflict with government security agencies, as we have seen with Apple and Google, in terms of providing access to government agencies to core products, but will be essential as they are a provider of core infrastructure service which continues to grow in importance. Maintaining an objective stance will be difficult, but essential, to preserve the trust of the end user.”

Despite lightning-fast broadband, the report predicts that “tech rejectionists” will disrupt local economies in response to record levels of socio-economic inequality, leading to widespread, global, social unrest.

“Discontent will be driven by uncertainty and confusion and inflamed by job losses and displacement due to globalization and automation,” Durbin said. “Rejectionists will dismiss the benefits of technology-enabled globalization, pointing instead at the social and economic costs shouldered by those who are not among the economic elite. The resulting chaos will disrupt businesses and supply chains, and force countries to reconsider the balance between technological progress and long-established social and economic equilibriums.”

The future of data science

Thought-provoking words from Hilary Mason about the future of data science

Hilary Mason is an important person in the world of data science, so her words are always worth listening to. This interview has some particularly thought-provoking ideas.


As she rightly says: “Things that maybe 10 or 15 years ago we could only talk about in a theoretical sense are now commodities that we take completely for granted. Hadoop existed, but was still extremely hard to use at that point. Now it’s something where I hit a couple buttons and a cloud spins up for me and does my calculations and it’s really lovely.”

My view is that it is much more recently than 10 years ago that the data science toolkit really entered the realms of the possible. Hand in hand with that goes the fact that the majority of corporate technologists are unaware of how far data science has come and, frankly, disbelieving about what is now possible.

At Idax, we perform data science on identity and access management data, using unsupervised learning techniques to determine whether internal staff’s access rights are appropriate. As a result we tend to perform analytics on reasonably large data sets with hundreds of thousands of accounts and millions of permissions.

But the main observation from our clients is that, for the non-data-scientist, there is still a lot of catching up to do. Of course, they love the results: being able to dynamically determine a risk rating for all staff, with no additional business knowledge being input, is a huge benefit.

But their general unfamiliarity with the techniques means that, firstly, they can’t quite believe that their corporate entitlements database can be analysed in real time on a machine no bigger than a high-end gaming laptop; secondly, that by using in-memory databases and algorithm optimisation we can provide results across the whole domain in seconds and minutes rather than hours; and lastly, that the dirtier the data, the better the results.

As Mason says: “A lot of people seem to think that data science is just a process of adding up a bunch of data and looking at the results, but that’s actually not at all what the process is. To do this well, you’re really trying to understand something nuanced about the real world, you have some incredibly messy data at hand that might be able to inform you about something, and you’re trying to use mathematics to build a model that connects the two.”

The Outlier Risk under their noses

It seems funny at first, but it isn’t really: it could have been very nasty indeed. Of course, if they had been using Idax they would have spotted him in a heartbeat.

This article from “Here In The City” tells the tale of how the simplest of actions can completely bypass complex security.

The guy just turned up on the trading floor one day.

Bloomberg News reports that KK Ho appeared out of nowhere last year on the Royal Bank of Scotland’s London trading floor.

He had freshly printed business cards identifying himself as a bond salesman. He met with customers and impressed executives in internal meetings with his talk about rich clients he knew, according to two people familiar with the matter.

Then, just as suddenly, he was out the door several months later after bank managers began asking questions about him, questions that led to the realization that he wasn’t a bond salesman after all, the people said.

RBS informed regulators but otherwise kept the matter private, according to another person familiar with the matter. Some details became public when another bank executive mentioned it in a complaint he filed over an employment dispute.

Ho had been a manager in RBS property services facing a layoff, and was given a desk to help him find a new position, according to the three people, who asked not to be identified because they weren’t authorized to discuss it. Ho wasn’t assigned to a team, had no manager and wasn’t authorized to sell securities or meet clients.
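The orphaned-account pattern in this story (a desk and access, but no team, no manager and no peers whose entitlements look like his) is exactly what the peer-group analysis described in the data science post above is meant to surface. The following is an added illustration written for this page, not Idax’s own code or algorithm: it scores a small constructed set of accounts with no business knowledge about which permissions are “correct”, using only how common each entitlement is among an account’s peers plus structural gaps in the record. Account names, team names, permission strings and the weighting constant are all invented for the example.

```python
"""Peer-group outlier scoring over a constructed identity-and-access dataset.

Each account is compared with its peers (same team). Entitlements that few
peers hold raise the score; gaps in the record (no team, no manager) raise it
further. No business rule says which permissions are "right": the population
itself is the reference, which is the unsupervised idea in the post above.
"""
from statistics import mean

# Constructed sample data (not from any real entitlement database).
# The last record mirrors the trading-floor story: facilities-side access plus
# trading-floor access, with no team and no manager on record.
ACCOUNTS = [
    {"account": "alice", "team": "bond-sales", "manager": "mgr-sales",
     "perms": {"crm.read", "crm.write", "trading.book.view", "market.data"}},
    {"account": "bob", "team": "bond-sales", "manager": "mgr-sales",
     "perms": {"crm.read", "crm.write", "trading.book.view", "market.data"}},
    {"account": "carol", "team": "bond-sales", "manager": "mgr-sales",
     "perms": {"crm.read", "trading.book.view", "market.data"}},
    {"account": "dan", "team": "property-services", "manager": "mgr-facilities",
     "perms": {"facilities.tickets", "badge.admin"}},
    {"account": "erin", "team": "property-services", "manager": "mgr-facilities",
     "perms": {"facilities.tickets"}},
    {"account": "kkho", "team": None, "manager": None,
     "perms": {"facilities.tickets", "trading.book.view", "market.data"}},
]

# Assumed weighting: each structural gap adds a quarter point to the risk score.
FLAG_WEIGHT = 0.25


def peers_of(account, accounts):
    """Same-team accounts, excluding the account itself. An account with no
    team has no natural peer group, so fall back to every other account; the
    missing team is reported separately as a structural flag."""
    others = [a for a in accounts if a["account"] != account["account"]]
    if account["team"] is None:
        return others
    return [a for a in others if a["team"] == account["team"]]


def permission_rarity(account, accounts):
    """Mean over the account's entitlements of (1 - share of peers holding it).
    0.0: every entitlement is common among peers. 1.0: no peer holds any."""
    peers = peers_of(account, accounts)
    if not account["perms"]:
        return 0.0
    if not peers:
        return 1.0  # nothing in the population justifies this access
    return mean(
        1 - sum(p in peer["perms"] for peer in peers) / len(peers)
        for p in account["perms"]
    )


def structural_flags(account):
    """Record-level gaps that an entitlement review would want to see."""
    flags = []
    if account["team"] is None:
        flags.append("no-team")
    if account["manager"] is None:
        flags.append("no-manager")
    return flags


def score_account(account, accounts):
    """Combine permission rarity and structural flags into one risk figure."""
    rarity = permission_rarity(account, accounts)
    flags = structural_flags(account)
    return {
        "account": account["account"],
        "rarity": round(rarity, 3),
        "flags": flags,
        "risk": round(rarity + FLAG_WEIGHT * len(flags), 3),
    }


def rank_accounts(accounts):
    """All accounts scored, highest risk first (ties broken by name)."""
    return sorted(
        (score_account(a, accounts) for a in accounts),
        key=lambda s: (-s["risk"], s["account"]),
    )


def high_risk(accounts, threshold):
    """Names of accounts at or above the review threshold."""
    return [s["account"] for s in rank_accounts(accounts) if s["risk"] >= threshold]


if __name__ == "__main__":
    for row in rank_accounts(ACCOUNTS):
        print(f"{row['account']:<6} risk={row['risk']:.3f} "
              f"rarity={row['rarity']:.3f} flags={row['flags']}")
```

On this data the orphan record ranks first: its entitlements straddle two teams, so none of them is common among the population used as its fallback peer group, and the two structural flags push it well above everyone else. The only other account above the pack is the one holding a permission no team-mate has, which is the ordinary kind of finding such a review produces. Real datasets have the hundreds of thousands of accounts the post mentions, but the per-account computation is the same: it only needs the peer set, not any statement of business intent.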