Feature Article: 2012 Information Security Compliance Predictions

by Rick Dakin, CEO, Chief Security Strategist

The year 2011 proved to be another tough year for companies attempting to defend sensitive information from cyber attack.  The results reported by the Privacy Rights Clearinghouse confirm that compromise of personal records roughly tripled from 12 million in 2010 to 30 million in 2011.  These hard facts support the intelligence briefings we have previously obtained.  The cyber security activity at the federal government level has rapidly escalated in response to direct and actionable intelligence that our critical infrastructure is a target for increased attack by both cyber criminals and nation states.

A good friend of the Coalfire family of clients, Mark Weatherford, has recently been appointed to lead the national cyber security team at the Department of Homeland Security (DHS).  The challenges are numerous and severe but Mark is well qualified to lead our mutual efforts (as a nation) to respond to rapidly increasing cyber threats as well as the escalating demands of information security compliance. 

The recent delivery of a ‘weaponized’ cyber payload against the nuclear reactors in Iran (malware called Stuxnet) by an unnamed western nation has opened a new era of cyber warfare.   The sophistication of the attack, and the level of embedded stealth included, takes us to a new level of concern about vulnerabilities for our critical infrastructure, which includes finance, healthcare, utilities and government operations.  We can expect Iran, China and other nations to respond to our offensive cyber-attack capabilities deployed within the U.S. Cyber Command.

However, this brief executive summary is not intended to share more scary stories. We have consolidated a list of predictions that will likely impact every bank, credit union, retailer, service provider and healthcare organization at some level.

This summary is intended to identify the key initiatives that most organizations will address in 2012 and some of the information security issues that impact those mission-critical initiatives.  Cyber security is no longer a standalone activity for the IT department.  Each business owner or leader should consider the impact of data security as we embrace emerging technologies in a more connected world.

Coalfire’s  Top 6 Predictions for 2012

  1. Cyber attacks will increase and baseline infrastructure will become more vulnerable.

    Good enough is no longer good enough. The level of cyber-attack sophistication will rise as the number of countries that deploy offensive cyber warfare capabilities increases.  It is hard to accept that the hacking community will become the primary beneficiary of the dramatic improvements in hacking tools, but beware.  The connection between organized crime and rogue nation states is real, and the frequency and effectiveness of these offensive cyber payloads will cripple even our best cyber defensives.  We simply have to become more nimble.

  2. At the federal level, we see a migration of cyber assurance and compliance validation moving to include more active monitoring to augment periodic cyber security testing. Programs like Einstein, CyberScope and CyberStat promise to identify vulnerabilities and weaknesses more quickly and to enable entire industries to take justified responsive action.  These early monitoring programs are typically coupled with risk management programs to provide both transparency of the changing threats as well as a path to direct appropriate security changes.

    Our annual budget cycles are not aligned to the ever-changing threat landscape from cyber attack.  As we consider our commercial mission, it is hard to weave in the concept of cyber warfare but that is the new reality.  Sony, Massachusetts General Hospital, Citibank and the U.S. Chamber of Commerce all experienced high-profile attacks with significant loss.  Each of these organizations thought they were thousands of miles away from the war zone but found that remote access to their systems made them an easy target.  For those of you who have already implemented mature security programs, be prepared to implement more active monitoring and periodic incident response.  For those still building baseline controls, be aware that the time to achieve full implementation may be getting shorter.

  3. The move to cloud computing will show demonstrable cost savings … but will add new risks.

    The migration to dramatically lower cost cloud services is well under way.  In many cases, organizations may not be aware that they are connected to “the cloud” or obtain services delivered from cloud providers.  As we conduct audits this year, we are seeing a very troublesome trend: service providers are becoming more virtual and have not taken adequate steps to protect their clients.

    Can you imagine a reporter calling one day to ask why your organization did not take adequate steps to protect consumers when outsourcing key processes … then, finding out that the outsourced service provider conducted the process offshore and deployed services in a shared hosting environment?  As we audit third-party agreements, we are finding very little oversight for outsourced services that end up in a shared environment or cloud.  These outsourced services require specific contract language and oversight to achieve compliance with various data protection regulations.

    Even as companies move dedicated applications to shared hosting environments, it is becoming harder to track access to sensitive data.  New cloud environments require a complete review of risks and typically require new (virtual-oriented) controls to be deployed.  Coalfire is actively working with international cloud-based services companies like Savvis, HP and VMware to develop audit procedures to validate compliance to PCI DSS, FFIEC and HIPAA standards.  The path forward to full compliance in the cloud is achievable but it will require some risk assessment for each organization.  The early-adopter companies, like the ones we are currently supporting, are not yet mainstream.  Many service providers accept unreasonable risk and do not inform their clients about those risks.

  4. Increasing usage of mobile devices will revolutionize customer service.

    For those of us last holdouts who don’t check Facebook every five minutes, the corporate version is heading our way.  The impact of social media, increasing customer expectations, and improved performance will demand the integration of mobile computing into every industry.  It is inevitable.  However, mobile computing introduces new risks that are not yet well understood.

    In a retail setting, merchants will be able to handle huge customer demands, improved inventory management and the integration of online services to a brick and mortar setting with the introduction of company-owned mobile devices or the integration of client-owned mobile devices.  We have already seen models where the self-serve check-out lane is an individual’s smartphone.  The distribution of coupons and incentives happens while customers are still shopping. Manufacturers simply send a GRC label with the product that let shoppers see what the latest offers are from both a store and from the national level.  Consumers are demanding this level of service and we will provide it.

    However, the amount of data exchanged with consumers during the process could introduce new risks.  Essentially, consumer transactions could include remote (i.e. client-end) risk that merchants are not prepared to address.  Once the cyber criminals understand the opportunity, we can expect some creative manipulation of stolen smartphones to introduce new “gotchas” to busy IT departments.

  5. Information risk management moves form the data center to the board room.

    As senior executives, we all fear the day that camera crews assemble in our parking lots to discover the extent of customer privacy damage from a data compromise.  Following the lead from the CEO of Sony when confronted with this exact situation in 2011, we can all expect that the cost to each organization will go well beyond the technical remediation.  Brand damage mitigation, customer confidence issues and regulatory oversight costs will disrupt executive and board-level discussions for an extended period of time.  The CEO for Sony acted quickly and decisively.  Costs for client communications, system remediation, fines and customer retention were significant.  Estimates for the breach have reached $50 million+.  This is an enterprise-level cost that was not accrued on the balance sheet or even communicated to the board as a contingent liability for the way past operations were conducted.

    Going forward, we can expect much more active board participation in company risk management to include information security risk management.  However, most companies do not have adequate processes to connect senior level strategy, risk appetite and policy as seamlessly integrated processes into system-level protection.  The need for enterprise-level risk management has become a very active area for program development.  Fortunately, NIST and industry organizations have published reasonable and effective methods for conducting risk assessment and the resulting risk management activities. 

    Coalfire recently supported a Department of Energy process to develop an industry risk management guideline that is aligned to the NIST Special Publication 800-39.  This early industry- focused initiative will enable industry executives to understand their role in managing cyber security risk at the enterprise level.  Other industries also maintain straightforward guidelines for managing risk.  Our prediction is that most organizations will implement those guidelines over the next two years.  Those who do not maintain active enterprise-level risk management programs (including cyber security risk management) will find that a new definition of negligence could cause dramatic impact during a future system compromise.

  6. Industry will be slow to react to increasing cyber threats and Congress will enact more regulations to enforce enhanced controls.

    As cyber security industry insiders, we always think that everyone will see the issues as clearly as we do and take appropriate action to prevent damage to customers and the organization.  However, this has proven not to be the case.  As a result, a wave of data protection and cyber security legislation has been published to force organizations to take baseline action to protect themselves, critical infrastructure and their customers.  This trend will continue at an accelerated pace in 2012.

    After reviewing several threat briefings at many levels, it is obvious that threats are escalating faster than our ability, or willingness, to deploy justified cyber security measures.  As a result, 2012 may be a banner year for both federal and state cyber security legislation.  In many states, Notice of Privacy Breach regulations are being modified to raise the bar on minimum cyber security prevention requirements as well as increase penalties for both negligence and directed cyber crime activities.

    In Congress, both the Senate and House of Representatives introduced cyber security legislation at the request of the President.  The Lungren bill appears to have the most support since it requires protection of citizen privacy and critical infrastructure.  The legislation establishes incentives for organizations to adopt strong risk management programs.  Those incentives may ultimately include safe harbor from prosecution for data breach, access to catastrophic insurance for losses resulting from a cyber attack, and access to enhanced intelligence and information sharing about threats and recommended remediation.  The legislation inherently includes an expectation that the DHS will provide oversight for each agency to draft cyber security guidelines intended to focus industry operators’ remediation activities.  These standards may not be aggressively enforced in the short term but will provide the basis for negligence claims from people and organizations damaged by industry failures.

While we are certain that few of these predictions will catch anyone by surprise, we do anticipate that many organizations have not yet fully embraced the level of change required to address the evolving cyber security landscape.  In the last year, we found that many organizations that were in compliance with regulatory requirements for the past three years are now suddenly out of compliance.  As organizations introduce new technologies to reach more customers with better service, the rapidly changing infrastructure and applications are simply not as secure.  Organizations’ rush to achieve business success has not yet fully considered the total responsibility and cost of the migration. 

Our predictions are simple.  We expect the threats to increase and the regulatory environment to become more stringent.  This escalation is occurring at a time when budgets are tight and resources are limited.  We expect cyber security and IT compliance to become a much larger issue in 2012. 

Coalfire is also reacting.  We are preparing more educational materials and events to continue providing insights to the issues and independent advice on how these issues can be addressed.  We look forward to a year that requires us to do more to support our clients and to earn the opportunity to provide services to our new friends.