Security Awareness on the Rise
The previous year was a tough one for the Security World: the attack rates increased, big names like Evernote, New York Times, LivingSocial, Twitter, and Facebook faced some serious security issues, and Edward Snowden blew everybody's mind when he revealed the NSA documents. The last event was an eye-opener for a lot of people as it drew attention to a previously overlooked area of corporate security: internal security. This single event changed the perception of security and privacy all over the world forever.
Now many companies are highly focused on implementing security measures and even announce them as a competitive differentiator when positioning their products in the marketplace. Customers are now more aware of security threats and more interested in how vendors and service providers ensure information security in their products and custom development activities. They frequently request a number of security features to be present in the products they use (for example, encryption, double verification, etc.), and demand independent third-party security audits as proof that the security measures are effective.
Government and regulatory bodies around the world apply increasingly severe regulations in domains where protecting sensitive information is key to success, such as Finance and Healthcare.
The increased security awareness is a positive trend we expect to become even more pronounced in 2014, but there is a parallel counter-productive tendency we've noticed. Though most of the new customers we start working with are aware of their security needs and take measures to heighten security at their company, their efforts seem to be limited to buying a security tool instead of creating a comprehensive security strategy, including a secure Software Development Lifecycle (SDLC) process, security training for developers and Quality Assurance engineers, etc.
Another paradox is that while everybody admits that security attacks are becoming more and more sophisticated, the majority of breaches still result from attacks rated as "moderately" difficult or of "low" difficulty. Indeed, there's no need to fire a missile through an unlocked window. And if system vulnerabilities are left unaddressed, even the best security tool won't stop a malefactor from exploiting logical defects.
Security in 2014: Focus Areas
As technology develops, there are some specific areas, especially among the emerging technology trends, that will need special attention from IT security experts in 2014:
• Mobility has already become an inevitable part of life and business, but there are clear indications that its impact on modern business processes will grow in 2014. Mobility threats will vary from specific targeted malware (for example, malware built to bypass two-factor authentication for a bank) to multi-target spyware for smartphones and tablets. Another possible targeted attack vector could be Mobile Enterprise Application Platforms, endangering a wide range of mobile enterprise applications.
• Internet of Things is an emerging technology which opens new business possibilities alongside a new realm of risks. We expect serious investments to be made in this area, including investments of time and effort to harden communication channels, manage risks, etc.
• Big Data and Machine Learning. Advanced Persistent Threats (APTs) will continue to threaten organizations across the world. As these sophisticated, targeted attacks are hard to detect by traditional means of matching familiar, already-known patterns, we expect more advanced techniques based on Big Data and Machine Learning technologies to appear to counter APT attacks.
In 2014, Big Data will be one of the most promising security areas. Apart from threat intelligence, it can also help with identifying user behavior patterns as part of risk analytics during authorization decisions. The leading Security Information and Event Management (SIEM) tools are already moving in this direction, but we expect more sophisticated algorithms and a larger variety of data to become available for analysis.
Key Security Trends for 2014
In 2013, SoftServe's Incident Forensics service helped a majority of our security clients counter threats of cloud breaches. In 2014, we expect a larger share of our security projects to be aimed at countering and preventing Advanced Persistent Threats: more sophisticated attacks targeting system administrators, top managers, and cloud engineers in an attempt to steal their accounts or cloud access certificates.
Based on our industry observations and the tendencies we've witnessed in our security projects, here are six trends we believe will define the Security World in 2014:
1. At SoftServe, we expect compliance and regulation hardening in 2014, so more businesses will need penetration tests or even a continuous security program, such as secure Software Development Lifecycle (SDLC) services, to meet compliance requirements in areas such as Healthcare. For SaaS-based Independent Software Vendors (ISVs), a good example of a standard driving effective compliance preparation and assessment activities is the ISO/IEC 27017 cloud security standard.
2. Distributed Denial of Service (DDoS) attacks will more frequently be targeted against SaaS/Cloud-based products and services, which will increase the scalability expenditures for the resource owners. Currently, Infrastructure as a Service (IaaS) providers do not build in protection against DDoS attacks, and businesses rely on third-party security service providers for help with protecting their products against DDoS. Most often, DDoS attacks target application defects, so companies should consider detailed forensics for their products to close any potential gaps.
3. The majority of ISV companies that purchased a Static Application Security Testing (SAST) code verification tool will need to apply it within their Continuous Integration (CI) and Delivery process. As a result, we expect security integration into Continuous Delivery to become a new trend in 2014. SoftServe's security experts hold certificates for the best Application Security Testing (AST) tools in Gartner's rankings and are experienced in integrating them with CI tools like Jenkins, which helps decrease the time spent on security tests by 40%.
4. In 2013, our security team had to deal with Cybersquatting and Typosquatting (URL hijacking) attacks, in which malefactors purchased a domain name similar to that of the company they were targeting. They set up a website identical to the original portal, with the same login form, to steal users' login information. The number of such attacks will increase in 2014 by 30%. To shield businesses against such manipulations, SoftServe's security team created a countermeasure program of technical and organizational activities. We expect it will also be effective as a counter to possible email manipulation attacks, which are likely to become more frequent in 2014.
5. DevOps and Security integration is rapidly becoming a critical need for the majority of IT-related businesses. As our experience proves, the combined DevOps + Security approach can bring security monitoring to a new level by enabling companies to detect anomalies, analyze log files, apply a proper patch and update management process, perform regular external vulnerability scanning, and roll out Security Information and Event Management (SIEM) systems that report who accessed any internal or external resource, when, and how.
6. Social Engineering. As software security improves, attacks will turn on people, exploiting their psychological vulnerabilities. Social Engineering attacks will grow considerably, resulting in a need for better IT security education for employees. For example, at SoftServe we train our employees on real-world Social Engineering cases, teaching them how to apply proactive technical countermeasures in case of an attack.
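The typosquatting attacks described in trend 4 rely on a domain that differs from the real one by a character or a TLD. One technical countermeasure a monitoring team can run is a lookalike-domain check over proxy or mail logs. The script below is an added illustration, not SoftServe's countermeasure program; the log format, the company domain `example-corp.com`, the sample log lines and the edit-distance threshold are all assumptions constructed for the example.

```python
"""Flag lookalike (typosquat) destinations in constructed proxy log lines.

Added example; the log format, the legitimate domain, the sample lines and
the thresholds are assumptions, not data from any real deployment.
"""
import re

LEGIT_DOMAIN = "example-corp.com"  # assumed company domain

# Constructed sample log lines: which user reached which destination host.
SAMPLE_LOG = """\
2014-01-07T09:12:01 user=alice dest=portal.example-corp.com status=200
2014-01-07T09:13:44 user=bob dest=exampIe-corp.com status=200
2014-01-07T09:15:09 user=carol dest=example-crop.com status=200
2014-01-07T09:16:30 user=dave dest=github.com status=200
2014-01-07T09:18:02 user=erin dest=example-corp.co status=200
2014-01-07T09:20:15 user=frank dest=www.example-corp.com status=200
"""

DEST_RE = re.compile(r"user=(?P<user>\S+)\s+dest=(?P<dest>\S+)")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) via the two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_name(host):
    """Crude registrable domain: the last two labels, lower-cased.
    Assumption: no multi-label public suffixes (e.g. .co.uk) in the data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host, legit=LEGIT_DOMAIN, max_distance=2):
    """True when host mimics legit: same name under another TLD, or within
    max_distance edits of it. The real domain and its subdomains pass."""
    name = registrable_name(host)
    if name == legit:
        return False
    if name.split(".", 1)[0] == legit.split(".", 1)[0]:
        return True  # identical second-level label, different TLD
    return levenshtein(name, legit) <= max_distance


def flag_lookalikes(log_text, legit=LEGIT_DOMAIN, allowlist=(), max_distance=2):
    """Return [(user, dest)] for destinations whose domain mimics legit,
    skipping domains the company legitimately owns (allowlist)."""
    hits = []
    for line in log_text.splitlines():
        m = DEST_RE.search(line)
        if not m:
            continue
        dest = m.group("dest")
        if registrable_name(dest) in allowlist:
            continue
        if is_lookalike(dest, legit, max_distance):
            hits.append((m.group("user"), dest))
    return hits


if __name__ == "__main__":
    for user, dest in flag_lookalikes(SAMPLE_LOG):
        print(f"lookalike domain reached by {user}: {dest}")
```

On the constructed sample the check flags `exampIe-corp.com` (capital I for l), `example-crop.com` (transposed letters) and `example-corp.co` (dropped TLD character) while leaving the real portal, `www.example-corp.com` and `github.com` alone. The allowlist is where a company's own alternate domains go; the edit-distance threshold is a tuning knob, and a short legitimate domain will need a lower value to keep false positives down.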
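Two passages above, the Big Data point about using user behavior patterns as part of risk analytics during authorization decisions, and trend 5 on analyzing log files and detecting anomalies, describe the same building block: a per-user baseline derived from past access logs, against which each new login is scored. The script below is an added example of that logic and is not SoftServe's or any SIEM product's implementation; the log format, the constructed history and events, the /24 network and hour-of-day features, and the scoring weights and thresholds are all assumptions.

```python
"""Score login attempts against each user's behavioural baseline.

Added example; the log format, sample data, features, weights and decision
thresholds are assumptions chosen to illustrate risk-based authorization.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)"
)

# Constructed history used to build the baselines (ordinary working days).
HISTORY = """\
2014-01-06T08:55:10 user=alice src=10.20.30.15 action=login result=success
2014-01-06T09:10:42 user=alice src=10.20.30.15 action=read result=success
2014-01-07T09:02:11 user=alice src=10.20.30.22 action=login result=success
2014-01-08T08:49:37 user=alice src=10.20.30.15 action=login result=success
2014-01-06T17:40:05 user=bob src=192.0.2.44 action=login result=success
2014-01-07T18:05:19 user=bob src=192.0.2.44 action=login result=success
"""

# Constructed new events to score: one night-time burst of failures from an
# unknown network followed by a success, and one daytime login from a new net.
NEW_EVENTS = """\
2014-01-09T09:05:00 user=alice src=10.20.30.15 action=login result=success
2014-01-09T03:12:00 user=alice src=198.51.100.9 action=login result=fail
2014-01-09T03:12:20 user=alice src=198.51.100.9 action=login result=fail
2014-01-09T03:12:41 user=alice src=198.51.100.9 action=login result=fail
2014-01-09T03:13:02 user=alice src=198.51.100.9 action=login result=success
2014-01-09T17:50:00 user=bob src=192.0.2.44 action=login result=success
2014-01-09T17:55:00 user=bob src=203.0.113.7 action=login result=success
"""


def parse(log_text):
    """Turn log lines into dicts with a datetime timestamp; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def network(src):
    """Coarsen a source address to its /24 so DHCP churn does not look new."""
    return str(ipaddress.ip_network(f"{src}/24", strict=False))


def build_baselines(history):
    """Per user: the /24 networks and hours of day seen in successful logins."""
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in history:
        if e["action"] == "login" and e["result"] == "success":
            base[e["user"]]["nets"].add(network(e["src"]))
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def score_events(events, baselines, fail_window_s=300):
    """Return [(ts, user, src, score, decision)] for each successful login.
    Assumed weights: unknown /24 = 50, hour more than one off the baseline
    = 30, each failed login from the same (user, src) within fail_window_s
    before the success = 10. Decision: <30 allow, <80 step-up, else deny."""
    recent_fails = defaultdict(list)  # (user, src) -> failure timestamps
    rows = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] != "login":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            recent_fails[key].append(e["ts"])
            continue
        b = baselines.get(e["user"], {"nets": set(), "hours": set()})
        score = 0
        if network(e["src"]) not in b["nets"]:
            score += 50
        if not any(abs(e["ts"].hour - h) <= 1 for h in b["hours"]):
            score += 30
        fails = [t for t in recent_fails[key]
                 if (e["ts"] - t).total_seconds() <= fail_window_s]
        score += 10 * len(fails)
        decision = "allow" if score < 30 else "step-up" if score < 80 else "deny"
        rows.append((e["ts"].isoformat(), e["user"], e["src"], score, decision))
    return rows


if __name__ == "__main__":
    baselines = build_baselines(parse(HISTORY))
    for row in score_events(parse(NEW_EVENTS), baselines):
        print(*row)
```

The output already answers trend 5's "who, when, and how" question for each login, and the decision column is what an authorization layer would consume: the 03:13 login from an unfamiliar network at an unusual hour after three failures scores 110 and is denied, while bob's daytime login from a new network scores 50 and is pushed to step-up verification. A production system would widen the baseline window, add device and geography features and learn the weights from labelled data, but the shape of the decision is the same.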