From IoT to dealing with data at scale, the challenges for security pros in 2017 will be as daunting as ever. Last year at the tenth annual SecTor conference, security experts revealed what they thought the biggest challenges of the year might be – and we caught it all on camera. This is the first in a series of five videos that SecTor will be unveiling as it prepares to open registration for its 2017 conference.
Data, data, everywhere
The volume of data was one concern for 2017. KPMG security consultant Cheryl Biswas said that handling this ocean of potentially sensitive data would be a top priority for many organizations in the coming year.
Scale will be a big challenge, agreed Ben Sapiro, senior director of security, privacy and compliance at Vision Critical. As business gets faster and companies deal with more data, they will need to find ways to automate some manual tasks, ranging from policy reviews to malware handling.
IoT is the new ingress point
No discussion of future security challenges would be complete without a reference to the Internet of Things. Lock it down, warned keynote speaker Mikko Hyponnen, because otherwise intruders will treat IoT devices as an attack vector. IoT devices are a means to an end, he warned: attackers can use them as jump boxes to reach other targets on the network.
IoT devices may be attractive ingress points for network intruders, but let’s not forget that reliable old attack vector: the PC. Watch your endpoints, warned Chris Wysopal, L0pht alumni and CTO at Veracode. More than ever in 2017, attackers will be using them as attack vectors by compromising two things: users, and vulnerable software.
Back to basics
Chris Pogue, CISO at Nuix, argues that the biggest challenge for the coming year will be the same one that security pros faced in 2016, and in 2015, and for years before that: basic IT security hygiene. Patching your software, hardening your systems, and getting users not to click on suspicious things are still challenges that a large percentage of organizations are grappling with.
Security hygiene is more important than ever, says Pogue, because the nature of the network has changed. He suggests a zero-knowledge approach to security, abandoning antiquated ideas of a hardened, iron perimeter, and instead treating the network as a porous environment that has already been breached. Then, the challenge involves hardening assets inside the system and teaching users to work in what amounts to a hostile environment.
This is an idea that has surfaced repeatedly over the years. The Open Group’s Jericho Forum was promoting the idea of ‘de-perimeterization’ in the early 2000s – but creating a network in which key assets are shrinkwrapped can be more complex than it sounds.
Perhaps this is why so many organizations are still being compromised. The Congressional report into the Office of Personnel Management hack reveals that the agency’s network was flatter than a pancake with almost no segmentation. So, why are we still talking about these problems in 2017? Because they’re still challenging us.
Stay tuned for more video insights from SecTor speakers in the next few weeks.