ISF Reports Future Threats to Information Security

Dhwani Pandya, Principal Correspondent

The Information Security Forum (ISF), an independent, non-profit organization dedicated to identifying and benchmarking good practices in information security, has come up with a 'Threat Horizon 2012' report that details ten future scenarios identifying the key areas of risk to business both within and beyond the information security remit. ISF has exclusively shared the details of this report with SearchSecurity.in. Overall, about two hundred member representatives contributed their thoughts and ideas to this project.

The ten threat scenarios
Contingency fails: Over-reliance on the Internet for all forms of communications and under-investment in critical infrastructure lead to poor resilience at network level, with risk of complete loss of communications.
The cloud becomes a fog: The business and cost benefits of cloud computing have led to short-cuts being taken, and security and compliance concerns being overridden.
Who took my boundary?: Mobile and remote working, outsourcing and cloud computing have combined to remove organizations' network boundary with the outside world.
The mobile mainframe in your pocket: The predominance of smartphones and laptops (both corporate and private) has blurred the line between business and personal usage, leading to unproven and untrusted software being used for business communications and transactions.
Privacy vs security debate: The conflict between the right to privacy and the need of government agencies to analyse personal information in crime prevention has reduced public confidence in organizations' ability to safeguard personal information to an all-time low.
The greening of business: Initiatives to improve environmental performance and reduce carbon footprint have led to order-of-magnitude growth in home and remote working, which security systems have not scaled to accommodate.
Espionage gets serious: The highly competitive global market has given rise to more sophisticated cyber-espionage attacks, both from commercial competitors and from organized criminals.
Threats converge: Attackers have adopted strategies based on a combination of threats, some of which are outside the information security remit.
Integrity is king: The sheer scale of information has led to a 'toxic information wasteland' where organizations are unsure of which of the multiple copies is right and true, or who is qualified to make that judgment.
A merger of work and home life: For the Internet generation, the boundaries between work and home life are even more indistinct; some even have difficulty distinguishing between real life and fantasy life (the 'avatar effect').

Rather than looking at information security risk purely from a technical standpoint, this report tries to offer a holistic view of threats to businesses and uses the PLEST framework to consider the political, legal, economic, socio-cultural and technical macro-economic factors that will affect organizations in coming years. The 10 threat scenarios are mainly an outcome of broader risks like cultural changes, globalization and weakening infrastructure.

Asked about the most critical threat to information security in India, the author of the report, Andy Jones, CISSP, Principal Research Consultant, ISF, chooses 'contingency fails'. He explains, "Whilst under-investment in critical national (and organizational) infrastructure is an issue for many countries and organizations, I believe that the competency that India has built in the outsourcing area makes it more vulnerable to outages in major infrastructural components – for example, the Internet." For an outsourcing company to be isolated or to suffer degraded global Internet connectivity is likely to be very damaging. He also cautions about a similar scenario that occurred two years ago when the main Internet pipe to the region was trawled upon and damaged.

Further sharing his observations on threats to information security in India, Jones says, "In this region, we saw more focus on the technical risks, rather than some of the softer cultural risks." The report also stresses that changes in cultural behavior, coupled with higher adoption of technology, have resulted in a changed attitude towards protecting information, especially among the generation that has grown up with the Internet. We are living in a world where social networking platforms are encouraging individuals to share as much personal information as possible while the authorities and governments are coming up with more and more stringent privacy protection laws.

Jones also pointed out that they found the interest in cloud issues to be stronger in India than in other regions. He also recommends certain actions against threats to information security in the cloud:
•    Develop a security strategy for cloud computing and understand how existing identity and access mechanisms can be adopted for the cloud environment
•    Understand disaster recovery in the cloud
•    Establish criteria for what information can be placed in the cloud without falling foul of legal and regulatory obligations
•    Draw up a contingency plan to retrench from the cloud if necessary
•    Determine an information classification system, which you can use to communicate with cloud providers

The 'Threat Horizon 2012' report not only identifies future threats to information security but also offers high-level actions for organizations, so that they can prepare the groundwork through a proactive and strategic approach to risk management.