Security trends 2016: Five challenges

The security situation of companies must not only keep pace with technical developments; it is part of a successful corporate strategy to find the appropriate answers to new, technical requirements in good time. But political, legal and human factors must also be taken into account and, as far as possible, factored in.

 

The security provider Totemo gives an overview of the top 5 threats in 2016 and explains how to manage them.

1. Backdoors in encryption solutions

Attacks like the one in Paris create a climate in which calls for more surveillance thrive. Yet consistent data encryption is the number one nuisance for snoopers. The Internet and communications sector have long been unable to do without a minimum of such techniques. Whether it's e-commerce, online banking, software updates or app downloads, the digital world is no longer conceivable without end-to-end encryption. But in times of political uncertainty and terrorist threats, there are repeated calls for backdoors that could be used by security authorities to gain access to protected communications.
Apart from the debate about the extent to which such precautions undermine citizens' rights in individual countries, the real threat posed by backdoors from an IT perspective is that, as a predetermined breaking point, they torpedo the entire security architecture. This is because the keys for the backdoors must never fall into the wrong hands - a prerequisite that can hardly be met in practice for procedures that are used millions or billions of times. Numerous incidents in which the security of government servers was compromised, such as the Bundestag hack, have diminished confidence in the ability of government agencies to permanently protect such sensitive information from attackers.

2. Weak point: employees

The Cyber Security Intelligence Index from IBM for 2015 shows that on average 55% of all security incidents in the previous year originated from insiders - sometimes unknowingly, but often with malicious intent. Basically, there is still a lack of awareness that risks also arise from access within the company. The leakage of sensitive data into "dark channels" is encouraged by lax security requirements such as weak passwords or shared accounts.
Unintentional security breaches can be countered with measures that automatically detect and counteract security-critical actions. For example, when a user sends a document containing credit card information, an encryption process can be started automatically to protect the content. The risk of unintentional policy violations is also reduced by a graduated authorization management: Each user only receives the authorizations that he actually needs according to his role. For example, it makes sense to define additional roles with specific access rights between the standard "administrator" and "simple user" profiles.
Such measures already put obstacles in the way of insiders with dishonest intentions. Nevertheless, further internal protective measures are necessary to guard against deliberate attacks: This includes encrypting e-mails and other content internally as well. As an additional measure, consistent logging can have a deterrent effect, as all actions are recorded in an indelible and tamper-proof manner - a requirement that can already arise in connection with audit trail requirements or compliance specifications.
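One common way to approach the logging requirement above is an HMAC hash chain, shown here as an added example that is not taken from the article or any vendor. It makes tampering detectable rather than impossible; the record fields, the demo key and the sample events are constructed, and the key and the latest chain head are assumed to be kept outside the audited system.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain start value

def _mac(key, prev_mac, entry):
    # Each MAC covers the previous MAC, so a record cannot be edited or reordered alone.
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append(log, key, user, action):
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "user": user, "action": action}
    log.append({"entry": entry, "mac": _mac(key, prev, entry)})
    return log[-1]["mac"]  # new chain head; store it off the logging host

def verify(log, key, anchored_head=None):
    """Return the index of the first inconsistent record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, prev, rec["entry"])
        if rec["entry"].get("seq") != i or not hmac.compare_digest(rec["mac"], expected):
            return i
        prev = rec["mac"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)  # records were cut from the end of the log
    return None

DEMO_KEY = b"constructed-demo-key"  # in practice held outside the audited system

def build_sample_log():
    """Constructed sample events."""
    log = []
    append(log, DEMO_KEY, "alice", "read customer_export.csv")
    append(log, DEMO_KEY, "bob", "changed role of carol to admin")
    head = append(log, DEMO_KEY, "bob", "deleted mailbox rule")
    return log, head

if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", verify(log, DEMO_KEY, head))
    tampered = copy.deepcopy(log)
    tampered[1]["entry"]["action"] = "read calendar"
    print("first bad record after edit:", verify(tampered, DEMO_KEY, head))
```

Without the externally stored head, removing records from the end of the log goes unnoticed, which is why `append` returns it.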

3. Growing shadow IT

What is often invitingly called "Bring your own Device" (ByoD) has become a mass movement, in the sense of "ByoX", that undermines corporate IT security. In addition to their own devices, employees increasingly use apps and programs without the blessing of IT departments, creating a veritable shadow IT infrastructure: according to a survey conducted by Cisco in the summer of 2015, IT departments estimate that employees use an average of 51 external cloud services - in reality, however, the number is 15 times higher, according to Cisco. At the turn of the year, the real use could even increase to 20 times the amount assumed by the companies.
This uncontrolled growth must be particularly worrying for IT managers, because it not only opens the door to attacks, but also reflects badly on their own IT infrastructure. After all, the users' argument usually culminates in the fact that the unauthorized solutions lead to the goal faster and more conveniently. The lesson for IT departments can only be to pay more attention to the needs of employees, especially when it comes to security-critical applications such as encryption. Basically, the IT department should see itself as an "internal service provider" that provides employees with an IT service catalog of user-friendly solutions from which they can choose. This is the only way to ensure that users actually use the approved applications and do not look for alternatives themselves.

4. Internet of Things - vulnerable machine communication

All signs point to growing networking between devices, because in industry, for example, automation across machine and plant boundaries promises flexibility and cost advantages. In the Internet of Things, encrypted transmission protocols should always be used to secure data transmission. But that alone is no guarantee of data protection if manufacturers give too little thought to this and, for example, use identical key material in their devices. Anyone who owns one of these devices with cloned keys can also use its private key to decrypt the data of other networked devices from the same manufacturer.
An easy mistake to avoid, one would think. But the basic problem is that the suppliers of many networked devices today come from the electronics industry and lack both the awareness and the know-how of the security industry. Examples are baby monitors and cameras for monitoring offspring, or even the talking and listening - i.e., eavesdropping - Barbie that passes on all its data to the manufacturing company. As a test by a security company showed, such products are often very easy to hack. The risks are also illustrated by a number of incidents in which hackers played audio to parents in some cases and put video recordings from the home environment on YouTube in others. The problem with such inadequately secured devices is likely to get worse, as innovative product ideas are currently meeting busy parents who want to check on their children's well-being while at work - and are increasingly using networked devices to do so.

5. Use the cloud (only) with caution

In October 2015, the Safe Harbor ruling of the European Court of Justice (ECJ) heightened security concerns about storing data outside Europe. This is because the ECJ ruled that the Safe Harbor agreement may not undermine local European protection provisions. In the past 15 years, it had been sufficient for U.S. companies - without further certification of compliance with EU rules - to commit to the Safe Harbor rules in order to entrust them with data. As a consequence of the Snowden affair, however, it is clear that data is not safe there, because the US government is able to gain access at any time.
Nevertheless, the cloud continues to be a useful component of the IT infrastructure as long as no sensitive data is stored in it - or at least not unencrypted. Reliable protection should actually be provided if the keys are not subject to US jurisdiction but are stored on local servers in Europe. Otherwise, the US government can demand that US service providers hand them over. However, practice shows that U.S. authorities demand handover from U.S. companies even if the data is stored on local servers in Europe. Although these companies are resisting this, the legal course of the dispute to date suggests that the data will ultimately have to be handed over. Companies around the world will therefore have their work cut out for them in 2016.

Conclusion: Trust cannot be delegated

The current acute challenges for corporate IT security show one thing above all: trust cannot be delegated. Only those who take effective measures themselves to ensure their security on site are on the safe side.
