And so to the peace and calm of the world, post-Infosecurity Europe. Twenty years is a good birthday to celebrate and the industry’s premium event certainly didn’t fail to live up to expectations. In addition to the expected new products and services, the show presented an industry that finds itself at something of a tipping point as to what it actually is, and the relative importance of its core component parts.
The undoubted star turn of the event was John McAfee. The industry legend and pioneer – he is both, whatever your opinion on him – did not disappoint, blazing into day two of #infosec15, leaving a trail not of devastation but of devastatingly good soundbites in his wake. A couple of pearls included:
“There's a fantastic hole in security called mobile.”
“It’s easy to tell what your mobile apps are doing – who is reading them, and your emails.”
“We can't allow fearful institutions to create [security] weaknesses.”
“It's much easier to gain a password from a secretary than it is to gain one using a supercomputer.”
“I am a hacker; that’s vital to understand security. Never buy software from someone who doesn't know about hacking.”
“People need to take control and be responsible on their own – governments can't protect you.”
At a reception, McAfee braved delegates with a no-holds-barred Q&A. He was grilled on a number of topics, mostly surrounding privacy. One topic that he wasn’t asked about was the meta-narrative developing during the event of the ‘logical’ need to re-allocate resources from preventing incidents to dealing with their aftermath. It wasn't just the specialists in response pushing this line – in fact one delegate at a session proclaimed that AV was dead. It’s amusing to think of how McAfee, one of the fathers of antivirus software, would have responded to the assertion.
But is it dead? Has detection and prevention suddenly become so unimportant. This is a huge and potentially dangerous assumption, said industry stalwart Jack Daniel as he was inducted into the Infosecurity Europe Hall of Fame. Daniel warned that any advocates of the ‘detection in marked demise’ doctrine, who felt compelled to simply rush headlong into response, had better be pretty darned good at protecting their infrastructure.
And, as pointed out very clearly at the Intelligent Defence conference within the show, which Daniel chaired, the threat vectors are increasing in number and sophistication, aided and abetted by companies themselves: such as the increasing use of internet of things (IoT) devices.
Leading provider of network security and DNS services, OpenDNS, warned at Intelligent Defence that the increased demand for the use of IoT devices in the enterprise was creating new attack vectors, and opening new avenues for faster exploitation. IoT devices are now moving to the corporate environment just like smartphones and tablets did. However, revealed OpenDNS research, the risks from such wide penetration were increasing even in some of the world’s most regulated industries, including healthcare, energy infrastructure, government, financial services and retail.
"Has detection and prevention suddenly become so unimportant? This is a huge and potentially dangerous assumption"
Even sanctioned IoT devices are now increasingly operating outside the control of IT departments because they rely on cloud-based and hosted network infrastructures. Many companies are basically under-prepared for their use. Indeed, the survey also showed that nearly a quarter of respondents had no mitigating controls in place to prevent someone from connecting unauthorized devices to their company’s networks.
Other research showed rather clearly that the threat landscape sure isn’t diminishing. At the show, PwC introduced the 2015 Information Security Breaches Survey, commissioned by HM Government, which found that almost three-quarters of small UK businesses, and 90% of large organizations, have experienced a security breach, roughly a 10% increase for both compared with the same time last year. PwC also found that the nature and type of threats that organizations now face have changed with data leaks and attacks from unauthorized outsiders of most worry – almost 70% of large UK organizations were attacked by unauthorized outsiders in 2014, up from 55%.
Commenting on the findings, Richard Horne, PwC cybersecurity partner, said “A breach is pretty much inevitable for an organization in the UK in today’s world. Dealing with breaches is now a fact of life.” Yet what he did not do was advise making a drastic move away from protection. Instead he suggested: “People are starting to realize that cybersecurity is not about fixing technology; it’s about fixing the way we use technology.” It was, as Jack Daniel also suggested, a question of balance.
Same as it ever was.