8 things I don’t want for Xmas but will end up in my stocking anyway…

E RADAR’s Dr Daniel Dresner reflects on the IT security landscape with his thoughts, predictions and his cyber info security signposts for 2014

Ho ho ho…

‘Tis the seasons of resolution and prediction. The latter being the estimate of how long before the former dissipates. Although seasonal traditions favour duodecimal taxons, it may be that boyhood fascination with all things Treasure Island has fixed me on the octal. Whether that’s pieces of eight or eight favourite discs who can tell? So. By way of stimulating fireside chat, are my eight cyber info security signposts for 2014 that you can pile up like standard in a government consultation. Like good future history, I’ve looked back at the same time…Burnt Norton is not compromised security software. Please consider this slightly surreal mixture of red circles and triangles for the careless and carefree travellers on the information super hype-way.



1. Ocean’s 11

If we are going to prefer cyber security over the superset of information security and ignore Weiner’s genius let’s go binary where one plus one is three. In space, no one can hear you scream although by the time I’ve finished, NASA may have developed something for the NSA that at least will mean one agency will hear you. Although the nature of the job means that they won’t let on that they’ve heard you.

In 2014, the glamour of the dark Internet – or deep Web or …switch the words around like fridge magnets…will encourage more and more to surf below the surface for no better reason than the genuinely wholesome desire for privacy. I bet good businesses will use it to. As we are encouraged to take protective measures, we’re going to find that some of those measures are going punch a hole through the forensic readiness we were backing last year. Security incidents are going to happen – it’s when, not if…and the when might have been years ago. Then when we look to follow the trail to understand how to repair and enjoy, we’re going to find that it’s lost like tears in the rain (Mr Decker). Forensic arts and crafts.

2. Thing one and Thing n

Too wet to go out and too cold to play ball, So we used a device with no real security measures at all…

Even if we do use moderately or better passwords as we sit at our devices, how often do we compromise that wafer thin division between us and disaster by allowing our devices (especially the mobile ones) to access the same stuff wirelessly for no more than a clear pin or a set of greasy finger marks on the screen. And whilst we berate would-be guardians for scaremongering, the cars of today  never mind of tomorrow  are opening themselves up to more crashes than Windows 98 on a good day.

Technology is rather like the early Star Trek movies, the odd numbers are rubbish. Please G-d that I should never need one but a wirelessly adjustable pacemaker that is marketed before it is secured is scary. Consider me mongered.

3. We will continue to OD on OD acronyms and other silly names

cyber info security There’s going to be some fad that will keep the consultants happy. If we knew what it was we’d buy shares now and still we’d fail to predict the crazy risks that will emerge as side-effects.

Bring your own device (BYOD) will only bring assurance when users agree to Sacrifice Your Own Device to the data-safety policies pertinent to what they use it for. We are still bouncing about some sort of maturity graph expecting newer technologies to offer in-built protection. So in 2014 we’ll continue to confuse people with Choose Your Own Device (CYOD) which comes with the tantalising suggestion that users can choose their own policies to fit…not enough that the company kit is affectionately called ‘my PC’. More flexibility brings greater power to do more and we all remember what Spiderman says about what comes with power…was he thinking about ISO/IEC 38500 (look it up).

Meanwhile as we run these devices through to the Fog (Sorry. The Cloud.) Where is it? When it comes to data governance, the acronym will be WOLF…Write Once Lose Forever. Bad Wolf. Wait until time travel is developed to enact the old adage…never create a filing system; create a retrieval system. Reference architecture kits need to come to the front so we all see our place on the network of networks and understand what we all need to do to reach that level of security that made at least one generation still on the planet’s face to be wary of strangers.

4. Unintellectual property

As the green shoots of recovery are trimmed by the multiple dips of the lawnmower of recovery, the previously shed will reappear in the market with the memory sticks of their last positions. And some things that should not have been forgotten were not really lost at all. And as movement in the jobplace ups its pace, the careful hording of data that went on during darker times ‘just in case’ will not see it making a move as it pre-empted the whole redundancy goings on.

And as we try to sift the tacit wheat of good practice from the explicit chaff of standards, can we hope to pull out morals and objectives from the song of the new kid on the block: protect, operate, and self-preserve. Cybernetics are our only hope in the fungal spread of requisite variety. Who has the forensic readiness to find a path back to the original.



5. Expect the unexpected

To be read in conjunction with the rest of the book which recommends ‘Don’t panic!’ in large, friendly letters.

Prevention remains important. Keep your garden fences in good repair so that you only have to deal with the hardened thugs who will make the effort to climber over rather than the crowd of ramblers who are just taking a short cut or want to assert rights that they really don’t need to make a point about. However, as the botnet-riddled world may have more stuff operating below the metaphorical RADAR, dealing with incidents and events will become number one skill. Cleaning up after the event…and pointing to the tracks of embarrassment with the floodlights of the European Network and Information Security Directive…will become a common theme. Some data will never be recovered…but it’s maliciously encrypted state will clog up the cloud drives until superior tech from the Planet Zargon arrives.

6. Each man’s hack diminishes me, for I am part of the network. So ask not for whom it is vulnerability…

More of a hope and a prayer perhaps than a prediction but as there are signs that powers that be may start mandating security requirements as part of procurement…may this be the year that the tsunami of advice for SMEs starts to wash up on some them and secure a huge part of UK plc’s economy.

Think about the European Computer Driving Licence… What about finally realising that good cyber (spitting noise) hygiene is actually the basis of a license to handle information of value and impact if it enters an unintended information system? You can classify data. Nice. You can measure (lovely) the security maturity of an organisation or information system (think: scope). So why don’t we permit the handling of the classified data according to the capability to protect it?

And for those who are prepared to take precautions, then mature cyber liability insurance will become a tool for underpinning the recovery process. It will become as expected as professional indemnity insurance as part of the mating ritual of trust in the supply chain.

7. Read the label

And then probably ignore it!

We will continue to be faced with more fronts than the law of requisite variety will allow us to face alone, it’s of questionable value as to how much effort we can put into lexicons and taxonomies rather than have a symbiotic ontology that helps us to deal with:

Snooping governments (our own, our special friends, or cliché-ridden Johnny foreigners),

Hacktivists and terrorists who fight for good causes, bad causes, and just bloody-minded dogma based on the false-premise of self-defined amorality,

Criminals who have the diodic belief that your possessions should be their possessions,

and

On-line vandals who can do no more than the electronic equivalent of smashing up a bus shelter.

Or any combination of the above that may be put in one class or work for another.

8. Rules of engagement

This is the time of year when the cold seems to suggest that perhaps a little cheer and encouragement may be due to the complete strangers we share this hemisphere with (with that generation caveat making muffled warning noises in the distance). But humanity’s propensity to take advantage of the situation casts a dark shadow as there are some ‘labelled’ people who use exactly this time of year to use trust as the leverage of attack.

If I can call Angela’s Law: trust is a state of positive expectation that one’s vulnerabilities will not be exploited, then perhaps security is a state when we’ve narrowed the vulnerabilities to the state where their exploitation is beyond reasonable reach. 2014 will continue to see the criminal honing of the toolbox which starts with the confidence tricks of social engineering and ends with a well embedded stash of stuff that allows control over another’s on-line persona and all that can be milked using it. We all get tired. We all make mistakes. We all need to realise that just driving when abilities are impaired can destroy, then so can handling data that can change lives.

Always on and always connected will continue to pervade the lives digital immigrants, always moral and always careful needs to pervade the lives of the digital natives from now on.

And finally…

Happy 2014. Let’s be careful wherever we click, tap, type, or slide across the screens.

Leave a Reply

Loading Facebook Comments ...
Loading Disqus Comments ...