What will 2015 bring to infosec?

Matthew Hackling

Matthew has over ten years experience operating solely in the area of information security, holds a Bachelors degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urges still stay a bit technical. Hence he plays with backtrack linux, metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt’s security blog is called Infamous Agenda and he is an active twitter user with the handle @mhackling

It’s always wonderful to start a new year. A new year brings a fresh perspective and renewed enthusiasm. So what do I think twenty-fifteen will bring us?

More breaches! No organisation’s security is perfect, security breaches, data theft and public data disclosure will continue. Generally, in the private sector you just have to “target harden” enough until security becomes a competitive advantage instead a liability to your executive’s tenure.

More badly written regulation. Unfortunately many regulators write security and privacy regulations and legislation with no alignment to the ISO 27K series of standards, the bible for information security and the basis for many Information Security Management Systems. For goodness sake regulators, please consult Wikipedia before you pick up your pens, or engage professionals! At least you could include mapping to the relevant ISO standard, and align the standard statements in them to your standard statements. Help us ease the compliance burden if you must re-write the bible! If you feel the need to elaborate on them, participate in the standards committees!

DevSecOps. The cloud enabled approach of version controlling your infrastructure deployments via automation scripts will continue. Securely configured Amazon Machine Images (AMIs) are now available and organisations will more widely start to deploy file system permissions and application software secure configurations along with binaries and compiled code as part of automated deployments.

Agile Security. Security governance, architecture and testing need to revisit their core functions and re-invent themselves to enable agile development rather than hinder it. This may mean firewall rule requirements gathering as part of design for epics, abuse cases written up as part of user stories, static analysis as part of development frameworks, developer initiated dynamic analysis, dedicated security testing and code review resources for core enterprise applications etc.

Mergers and Acquisitions in product land. As anti-malware becomes less effective, I suspect we will see “the 200 pound gorillas” acquire smaller more agile security companies with more advanced malware protection technologies. I would not be surprised if we saw main stream web content management systems enabled with technologies that detect malware command and control communications, or email content systems that dynamically quarantine files with suspected malicious content identified on a site via sandbox based analysis—rather than by MD5 hash designated as malicious by an overworked analyst in a data entry environment after someone submits a malware sample.

As always your comments are welcome below and please consider following me on twitter for more irreverent commentary!

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Tags: infosec, malware, data theft, data breaches, CSO Australia, 2015, Amazon Machine Images (AMIs)