
Threat Intelligence

10 Sea-Changing IT Security Trends Of The Last 10 Years

A look at ten of the megatrends that have shaped IT security -- and in some cases, enterprise business -- over the last decade.


Resource Center, which began collecting data on major breaches in 2005, reported 781 major compromises in 2015 – the second most recorded during the decade. In addition, many companies have come forward to disclose lesser breaches: Risk Based Security’s Data Breach QuickView Report cited an all-time high 3,930 incidents in 2015, representing more than 736 million records.

As enterprises became more public about their compromises, security researchers spent an increasing amount of time and effort disclosing new vulnerabilities. Over the past decade, a cottage industry has emerged in finding security vulnerability information and selling it to interested parties willing to pay for it. This "bug bounty" trend has continued to grow in recent years, and many major companies – including Facebook, Google, and Yahoo – now offer such programs as a part of their business. As a result, security vulnerabilities are being discovered and disclosed at record levels today.

With the increasing publicity of security breaches and vulnerabilities, the stigma and secrecy surrounding the security problem have begun to diminish. While companies are still reluctant to reveal the compromises they experience, there is greater acceptance that bad breaches can happen to good companies – and that the sharing of breach and vulnerability information can benefit entire industries. The emergence of information sharing groups within sectors such as financial services, retail, and energy suggests that companies are more willing than ever to admit they have a problem and then share it with others.

Out Of The Data Center And Into The Boardroom

The aforementioned publicity has resulted in another new phenomenon during the last decade: security is now a boardroom issue. Once sequestered into cubicles deep in the data center, IT security managers are now routinely consulted by management in matters of new technology deployment – and perhaps more importantly, business risk. Many organizations now recognize the threat of a breach as perhaps one of the most impactful – and least predictable – risk factors that can affect a large enterprise during the course of a given fiscal year.

While fear of negative headlines was the initial driver behind security’s rise to the boardroom, risk management has become the reason why many CISOs are keeping their seats at the mahogany table. Just as today’s businesses now recognize that they cannot build a single set of castle walls to defend, many are also recognizing that all new business decisions carry a certain level of cyber risk. As a result, today’s security team is tasked not only with defending the data the company already has, but with assessing the potential risk of new business and technology ventures. This trend promises to continue as companies “Internet-enable” a wide variety of devices and applications that previously had no intelligence: the Internet of Things.

The War Between The States

Cybersecurity was an issue for military and defense organizations long before 2006, but in recent years, the role of offensive, state-sponsored hacking activity has become a much larger and more important issue for enterprises as well. While Russian-backed attacks on government systems in Estonia and Georgia in 2007 opened the eyes of some security pros, it was their reach into non-government systems – such as contractors and media outlets – that worried many IT organizations. Subsequent reported attacks by China on Google and other media businesses made it clear that state-sponsored attacks would not be limited to military targets, but extended to targets of business espionage as well.

Today, most savvy IT organizations understand that some foreign governments actually support and fund the process of collecting business intelligence from rival nations through the use of state-sponsored hacking units. While China is the most frequently-mentioned offender, many other countries also conduct their own sorties into foreign business systems – including the developers of Stuxnet, an attack on Iranian systems that clearly served US interests. The result of all this state-sponsored activity is clear: the IT security department must now concern itself not only with financially-motivated attackers, but politically-motivated operatives as well.

Hacktivism Becomes A Thing

As governments were discovering the many useful ways that cybercrime could further their political interests, smaller groups of political activists – and even individuals – were discovering that online attacks were an effective method of raising awareness or making a protest. For several years, the largest of these groups, Anonymous and LulzSec, effectively kept the IT security industry on its toes, wondering where they would strike next.

Hacktivist groups brought new threats to enterprise defenders, who previously had developed defenses primarily to protect the organization’s financial interests. Hacktivists, largely uninterested in data or financial theft, introduced the industry to new attack types such as distributed denial of service (DDoS), which simply made enterprise systems unavailable, or “doxing,” in which sensitive data and email were captured and published for all Internet users to see. With different methods and motivations than their financially motivated forebears, hacktivists created a whole new theater of attack and defense for IT security departments to deal with – and those attacks and defenses are now part of any good corporate IT security strategy.

Blacklisting Blacklisting

In 2006, the chief defenses for enterprise security were based on "signatures" – the idea that a security system could store all known threats and simply block them when they arrived. Antivirus, intrusion detection systems, intrusion prevention systems, and other tools were generally built on this concept of “blacklisting” any incoming malware or data bearing a known bad signature.

Over the course of the decade, however, the number of new threats that had never been seen or recorded – so-called "zero-day threats" – has skyrocketed, primarily thanks to polymorphic technology that enables malware to be deployed and redeployed in a new version each time, essentially creating thousands of new instances, each constituting a previously-unrecorded zero-day exploit. While signature-based technology still blocks many known threats, most security pros now recognize a need for tools and strategies such as behavior-based defense, which identifies malware by the way it acts, and whitelisting tools, which allow only known good data and applications while placing everything else in a safe “sandbox” where a determination can be made as to its security.

While it’s popular to state that antivirus is dead – and this sentiment was even repeated by the CEO of Symantec, maker of the world’s most popular antivirus software, in 2014 – most enterprises still use AV technology to help filter out the increasingly-smaller segment of malware that is both known and bad. However, using the term "signature-based" at a security conference continues to be about as well-received as using the term "high fat content" at the local gym.

Encryption Gets Both Good And Bad Names

As enterprises continue to struggle with blacklisting, whitelisting, behavior, and sandboxing, many security proponents are increasingly offering another, simpler strategy: encrypt everything. No matter what defenses you use, they say, attackers are likely to break through them – so the answer is to encrypt all sensitive data, therefore rendering the compromises useless, since the attackers end up with only streams of data that they can’t read. A good deal of promising encryption technology has come and gone over the last decade, much of it hobbled by cost of implementation, impact on performance, or confusion on how to manage the keys that unlock the encrypted data.

While encryption technology continues to improve and become easier to implement, it also has proven to be a double-edged sword because of its availability to attackers as well. In recent years, attackers have successfully penetrated enterprise defenses by simply encrypting their exploits -- and thereby obfuscating them from the view of security tools and IT security professionals. Other cybercriminals are now using encryption as a means of kidnapping enterprise data and holding it for ransom until the victim company pays a premium. IT organizations also are wrestling with legitimate encryption, which can make it possible for employees to hide their activities on corporate networks while limiting the effectiveness of traditional security technology such as deep packet inspection.

What's Next

What trends will define IT security a decade from now?

There’s no sure way to tell. Today’s behavior-based solutions may give way to some new generation of technology. The current emphasis on forensics and incident response may give way to a new set of prevention tools. The current emphasis on cyber risk might be offset by a new class of cyber insurance. Your guess is as good as ours. The one thing that we know for sure is that, when it comes to security, the only constant is change.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comment from ChrisHarget (User Rank: Author), 6/1/2016 | 6:17:52 PM

What's Next? Machine Learning, Anyone?
A number of startups are trying to find ways to let machines look at internal user behavior, create statistical norms for what is typical, then highlight or escalate abnormal behavior that might be a breach. If you have 100 employees with the same job title, but only one of them is storing gigabytes of data in a cloud drive, that might merit the attention of a security analyst.

This is still very early days, and one can imagine all manner of places it won't work (what if you only have 2 employees with a particular job title?), but if it's even useful 1/4th the time in a large organization, that might still be a big step forward for accelerating early detection.
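The peer-group baselining the comment above describes, as an added example that is neither the commenter's nor any vendor's code: each user's cloud-upload volume is scored against the median and median absolute deviation (MAD) of their own job-title group, and groups below a minimum size are skipped, which is the small-group failure mode the comment raises. All records, thresholds and the field layout are constructed for illustration.

```python
"""Peer-group anomaly scoring for cloud-upload volume.

Constructed sample data: each record is (user, job_title, gigabytes uploaded
to a cloud drive this week). A user is compared only with peers holding the
same title, so one heavy uploader among many similar colleagues stands out,
while a title held by only two people yields no trustworthy baseline.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    ("alice", "analyst", 0.4), ("bob", "analyst", 0.6), ("carol", "analyst", 0.5),
    ("dan", "analyst", 0.3), ("erin", "analyst", 0.7), ("frank", "analyst", 0.5),
    ("grace", "analyst", 0.4), ("heidi", "analyst", 41.0),   # the lone outlier
    ("ivan", "cto", 9.0), ("judy", "cto", 0.2),               # a group of two
]

MIN_PEERS = 5        # assumed floor below which a peer baseline is not meaningful
MAD_THRESHOLD = 6.0  # assumed robust z-score above which a user is flagged


def robust_scores(records, min_peers=MIN_PEERS):
    """Return {user: (job_title, gb, score)} for users in large-enough groups."""
    groups = defaultdict(list)
    for user, title, gb in records:
        groups[title].append((user, gb))
    scores = {}
    for title, members in groups.items():
        if len(members) < min_peers:
            continue   # too few peers: skip rather than invent a "typical" value
        values = [gb for _, gb in members]
        med = median(values)
        # MAD is robust to the outlier itself; floor it so scores stay finite
        # when every peer reports the same volume.
        mad = median(abs(v - med) for v in values) or 0.1
        for user, gb in members:
            scores[user] = (title, gb, (gb - med) / mad)
    return scores


def flag_outliers(records, threshold=MAD_THRESHOLD, min_peers=MIN_PEERS):
    """Users whose upload volume sits far above their peer group's norm."""
    return sorted(
        user for user, (_, _, score) in robust_scores(records, min_peers).items()
        if score > threshold
    )
```

With the sample data only heidi is flagged; ivan is never scored because the two-person group is skipped, and even when the floor is lowered to two he scores one MAD from a median that is just the midpoint of him and judy, so a pair cannot reveal which member is abnormal.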