Dec 27, 2013

Word-cloud of 2014 security predictions

A year ago I wrote the mother of all security predictions posts. I created word-clouds from the 2013 security predictions of 10 different companies, and also a separate word-cloud from the combined texts of all of them. Creating the word-clouds was more fun than actually reading the predictions :-)

Now, just after Christmas, I'm feeling even lazier and decided to create only one word-cloud from the combined predictions of the following companies: Fortinet, Information Security Forum, Kaspersky, Microsoft, Sophos, Symantec, WatchGuard, Websense, Trend Micro and FireEye. My intention was to use the same companies as last year, but I couldn't easily find anything from Stonesoft (McAfee) or F-Secure, so I took Trend Micro and FireEye instead.

Here's the word-cloud made with Wordle.

2014 security predictions (word-cloud image)

For comparison, here's last year's word-cloud.

2013 security predictions (word-cloud image)

What can we see from these? Mobile doesn't seem to be in the predictions' focus as much as last year, and data has more visibility. Malware attacks seem to be on everyone's map, the targets being devices in general, not just mobile devices. Since everyone mentions data a lot, it could mean that attackers are predicted to be after valuable data more than just blackmailing or creating havoc.

So, number 1 security prediction for 2014 is: Expect data-stealing malware attacks against all devices.

No surprise there. What actually surprised me was that the word cyber didn't dominate the cloud. I take that as a positive sign.

Jul 14, 2013

Why people open dangerous email attachments despite all awareness campaigns – are they stupid or what?

Just recently I followed Duke University's online course, A Beginner's Guide to Irrational Behavior, taught by Dan Ariely, Professor of Psychology and Behavioral Economics. The course was excellent and also motivated me to read Professor Ariely's books.

Got a certificate:-)


The course had a small writing assignment to show that the teachings were internalized. I, of course, decided to write something security related, keeping in mind that the readers are not security experts. I chose my topic to be

Why people open dangerous email attachments despite all awareness campaigns – are they stupid or what?

A common way to spread computer viruses is via email attachments designed to infect the user's computer. Without opening the attachment the computer doesn't get infected, so the user must be lured into opening the file. Although organizations put lots of effort into educating users not to open suspicious attachments, someone always will. Lots of money is spent on automatically recognizing and deleting these malicious files, but there are always new tricks to circumvent the countermeasures. Not to mention that the number of viruses has sky-rocketed in recent years.

Here's a typical example of an email with an infected attachment that I got recently, apparently coming from Bank of America:

Transaction is completed. $39976449 has been successfully transferred. If the transaction was made by mistake please contact our customer service. Receipt of payment is attached.

The problem from an organization's point of view is that these malicious files are emailed in masses, and it may take only one user clicking the attachment for the whole network to get infected.

A common saying is that the user is the weakest link in security, which actually means that users are stupid and lazy. I would say that computer programs are not designed correctly, because they don't take human intuition and behavior into account.

Why do people tend to open malicious attachments? I can think of several reasons. First, we get legitimate attachments all the time which we need to open, so it's common practice for us, and anchoring bias makes opening the attachment the default behavior. Second, these scams usually offer us riches, love, health or something else everybody wants, and it's FREE. Third, virus-spreading emails usually have a falsified sender name that seems legitimate. Fourth, understanding computers, software and viruses is complicated, so we take the path of least resistance and just click the attachment. Fifth, although we've been informed about the dangers of viruses and how to behave in a secure manner, it was probably a while ago, and these awareness trainings don't have a long-term effect. In my mind security awareness trainings are comparable to being reminded about morality. I could think of even more reasons, but this will do for now.

What to do, then? Obviously we have to enhance automated security measures to make sure that more viruses get caught before users even see them. However, it's impossible to catch them all. I think that first we need better computer operating systems that prevent infections, or at least make them much more difficult. Then we need intelligent email clients which can learn from the user's email communication what a typical email looks like from that user's point of view. Finally, we need to remind the user about the possibility of a virus just before she opens the file. Clicking the attachment could give a reminder explaining why the email software has categorized the attachment as dangerous and what the unwanted consequences of opening the file could be. The user gets the warning just in time and has to confirm that she really wants to open the file. Naturally the default must be not opening the file. The trick here is to make the email software intelligent enough that the user doesn't get false alarms and doesn't need to make these decisions too often.
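To make the idea concrete, here is an added example of the "learn what typical mail looks like, then warn just in time, default to not opening" mechanism. It is not code from the original post or from any real mail client; the mailbox history, the file-type lists, the sender names and the lure message (modelled on the one quoted above) are all constructed for the example, and the heuristics are assumptions a real client would replace with maintained lists and a proper model.

```python
"""Just-in-time attachment warning with a default of "don't open".

Added illustration, not code from the original post or any mail client.
The sender history, file-type lists and messages are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from email.utils import parseaddr

# File types that run code or carry macros; an assumption for the example,
# a real client would use a maintained list.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif", ".jar", ".hta"}
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}


@dataclass
class Message:
    sender: str                                   # raw From: header
    body: str
    attachments: list[str] = field(default_factory=list)


@dataclass
class SenderProfile:
    """What the client has learned from mail this user has already exchanged."""
    seen_addresses: Counter       # address -> number of earlier messages
    names_to_addresses: dict      # display name -> addresses it appeared with


def learn_profile(history: list[Message]) -> SenderProfile:
    """Build the 'what does a typical email look like for this user' model."""
    addresses: Counter = Counter()
    names: dict[str, set[str]] = {}
    for m in history:
        name, addr = parseaddr(m.sender)
        addr = addr.lower()
        addresses[addr] += 1
        if name:
            names.setdefault(name.lower(), set()).add(addr)
    return SenderProfile(addresses, names)


def _suffixes(filename: str) -> list[str]:
    """All extensions of a file name, ignoring purely numeric parts such as 'v1.2'."""
    parts = filename.lower().split(".")[1:]
    return ["." + p for p in parts if re.search(r"[a-z]", p)]


def attachment_risk(msg: Message, profile: SenderProfile) -> list[str]:
    """Reasons to warn before opening; an empty list means 'open silently'."""
    reasons = []
    name, addr = parseaddr(msg.sender)
    addr = addr.lower()
    if addr not in profile.seen_addresses:
        reasons.append(f"sender {addr} has never written to you before")
    # The falsified-sender trick: a familiar display name on an unfamiliar address.
    known = profile.names_to_addresses.get(name.lower()) if name else None
    if known and addr not in known:
        reasons.append(f"display name '{name}' was previously used by {sorted(known)}, not {addr}")
    for fname in msg.attachments:
        sfx = _suffixes(fname)
        if sfx and sfx[-1] in EXECUTABLE_SUFFIXES:
            reasons.append(f"{fname} is an executable file type")
            if len(sfx) >= 2:
                reasons.append(f"{fname} hides an executable behind a double extension")
        elif sfx and sfx[-1] in ARCHIVE_SUFFIXES and addr not in profile.seen_addresses:
            reasons.append(f"{fname} is an archive from an unknown sender")
    if re.search(r"\$\s?\d{5,}", msg.body):
        reasons.append("body mentions an unusually large money amount")
    return reasons


def should_open(msg: Message, profile: SenderProfile) -> bool:
    """Default-deny: the file opens without a prompt only if nothing looks off."""
    return not attachment_risk(msg, profile)


# Constructed mailbox history: two correspondents the user has exchanged mail with.
HISTORY = [
    Message("Alice Example <alice@example.com>", "Minutes attached.", ["minutes.pdf"]),
    Message("Alice Example <alice@example.com>", "Updated slides.", ["slides.pptx"]),
    Message("Bank of America <alerts@bankofamerica.example>", "Your statement is ready."),
]
PROFILE = learn_profile(HISTORY)

# Constructed lure: same display name as the real bank, different address,
# PDF-looking executable, and the large amount from the quoted email.
PHISH = Message(
    "Bank of America <noreply@bofa-secure-mail.example>",
    "Transaction is completed. $39976449 has been successfully transferred. "
    "Receipt of payment is attached.",
    ["Receipt_39976449.pdf.exe"],
)
LEGIT = Message("Alice Example <alice@example.com>", "See attached.", ["agenda.pdf"])

if __name__ == "__main__":
    for reason in attachment_risk(PHISH, PROFILE):
        print("WARN:", reason)
    print("open without prompt:", should_open(LEGIT, PROFILE))
```

The point of the design is in `should_open`: the user is interrupted only when `attachment_risk` has something to say, and each reason is phrased so the prompt can explain itself, which is what keeps the warning from being yet another "are you sure?" the user clicks through.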

In general, software companies need to understand human behavior, and especially irrational behavior, much better and make use of that knowledge when designing software. It's not the users of the software that are the weakest link; it's the programmers who don't make software suitable for users, but instead force them to make tough decisions in a complicated environment.

Jan 24, 2013

First look at Finland's Cyber Security Strategy

Finland's cyber security strategy was finally published today after two years of preparation. First the workgroup used most of 2011 to gather background information and experiences and to define cyber security. The actual strategy work took the whole of 2012. Quite a long time to create a strategy, especially when the importance of strategic agility is mentioned in the strategy document itself.

Finland's cyber security vision is that (a) the vital functions of society are protected against cyber threats in all situations, (b) citizens, authorities and businesses can use and benefit from a secure cyber environment and (c) Finland will be a global forerunner in cyber security by 2016.

I tweeted about a five-minute cyber strategy a while ago. By that I mean the guidelines any security professional worth his salt would suggest in five minutes: better situational awareness, better public-private partnership, cyber incident handling capability, and more education and research.

Finland's cyber security strategy has the following 10 guidelines:

  1. Create an efficient collaborative model between the authorities and other actors for the purpose of advancing national cyber security and cyber defence.
  2. Improve comprehensive cyber security situation awareness among the key actors that participate in securing the vital functions of society. 
  3. Maintain and improve the abilities of businesses and organisations critical to the vital functions of society as regards detecting and repelling cyber threats and disturbances that jeopardise any vital function and their recovery capabilities as part of the continuity management of the business community.
  4. Make certain that the police have sufficient capabilities to prevent, expose and solve cybercrime.
  5. The Finnish Defence Forces will create a comprehensive cyber defence capability for their statutory tasks.
  6. Strengthen national cyber security through active and efficient participation in the activities of international organisations and collaborative fora that are critical to cyber security.
  7. Improve the cyber expertise and awareness of all societal actors.
  8. Secure the preconditions for the implementation of effective cyber security measures through national legislation.
  9. Assign cyber security related tasks, service models and common cyber security management standards to the authorities and actors in the business community.
  10. The implementation of the Strategy and its completion will be monitored.
I would say that (1), (2), (3), (7) and (9) nicely cover the five-minute strategy. In addition, more resources for the Police and Defence Forces, international co-operation and fixing legal issues were suggested.

This is a good start, but I must say I expected more, not least because of the long time used for creating the strategy.

A few things I would have liked to see in the strategy:
  • Linkage between information security, IT security and cyber security. It would help to demystify cyber security and to understand that we already have lots of know-how and expertise.
  • Concrete goals and an action plan. Now the strategy has only high-level suggestions, and the actions will be defined separately. It will take even more time to start the real work. Also, the metrics to measure progress and success are yet to be defined.
  • Stronger business involvement. The strategy workgroup consisted mostly of authorities and had only minor business representation. Everyone admits that most of the critical infrastructure is in the hands of private businesses, but the strategy still seems to focus on Government functions.
  • Collaboration between authorities and businesses must be two-way. Traditionally authorities expect information to flow from businesses to authorities, but it's equally important for businesses to understand the full situational picture.
  • Government security and preparedness responsibilities are scattered across different ministries. It would have been great to see a change where one ministry would be responsible for cyber security.
The strategy originally had two parts. The first part is the actual strategy and recommendations; the second part has background information and explanations. Only the first part is officially accepted; the second part didn't get official status. The reason (according to the news) is that the background document suggests a need for "offensive cyber capabilities", and that raised some concerns.

There has certainly been lots of talk and speculation around the national cyber security strategy. Expectations were high, and I'm sure we will see lots of comments, articles and blogs analyzing the strategy.

As always, security is a business enabler, and cyber security is no exception. We absolutely need security measures and awareness in order to use the cyber environment safely.

There's a long road ahead to make the vision come true. We should start by demystifying cyber security.

[Added strategy word cloud 24.1.13.] (word-cloud image)

[Added 25.1.13]

The second part of the strategy document, the so-called background memo, is now published. Unfortunately it is in Finnish only. My original comment about offensive capabilities was based on a draft document and newspaper articles about the approval process. That part of the text was changed, and now it only mentions cyber capabilities in general. I changed my original text based on this.

[Added 26.1.13]

Here, for my Finnish-speaking readers, are links to word clouds of the Finnish version of the cyber strategy and the strategy background memo.


Dec 16, 2012

Mother of all 2013 security predictions

As usual, lots of security predictions for the next year are coming out as this year comes to its end. While I still stand behind my own (everlasting) predictions I made in 2010, I thought it would be fun to check what's out there for 2013.

Since reading through all the different predictions could be somewhat mind-numbing, I decided to put a bunch of security predictions together and create a word-cloud with Wordle to see what sticks out.

So, I combined ten sets of security predictions for 2013 from Fortinet, F-Secure, Information Security Forum, Kaspersky, Microsoft, Sophos, Stonesoft, Symantec, Watchguard and Websense. Some vendors like to repeat their own name within their predictions, and I removed those self-promoting sentences to clean up the result a bit.
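The method behind both the 2013 cloud below and the 2014 cloud further up is the same: concatenate the vendor texts, drop the sentences in which a vendor names itself, and let word frequency decide what is big. Here is that procedure as an added example in plain Python; it is not the post's own code and does not call Wordle, and the two vendor names and their prediction texts are constructed stand-ins, not real vendor text.

```python
"""Word frequencies of combined vendor predictions.

Added illustration of the post's method; not code from the original post
and not a Wordle client. Vendor names and texts below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter

# Words that carry no signal in a prediction; an assumption for the example.
STOPWORDS = {
    "the", "and", "will", "are", "for", "that", "this", "with", "from", "more",
    "their", "they", "than", "into", "have", "has", "been", "also", "about",
    "but", "not", "our", "your", "these", "those", "such", "its", "can", "may",
}


def strip_self_promotion(text: str, vendor: str) -> str:
    """Drop every sentence in which the vendor names itself."""
    sentences = re.split(r"(?<=[.!?])\s+", text)
    return " ".join(s for s in sentences if vendor.lower() not in s.lower())


def word_frequencies(predictions: dict[str, str]) -> Counter:
    """Count words over all vendors after cleaning each vendor's own text."""
    counts: Counter = Counter()
    for vendor, text in predictions.items():
        cleaned = strip_self_promotion(text, vendor)
        # Tokens start with a letter, so years such as "2013" are left out.
        for word in re.findall(r"[a-z][a-z-]+", cleaned.lower()):
            if len(word) > 2 and word not in STOPWORDS:
                counts[word] += 1
    return counts


def top_words(predictions: dict[str, str], n: int = 10) -> list[tuple[str, int]]:
    """The n most frequent words, i.e. what would render largest in the cloud."""
    return word_frequencies(predictions).most_common(n)


# Constructed stand-ins for two vendors' prediction texts (not real vendor text).
SAMPLE_PREDICTIONS = {
    "AcmeSec": (
        "Mobile malware will double in 2013. AcmeSec protects you against "
        "mobile malware. Attackers will target mobile banking."
    ),
    "BetaGuard": (
        "Expect more malware on mobile devices. BetaGuard Labs predicts "
        "ransomware growth. Cloud data will be a target."
    ),
}

if __name__ == "__main__":
    for word, count in top_words(SAMPLE_PREDICTIONS, 5):
        print(f"{count:3d}  {word}")
```

Note what the self-promotion filter does to the result: the sentence "AcmeSec protects you against mobile malware" never reaches the counter, so a vendor cannot inflate its own pet topic simply by mentioning its name next to it, which is the same cleanup the post describes doing by hand.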

Here's the word-cloud of the combined security predictions. (word-cloud image)

Based on that, it seems that we need to prepare ourselves for malware attacks on mobile devices.

In case you are interested, below you find word-clouds of the individual predictions. Click a picture to get a larger version.

Fortinet
F-Secure
Information Security Forum
Kaspersky
Microsoft
Sophos
Stonesoft
Symantec
Watchguard
Websense


Sep 3, 2012

Demystifying Cyber Security

Information security, and especially IT security, has got a boost lately because of the cyber security - dare I say - hype. This boost is great from my point of view, since I regard myself as a cyber security expert with years of experience. However, I think that we need to get some sense into cyber security.

I've seen the blank look of business leaders when the word "cyber" was mentioned, and then saw them smile, relieved, when it was explained in terms of information and network security. I've seen the amazement of an information security expert attending a cyber security workshop when he realized that instead of being a rookie he actually has 10 years of experience in cyber security. I've seen vendors pushing old solutions under a new cyber-friendly name. I've seen proposals to change the headline of information security guidelines to include the word "cyber" - without changing the actual contents. There's nothing wrong with some marketing, but it should not prevent the message from getting through.

Cyber security is simply information security in our complex, networked world, which in my mind includes governance, risk management, IT security and network security. We shouldn't hide the basics behind complex (sometimes recursive) definitions or failed analogies. Analogies are dangerous, because 1+1 isn't always 2. Being an expert in "X" doesn't alone make you an expert in "CyberX".

I love William Gibson's definition of cyberspace: "a consensual hallucination" and "buzzword". It seems that cyber is to information security what cloud is to IT: a way to (over)simplify a complex environment. This reminds me of the good old RFC 1925 on networking truths, which can be applied more generally, too. Truths like: every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.

I have a couple of specific concerns with the cyber security hype. First: it took decades for information security to mature to the level where we discuss risk management, governance and metrics. Now I'm seeing the focus moving back to malware, network security and other technological countermeasures. Of course we need the full range of protection, not forgetting technical solutions, but let's look at the big picture.

Second: we shouldn't alienate current security experts from cyber security. I've heard about cyber security trainings where basic network security is taught. What? Any networking expert worth their salt would know how to secure networks. You don't even need an information security expert for that.

For many companies a networked environment with all its risks is business as usual. So think of cyber security more as evolution than revolution. I understand that in some special environments it may feel more like a revolution, but look around and you will find expertise and solutions.

May the Cyber Security be with you!