August publication for Gaming & Leisure magazine.
As a tribute to this 15 year anniversary I thought I would do my best to look back at some of the fundamental changes in IT security while highlighting some prominent changes from the past and what might be described as a grim future.
For many IT professionals directly responsible for security initiatives over the past 15 years, it may be best summarized like salmon swimming up river only to eventually succumb to the teeth of a hungry bear or an angler in search of the big one. Keep up, keep up, keep up, change strategies, implement new policies, new hardware, new software only to be steps behind the hackers’ latest advanced attacks – diverse in thousands of ways to disrupt everything you have worked so hard to deliver to your business.
It’s probably safe to say that among all of the core technologies under the IT umbrella, security has evolved faster than them all. Due to the nature of the threats, the way companies are being hacked and attacked, and the advancements in the technology the attackers are using, security had to evolve quickly.
Big Security Changes
- Public Knowledge – One of the biggest changes to IT Security in general is how public it has become in the market place in the past 15 years. In the early 2000’s it was unheard of for a company to acknowledge a breach. Even more unheard of was for a company to provide any details or results of the breach. Prior to Breach Notification laws going into effect in most U.S. states and territories, the consumer was in the dark about what was happening with their sensitive data and most companies were perceived as having it under control. Fast forward to present day, it is commonplace to read about a security breach with the exact details of how a company was compromised. Security breaches have now become the public’s right to know. Forcing large enterprise companies to not only invest in the security products needed to protect their data, but also focus heavily on brand management to create a strong security perception to their customer base.
- Data Loss – Breached, hacked, compromised, fraudulent charges. Everyone who has been using a computer over the past 15 years has experienced some form of a security breach whether they know it or not. It’s hard to believe, but the industry has really started to adopt the assumptive breach analogy. Which means that you must assume you have already been breached and you should be taking remediation steps to that effect. From owning your own personal PC to managing massive data centers, mitigating the impact of an attack and protecting as much data as possible is the name of the game. This belief has forever changed the security practices for individuals and corporations alike.
- Security Posture – Enterprise companies have been forced to change their security stance as the advancement in criminal cyber activity continues to evolve. Corporate security professionals are no longer looked at as the defenders at the gate tasked with protecting the perimeter of the company. They are now tasked with using proactive forensic tools designed to locate threats that are likely already hiding within the infrastructure. Constant probes and proactive monitoring just scratch the surface of Enterprise Security remediation these days.
- Tools of the Trade – Year after year IT Security spend has eclipsed the previous year’s spend. More sophisticated attacks equal more sophisticated equipment. More advanced fire-walling, proactive monitoring, antivirus software, intrusion detection and prevention, encryption, tokenization, dual authentication, etc. The massive list of tools to mitigate risks grows longer, more complicated and more expensive every year.
- Tools of the Engineer – Advanced tools of the trade naturally lead us into the shrinking pool of professionals who can effectively operate these tools. Administrators who were once responsible for on-boarding new users, setting up and maintaining access controls and administering passwords are now responsible for a whole lot more. Keeping up with the security tools needed to protect the company will likely determine many engineers’ value and longevity within the organization.
So by taking a look back are we able to provide some foreshadowing of what is to come in the next 15 years of security? Alright, maybe the next 5 and that would be a reach. The 2015 review of cited breaches reached nearly 4000 with more than 736 million records compromised. This shattered the previous year! Are we left to believe that this will inherently become worse every year? If that’s the case, are the best practice security postures we share within the enterprise community really doing anything to stop the next attack on your business? Or, as previously stated in other articles, are we just preparing to limit the amount of damage the next attack has on the organization and hope we have a job left after?
It is truly a sad state of affairs when cyber security, which was once described as really only being an issue for military grade information is now fully backed and sponsored by countries looking to inflict cyber pain. Confirmation of Russian and Chinese backed attacks associated with government systems would prove to just be the start of what is now a full-fledged cyber war between many countries. Sponsored, funded and openly brash catch me if you can attitudes. We have also come to know that their focus is not to just compromise government data, but they are now focused on business espionage. It is clear that many motives of cyber-attacks are not only for competitive, military and government information, but they are targeting business information as well as politically motivated attacks to draw attention to a specific political agenda.
So just in case you didn’t have enough to worry about in the coming years as an IT Security Advisor to your company, you now get to worry about politically motivated attacks on top of financially motivated attacks. We are now dealing with hacktivist’s whose primary goal is to not steal sensitive information or financial data, but rather disrupt your business from operating just to make a point. DDos attacks really started to get popular about five years ago as hackers were looking to expose sensitive data that could potentially shed a negative light on a particular company. One of the most prominent attacks over the past few years being Sony Pictures where the attack was said to be motivated by the release of an upcoming movie.
I might argue that a DDos attack like this can do more damage to an organization than a typical hack looking to steal data for financial gains. The Sony attack, and a few other enterprise attacks that have impacted some of my largest clients, did significant damage to the company’s brand and many of the high level executives within the organization. Sony’s stock dropped almost 25% during the 15 day period where data was gradually being leaked every day. For weeks this crippled Sony and the ramifications impacted thousands of employees and other companies causing monetary damages that will be added up for years to come.
And the foreshadowing gets better! A look ahead shows that cyber-attacks will take on more personalization and consumerization which is currently showing the rise in attacks against corporate competitors, political opponents, and just ruthless hackers who want to take credit for taking down corporate America. This threat grows daily with the popularity to expose data to media for political gain. With the evolution of smarter technology comes the increased burden to keep it secure.
A look ahead shows the continued explosion of devices such as phones, tablets, wearables, smart TV’s and IoT Devices. The connected devices forecast is projected to exceed more than 200B by 2020. The number of wearable devices alone is expected to jump from 200M this year to more than 750M in less than three years. Every new device can prove to be a serious threat to every organization due to unknown vulnerabilities. Keep up, keep up, keep up!
Looking back the last 10-15 years obviously reveals simpler times, and a short look forward is daunting to say the least. It’s safe to say that as we continue to improve the defensive posture within the security community that the continued advancement in technology will make the next 15 years extremely interesting to say the least. I’ll just call it grimm!
Author Ryan Smith has spent most of his IT career supporting the Gaming & Hospitality market. First as an integrator for Cisco Systems, EMC and VMware and then as a Global Enterprise Account leader for Hewlett Packard. Ryan has helped build Enterprise architectures to support the world’s largest Gaming & Hospitality companies in more than a dozen countries. Ryan is the Founder and CEO of LCG, Inc. An IT Security Company with a core focus of helping companies address how new security standards and new payment architectures will impact their business. The team at LCG is focused on addressing the latest in breach and threat mitigation with IT Security Solutions and Software that remove liability from the customer.