After a series of high-profile data breaches in 2015 – including TalkTalk, Ashley Madison and Hacking Team – consumers are becoming increasingly aware of the seriousness of security breaches and their potential impact on data theft victims. AlienVault believes that these highly publicized incidents will help lead to a shift in the way that businesses respond to attacks, with security teams looking to strengthen their incident response methodologies and collaborating to find new ways to protect themselves from emerging threats. Javvad Malik, Security Advocate at AlienVault, explains: “As more and more high-profile breaches occur, there is a greater need for companies to respond quickly and effectively. This is not just from a technology perspective to get their systems back up and running again; companies also need to make sure they have the right communication strategies in place to reassure both stakeholders and customers. There have been several examples throughout the year where the public relations part of a breach was not handled optimally. So in 2016 we expect the boardrooms of many companies to increase their focus on all aspects of incident response as they look to acquire or further develop the required skills to respond effectively.”
AlienVault also believes that criminals may be able to combine personal data stolen from different breaches to cause further damage to the affected individuals. Malik explains: “The Ashley Madison breach changed the dynamic in that it brought to light the fact that, given the right context, both personal and professional lives could be much more severely impacted by data breaches than previously thought. Unfortunately, the rising frequency of breaches doesn’t look to be slowing down any time soon, and thus, going forward, the cumulative impact of data correlated from multiple breaches may pose a significant threat to victims.”
As high-profile breaches become more commonplace, better collaboration will be needed among IT security teams in order to share information on emerging threats. Malik continues: “Next year we expect to see more formal processes in place for sharing information on potential security threats. This will not only be among organisations and industry verticals, but perhaps more importantly among individual practitioners. The more trust networks are created and threat data and best practices are shared, the better advantage companies will have to protect themselves.”
Responsible disclosure
The proliferation of the ‘Internet of Things,’ and the security threats that come with it, has been in the news repeatedly in 2015, as researchers discovered and made public potential vulnerabilities in the plethora of internet-connected consumer devices. Researchers found serious vulnerabilities in things like aeroplanes, medical devices, guns and cars, where hacks could have potentially devastating consequences. The discovery of new security vulnerabilities in the expanding number of internet-connected things is likely to continue in 2016.
However, as more security vulnerabilities come to light, we can also expect to see further delays in the time taken by companies to respond to security researchers who contact them about potential problems. Earlier this year, an AlienVault survey revealed that the majority of IT professionals (64%) believe that if security researchers get no response from manufacturers when disclosing vulnerabilities with life-threatening implications, then such information should be made available to the public.
Malik explains: “Security researchers are positioned at a pivotal time in breach history, and 2016 could bring about radical changes in how vulnerabilities are discovered, confirmed, reported and addressed. The emergence of tech companies adopting bug bounty programs has helped facilitate company/researcher relationships; however, there are still large segments of manufacturing and industry that would rather utilise lawyers to block research than address discovered vulnerabilities. Researcher self-regulation has been touted as another option for security researchers to consider. It is unlikely that we will see the conclusion to this debate in 2016, but we will likely see some moves being made.”