Center for Internet Security – 2014 Cybersecurity predictions
We’re wrapping up our January cybersecurity prediction series for 2014 over the next few days, and we’ve saved some of the best stuff for last. Center for Internet Security’s CEO, Will Pelgrin, gave some outstanding prediction points for our series. The Center for Internet Security (CIS) is an expert group in the field of cybersecurity that advises public and private sector entities on securing technologies. It is composed of four groups: the Integrated Intelligence Center, the Multi-State Information Sharing and Analysis Center, the Security Benchmarks division, and the Trusted Purchasing Alliance. Through these divisions, CIS offers guidance through collaboration, better standards, security assurance, and strong communication of these objectives.
Pelgrin’s organization is focused on raising the security bar throughout the industry and predicts that communications and information sharing will be the most important factors in improving security at every level. This is a theme that has run through our prediction series, and it’s exactly what CIS is doing for the industry in a collaborative and cooperative fashion. The road ahead in 2014 will have many challenges, and it’s important to prepare to defend against these rising threats. The CIS message is that the modern security approach across the spectrum can look quite daunting at first glance, but it can be taken in manageable chunks, paying mind to layers and due diligence with the right strategy and practices at hand. CIS monitors the critical event flow of over half the country, through contracts with a number of major entities. They’ve automated much of their activity in order to reduce false positives and move towards a more proactive, predictive stance on threats and on conditions that may arise tomorrow and beyond. One key element of this is real-time or near real-time awareness in these operations, which helps qualify impact and shape an effective response.
The threats of 2014
Pelgrin takes both a retrospective and prospective look at the state of cybersecurity. All of us feel the impact of the major password breaches in the news, and he feels they will add to the trend toward longer passwords in an effort to bolster security minimums in the industry. Another big trend centers on old computers phasing out of circulation, many affected by the eventual and overdue retirement of Windows XP. Pelgrin likens it to using old medicine that’s in your cabinet: it’s probably not going to work. This purging of older technologies will have an inherent security benefit, in that a good deal of attacks are built to rely on the lowest common denominator in a situation. In the case of old computing platforms, the end of life for XP is but one case where the weaknesses that the platform base retains will not be missed by the security community. Still, that purge will take some time and threats will evolve, but the attrition of old technology across the spectrum, particularly for such a widely used operating system, can only help move the needle.
We’re ‘Clickaholics’
We’re still a clickaholic society, and one of the recurring themes in the security series has been the threat of the human link in the security chain. Pelgrin touches on this topic as one of the biggest threats still today, and the impetus behind the mission of CIS. The Advanced Persistent Threat (APT) is much talked about because there are so many factors to it: the careless application installer, the careless browser, the malicious parties, the malicious insider, the malicious software and more all have the human element in common, including the fact that humans often react faster than they can actually process information. Phishing and other schemes have gotten so good that even the best of experts have fallen prey to the proliferation of this technique. This touches all the elements we typically discuss; for example, Pelgrin discusses BYOD and the continued need to balance convenience with security as this technology change takes place. Those are the types of layers and vigilance that CIS adheres to through their practice and campaigns.
Now, with the Internet of Things around the corner, the threat can be expected to expand massively. Anything and practically everything can be expected to be connected and therefore to pose some kind of potential security threat. Already this past week we’ve seen a refrigerator that was hacked in a proof of concept, and we can expect more of these kinds of stories as things get close to a ‘Jetsons’ reality. Insulin pumps, heart machines and other devices have been hacked at the security research level, and may be getting closer to the point where they are tangibly threatened in the wild. CIS sees an opportunity to be ahead of the curve through great practices, established through the Medical Device Innovative Institute, where parties can come together in a collaborative way so that emerging products have security initiatives built in first.
CIS’ mission is to prevent those incidents as these devices do have potential vulnerabilities.
That’s just one wing of the CIS picture, as Pelgrin states:
“There’s so much to it and security is needed everywhere, by everyone”
He forecasts continuing financial fraud issues, as exhibited by what is now known as the Target breach, and that legal issues will dominate headlines as fallout from these incidents plays out.
That’s where CIS has positioned itself, and their feelings about the capabilities of the security market focus much less on technology than on personnel and processes. The movement to protection of data is an important one that will help things get better and bring a lot of the security away from the management realm of operations back into the security fray. Communications is central to this, and it often hinges on open discussions of security incidents down to the individual in the form of advisories, reviewing process and replaying the issues at a level of awareness that benefits the entire organization. Holding information isn’t very powerful. CIS holds monthly webcasts that cover APT, phishing and a whole host of things that affect the industry.