Emerging Trends In The Information Security Landscape 2020


A whitepaper

Contents

Advanced hacking techniques
- Purple is the new red
- Advanced penetration testing
- Multi-factor attacks
- IoT and embedded systems: the risks keep growing
- Blockchain and immutable ledgers: moving beyond hype
- Rise of the machines: machine learning and artificial intelligence

Third party risk
- Supplier risk management

Ongoing compliance and regulations
- Ongoing GDPR privacy assurance
- Weaponized DSARs and the automation to come
- PCI (Payment Card Industry) trends

Cloud security risk management
- Zero trust networks in an O365 world
- Cloud security

Call: 1 800 862 4977 (US) / 44 345 222 1711 (UK) / 353 1 210 1711 (IE)
Email: cyber@bsigroup.com or Visit: bsigroup.com

Executive Summary

BSI’s global centre of excellence for Cybersecurity and Information Resilience has forecast a range of emerging trends across the cybersecurity landscape for 2020. This whitepaper highlights the next developments in cyber threats, cyber-related regulations, technological evolution and specific solutions.

Among the cyber threats, we analyze:
- Advanced techniques for verifying cyber defence capabilities
- Managing data breaches and third-party risk
- Ongoing compliance and regulations
- Cloud security risk

What becomes clear from the review is that industry regulations which include cyber elements, and cyber-attacks themselves, continue to prevail in volume and sophistication. This means that security organizations are adapting to come up with new ways to manage these increased workloads. The term “shift-left” appears more often as cyber/regulatory efforts are addressed earlier on, as increasingly, organizations move to the cloud and reduce the burden on IT and security maintenance overheads.

Mature organizations are developing tailored and consolidated control frameworks to manage cyber, regulatory and legal needs through a single management system. This single view offers one set of controls against which privacy, cybersecurity, information security and supply chain can all be managed and monitored using formal KPIs. As regulations continue to mature and overlapping requirements become common, organizations would do well to understand where efficiencies can be leveraged to meet obligations, stay secure and increase the efficiency of security team workloads.

Attack defence preparation remains high on the agenda for 2020, with organizations who may have only considered table-top cyber simulations up to now opting for a deeper level of assurance through purple team attack simulation. These hands-on simulations derive some of the most tangible benefits in truly understanding the incident response capabilities across their people skills, process adequacy and system tuning.

Advanced hacking techniques

Purple is the new red
Author: Nick Hayes, Global Head of Technical Direction

Penetration testing is an activity which has been the foundation of offensive testing in the security industry for many decades and indeed continues to be an important part of many organizations’ security programs.

Although the concept has been around for quite some time, attack simulation testing has been gaining in popularity over the past few years, particularly the Red Team testing element of it. This was no doubt aided by various schemes being introduced to the market which supported and mandated this type of work, such as the CREST STAR accreditation, the CBEST scheme from the Bank of England and others outside the UK such as TIBER-EU and iCAST. There was also the introduction of the GBEST scheme for government departments. Ultimately, what these schemes and accreditations achieved was to formalise the market requirement and mandate that organizations in certain industries had a duty to carry out such engagements.

During 2019 however, the industry did see a slight shift towards a preference for performing Purple Team engagements alongside, or in place of, the Red Team engagements. A Purple Team assessment simply means that the Red (offensive) and Blue (defensive) teams are working in unison to achieve mutually agreeable objectives, namely that of improving the organization’s response and detection capabilities. Purple Teaming as a concept and an approach can be a particularly powerful one, often with training of the Blue Team being a key objective, which in turn drives improvement throughout an organization and tightens its defences. Additionally, a Purple Team engagement does not necessarily need a high level of organizational maturity to be able to see actionable results, due to the direct and collaborative approach, which is not always the case with a Red Team.

Purple Teaming is often seen as a sensible, pragmatic approach to proactive security and, along with Red Teaming, is the only testing type which truly gives a picture of the level of preparedness of an organization to resist a cyber-attack. As more industries and sectors realise the benefits of performing attack simulation tests, BSI believe that the popularity of Purple Team testing will continue to rise as it did during 2019.

Advanced penetration testing
Author: Nick Hayes, Global Head of Technical Direction

As mentioned earlier in this whitepaper, penetration testing has been a cornerstone of many security programs over several decades. However, in the recent past there has been a shift in approach and requirements, driven by the buying market and the security challenges organizations are facing currently. As a result, the security industry has needed to evolve its approach and the way it provides assurances to organizations through security testing.

One of those key challenges is that of software development and the rising popularity of CI/CD (Continuous Integration/Continuous Deployment) pipelines and alternative development methods such as Agile, Lean, Scrum and DevOps. Traditionally, penetration testing would have been performed as a point-in-time exercise at the end of a project lifecycle; however, that was generally at a stage in the project where remediating the errors was difficult and expensive.

Organizations are therefore beginning to consider security much earlier in the lifecycle, often referred to as a “shift-left” culture. Simply put, “shifting-left” moves the security implementation to earlier stages of the lifecycle, thus enabling security-by-design and allowing for substantial cost and time savings over a project lifecycle.

For a client “shifting-left”, a penetration test that only happens at the end of the lifecycle would be out of sync with their existing security commitments. As a result, there has been a trend towards more continuous and integrated penetration testing. A continuous penetration test can mean a few things, such as external vulnerability scans (running 24/7), testing of new code as it is deployed in an agile development environment, through to the introduction of additional automation of security efforts at various parts of the pipeline, such as integrating DAST (Dynamic Application Security Testing), SAST (Static Application Security Testing) and IAST (Interactive Application Security Testing) techniques. Testing in this way does represent some significant changes in approach for the security industry; however, implemented well, it can often provide organizations with a boost to the value they derive from testing.

Whilst the trend towards continuous and integrated testing activities continues, there is an additional requirement on the industry to rethink how reports are delivered. Testing in a development pipeline is fine; however, it would be counterproductive to then wait 5-10 days for a PDF report, which can be difficult to ingest into existing workflows and tooling. At BSI we are evolving too, and introducing a new client portal solution for our testing clients in 2020 which will allow for quicker and more seamless interaction with CI/CD pipelines and agile development teams, amongst other features such as allowing for quick estimations and booking of testing activities.

Advanced hacking techniques

Multi-factor attacks
Author: Conor Gavin, Technical Team Lead – eDiscovery and Digital Forensics

A positive development throughout 2019 has been the roll-out of Multi-Factor Authentication (MFA). Reports from LastPass suggest that 57% of businesses globally are using MFA, an increase of 12% from 2018. Microsoft also estimates that 99.9% of attacks on your account can be prevented with MFA. However, as the number of organizations protected by MFA continues to rise, attackers will increasingly attempt to bypass MFA.

BSI’s Incident Response and Forensics consultants have seen successful attacks using what we’ve termed a “9am Attack”. In this attack, an end user has been successfully phished and their password compromised, but the account is protected by MFA. Through simple research it is usually possible to find out what country, and therefore time-zone, the compromised end user is based in. Armed with these details, the attacker attempts the following:

1. The attacker attempts a login at around 9am of the local time of the user
2. The end user, just arrived in the office and now logging in, gets a prompt on their authenticator app to approve
3. If the attacker has timed it correctly, the user associates their login with the prompt and approves it, granting the attacker access

As well as timing attacks, other possible attacks include sophisticated phishing tools like Evilginx which utilise genuine sign-in pages to perform man-in-the-middle attacks to capture authentication tokens sent as cookies after MFA has been completed by the user. If successful, the attacker can copy this captured cookie to their own machine and enjoy full access to the compromised user’s account. SIM swapping attacks are also popular for high value targets using SMS-based authentication. This involves the attacker socially engineering the mobile phone carrier. The attacker gathers enough personal information about the target to convince the carrier that they are the legitimate owner of the account, and subsequently requests a replacement SIM. Once received, the attacker can then use the SIM to receive MFA authentication codes.

MFA will continue to be an essential defence against attackers, but as its adoption increases, attacks against it will invariably increase too. 2020 might well be the year MFA attacks go mainstream.
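The “9am Attack” above leaves a recognisable trace in sign-in telemetry: an approved push for a login from outside the user’s usual country, within minutes of the user’s own login, at the start of the working day. The detection below is an added example written for this section, not code from the whitepaper; the log entries, the home-country table and the start-of-day window are constructed assumptions.

```python
"""Detect the MFA push-timing pattern ("9am attack") described above.

Added example for this section, not code from the BSI whitepaper. It runs
over a constructed sign-in log in which every event is a successful password
authentication that triggered an authenticator push, together with how the
user answered that push. The home-country table and log entries are made up.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class PushEvent:
    user: str
    when: datetime      # already converted to the user's local time zone
    country: str        # geolocation of the source IP of the password login
    result: str         # "approved" or "denied" by the user


# Constructed: the country each user normally signs in from.
HOME_COUNTRY: Dict[str, str] = {"alice": "IE", "bob": "UK"}

# Constructed log. alice has been phished: a foreign login at 09:02 gets
# approved, and her own login follows two minutes later. bob declines a
# late-night foreign push, so nothing is flagged for him.
SAMPLE_LOG: List[PushEvent] = [
    PushEvent("alice", datetime(2020, 1, 13, 9, 2), "RU", "approved"),
    PushEvent("alice", datetime(2020, 1, 13, 9, 4), "IE", "approved"),
    PushEvent("bob", datetime(2020, 1, 13, 8, 55), "UK", "approved"),
    PushEvent("bob", datetime(2020, 1, 13, 22, 10), "BR", "denied"),
]

# Assumed "arriving at the office" window that the attack relies on.
START_OF_DAY = (time(8, 30), time(9, 30))


def suspicious_approvals(
    events: List[PushEvent],
    collision_window: timedelta = timedelta(minutes=15),
) -> List[Tuple[str, datetime, str, List[str]]]:
    """Return (user, time, country, reasons) for approved pushes that fit the pattern.

    A push approved for a login from outside the user's home country is always
    reported. Two further tags strengthen the finding:
      - "concurrent home sign-in": the same user also logged in from home
        within collision_window, i.e. the victim likely mistook the attacker's
        prompt for their own;
      - "start-of-day prompt": the foreign login landed inside START_OF_DAY.
    """
    by_user: Dict[str, List[PushEvent]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, evs in by_user.items():
        home: Optional[str] = HOME_COUNTRY.get(user)
        for ev in evs:
            if ev.result != "approved" or ev.country == home:
                continue
            reasons = ["foreign source"]
            if any(
                other is not ev
                and other.country == home
                and abs(other.when - ev.when) <= collision_window
                for other in evs
            ):
                reasons.append("concurrent home sign-in")
            if START_OF_DAY[0] <= ev.when.time() <= START_OF_DAY[1]:
                reasons.append("start-of-day prompt")
            findings.append((user, ev.when, ev.country, reasons))
    return findings


if __name__ == "__main__":
    for user, when, country, reasons in suspicious_approvals(SAMPLE_LOG):
        print(f"{user} {when:%Y-%m-%d %H:%M} from {country}: {', '.join(reasons)}")
```

A finding carrying all three tags is the strongest signal that the approved session belongs to an attacker rather than the user, and is the one to revoke first.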

IoT and Embedded Systems: the risks keep growing
Author: Adam Caudill, Director – Application Security Testing

As more devices are connected to the internet, from refrigerators to coffee makers, the risk these devices present to their environment is going to continue to grow. While hacking a “smart” appliance may seem like a trivial risk, it’s the access they can provide to other devices on the same network that presents the greatest threat.

By targeting IoT devices, attackers can gain a foothold in a network, allowing them to use the device as an entry point to attack systems that are far more critical. When targeting a network, attackers will seek out the weakest link first, and IoT devices are far too often not living up to the same security standards as the other systems that they share a network with. By installing devices that may have entirely unknown security properties on a network, it’s easy to create new weak points on that network, just the thing attackers look for.

Keeping these devices isolated from important systems by properly segregating the network, and ensuring that the devices have been tested by a reputable penetration testing firm, are key steps to protecting the environment in which they will live.

Blockchain and immutable ledgers: moving beyond hype
Author: Adam Caudill, Director – Application Security Testing

There’s no question that there has been a huge amount of hype around blockchains and other forms of immutable ledgers in recent years.

While there is still a great deal of hype, these technologies are more and more being used in business-critical systems, making it vital to ensure that they are secure. While systems built around blockchains have some unique weaknesses that do not apply to most applications, in reality most issues that are found in these systems are common application security failures that could be prevented by following well established best practices. Failing to learn from the past, failing to learn from the well documented and well understood best practices that have been established, is a recipe for disaster – and there have certainly been some spectacular failures.

As more businesses look to leverage the benefits of immutable ledgers in their business processes, using their ability to provide cryptographic assurances to allow their customers and business partners to authenticate data, there will also be increased interest in subverting these systems to allow attackers to manipulate data for their own purposes. Whether it be maliciously altering existing records, inserting new records, or attempting to deny access to the system altogether, there will be substantial focus on these systems and the monetary impact could be very significant.

Immutable ledgers – the vital core of blockchains – provide substantial value to businesses, helping to address a variety of challenges, such as tracking a chain of custody, verifying that records haven’t been altered after the fact, documenting critical details as components pass through the supply chain, and many others. A ledger that is append-only, immutable, and backed by strong cryptographic guarantees can be leveraged in numerous ways to provide assurances that are difficult to obtain otherwise.

Advanced hacking techniques

Rise of the machines: machine learning and artificial intelligence
Author: Adam Caudill, Director – Application Security Testing

As machine learning is being deployed in an ever-expanding number of roles, attacks against these systems (which may have a life or death impact) are also improving at a rapid pace. Machine learning is being applied to a truly massive number of problems: from self-driving cars, detecting medical issues such as cancer, advising doctors and insurance companies of the best medical care plans, predicting supply chain issues, to optimizing investments and portfolio management. Machine learning is becoming a defining technology in solving some of the most pressing challenges that businesses face. It also creates some unique security challenges.

There has been a great deal of academic research into how to attack and otherwise trick systems that rely on machine learning, from fooling facial recognition systems to making self-driving cars think that a stop sign is instead a speed limit sign. As this research begins to move out of academia and into the real world, the results will likely be substantial and hard to predict.

Machine learning, for all the good it can do, also opens up entirely new classes of security issues (without closing any of those faced by other software), and as a result presents a greater challenge to secure. We expect to see some particularly interesting attacks in 2020 and beyond, which could lead to rather unexpected results for those using systems that are reliant on machine learning.

Due to the nature of machine learning systems, in that they are often not fully understood even by their developers, the results of an attack can be hard to detect and, unlike other cybersecurity issues, may be very subtle. Attacks against the data used to train a machine learning algorithm, be it a labeled dataset or the data ultimately fed into a reinforcement learning system, can produce the most subtle results – changing the outcome of the algorithm in ways that could easily go undetected for years.

This is an area that we see as being at the earliest stages of attack development, and we expect implementation of proper defenses to become extremely important.

Third party risk

Supplier risk management
Author: Herman Errico, Security Consultant – Cyber, Risk and Advisory

Supplier risk management is a practice that allows organizations to identify, assess, manage and treat supplier risk. This practice applies to information security risks that relate to suppliers of both services and products. From a process perspective, organizations are following ISO 27002 and 27036 to perform supplier risk management operations.

In 2019, supplier risk has registered a substantial increase in terms of visibility and regulatory recognition. On one hand, legislative requirements such as the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) directive have identified a requirement to manage supplier risk effectively. On the other hand, some of the major recent data breaches (e.g. Airbus [2019]; Marriott International [2018]) were due to the lack of security controls within a supplier’s environment, and this has increased overall visibility.

Therefore, in 2020, risk related to supplier relationships will continue to be considered an emerging trend. However, we do see some differentiators for 2020 compared to 2019. Companies will require the ability to further customize their solutions to better identify the security control baselines that are necessary to reduce suppliers’ risks. This approach will contribute to the effective reduction of risks to offsite processing of information, outsourced system development, integrations, configurations or hardware product provenance, to name a few.

Companies are starting to improve their ability to manage those risks by adopting third party services for outsourced monitoring (e.g. security rating – BitSight) or by implementing cloud-based management systems for supplier risk management. By having a dedicated security baseline to manage supplier risk, companies will be better positioned to achieve their compliance requirements and their business objectives.

Ongoing compliance and regulations

Ongoing GDPR privacy assurance
Author: Conor Hogan, Senior Manager – Cyber, Risk and Advisory

Ever-new and maturing privacy regulations mean that organizations need to evolve their approach to privacy compliance. Adopting a rights-focused privacy programme will enable organizations to embrace compliance as an enabling “BAU” process.

Globalization and the relentless advance in technology mean that privacy safeguards are necessary to ensure the fundamental rights of citizens are protected. Legislatures all around the world are alert to the increasing imbalance of power between citizens and corporations and governments. The rise of big data and artificial intelligence continues to threaten privacy. Strong, robust, and rights-based protections are needed to insulate from unnecessary intrusions, for example tracking a person’s location and every movement via fitness trackers or “smart” watches.

EU regulators continue to grapple with the weight of public and industry expectations of GDPR enforcement. But organizations routinely struggle to meet the accountability requirements of the GDPR. Individuals are more aware than ever of their rights, but also heavily fatigued by privacy-related scandals.

Privacy is in vogue, with limited credit due in part to the GDPR, but we continue to see a steady increase in evolving or new legislation like the GDPR. Japan’s Act on Protection of Personal Information (APPI) and Brazil’s Lei Geral de Proteção de Dados (LGPD) are closely aligned with the GDPR. US developments like California’s Consumer Protection Act (CCPA), and a proposed federal privacy bill (“Consumer Online Privacy Rights Act”), mean that the corporate challenge of privacy compliance will not simply disappear. Organizations must consider their global requirements with a properly resourced and scoped privacy program to help plan, manage and demonstrate compliance.

Adopting a principles-based privacy program to establish a rights-centred approach to controls is a pathway forward. Documentation is critical to evidence compliance – whether in response to a regulatory demand or to satisfy a customer or certification audit. Embedding a culture of privacy takes time and investment, especially when compliance is traditionally viewed as a barrier to innovation. Privacy must be considered at the earliest possible stages of projects to help organizations improve data protection maturity. The simple idea of “shifting privacy compliance left” means that a culture of privacy-by-design can be nurtured, and the challenges of ongoing privacy assurance can be more easily met.

Organizations traditionally engage third party auditors or an internal function to provide varying degrees of assurance over internal controls. Indeed, assurance frameworks are a dime-a-dozen (e.g. ISO27001, ISO27701, SOC2, PCI DSS, BS10012, HIPAA, FISMA, etc.). But demonstrating privacy compliance is not an easy task and cannot be considered a point-in-time requirement. Ongoing assurance over the privacy programme will help improve privacy maturity, enable innovation, build trust with customers and investors, and help meet mounting regulatory expectations with a robust and defensible position.

Weaponized DSARs and the automation to come
Author: Ciaran Mahon, Consultant – eDiscovery & Digital Forensics

Increasing use of Data Subject Access Requests (DSARs) by individuals, activists and cybercriminals will accelerate the move towards improvements in standardized processes and automation for handling DSARs.

The General Data Protection Regulation (GDPR) and other global privacy regulations have put organizations on a positive path to privacy management. It has encouraged more responsible data handling and greater transparency of how personal information is processed, controlled and governed. However, complying with Data Subject Access Requests (DSARs) continues to be a challenging area for most organizations. Many departments, from Human Resources to Legal to Compliance, are continuing to feel the impact as consumers become more aware of their right to obtain a copy of their personal data in the form of a DSAR.

In 2020, new privacy laws will come into force around the world such as the CCPA in California, the LGPD in Brazil and the PDPA in Thailand. With similar bills pending in New York (New York Privacy Act s.5642), Pennsylvania (House Bill 1049) and Massachusetts (Consumer Privacy Bill SD 341) among others, the coming year is going to be another busy year from a DSAR standpoint. Organizations are likely to see the continued use of DSARs by:
- Individuals curious to see what personal information a company may be processing on them
- Activists attempting to cause disruption to an organization
- Cyber-criminals looking to steal personal information

In 2019, the Blizzard Entertainment protest demonstrated how Article 15 of the GDPR can be used by activists to flood a company with simultaneous DSARs. As these requests can place a significant administrative burden on organizations, we may see more of these protests in future.

There is also the potential for DSARs to be used by cybercriminals as a mechanism to steal personal information. A University of Oxford-based researcher demonstrated in his ‘GDPArrrrr: Using Privacy Laws to Steal Identities’ paper how organizations lacking a clear and robust method for verifying Data Subjects can be manipulated into sending personal information to the wrong individual.

Given these challenges and the constantly changing regulatory landscape, in 2020 organizations are likely to adopt more robust mechanisms for verifying Data Subjects, make smarter use of data retention strategies, and make further moves towards automation to reduce the resource-intensive burden that falls on organizations.

Ongoing compliance and regulations

PCI (Payment Card Industry) trends
Author: Leo Boike, Senior Consultant – Cyber, Risk and Advisory

With much anticipated excitement, v4.0 of the Payment Card Industry Data Security Standards (PCI DSS) is tentatively scheduled for late 2020.

Goals for v4.0 include:
1. Meet the security needs of the payments industry
2. Add flexibility and support of additional methodologies to achieve security
3. Promote security as a continuous process
4. Enhance validation methods and procedures

The twelve core requirements of PCI DSS will not change, but v4.0 will introduce a new validation methodology. Instead of the traditional method, organizations may opt to show that their controls meet the intent of PCI DSS and address risk. Having a flexible method of validation will allow organizations to better align their compliance efforts with risk and to allow for alternative solutions in order to meet the intent of PCI DSS. For organizations wishing to avail of this more flexible option, it is likely that significantly more time will have to be added on to their audit in order for the justification to be verified.

Businesses continue to move their networks to cloud solutions for ease of configuration and network management, and also for the security, flexibility, and rapid deployment of changes needed in today’s competitive business world.

Solutions that remove the storage, processing, and transmitting of cardholder data from the network and business environment reduce not only the risks to the organization but also the reporting efforts needed to validate compliance to PCI DSS. These solutions include, but are not limited to, payment channels for:
- Mail order/telephone order (MOTO) – including PBX, call recordings, and call centers
- E-commerce
- Card present (face-to-face)

The trend for PCI compliance is to implement solutions that not only decrease risk, but also the efforts needed to meet and validate PCI DSS compliance, allowing businesses to improve their processes. The business goals are to maintain a culture of change and agility, without being overly encumbered by resource-intensive and financially impactful compliance requirements.

As businesses move forward, they must maintain engagements with their PCI DSS advisors in order to stay abreast of changes coming in v4.0, ensuring that they are de-risking their card processing environment and, where card data must be stored and processed, are maintaining PCI DSS in an effective and efficient manner.

Cloud security risk management

Zero trust networks in an O365 world
Author: Vincenzo Rea, Senior Consultant – Cyber, Risk and Advisory

How do you define your company’s network boundaries when using cloud services? How do you feel when username and password are the only obstacles between a web page and your data? The Zero Trust Networks model utilises new security measures for protecting organisations and their perimeter when it is truly distributed.

…granting access to ensure our identity is legitimate and has the necessary rights to proceed. Along with the credentials, additional controls include the network and the device where the request originated, geolocation, previously initiated sessions including those with different applications within the organisation, proxy services, multi-factor authentication, access control lists, encryption and scoring mechanisms.

If you are wondering how a single data breach can extract data in a single cyber-attack, the answer is probably through the castle-and-moat model’s weaknesses. While many people may not be familiar with this terminology, the castle-and-moat model is widely used every day by many companies around the world. In a castle-and-moat model, everyone inside the network has access to certain resources and, more importantly, everyone’s identity is trusted by all the others inside that network. The flaw with this model is that once attackers gain access to the network, they are trusted and considered as legitimate users.

While the Office365 user may not realize it, he or she is already part of the Zero Trust Network security model. In 2010, the researcher John Kindervag formalized the concept of a Zero Trust Network model, based on the principle that no one is trusted by default from inside or outside the network, and identity validation is required from everyone before access is granted to any resource. There is no single technology associated with this security concept; it is rather a different approach to network security that embeds several different principles and technologies.

Security doesn’t stop there though, and users still have to play their part. As emphasized by the NCSC UK in a recently published article, cloud services, including Office365, are now at the top of the list of targets for cyber-attacks. Password spray attacks and credential stuffing are only two of the many ne
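The contrast between the castle-and-moat model and the per-request, signal-scoring evaluation described above can be made concrete. The following is an added example written for this section, not code from the whitepaper or any product: the signals, weights, thresholds and scenarios are constructed assumptions that show how device, network, geolocation, existing sessions and MFA combine into one access decision.

```python
"""Castle-and-moat versus zero trust, evaluated per request.

Added example for this section, not code from the BSI whitepaper or any
vendor. The signals, weights and thresholds are assumptions chosen to show
how a scoring mechanism can combine the controls the section lists (device,
network, geolocation, existing sessions, MFA); a deployment would tune them
to its own telemetry.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AccessRequest:
    user: str
    credentials_valid: bool
    source: str                 # "corporate" (inside the network) or "internet"
    device_managed: bool        # enrolled in device management
    country: str                # geolocation of the request
    mfa_passed: bool            # MFA satisfied on this request
    other_session_country: Optional[str] = None  # another live session, if any


HOME_COUNTRY: Dict[str, str] = {"alice": "IE"}   # constructed


def castle_and_moat(req: AccessRequest) -> str:
    """Perimeter model: a valid login from inside the network is trusted outright."""
    if not req.credentials_valid:
        return "deny"
    return "allow" if req.source == "corporate" else "deny"


def risk_score(req: AccessRequest) -> int:
    """Sum the risk contributed by each signal; valid credentials alone earn nothing."""
    score = 0
    if not req.device_managed:
        score += 30
    if req.source != "corporate":
        score += 10
    if req.country != HOME_COUNTRY.get(req.user):
        score += 25
    if req.other_session_country and req.other_session_country != req.country:
        score += 35          # the same identity is already active somewhere else
    if not req.mfa_passed:
        score += 20
    return score


def zero_trust(req: AccessRequest, step_up_at: int = 25, deny_at: int = 60) -> str:
    """Every request is evaluated; nothing is trusted for being inside the network."""
    if not req.credentials_valid:
        return "deny"
    score = risk_score(req)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at and not req.mfa_passed:
        return "step_up_mfa"
    return "allow"


def compare(req: AccessRequest) -> Tuple[str, str]:
    """(castle-and-moat decision, zero-trust decision) for the same request."""
    return castle_and_moat(req), zero_trust(req)


# Constructed scenarios.
SCENARIOS: Dict[str, AccessRequest] = {
    # alice at her desk on a managed laptop, MFA done.
    "office": AccessRequest("alice", True, "corporate", True, "IE", True),
    # alice working from home in Ireland on a managed laptop, MFA done.
    "remote": AccessRequest("alice", True, "internet", True, "IE", True),
    # Stolen password used from an unmanaged device on the office network,
    # no MFA, while alice herself is logged in from Ireland.
    "insider_stolen_creds": AccessRequest(
        "alice", True, "corporate", False, "IE", False, other_session_country="IE"),
    # Stolen password used from abroad while alice's own session is live at home.
    "foreign_stolen_creds": AccessRequest(
        "alice", True, "internet", False, "RU", False, other_session_country="IE"),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        moat, zt = compare(req)
        print(f"{name:22} castle-and-moat={moat:12} zero-trust={zt}")
```

The "insider_stolen_creds" scenario is the one the section warns about: the perimeter model allows it because the request is inside the moat, while per-request scoring demands a second factor the attacker does not hold.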
