2015 saw a record level of cyber attacks, of all kinds, ensuring that the issue of cyber security
will remain firmly at the top of many Boards agendas. Here editor Ian Hunter looks at two
views of the increased threats to look out for in 2016.
I recently read a blog by Roger Grimes, a principal security architect at Microsoft, where he commented on 10 security technologies destined for the dustbin.
Coming in at No. 5 was Firewalls. Really?
Grimes explains. “The ubiquity of HTTPS essentially spells the doom of the traditional firewall. I originally wrote about this in 2012 and some people would say I was wrong. Three years later, firewalls are still everywhere. True, but most aren’t configured and almost all don’t have the ‘least permissive, block-by-default’ rules that make a firewall valuable in the first place. Most firewalls I come across have overly permissive rules. I often see ‘Allow All ANY ANY’ rules, which essentially means the firewall is worse than useless. It’s doing nothing but slowing down network connections.
Anyway you define a firewall, it must include some portion that allows only specific, predefined ports in order to be useful. As the world moves to HTTPS-only network connections, all firewalls will eventually have only a few rules — HTTP/HTTPS and maybe DNS. Other protocols, such ads DNS, DHCP, and so on, will likely start using HTTPS-only too. In fact, I can’t imagine a future that doesn’t end up HTTPS-only. When that happens, what of the firewall?
The main protection firewalls offer is to secure against a remote attack on a vulnerable service. Remotely vulnerable services, usually exploited by one-touch, remotely exploitable buffer overflows, used to be among the most common attacks. Look at the Robert Morris Internet worm, Code Red, Blaster, and SQL Slammer. But when was the last time you heard of a global, fast-acting buffer overflow worm? Probably not since the early 2000s, and none of those were as bad as the worms from the 1980s and 1990s. Essentially, if you don’t have an unpatched, vulnerable listening service, then you don’t need a traditional firewall – and right now you don’t. Yep, you heard me right. You don’t need a firewall.
Firewall vendors often write to tell me that their ‘advanced’ firewall has features beyond the traditional firewall that makes theirs worth buying. Well, I’ve been waiting for more than two decades for ‘advanced firewalls’ to save the day. It turns out they don’t. If they perform ‘deep packet inspection’ or signature scanning, it either slows down network traffic too much, is rife with false positives, or scans for only a small subset of attacks. Most ‘advanced’ firewalls scan for a few dozen to a few hundred attacks. These days, more than 390,000 new malware programs are registered every day, not including all the hacker attacks that are indistinguishable from legitimate activity.
Even when firewalls do a perfect job at preventing what they say they prevent, they don’t really work, given that they don’t stop the two biggest malicious attacks most organisations face on a daily basis: unpatched software and social engineering.
Put it this way: Every customer and person I know currently running a firewall is as hacked as someone who doesn’t. I don’t fault firewalls. Perhaps they worked so well back in the day that hackers moved on to other sorts of attacks. For whatever reason, firewalls are nearly useless today and have been trending in that direction for more than a decade.”
- Secondly, Colin Tankard, Managing Director of digital security company Digital Pathways, told us his predictions for 2016 when it comes to new or increased threats to look out for. He’s got a list and interestingly is I believe on a similar Firewall page to Microsoft’s Roger grimes.
- There will be more IoT devices released into the ‘wild’ with poor security. This has been highlighted recently with the ‘Hello Kitty’ hack just before Christmas.
- More network vendors are going to find their equipment compromised including building service systems such as HVAC.
Legislation, such as The Regulatory Powers Act, will get tighter when dealing with personal data and PCI will ‘raise its head’ especially at the SME level.
- I see larger fines – perhaps up to £1million – for data breaches come into force from the Data Commissioners Office.
We will continue to have no criminal penalties for unethical data handling. Nor will company directors face prosecution unlike Health & Safety regulations.
- End to end encryption, without legislative access, will be a huge argument and, ultimately, will be forced in place leading to greater use of the Dark Web.
- E-Wallets/Mobile Wallets will become the next generation for payments and, as a result, we will see an increase in targeted attacks on Smart devices.
- Companies will start to introduce air-gapped networks due to the cost of maintaining multiple Firewalls and the constant risk of poor policy rules which leave open ports. This will force organisations to consider better access controls to servers and even introduce cloaking technology to hide their digital attack surface.