Saturday, January 31, 2015

World Economic Forum - Global Risks 2015

Each January the World Economic Forum (WEF) has a grand meeting in Davos, Switzerland.  This meeting brings together the major decision makers and influencers in the world to review the current state of the world and its risks.

As part of this annual event the WEF compiles and publishes its Global Risks assessment.  The 10th edition, assessing the global risks for 2015, has just been published.  A picture of the report's cover is below.  The report can be downloaded at: 

As a student of infrastructure and security I find this report to offer tremendous insight into the challenges faced by society today.  Also, the report includes some excellent graphics to help the reader get a better sense of the interplay between the various risks and what they refer to as "risk constellations."

The authors first established five categories of risk: economic, environmental, geopolitical, societal and technological.  Then, within each category, there is a collection of different risks that are graded and assessed.  The individual risks are then plotted on a quadrant (below) assessing each risk's Impact and Likelihood.

Then, based on the above mapping/assessment, the top 10 risks are determined by Likelihood and by Impact, as shown in the next graphic.

Finally, an aspect I normally consider with these lists is those risks listed in both columns.  These include:

  • Water Crises
  • Unemployment or Underemployment
  • Failure of Climate Change Adaptation

Even though this is a short list, please consider how they are interrelated and how the water crises are aggravated by failure of climate change adaptation, which can result in job loss and thus unemployment.

Overall, I would highly recommend that you review the report and especially get a sense of the risk themes raised and how they impact your profession and personal life.



Tuesday, January 27, 2015

ENISA Publishes Cyber Threat Analysis of 2014

Our friends at the European Union Agency for Network and Information Security (ENISA) have published the ENISA Threat Landscape 2014 on 27 January 2015.  The report includes some details on developments made in 2014 relative to the top cyber threats and emerging threat trends, mainly in the cyber arena.

You can download a copy of the report (Free) at:

From the Executive Summary of the report, below are some of the "positives and negatives" of today's cyber threat landscape from ENISA's point of view.

Many of the changes in the top threats can be attributed to successful law enforcement operations and mobilisation of the cyber-security community (bolding by Ernie Hayden):

  • The takedown of the GameOver Zeus botnet has almost immediately stopped infection campaigns and Command and Control communication with infected machines.
  • Last year’s arrest of the developers of Blackhole has shown its effect in 2014 when use of the exploit kit has been massively reduced.
  • NTP-based reflection within DDoS attacks is declining as a result of a reduction of infected servers. This in turn was due to awareness-raising efforts within the security community.
  • SQL injection, one of the main tools used to compromise web sites, is on the decline due to a broader understanding of the issue in the web development community.
  • Taking off-line Silk Road 2 and another 400 hidden services in the dark net has created a shock in the TOR community, at both the attackers' and the TOR users' ends.

But there is a dark side to the threat landscape of 2014:

  • SSL and TLS, the core security protocols of the internet, have been under massive stress, after a number of incidents have unveiled significant flaws in their implementation.
  • 2014 can be called the year of the data breach. The massive data breaches that have been identified demonstrate how effectively cyber threat agents abuse security weaknesses of businesses and governments.
  • A vulnerability found in the BASH shell may have a long-term impact on a large number of components using older versions, often implemented as embedded software.
  • Privacy violations, revealed through media reports on surveillance practices, have weakened the trust of users in the internet and e-services in general.
  • Increased sophistication and advances in targeted campaigns have demonstrated new qualities of attacks, thus increasing efficiency and evasion through security defences.

The report does include a summary table of trends (Page 4) that the reader may find useful.  A copy of the table is shown below, with some highlights on the areas that are declining and a note about ransomware.

Lastly, one area the report raises as a new focus is "Cyber-Physical Systems."  These are engineered systems that interact with computing equipment and are integrated with it to control, manage and optimize physical processes.  The areas of concern they mention are power supply, medical systems/healthcare, industrial systems and manufacturing, transportation, telecommunication, etc.  The report includes a table (below) of the Top Emerging (Preliminary) Threats to CPS (Page 67):

Overall, the report is of excellent quality and is a useful summary of the cyber issues of 2014.