threat horizon 2020 - information security forum · 1.3 weaponised appliances leave organisations...


Post on 27-Jul-2020


Page 1: THREAT HORIZON 2020 - Information Security Forum · 1.3 Weaponised appliances leave organisations powerless Enemies aiming to inflict damage will take advantage of vulnerabilities

THREAT HORIZON 2018 – 2020

[Figure: Threat Horizon themes, 2018 to 2020]

Conflict looms

Technology outpaces controls

Pressure skews judgement

Disruption: from an over reliance on fragile connectivity

Technology adoption dramatically expands the threat landscape

Distortion: as trust in the integrity of information is lost

Ability to protect is progressively compromised

Deterioration: when controls are eroded by regulations and technology

Governments become increasingly interventionist

THREAT HORIZON 2020: FOUNDATIONS START TO SHAKE

2018

1.1 The IoT leaks sensitive information
1.2 Opaque algorithms compromise integrity
1.3 Rogue governments use terrorist groups to launch cyber attacks
2.1 Unmet board expectations exposed by a major incident
2.2 Researchers silenced to hide security vulnerabilities
2.3 Cyber insurance safety net is pulled away
3.1 Disruptive companies provoke governments
3.2 Regulations fragment the cloud
3.3 Criminal capabilities expand gaps in international policing

2019

1.1 Premeditated internet outages bring trade to its knees
1.2 Ransomware hijacks the Internet of Things
1.3 Privileged insiders coerced into giving up the crown jewels
2.1 Automated misinformation gains instant credibility
2.2 Falsified information compromises performance
2.3 Subverted blockchains shatter trust
3.1 Surveillance laws expose corporate secrets
3.2 Privacy regulations impede the monitoring of insider threats
3.3 A headlong rush to deploy AI leads to unexpected outcomes

2020

1.1 Cyber and physical attacks combine to shatter business resilience
1.2 Satellites cause chaos on the ground
1.3 Weaponised appliances leave organisations powerless
2.1 Quantum arms race undermines the digital economy
2.2 Artificially intelligent malware amplifies attackers’ capabilities
2.3 Attacks on connected vehicles put the brakes on operations
3.1 Biometrics offer a false sense of security
3.2 New regulations increase the risk and compliance burden
3.3 Trusted professionals divulge organisational weak points


The themes and threats included in Threat Horizon 2020 are summarised below, along with recommendations arising from the full report.

THEME 1: CONFLICT LOOMS

1.1 Cyber and physical attacks combine to shatter business resilience

Nation states and terrorists will combine traditional military force with their increasingly sophisticated cyber arsenals to launch hybrid attacks that create maximum impact.

Recommendation: Update crisis management plans to cater for a wider range of extreme eventualities. Conduct scenario planning and training exercises.

1.2 Satellites cause chaos on the ground

Disabling or spoofing signals from GPS will put lives at risk and impact global travel and finance markets. Attackers may also target media, communications, meteorological and military functions to further disrupt operations and trade.

Recommendation: Conduct a full risk assessment to profile how satellite communications are used in the organisation.

1.3 Weaponised appliances leave organisations powerless

Enemies aiming to inflict damage will take advantage of vulnerabilities in connected appliances such as thermostats, refrigerators, dishwashers and kettles to create power surges strong enough to knock out regional power grids.

Recommendation: Ensure that Internet of Things (IoT) appliances within the organisation’s control cannot be used as part of an attack.

THEME 2: TECHNOLOGY OUTPACES CONTROLS

2.1 Quantum arms race undermines the digital economy

Those who develop or acquire quantum computing technology will be able to break current encryption standards. With a fundamental security mechanism rendered obsolete, information and transactions of all kinds will suddenly become vulnerable.

Recommendation: Invest in, and be prepared to move quickly to, encryption methods that cannot be broken by quantum computing.

2.2 Artificially intelligent malware amplifies attackers’ capabilities

Attackers will take advantage of breakthroughs in artificial intelligence (AI) to develop malware that can learn from its surrounding environment and adapt to discover new vulnerabilities.

Recommendation: Invest in people with technical expertise in AI, particularly machine learning, malware analysis and reverse engineering.

2.3 Attacks on connected vehicles put the brakes on operations

By hacking connected systems, including those that control vehicles, attackers will cause accidents that threaten human life and disrupt supply chains – not to mention impacting the reputation and revenue of vehicle manufacturers.

Recommendation: Undertake a thorough risk assessment of supply chains to understand whether vehicles are safe and secure.

THEME 3: PRESSURE SKEWS JUDGEMENT

3.1 Biometrics offer a false sense of security

Organisations will sleepwalk towards a degradation of access controls: biometrics will frequently be compromised by attackers who learn to find increasingly sophisticated ways to overcome them.

Recommendation: Conduct risk assessments to evaluate which combinations of roles and levels of data criticality can be used with which authentication methods.

3.2 New regulations increase the risk and compliance burden

Demands for transparency will lead to information being stored in multiple locations and with third parties, increasing the likelihood of a data breach occurring. At the same time, new data privacy regulations will greatly increase the financial impact of a breach by levying materially significant fines.

Recommendation: Communicate the intricacies of balancing compliance needs with business risk to board members and other senior stakeholders.

3.3 Trusted professionals divulge organisational weak points

Increasing pressure on trusted professionals will lead some to divulge their organisation’s weak points. Those entrusted with protecting information will be targeted or tempted to abuse their position.

Recommendation: Identify every individual and external party with access to critical or sensitive information and verify – and then regularly reassess – whether that access is necessary.


CONTACT

For further information contact:

Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 [email protected]

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

REFERENCE: ISF 18 01 02 | CLASSIFICATION: Public, no restrictions ©2018 Information Security Forum Limited

WHERE NEXT?

We recommend that ISF Members:

‒ review the threats in Threat Horizon 2020, identifying those that are of high priority

‒ use ISF Live to become familiar with the techniques ISF Members have used to implement Threat Horizon

‒ consider how the contents of Threat Horizon can be adapted to work best within your organisational culture, for example to: develop a forward-looking cyber resilience strategy; enable threat analysis and formulation of potential impacts and responses; brainstorm risk treatments.

‒ use the ISF Threat Radar with business leaders to help categorise and prioritise threats and actions, particularly when time and budgets are limited

‒ work with other organisations to collaborate on threat intelligence and strategies

‒ give careful consideration to the ISF resources in this report including: Information Risk Assessment Methodology 2 (IRAM2), The Standard of Good Practice for Information Security, Protecting the Crown Jewels: How to secure mission-critical information assets, Threat Intelligence: React and prepare, Industrial Control Systems: Securing the systems that control physical environments and Managing the Insider Threat: Improving trustworthiness.

Consultancy services from the ISF provide Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.

The report is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at [email protected].