28 days of awareness: day 10

For those security awareness topics we've covered before, one of our tasks in preparing a new awareness module is to gather up and review the older materials to see if there's anything we can recycle this time around. Collecting the old stuff into a directory is easy enough although sorting and checking through it takes a bit of effort. 

The pace of change in information risk and security is notable in that anything written more than maybe 3 or 4 years ago is barely even worth checking: there may be some goodies in there worth reusing (typically some of the graphics and maybe timeless, general materials from the staff awareness stream) but most likely they would have to be revised so substantially to bring them up to date that we might as well start over and re-write them from scratch. 

On the other hand, reviewing the older stuff reminds us what were the issues of concern back in the day, and hence how much things have moved on. In years past, our malware awareness modules have focused on topics such as viruses (remember them?!), network worms, Advanced Persistent Threats (APT) and other things - such as the Sony hack which we turned into an awareness case study.

Malware is such a broad issue that we've touched on it in many other awareness topics too, such as hacking, email security, social engineering and more. That breadth gives us plenty of background context for the general malware awareness content (such as the newsletter, plus the staff presentations and briefings), while the ransomware aspect is crystallizing out as a central, topical theme to cover in more depth this year. Aha! A cunning plan is hatched!

The really fascinating bit of our job involves thinking not just about what has happened before and what is hot today, but what might be lurking just around the corner. Awareness or indeed information security programs that only address current and past risks are always on the back foot, of course, 'still fighting the last war' one might say. 

Avoiding the obvious problem of security awareness content becoming stale and outdated is the reason we designed the awareness service around a monthly delivery cycle. Unlike some of our competitors (and potential customers!), we don't just deliver a bunch of static content once, nor even once-a-year. We barely even have outline plans for the topics we are thinking of covering in the next few months. Every module is as fresh, topical and up to the minute as we can make it, reflecting past, current and future issues. If something new pops out of the woodwork, we're keen to pick up on it without delay. This is state-of-the-art stuff.

So, where is malware heading? Emerging concerns include:

• IoT malware - infections of highly vulnerable things causing chaos in terms of disrupting operation of the things themselves, snooping on every aspects of our lives, and forming botnets or comms paths to exploit mainstream ICT;
• Malware automation - just as cloud computing is exploiting software to manage networked systems dynamically, and military forces are developing and deploying autonomous weapons, so even more sophisticated and capable botnets are surely on the cards, in fact some are probably already out there ...;
• Increasing sophistication - as well as dvancing technology automation, malware threats are becoming more sophisticated. We see this most obviously in relation to APT demonstrating the potential to undermine many security controls that we believed to be invincible. Thus far, APT appears to have been used by government-sponsored groups against national security or politically motivated targets, but who knows what might be going on right now in the shady worlds of the criminal underground and competitive intelligence? More sophisticated social engineering techniques are also of concern in that it is getting harder year by year to spot phishing and other attacks.
• Failing controls - I remember the days when the antivirus companies promoted their wares as universal solutions to the malware issue (some of them still do!). Out here in the Real World, we can't help but notice that malware is very much a real and present danger, despite the huge amount of money being thrown at the AV companies, and despite their huge investment in malware analysis and countermeasures. They are almost but not quite keeping pace with the tsunami of malware being generated by an army of VXers and tools.
• Stealth - another important feature of malware is its capability to remain undetected, potentially for very long periods. Aside from malware infections at the hardware and firmware levels, there are other ways of remaining under the radar using obfuscation to hide in the background noise. 

Given the obvious technology angle to most of that, we'll mention emerging malware concerns in the awareness stream for professionals - probably the newsletter, pro seminar and pro briefing/s. One or more of these may well become a central theme in next year's malware awareness module, unless something else turns up out of the blue in the mean time, which is entirely possible.

Spotting and responding to emerging issues is probably the main reason that I've personally enjoyed doing this awareness stuff full-time month-by-month for well over a decade now, despite being easily bored by nature. On top of that, I enjoy getting creative with the formats and types of awareness materials we deliver, and with the awareness techniques we promote to our subscribers ... which is another of our monthly tasks, to think up new ways to interest and engage workers with the awareness program. Hmmm, something to ponder this weekend.