2015 was a wild and crazy year for anyone involved in IT security: entire industries hacked and gutted, the rise and fall of high-tech cybersecurity stocks, governments demanding back-door encryption keys and the discovery of long-standing nation state back-doors in commercial firewalls.
What’s next? 2016 promises to be another banner year, although hopefully with more good news than bad news. A lot of ideas that were being built and tested over the past few years will become more mainstream in 2016. In the meantime, it will also become ever more obvious that the old 'war tubas' of WW1 (like current political demands to replace strong encryption with state-sponsored key escrow) have had their time and need to be retired this year.
Here are my predictions for what might be coming in the next 12 months!
The Boardroom Finally ‘Gets It’
The IT industry has been decimated by so many security intrusions, privacy and data loss events (from Sony Pictures to Saudi Aramco to the Sands Casino) that boards are finally getting to the point where any new viable approach is on the table for consideration. Most recently, BlackEnergy malware was used to gain access to the Prykarpattyaoblenergo network; the attackers then opened circuit breakers that cut power, causing a portion of the Ukraine power grid to shut down. All industries are vulnerable and everyone finally knows it. Millions of dollars are being lost, CEOs are being dismissed, and IT cybersecurity budgets are increasing to reflect the now understood risks that need to be mitigated.
Two-Factor Authentication (2FA) Becomes more the Norm than the Exception
Headlines have been claiming that “passwords are dead” for years now. (Yawn!) However, major service providers like Google, Microsoft and Apple now provide 2FA in a seamless fashion that is almost as easy to use as our old-fashioned passwords (and a lot better than hunting through a long list of 20-character passwords you’ve written down, right?). Look for smaller services to leverage the big players’ offerings in this arena and jump on the 2FA express.
A ‘hardened’ computer system is one that has a security policy applied to its operating controls, enforcing what should and should not be allowed to exist, run or happen on the system. Group Policy Objects (GPO) will become the norm for Windows in the enterprise, and optionally will be ‘automagically’ applied when a new system is created, right out of the box. Other Unix-based operating systems may require a more customized approach, but are equally in need of an easy-to-use, GPO-like means of applying security settings right out of the box. Hopefully some of the very high-priced configuration management utilities will become more mainstream this year.
Security-related AI gains a toe-hold
Companies like SparkCognition and Darktrace are using AI to drive threat discovery engines and to enhance the security knowledge base available to clients who need advice on how to fix security problems on their networks. Look for more companies leveraging these technologies to provide cybersecurity assistance in 2016.
The Internet of Things (IoT) Gets Real (Bad)
Ransomware will officially replace magic as the best means of dealing decisively with those you wish bad fortune upon. Malware operators now offer “ransomware as a service” to anyone with a vendetta, selling programs that allow a client to download a customized payload aimed at a specific target. A recent report noted that between April 2014 and June 2015, the FBI received nearly 1,000 complaints about just one type of ransomware virus.
Will someone’s home be held ransom by their malware-infected smart refrigerator? Will it lock a homeowner out (or in) unless a ransom is paid? Will the weak IoT security controls in smart appliances be exploited? The Internet of Things is going to get much more interesting, security-wise, and it is a problem we are nowhere near prepared to solve. We have already seen a report of a smart IoT light bulb that accidentally performed a DoS attack on a home network after it developed a hardware problem. This is not yet a Cyber Kill Chain that most of us are prepared to deal with.
IPv6 Attack Surface is Explored
While its baked-in security functionality is certainly better than IPv4’s “Security? What security?”, there will certainly be more attention paid to organizations that have implemented v6, and close examination of v6 functionality to see whether any of the exploits, errors and weaknesses in v4 also exist in v6. Look for news of some clever nation state actors exploiting v6 in an interesting new intrusion this year, especially on routers and firewalls. (The Snowden archive still has a lot of data that has not yet been published!)
Stop Avoiding Failure – our technology will improve in the future
While it can be discouraging to spend your days fighting what may seem to be a never-ending stream of security incidents, keep in mind that security professionals are paid to deal with the big security issues that ordinary mortals are unable to comprehend, let alone resolve. Trench fighting may not always be seen as ‘successful’ by some people’s business standards, but when we persevere in the spirit of resilience we will be seen as heroes in the eyes of the many other people who depend on our service.
Cultivate resilience by encouraging the people around you to take risks, experiment, and work as a team, but don’t hyper-focus on perfectionism. Try out new ideas to improve the security of your infrastructure, and cultivate the ones that reduce risk and make your job easier. Some ideas will help and some will fail, but we learn from our mistakes while constantly improving our systems.
And finally: Dear Beneficiary,
Happy 2016! I bring to your notice that a letter for your favour which had been prepared beforehand is also attached to this message. It is the legal power, giving you right and entitlement to the donated funds noted below...