12/26/2017
10:30 AM
Dave Lewis
Commentary

2017 Security Predictions through the Rear Window

If you're going to forecast the future, go big.

It's no secret that I've long held a dim view of the security predictions that invariably bombard our feeds and social media accounts every December. In years past, I made a point to write up an article using a list of predictions from a blog post 10 years earlier. The catch here was that the list read as an indictment as opposed to a prediction. Of the list of 10 security issues, eight remained relevant a decade after they were posted.

The practice of making predictions often brings to mind the image of a palm reader or medium saying, "I'm seeing a security breach for a company that starts with … A … B?" This may seem a little cruel, but I can't help but draw a parallel with Alfred Hitchcock's Rear Window. The protagonist of the film — confined to his apartment in the summer heat — pieces together a crime from the bits and pieces that he sees unfolding in the apartment across the way from his rear window. This view feels familiar, because security predictions have us talking about security issues in bits and pieces.

If you pull all of the predictions together, they start to paint a more vivid picture of the issues that security practitioners face every day. As the end of the year drew closer, I couldn't help but wonder how the palm readers fared with their 2017 proclamations, so I took a sampling of some of the lists that I could find online. They discussed a wide range of topics such as these:

  1. Ransomware will continue to be a problem.
  2. Security blame will continue as one of the least popular games.
  3. Mobile will continue to rise as a point of entry.
  4. The Internet of Things (IoT) will continue to haunt the security threat landscape.
  5. At least one major safety incident will be caused by an IT security failure that will cause injury.

It strikes me that these security predictions, by and large, are so poorly defined that they could easily be claimed to be correct with a thinly veiled argument. If someone stands on a stage and declares that "water is wet," there invariably will be someone who chin wags that yes, indeed it is.

When I look at this loose collection of five predictions, it is easy to say yes, they are indeed true, but they were all safe bets. Ransomware isn't going to suddenly disappear. The blame game is part of human nature and it will continue on as long as we have opposable thumbs.

The prediction that mobile will rise as a point of entry wasn't far off in hindsight. Consider the research from Akamai (full disclosure: that's my day job) and other companies on the discovery of the WireX botnet, a distributed denial-of-service botnet based on mobile devices running Android. It was a platform built out using roughly 300 compromised applications in the Google Play store, which infected thousands of customers.

The one prediction on the list that caught my eye and might have some actual substance is the last one, about a major safety incident. To be fair, the writer had said that this might happen in the next four years, granting him some serious wiggle room. Because I spent nine years working in the power systems industry, this is a fear I hold, too. There is always a danger that someone could die as a result of a power failure, for example.

When we look at the rise of self-driving cars and similar IoT-related vehicles, there certainly is a chance that something could go horribly wrong. I don't say this to stir up fear, but we need to make sure that the companies making these products take security very seriously. There has been no shortage of reporting on vehicle security research, from distribution of firmware updates to communications, and there are many avenues that need to be addressed because of potential adversaries. This is definitely one prediction that I truly hope isn't something that comes to pass.

If people truly want to make predictions, they should make ones that cause them to put their reputations on the line. Don't make predictions that are merely safe bets. Better still, make a list of things that a company should be doing to better secure enterprises. That would have far greater value to those of us who are diligently working to defend our patch while attempting to avoid being thrown out the window by our very own Lars Thorwald.

Dave Lewis has over two decades of industry experience and has extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the ...