Threat Intelligence

12/29/2016
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

10 Things InfoSec Pros Can Celebrate About 2016

There were a few items that passed for good news this year.

Let's not rehash all the miserable DDoSes of the past several months or predict the horrors IoT has in store for us next year. For now, let's snuggle up with some hot chocolate and think comforting thoughts. Let's prepare our champagne toasts for New Year's Eve and celebrate the good times (or what passed for good times in this industry) from 2016: 

Feds And Hackers Became Friends: This year, the federal government opened its doors to vulnerability researchers, establishing their very first bug bounty program, "Hack the Pentagon." After paying 117 hackers anywhere from $100 to $15,000, it went on to create Hack The Army too. 

Apple Finally Launched a Bug Bounty Program: Perhaps jealous of how cool the federal government is, Apple finally came around to launching a bug bounty program. It wasn't just them. Fiat Chrysler also did, showing the automotive industry's increasing recognition of the importance of cybersecurity. 

Google Added Kernel-Level Protections To Android: According to an HP study earlier this year, the Android operating system is the second-most heavily targeted operating system with the second-most vulnerabilities, after Windows. Fortunately, in July, Google announced new measures to increase memory-level protections and reduce the overall attack surface of Android’s Linux kernel.

The Worst Security Laggards Got Slapped For Their Bad Security: It's no secret that breaches cost companies a pretty penny, but so often the costs are residual -- lost business, breach notifications, fines for late breach notifications -- but not punishments for the bad security itself. This year, however, some companies felt an extra sting for failing to protect their customers in the first place.  Morgan Stanley was hit with a $1 million fine by the SEC. Catholic Health Care Services got stuck with a $650,000 fine for a HIPAA violation. And Ruby Corp., which runs the website for breached online dating site Ashley Madison, was found guilty of lax security and agreed to pay a multi-state and Federal Trade Commission settlement of $17.5 million  

Some Old Business Got Taken Care Of: Josh Samuel Aaron, one of the alleged masterminds behind the monstrous JP Morgan breach/stock manipulation case of 2014, was indicted in November 2015; he was eventually arrested this month. The US auctioned off another $1.6 billion in Bitcoin forfeited from Silk Road and other illegal exchanges.   

Someone Stood Up To Ransomware Operators: Congratulate the San Francisco Municipal Transit Agency (SFMTA) for sticking up to ransomware operators, despite most likely losing money in the process. Instead of paying their $73,000 ransom demands, SFMTA gave passengers free rides at affected stations for days while they dealt with the situation. Take that, ransomware operators!

Some Privacy Victories Were Made (Among the Defeats): If you ignore some other major threats to privacy, (like the signing of the UK's Snoopers’ Charter) there were some things for privacy advocates to be happy about. The EU's General Data Protection Directive was officially approved. And after a long, long, long haul, Microsoft finally won a landmark case over the US Department of Justice that prevented the DoJ from subpoenaing emails of Irish citizens located on Microsoft servers in Ireland.

The Federal Government Finally Decided It Needed a CISO: Sure, maybe the job description and pay grade aren't super-attractive, but nevertheless there is now someone officially charged with keeping the federal government's IT systems secure. President Obama called for the creation of the new position this year, and for increasing cybersecurity spending to $19 billion (a 35 percent boost) in fiscal year 2017 as part of a new Cybersecurity National Action Plan.

Security Vendors Started Taking Responsibility For Their Products: Security companies are beginning to make stronger committments to customers that yes, in fact, their products will actually provide security. SentinelOne upped the ante this year, by offering a $1 million guarantee it could stop or remediate ransomware.

Still Plenty of Job Security:  Half of cybersecurity pros are solicited weekly about a new job, according to an October report by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA). (That doesn't happen in many, or any, fields, take it from me.) The average American chief information security officer is making a cool $273,033 per year, according to a new study by Security Current. The need for more security people is so great that the industry is always looking for ways to clear a path for more people to enter the field, improve diversity, and attract more women to the job. It's now even possible to be a full-time "super bug hunter," taking full advantage of bug bounty programs.

So chin up, cybersecurity industry. There might have been a lot of rough moments throughout 2016, but it wasn't all bad.

Related Content

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bertaandberta
50%
50%
Bertaandberta,
User Rank: Apprentice
1/27/2017 | 6:35:15 AM
10 Things
Excellent information! Thank you
michaelfillin
100%
0%
michaelfillin,
User Rank: Apprentice
1/1/2017 | 4:49:05 PM
Re : 10 Things InfoSec Pros Can Celebrate About 2016
11th : Mr Robot 3rd season is coming soon. 

1st joke of 2017
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17332
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
CVE-2018-17333
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.
CVE-2018-17334
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated.
CVE-2018-17336
PUBLISHED: 2018-09-22
UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n...
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.