Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

12/26/2017
10:30 AM
Dave Lewis
Dave Lewis
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

2017 Security Predictions through the Rear Window

If you're going to forecast the future, go big.

It's no secret that I've long held a dim view of the security predictions that invariably bombard our feeds and social media accounts every December. In years past, I made a point to write up an article using a list of predictions from a blog post 10 years earlier. The catch here was that the list read as an indictment as opposed to a prediction. Of the list of 10 security issues, eight  remained relevant a decade after they were posted.

The practice of making predictions often brings to mind the image  of a palm reader or medium saying, "I'm seeing a security breach for a company that starts with … A … B?" This may seem a little cruel, but I can't help to draw a parallel with Alfred Hitchcock's Rear Window. The protagonist of the film — confined to his apartment in the summer heat — pieces together a crime from the bits and pieces that he sees unfolding in the apartment across the way from his rear window. This view feels familiar as we talk about security issues in bits and pieces as found in security predictions.

If you pull all of the predictions together, they start to paint a more vivid picture of the issues that security practitioners face every day. As the end of the year drew closer, I couldn't help but wonder how the palm readers fared with their 2017 proclamations, so I took a sampling of some of the lists that I could find online. They discussed a wide range of topics such as these:

  1. Ransomware will continue to be a problem.
  2. Security blame will continue as one of the least popular games.
  3. Mobile will continue to rise as a point of entry.
  4. The Internet of Things (IoT) will continue to haunt the security threat landscape.
  5. At least one major safety incident will be caused by an IT security failure that will cause injury.

It strikes me that these security predictions, by and large, are so poorly defined that they could easily be claimed to be correct with a thinly veiled argument. If someone stands on a stage and declares that "water is wet," there invariably will be someone who chin wags that yes, indeed it is.

When I look at this loose collection of five predictions, it is easy to say yes, they are indeed true, but they were all safe bets. Ransomware isn't going to suddenly disappear. The blame game is part of human nature and it will continue on as long as we have opposable thumbs.

Mobile security will rise as an entry point isn't far off correct in hindsight. When you look at the research from Akamai (full disclosure: that's my day job) and other companies on the discovery of the WireX botnet, this was a distributed denial-of-service botnet that was based on mobile devices running Android. This was a platform built out using roughly 300 compromised applications in the Google Play store and which infected thousands of customers.

The one prediction on the list that caught my eye and might have some actual substance is the last one, about a major safety incident. To be fair, the writer had said that this might happen in the next four years, granting him some serious wiggle room. Because I spent nine years working in the power systems industry, this is a fear I hold, too. There is always a danger that someone could die as a result of a power failure, for one example.

When we look at the rise of self-driving cars and similar IoT-related vehicles, there certainly is a chance that something could go horribly wrong. I don't say this to stir up fear, but we need to make sure that the companies making these products take security very seriously. There has been no shortage of reporting on vehicle security research, from distribution of firmware updates to communications, and there are many avenues that need to be addressed because of potential adversaries. This is definitely one prediction that I truly hope isn't something that comes to pass.

If people truly want to make predictions, they should make ones that cause them to put their reputations on the line. Don't make predictions that are merely safe bets. Better still, make a list of things that a company should be doing to better secure enterprises. That would have far greater value to those of us who are diligently working to defend our patch while attempting to avoid being thrown out the window by our very own Lars Thorwald.

Related Content:

Dave Lewis has over two decades of industry experience and has extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.