Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

12/26/2017
10:30 AM
Dave Lewis
Dave Lewis
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

2017 Security Predictions through the Rear Window

If you're going to forecast the future, go big.

It's no secret that I've long held a dim view of the security predictions that invariably bombard our feeds and social media accounts every December. In years past, I made a point to write up an article using a list of predictions from a blog post 10 years earlier. The catch here was that the list read as an indictment as opposed to a prediction. Of the list of 10 security issues, eight  remained relevant a decade after they were posted.

The practice of making predictions often brings to mind the image  of a palm reader or medium saying, "I'm seeing a security breach for a company that starts with … A … B?" This may seem a little cruel, but I can't help to draw a parallel with Alfred Hitchcock's Rear Window. The protagonist of the film — confined to his apartment in the summer heat — pieces together a crime from the bits and pieces that he sees unfolding in the apartment across the way from his rear window. This view feels familiar as we talk about security issues in bits and pieces as found in security predictions.

If you pull all of the predictions together, they start to paint a more vivid picture of the issues that security practitioners face every day. As the end of the year drew closer, I couldn't help but wonder how the palm readers fared with their 2017 proclamations, so I took a sampling of some of the lists that I could find online. They discussed a wide range of topics such as these:

  1. Ransomware will continue to be a problem.
  2. Security blame will continue as one of the least popular games.
  3. Mobile will continue to rise as a point of entry.
  4. The Internet of Things (IoT) will continue to haunt the security threat landscape.
  5. At least one major safety incident will be caused by an IT security failure that will cause injury.

It strikes me that these security predictions, by and large, are so poorly defined that they could easily be claimed to be correct with a thinly veiled argument. If someone stands on a stage and declares that "water is wet," there invariably will be someone who chin wags that yes, indeed it is.

When I look at this loose collection of five predictions, it is easy to say yes, they are indeed true, but they were all safe bets. Ransomware isn't going to suddenly disappear. The blame game is part of human nature and it will continue on as long as we have opposable thumbs.

Mobile security will rise as an entry point isn't far off correct in hindsight. When you look at the research from Akamai (full disclosure: that's my day job) and other companies on the discovery of the WireX botnet, this was a distributed denial-of-service botnet that was based on mobile devices running Android. This was a platform built out using roughly 300 compromised applications in the Google Play store and which infected thousands of customers.

The one prediction on the list that caught my eye and might have some actual substance is the last one, about a major safety incident. To be fair, the writer had said that this might happen in the next four years, granting him some serious wiggle room. Because I spent nine years working in the power systems industry, this is a fear I hold, too. There is always a danger that someone could die as a result of a power failure, for one example.

When we look at the rise of self-driving cars and similar IoT-related vehicles, there certainly is a chance that something could go horribly wrong. I don't say this to stir up fear, but we need to make sure that the companies making these products take security very seriously. There has been no shortage of reporting on vehicle security research, from distribution of firmware updates to communications, and there are many avenues that need to be addressed because of potential adversaries. This is definitely one prediction that I truly hope isn't something that comes to pass.

If people truly want to make predictions, they should make ones that cause them to put their reputations on the line. Don't make predictions that are merely safe bets. Better still, make a list of things that a company should be doing to better secure enterprises. That would have far greater value to those of us who are diligently working to defend our patch while attempting to avoid being thrown out the window by our very own Lars Thorwald.

Related Content:

Dave Lewis has over two decades of industry experience and has extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...