2016 : Two Steps Forward, Three Steps Back

I’m delighted to end 2016 with a permanent role on Infosecurity, which will see me not only continue to write and contribute editorial to both this website and the print edition, but also head up our webinar channel, and work on our virtual conferences and continue to get out and about into the industry.

Looking back upon 2016, it does feel like a year when security took some distinct backward steps, and a few in the right direction. Let’s look at what was bad first: the Mirai botnet, its capability to launch record-breaking DDoS attacks, and the fact that it was “powered” by IoT devices still running unchanged default passwords demonstrate, for me, some major failings in the security industry.

Firstly, we’ve seen botnet takedowns in the past, and I hope that right now efforts are being made to sinkhole this botnet to prevent further attacks on websites and services. Secondly, I’ve been around long enough to remember the attack on Spamhaus which was measured at 300 gigabits per second, while Mirai’s capabilities have been reported as being into terabytes of packet data. Thirdly, how are we allowing people to use default passwords still? For me, the responsibility of getting this correct falls upon the manufacturers of the devices who should make changing the default password both easier, and mandatory.

I am in dark admiration at how Mirai has been made so capable in such a short time period using such a basic concept. The industry has previously been excellent at taking down and repairing botnet activity; let’s hope we see more of it in this case.

It seems that in 2016 we have written a lot about ransomware, with an article from mid-December proving that this method remains profitable for attackers, and that victims continue to pay up. One piece of extremely good news came in the form of the collaborative No More Ransom effort, which enabled locked-out people and companies to decrypt their files.

However, my concern remains that this effort needs supervision and clear ownership so that it is maintained; without proper maintenance the work done so far could easily be undone. There is also the concern that not enough people know about it: in a recent poll we asked what the name of the project was, and only 34% of the 114 voters named the initiative correctly. No More Ransom has recently taken on more partners, so I hope this succeeds, as at the moment ransomware continues to be a problem and needs to be stamped out until it becomes a minimal issue.

Elsewhere, large breaches seemed to continue, with the two biggest of all time reported in 2016, both by dot com survivor Yahoo. The losses of one billion and 500 million respectively mean a huge number of credentials are now on sale to any bidder, and as we saw with the LinkedIn breach, these credentials are used by attackers to access other services.

We’ve covered political issues as a theme in our 2017 predictions, and with a CEO set to take the most powerful job in the world in January, there will be uncertainty about the state of cybersecurity in the government’s eyes. Here in the UK things do seem progressive in terms of the National Cyber Security Strategy and its focus on defense and offense, but the Investigatory Powers Act will make many focus on their personal privacy more than ever before.

However, the battle between the FBI and Apple at the start of 2016 demonstrated how good encryption can be, and how strong the privacy protections built for consumers actually are. Sadly, I think this is an outstanding case in terms of security “winning”, and most people would more likely turn over devices and passwords than face the wrath of the law.

We also saw the old Safe Harbor replaced by the Privacy Shield, with Google, Dropbox, Cisco and Microsoft among those achieving certification, but concerns remain about visibility and self-certification.

In terms of getting out of the office, I was delighted to attend major conferences in the USA including Black Hat, Def Con and RSA Conference, in central Europe at CPX2016 and Trust in the Digital Life, as well as speaking at ESET’s Security Day, the ESRM Conference and Infosecurity Europe, and I made a first visit to the Sheffield conference Steelcon. Infosecurity’s first magazine conference in Boston was a success, attracting speakers from retail, government, research and online services.

Looking ahead to 2017, I unfortunately do not predict anything to get especially better. Year after year I have seen vendor predictions that mobile malware will be a key trend, and once again I expect that to be false, as “noisier” attack methods such as DDoS and ransomware are used instead. This could mean that endpoint security continues to be the place for malware prevention, but network security will be far from absent if the theft of credential databases continues.

In the same vein, I expect more focus will be on better ways to provide authentication as the password debate continues for another year. The most read story of 2016 on Infosecurity involved a password reset, so it seems fitting that my next action will be to reset my PC password to one that will be memorable for when I return to work in the New Year.
