The challenge with making security predictions is that we can only talk about bad news because that’s the only news that makes it into the public sphere
Jon McLachan
January 18, 2016: Hacks. Breaches. Theft of intellectual property. Man-in-the-middle attacks. Rogue cybercriminals and orchestrated efforts by foreign actors. Celebrities with weak passwords. Wholesale downloads of account usernames and passwords from poorly protected websites. Increasingly tricky social engineering. Secret backdoors built into IoT devices and network infrastructure and cloud services or just plain old-fashioned code injection.
Those were some of the biggest security news headlines in 2015. Those same headlines will be among the biggest security news in 2016 – but on an even larger scale.
The challenge with making security predictions is that we can only talk about bad news, because that’s the only news that makes it into the public sphere. Nobody talks about when encryption works to protect websites or safeguard personal information. Bloggers don’t notice when a firewall stops an intrusion, or when transport layer security (TLS) is implemented correctly in open source software. Hospitals don’t hold press conferences to declare that patient data remains HIPAA-compliant. School districts don’t declare victory at parent-teacher conferences when their infrastructure throttles back DDoS attacks.
Threats live and work in the shadows, behind the scenes, off the record. Most of the time, security works, and we never hear about any of those successes, until security fails, that is, and the threats become palpable. With that in mind, here are five security predictions for 2016:
5. Backdoors in numerous products and services, like cloud applications, enterprise routers and embedded devices, will betray users and businesses. Backdoor passwords are always a threat, especially if the customer doesn’t know about them and doesn’t have the ability to turn them off. Sometimes backdoors are inserted surreptitiously by intelligence agencies; sometimes to allow for service access by a vendor; and sometimes snuck in by unscrupulous employees. The reason doesn’t matter. During 2016, we will learn about backdoors, and this will erode trust across the board. What’s the solution? Clearly open source software allows for the possibility of detecting backdoors, but even there, you can’t always be sure that the compiled binaries (or final product) use that code. This will be a big story in 2016.
4. Many so-called ‘hacks’ will continue to be enabled by weak, easy-to-guess passwords. It doesn’t take a lot of sophistication to launch a dictionary attack on a social media account, or even gain entry by typing the name of a celebrity’s adorable bichon frise. Such attacks will allow for identity theft, espionage and intellectual property theft, the emptying of bank accounts, and all sorts of fraud. In 2016, we will learn about shocking attacks against government officials, military officers, business leaders, academics, politicians and more. Because so many people insist on reusing passwords (or variations on passwords), the consequences of weak passwords will be far-reaching. We need something better than passwords, but we won’t see widespread adoption of fingerprints, retinal scans or two-factor authentication in 2016.
3. Big businesses will be compromised by insecure messaging systems, which will lead to infiltration, intellectual property theft, and worse. Forget BYOD – a bigger concern is BYOM, Bring Your Own Messaging. Despite corporate policies, employees will insist on using text messages, Facebook messages, Twitter direct messages, you-name-it to collaborate with fellow workers and do important business with customers, suppliers and partners. Ad-hoc messaging is insecure, and doesn’t adhere to record retention policies. What’s more, if those systems are compromised (see #4 above), the consequences will be dire. In 2016, we will see at least one major messaging breach with HIPAA, SEC or national security implications. What’s the fix? Better secure messaging platforms, and corporate policies that use both carrots and sticks to enforce their usage.
2. Platforms will be compromised by spyware in ways that consumers, or even carriers, can’t detect or defend against. Think rootkits. Think spyware in applications baked into smartphone firmware. We saw those reports in 2015, affecting phones and notebook computers. Where is that malware coming from? In some cases, overzealous advertising networks, and in others, greedy hardware companies that loaded apps without due diligence. Some were caused by foreign actors – that is, governments and spy agencies. It’s going to get ugly as more and more devices are found to be compromised with spyware, tracking software, keyloggers and worse. We think that at least one major IoT (Internet of Things) product will be compromised in this manner. What can consumers do about it? Not much.
1. Vendors will begin changing products and services to require strong protection by default. Security often makes products hard to use, and can result in early dissatisfaction, product returns and service cancellation. That’s why many platforms come with encryption or security disabled, so that customers can begin using their new hardware, software or service immediately with ease. A bright spark in 2016 will be the realisation that we need security everywhere, and we need it immediately. Installers and configuration programs will begin to insist on the configuration of strong passwords, robust encryption and two-factor authentication before a product can be used or connected to a network. Strengthening security will be a slow, gradual process, and won’t be talked about very much. We won’t see headlines: Remember, vendors don’t like to talk about security. They don’t have to talk about it, though — as long as they start doing security right.
Jon McLachan is a security expert with Symphony