Skip to main content

Cyber Security Predictions for 2017

I was asked to sit on a panel of experts, gaze into the crystal ball and make my predictions for what 2017 holds in store for cyber security, which got me thinking. Let's start with more breaches, more ransomware, more cyber security jobs, wage increases for security professionals, more 'qualified' professionals who don't really know what they're doing but have a piece of paper and, of course, vendors making even more money out of Fear, Uncertainty and Doubt (FUD). However, none of those is terribly interesting or any different from 2016, or 2015 for that matter, or indeed anything other than trends in the industry.

So what does 2017 hold in store for us in the security industry and is there anything new to worry about? Well an obvious one to call out is the EU's General Data Protection Regulation (GDPR). So what is GDPR? Well, GDPR replaces the previous data protection directive and aims to improve and harmonize data protections for EU citizens. This will impact non-EU companies that hold data on EU citizens as well as EU companies and agencies. Why is this such a big thing? Well, the regulation increases accountability and responsibility on companies, makes it law to disclose breaches and increases potential fines up to €20m or 4% of global turnover from the previous year, whichever is greater.

When does it come into effect? 25th May 2018. So why talk about it as a prediction in 2017? Companies will have to be prepared well before this date and vendors will start working towards selling services specifically aimed at GDPR compliance this year. The problem I have with this is that I believe companies will take their collective eye off the ball and be so busy with GDPR that they won't keep pace with the changes in technology and threat landscape.

I also believe that fines should be handed out more readily. Too often we have companies suffering a breach saying that they were compliant and it must have been an 'advanced attack' or 'nation state' actor. This is mostly complete rubbish! What's actually happening is that people do whatever gives them a tick in the compliance box without paying any mind as to whether it actually makes them secure. They use compliance as an insurance policy instead of following the principles to make themselves more secure. Most breaches occur through the same broad issues as a decade ago (or more). Frankly, if, for example, you have an OWASP Top 10 in your web app/service and you are breached, you should have the full fine thrown at you and those in charge should face negligence charges. There is simply no excuse for such well-known vulnerabilities to exist in live systems. Another point to remember with GDPR is that Brexit won't make us immune in Britain as the Information Commissioners Office (ICO) has already committed to it, so companies will have to prepare.

What else could we see in 2017? The IT industry is embracing DevOps, continuous integration, Platform as a Service (PaaS), software defined networks and, of course, agile. Many of these systems or vendor offerings have poor or non-existent security models. That industry needs to catch up; fast. In my opinion, the reason why we haven't seen more issues with these technologies is that they haven't, until now, been adopted by the big target companies, e.g. the banks. This is changing now and I think we'll see more focus on these technologies over the course of this year in situations where security is of high importance.

This isn't just about the technologies though, agile and the speed of deployment will change the way security professionals have to work. Gone are the days when the security professional has time to assess a solution at their leisure and fully test and assure it before go-live. I think threat modelling is going to become more important in this arena. Threat models can be built ahead of time and applied to new systems as they are developed. The emphasis then has to be on preventing the threat scenario as a whole (through a layered approach) not focusing on every single individual vulnerability/weakness. Basic security hygiene has to be brought up to an acceptable level across the board to enable this new way of working, as we can't rely on stopping a project whilst we fix every bit of it.

Something else I think will become more prevalent is big data and behavioural analytics. Companies are now starting to realise the power of big data and this is spilling over into the security industry. Some security teams are now employing data analysts and setting them anomaly detection problems or running behavioural reports on their employees, which is one of the best ways to catch the rogue insider. These are interesting developments and this type of data analysis is the future of security (alongside more traditional technologies and policy as well).

What else? I think that third party suppliers, the supply chain and smaller businesses will start to become more heavily targeted as the main targets get harder to breach. Smaller businesses can't usually afford the experienced cyber security teams that are required to secure them. So, they turn to vendors to sell them a silver bullet... on a budget. That's not going to work. Actually, basic security hygiene doesn't have to cost that much and doesn't require huge pay-outs to vendors. It does take expertise though and that is in short supply. As an industry I think we could do more to help smaller businesses with things like best practices and Security Technical Implementation Guides (STIGs) before the epidemic hits.

Finally, my fifth prediction is that we will start to see more attacks on connected systems, such as connected vehicles, building management systems, IoT devices, etc. I have worked with vehicle manufacturers and those involved in smart cities and smart homes/offices, and I can safely say that security is not top of their agendas - safety may be, but not security. Unfortunately, a lack of security can lead to a lack of safety in these cases, but I think a few harsh events will happen before the lessons are learned. Will 2017 be the year for this? Possibly not, as I think adoption of the technologies may not quite be there yet, but if we don't start dealing with it now we'll be in for a whole world of pain later.


Popular Posts

You say it's 'Security Best Practice' - prove it!

Over the last few weeks I have had many conversations and even attended presentations where people talk about 'Security Best Practices' and how we should all follow them. However, 'Best Practice' is just another way of saying 'What everyone else does!' OK, so if everyone else does it and it's the right thing to do, you should be able to prove it. The trouble is that nobody ever measures best practice - why would you? If everyone's doing it, it must be right.

Well, I don't agree with this sentiment. Don't get me wrong, many of the so-called best practices are good for most organisations, but blindly following them without thought for your specific business could cause as many problems as you solve. I see best practice like buying an off-the-peg suit - it will fit most people acceptably well if they are a fairly 'normal' size and shape. However, it will never fit as well as a tailored suit and isn't an option for those of us who are ou…

Coventry Building Society Grid Card

Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. Now the idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in - 2 things = 2 factors. For more about authentication see this post.

How does it work? Very simply is the answer. During the log in process, you will be asked to enter the digits at 3 co-ordinates. For example: c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember, that this isn't a password as such, it is expected to be a word and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't really…

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. There are many security professionals out there who are claiming that this is 'snake oil' - marketing hype for something that isn't possible. Trusteer's Rapport gives security 'guaranteed' even if your machine is infected with malware according to their marketing department. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few questions I raised in my last post about this.

Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most o…