Infosec Trends in 2016

March 10, 2016 Jacob Ansari

A new year invariably brings new resolutions, reflections, and predictions, and we are no different in our look at information security for 2016. Here are some things to consider and our predictions.

Significant security incidents will continue apace

This barely qualifies as a prediction, given the past few years, but expect to see several high-profile security incidents that expose personal information, financial data, and organizational secrets. Despite the growing awareness of information security and security incidents, the collective belief of organizations that their security is good enough or the complex interactions of technologies, human factors, and economics will continue to yield vulnerable environments and opportunities for attackers.

Meet the new risks; same as the old risks

While new technologies and new usage patterns bring new risks, new horizons also allow the same security vulnerabilities to proliferate to new kinds of systems. Security weaknesses in children’s toys, medical devices, or wearables aren’t new categories of vulnerabilities, but, by and large, stem from the same roots as conventional security vulnerabilities: missing patches or software updates, typical web application insecurities, minimal or ineffective authentication, weak or missing cryptography, and the like.

Sophisticated attacks go down market

Security experts have long noted that attacks get better and not worse. The corollary to this is that sophisticated attacks get easier and more accessible to less-skilled attackers. Expect attack vectors classified as sophisticated or mostly theoretical a few years ago to see practical use, particularly those attacks that began as the purview of nation-state security or intelligence services.

Speaking of intelligence services

Expect to find new revelations of what various government agencies have been doing to attack networks and endpoints for surveillance purposes. Further, expect to see backdoors inserted either by nation states, or at their behest, used by other parties (see some analysis of the Juniper ScreenOS vulnerability here, here, and here for at least putative examples of this). Fully expect situations like this not to enter any of the public discourse of the advocates for government access to encryption keys.

Defense is still hard

Changes in technology and our uses thereof such as cloud services, social media, and mobile devices create an expanding horizon of places that criminals can attack and data we need to protect. Defending these elements has never been easy, and it’s not getting any easier. A good approach to security is going to require digging more deeply into the effectiveness of your security controls than before: not just what’s good enough to get past your security auditors, but what’s sufficient to stop actual attacks from determined and sophisticated attackers.

About the Author

Jacob Ansari

Jacob Ansari is a Senior Manager at Schellman & Company. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS, P2PE, and 3DS. Jacob's career spans nearly 20 years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and assessment of cryptographic systems. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS.
