A new year invariably brings new resolutions, reflections, and predictions, and we are no different in our look at information security for 2016. Here are some things to consider and our predictions.
Significant security incidents will continue apace
This barely qualifies as a prediction, given the past few years, but expect to see several high-profile security incidents that expose personal information, financial data, and organizational secrets. Despite the growing awareness of information security and security incidents, either the collective belief of organizations that their security is good enough or the complex interactions of technologies, human factors, and economics will continue to yield vulnerable environments and opportunities for attackers.
Meet the new risks; same as the old risks
While new technologies and new usage bring new risks, new horizons also allow the same security vulnerabilities to proliferate to new kinds of systems. Security weaknesses in children’s toys, medical devices, or wearables aren’t new categories of vulnerabilities but, by and large, stem from the same roots as conventional security vulnerabilities: missing patches or software updates, typical web application insecurities, minimal or ineffective authentication, weak or missing cryptography, and the like.
Sophisticated attacks go down market
Security experts have long noted that attacks get better and not worse. The corollary to this is that sophisticated attacks get easier and more accessible to less-skilled attackers. Expect attack vectors classified as sophisticated or mostly theoretical a few years ago to see practical use, particularly those attacks that began as the purview of nation-state security or intelligence services.
Speaking of intelligence services
Expect to find new revelations of what various government agencies have been doing to attack networks and endpoints for surveillance purposes. Further, expect to see backdoors inserted either by nation states, or at their behest, used by other parties (see some analysis of the Juniper ScreenOS vulnerability here, here, and here for at least putative examples of this). Fully expect situations like this not to enter any of the public discourse of the advocates for government access to encryption keys.
Defense is still hard
Changes in technology and our uses thereof, such as cloud services, social media, and mobile devices, create an expanding horizon of places that criminals can attack and data we need to protect. Defending these elements has never been easy, and it’s not getting any easier. A good approach to security is going to require digging more deeply into the effectiveness of your security controls than before: not just what’s good enough to get past your security auditors, but what’s sufficient to stop actual attacks from determined and sophisticated attackers.
About the Author
Jacob Ansari is a Manager at Schellman. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS and P2PE. Jacob’s career spans fifteen years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and information security expertise in support of legal matters. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS. Jacob speaks regularly to a variety of audiences on matters of information security, incident response, and payment card compliance strategy.