The high-water line in information security gets higher each year. Just as we think we’ve finally figured out how to defend against attacks, then attackers come up with something new and we are right back to trying to figure out what to do next.
For example, ransomware has surged in the last year. Although that kind of malware has been around for years, the current model of encrypting user files to hold data hostage came about just recently. Infections quadrupled in 2016, with the FBI estimating an average of 4,000 attacks a day. A recent IBM survey of 600 business leaders in the United States found that one in two had experienced a ransomware attack in the workplace, and that companies paid the ransom 70 percent of the time. As a result, criminals are on track to make nearly $1 billion this year from ransomware, IBM X-Force said.
And there’s been seemingly no end to hackers getting into corporate databases. Just ask Yahoo. Or the Democratic National Committee. Even the FBI was able to find a firm to hack into the Apple iPhone 5c, which for a while seemed unhackable.
For IT and security professionals, this endless fire fighting gets exhausting. Old threats come back in new forms, and new attacks keep making the list of things to worry about even longer. Malicious word macros are back. Exploit kits still love Flash. SMS text messages with one-time codes for second-factor authentication proved hackable. It all makes you want to give up and curl up in a dark corner.
But 2016 wasn’t all bad news for enterprise security, and there are some wins that give hope for a more secure future.
1. We’re looking at passwords in a better light
Authentication, especially how we use passwords, was a recurring theme with every data breach. Yes, password reuse is still a problem and weak passwords like “password1” and “123456” are still a thing, but we are seeing more people use password managers to secure their online accounts and fingerprint sensors to lock their physical devices. “Biometrics will no longer be seen as novel in 2017, but necessary,” said Daniel Ingevaldson, CTO of security company Easy Solutions.
There are fingerprint sensors on the market today with security features including TLS 1.2 and 256-bit encryption, anti-spoofing technologies, live-or-dead detection, and match-in-sensor architectures, said Anthony Gioeli, a vice president at Synaptics’s biometrics division. Apple has had hardware-secured fingerprint sensors in its mobile devices for several years, and now in its newest MacBook Pro. Samsung and Google use similar technology in their latest smartphones. And Microsoft has built in support for biometrics in Windows 10 and beefed up the security in this year’s Windows 10 Anniversary Update.
The National Institute of Standards and Technology is also tackling the problem. The draft version of the Digital Authentication Guideline document includes new guidance on password policies, such as allowing for longer passwords; allowing spaces and other characters; removing special character requirements (such as what combination of letters, numbers, and non-alphanumeric characters must be used); and doing away with password hints. NIST also said in the draft that sending unique passcodes via SMS messages should not be used as part of a two-factor authentication scheme, and that stronger authentication schemes should be adopted.
Although the guidance is still in draft form and the official public comment period doesn’t start until early 2017, IT departments can use it to start thinking about how to improve authentication, such as rolling out multifactor authentication and changing password requirements.
Another bonus: NIST’s Mary Theofanos said mandatory password changes don’t make sense, so IT departments can now work on alternative methods — and stop torturing users.
2. We may finally be taking IoT security seriously
Last year, we could see the ransomware wave coming. This year, it’s internet of things (IoT) security — or the extreme lack thereof — that is clearly on the horizon.
The distributed denial-of-service (DDoS) attacks this fall, which spread through home security cameras, VCRs, and other connected devices, took down the internet and seemed to be the industry wakeup call that finally worked. Made up of compromised IoT devices, the Mirai botnet launched large attacks against French service provider OVH, the website of security blogger Brian Krebs, and networking company Dyn.
The last time DDoS was the big story, it was about hacktivists and online pranksters targeting financial websites and other visible targets. This time, botnets are launching large, multivector attacks that can exceed 1 terabit per second — and interrupt internet access for millions.
Security experts have been warning for some time about the millions of devices that are connected to the internet without even the most basic security features, so the Mirai attack shouldn’t have been a surprise. And with Mirai’s source code publicly available, it is safe to assume there are other IoT botnets waiting in the shadows to strike. With all these devices connecting to the internet, we are ripe for an IoT worm, said Lamar Bailey, senior director of security research and development at Tripwire. Fixing the problem will require a lot of coordination, creativity, and persistence, but perhaps people are actually seeing the risks.
The silver lining is that the Mirai attack was a “fairly cheap lesson in what a compromised IoT [threat] would look like while there’s still time to do something about it,” said Geoff Webb, vice president of solution strategy at Micro Focus. But IoT vendors need to get serious about security fast — and consumers should avoid their products until they do.
3. We’re getting other benefits on the coattails of new security technology
It’s always a good sign when adopting something for security reasons winds up having other benefits. New protocols like Transport Layer Security (TLS) 1.3 and HTTP2 will make the web safer, but there are clear performance improvements as well. It’s very likely the uptick in adoption of TLS 1.3 and HTTP2 by web developers will be spurred by the increased speeds the protocols enable, said Ryan Kearny, CTO of networking company F5 Networks. “In 2017, the increase in web speed will spur rapid adoption of TLS 1.3 —- and that will, in turn, make the web more secure,” Kearny said.
4. We’re getting more realistic about security
Security was one of those things people never really understood. TV shows and movies didn’t help, with slick graphics and fancy dramatizations of what hacking supposedly looks like. Then, along came the TV show “Mr. Robot,” and the show’s star, Rami Malek, winning an Emmy for his portrayal of Elliott Alderson. “Out of all the attempts that Hollywood has made to tell a compelling story using cyber as the backdrop, Mr. Robot is the most complete,” said Rick Howard, CSO of networking security company Palo Alto Networks.
If nothing else, nonsecurity professionals now have a better understanding of just how bad things can get. It’s no longer just that one weak password, one link in an email, or that one old software application that hasn’t been updated. There is no need to oversensationalize the security issues in “Mr. Robot” — the reality is bad enough.
That better understanding should help users understand why they need to pay more attention to at least security basics. And why they keep getting breach notices from the likes of Yahoo and Dailymotion.
But it doesn’t help that there’s still a culture of silence about breaches among security pros and the companies they work for. No one likes to talk about their failures or to be a headline. But because no one is sharing what mistakes were made, the same breaches keep happening over and over.
That’s why the formation of new Information Sharing and Analysis Centers (ISAC) is a positive — though small — development, a sign of realism creeping into the security professionals’ culture, too. Although existing ISAC and commercial information-sharing platforms are expanding to include more enterprises, they need to become even more widespread.
Developers have plenty of places where they can post code snippets and get programming help. IT and security professionals should have forums where they can share their security stories, ask questions without judgment, and learn about what worked for their peers, said Jeannie Warner, a security strategist at WhiteHat Security. “The bad guys have Tor, Reddit, and other social networks to share information and tools. The good guys need to adopt theirs just as freely,” Warner said.
It’s easy to see information security as a never-ending stream of attacks. Perhaps the most distressing thing about the year’s outages and breaches is the fact that there is an awful lot happening that IT doesn’t know about. Security experts frequently warn that just because there is no evidence of a breach doesn’t mean there isn’t a breach. That was definitely true at Yahoo: The internet company disclosed two gigantic breaches, but the scariest thing wasn’t the number of victims — it was the fact that they happened years ago and no one even suspected.
“We went years with billions of records being sucked out from right under our noses and we didn’t even know it,” wrote security expert Troy Hunt. He called the current mindset “conscious incompetence,” where we know we have a big problem. That’s a better place to be than the previous stage, where the prevailing attitude was, “It won’t happen to me.”
The big question is knowing where to go next. “How much more are we going to discover over the next year? Or not discover at all?” Hunt asked. If we’re finally getting real about security, and come out of the shadows, we should finally begin to make real progress.
5. We may finally get security promises we can bank on
As consumers, we demand money back when we are not satisfied with a product’s performance or functionality. But IT typically doesn’t get that option with security products. Only 25 percent of U.S. IT security decisionmakers said their primary security vendor is willing to guarantee their product by covering the costs of a breach, including lawsuits and ransoms, according to a recent survey by endpoint security company SentinelOne. But most IT security professionals in the survey said they would like security vendors to offer a guarantee their products would deliver on their promises — and 88 percent claimed they would change providers if a competitor offered such a guarantee.
“The industry has reached a tipping point, where security vendors will need to guarantee that their products will hold up against cyberattacks and assume responsibility if they fail to do so,” said Jeremiah Grossman, chief of security strategy at SentinelOne. “Customers are tired of paying additional fees to address security breaches, especially when they have already paid for security defenses in the first place.”
There are now a handful of companies that offer security guarantees. SentinelOne’s guarantee covers $1,000 per endpoint, or $1 million per company payout, in the event of a successful ransomware infection after installing SentinelOne’s Endpoint Protection Platform. Cymmetria covers the costs incurred in notifying victims, hiring attorneys, bringing in digital forensics investigators, and repairing the damage in case of an advanced persistent threat gaining unauthorized access, moving laterally through the network, and stealing protected information from compromised systems in organizations that have deployed Cymmetria’s MazeRunner cyber-deception platform. Trusona and WhiteHat Security also have similar product guarantees.
As we’ve seen over the past few months, even security products can have vulnerabilities. But in several of the cases, the mistakes seemed fairly basic, even avoidable — not at all at the level of what a security provider should be delivering. Providing product guarantees should wring out such sloppiness from security providers, because they’ll finally pay a real price for their own neglect. “It’s high time people in our industry started putting their money where their mouth is and taking responsibility for what they sell, assuring what they do works,” said Gadi Evron, Cymmetria’s CEO.