Happy 2018, fellow humans (but not to you, bot army!). Like we've done in years before, we recently rounded up some of the best minds and most trenchant commentators the security industry has to offer and asked them to sum up the year gone by (whether good, bad, or ugly) and shed light on what's in store for the 363 days ahead. To see how our predictions fared in prior years, check out the 2015, 2016, and 2017 cybersecurity horoscopes (our crystal ball is internet-connected, much to Deral's dismay, but we've set it up to double as a honeypot, so at least the research team is happy).
Without further ado, here are our group's 2017 features and 2018 forecasts to make the transition to a brand new year a little softer, a little smarter, and perhaps even a little more secure.
Jessy Irwin (aka last year's Lady Sparklesaurus Divine):
The mega-breaches of 2017 have made consumers highly aware that security is something that they should be paying attention to, though they're not quite sure what to do or how to start. In 2018, security professionals will need to engage ordinary users with humor and a little bit of empathy before irrevocable security fatigue sets in. To convince people to improve their security habits, we'll be faced with more design tradeoffs and usability concerns than ever—but the smallest improvements will add up to major improvements.
Wendy Nather, Duo Security:
Better security design will be the next frontier of innovation, as we recognize that the vast majority of consumers and enterprise end users should not have to know as much about security as those who make it their career. We will rethink not just "engineering-grade" UIs, but all aspects of workflows, integrations and deployments to make it easier to do the right thing. Acknowledging that every user of our technology is a consumer as well, vendors will differentiate their products through "consumer-grade" design.
Chris Hadnagy, Human Hacker:
This year we saw an epic increase in the combo attack where an attacker uses both phishing and vishing or phishing and SMShing to breach a target. We saw scary good phishing and an increased level of sophistication in their attacks. In 2018, I see vishing making a huge comeback, maybe even coming close to matching phishing as a vector used in attacks.
Dave Kennedy, TrustedSec:
I think this year we saw a combination of defense getting better and an emphasis on monitoring and detective controls, which was a huge step up from any other year. Along with that, though, we also saw a number of substantial breaches and some of the most public adversary activity with leaks and amazing code. Even the government recommended not using Kaspersky, claiming they are an extension of or sympathetic to the Russian government. Phew. This year was one of the greatest (and worst) that I can remember!
In 2018, I think that if we start a war with North Korea or go more on the offensive in Russia, we’ll start to see a lot more information warfare and overt attempts to inflict damage. We’ll still see breaches happen, but I think this year will be a year of substantial growth in figuring out how to get more visibility into the types of attacks we are seeing and hopefully getting all around better in information security.
Rob Graham, Errata Security:
This last year we saw ransomware (Wannacry, NotPetya) gain access to domain admin accounts and destroy entire organizations, keeping companies and business units offline for weeks or months. This works because companies have lax policies about admin accounts, and have essentially put all their eggs into one basket for domain administration. Even hot backup sites are part of the same domain system, and hence, will be taken down along with the primary systems. This should be high on the priority list to fix for the next year.
For the coming year: IoT is connected to the Internet via Bluetooth, WiFi/Ethernet, and LTE. The Mirai worm has shown us the problems with WiFi/Ethernet connected devices, but the growth in IoT is likely to instead be 4G/LTE connected devices. For extremely low bandwidth devices (less than 1 megabyte per month), the mobile companies are offering $1/month plans. This makes it viable to connect a plethora of devices, such as security alarms, temperature sensors, and GPS trackers for fleet vehicles. Watches with such cheap LTE connections and GPS are becoming increasingly popular for tracking children. This informs us on the threat models: such devices, ensconced behind carrier-grade NAT, are unlikely to be hacked by worms. Nor are they likely to suffer from users tricked into installing viruses on them. On the other hand, the risk of a vendor getting hacked, or leaving files exposed in Amazon S3 buckets, means large catastrophic events in the future, instead of low-grade background hacking of devices.
Bob Rudis, Rapid7 Sr. Director & Chief Security Data Scientist:
2018 will see a significant uptick in attackers using all the tools at their disposal to disrupt digital currency infrastructure and increase account takeover attempts to gain control over these prized digital possessions. 2018 will also see continued use of weaponized exploits released in 2017. This weaponization will increase in stealth, sophistication and success so long as organizations continue to lag behind in IT & cybersecurity operations efficiency.
Rebekah Brown, Rapid7 Threat Intelligence Lead:
Data is valuable, even when it can’t be directly monetized. In 2017 we saw how data can change the impressions people have of a person or a company. Whether it is through sophisticated information influence operations or through digital blackmail of individuals via hacked email or social media accounts, adversaries will continue to exploit non-financial data in 2018.
It was also a whirlwind year with nation state operations directly impacting consumers and corporations. It is probably not the last we will hear of the ETERNALs and the WANNACRYs. Adversaries learned a great deal from the dumps and the attacks in 2017, and will likely continue trying to exploit these new tools as much as they can. Be prepared for copycat and one-upmanship in 2018. But remember, no matter what the adversaries can throw at us, we can find ways to adapt and overcome.
Deral Heiland, Rapid7 IoT Research Lead:
As I noted in SC, with the ever-expanding influx of Internet Embedded Technology within our businesses I would not be surprised if we see these technologies take center stage on a major breach in 2018. With a growing market in the area of voice-activated and controlled Internet Embedded Technology, I expect to see more complex and impactful security exploits that target the voice control services within these technologies.
Tod Beardsley, Rapid7 Research Director:
In an online world dominated by FAMGA (Facebook, Amazon, Microsoft, Google, and Apple), I expect to see very few actively exploited vulnerabilities in newly created and distributed software from these mature technology vendors. The hegemony of these companies will ensure a highly secure operating environment within each of their areas of dominance. Occasional issues will surface, of course, but on the whole, the computing environment for the average person will have a marked lack of "classic" software vulnerabilities.
However, this lack of "new" bugs will not put cyber criminals out of business. They will continue to spend their efforts on much softer targets. These would include older software stacks that rarely see regular software updates: multifunction printers, home and enterprise switches and routers, and IoT devices that ship old and unpatchable software. I also expect to see continued sophistication on the part of attackers in their ability to trick, scam, and phish credentials out of users, where either no bugs, or old bugs, are required for successful exploitation.
Harley Geiger, Rapid7 Public Policy Director:
In 2018, following high profile data breaches, federal lawmakers will press for data security and breach notification regulations, prompting debate over the appropriate balance between consumer protection and burden on business. This is a great prediction. Why? Because it happens every year! But will 2018 be the year that general security standards actually make real headway in Congress? That's much harder to predict, but 2017's breaches got a lot of attention, EIGHT states passed new security/breach rules in 2017, and we do live in interesting times.
Sharing Is Caring
What made your list of highlights for 2017? What do you foresee in the security sphere in 2018, be it mundane or esoteric? Hit us up in the comments if you're moved to share your own thoughts.