Note: This is a long post about infosec in 2016 and 2017. Read when you have the time.
2016 has been an interesting year. Donald Trump became president-elect. The Syrian crisis worsened. Brexit happened. India demonetised 87% of its currency in one stroke. Cybersecurity and infosec were uttered more frequently in corporate boardrooms, and for good reason too.
How was the year for infosec? Here are a few areas where things happened and will probably continue to happen in 2017.
Data Privacy - and our apathy toward it
We are moving towards an Orwellian world, and are happy about it!
It began with the biggest data privacy debate of the year: the San Bernardino terrorist attack. It also pulled at our moral and ethical heartstrings. Would you be willing to compromise your personal data privacy to set up a system to catch terrorists? The FBI wanted the contents of the dead terrorist's iPhone, and asked Apple to build a special version of iOS that would switch off the passcode-retry limits so the phone could be brute-forced. Apple refused, calling it a 'backdoor'. It was a high profile case, with a lot of drama and multiple statements from both the government and Apple. It ended in a rather anticlimactic manner when the government found another way into the phone and no longer needed Apple to unlock it. The biggest data privacy debate died without any logical conclusion. There were megabytes of articles about this. If you want a quick view of everything, there are 2 pieces you should not miss: John Oliver on encryption and Dilbert on encryption.
Google and Facebook, the other tech giants, harvest our data for a living and we are glad that they do! Windows 10 had already been caught sending telemetry from computers to Microsoft servers regardless of the privacy settings users had chosen. No one knew, or cared, what happened to that.
The EU had already established the 'right to be forgotten'. Google had already been asked to remove search results at the request of users. Google implemented it only on its local EU domains, so you could still go to google.com and see the unfiltered results. In 2016, Google extended delisting so that searches made from within the EU return the filtered results on any Google domain, not just the local one. Is the right to be forgotten a good thing? We don't know yet. Maybe 2017 will tell us something?
While Apple was in the limelight for the encryption case, one other bit of Apple news did not get as much media hype: differential privacy, announced at WWDC 2016. The idea is to learn as much as possible about a population while learning as little as possible about any individual in it, by adding calibrated noise to each person's data before it leaves the device. We would surely like to see more thought given to privacy in 2017.
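As an added illustration (my code, not Apple's implementation, which is considerably more elaborate), the classic randomized-response mechanism of Warner (1965) shows the trade-off in a few lines: each user flips a coin before answering a yes/no question, the analyst still recovers the population rate from the noisy answers, and any single answer is at most a factor of e^ε more likely under one truth than the other. The population and the coin flips below are constructed for the example; the function and parameter names are my own.

```python
import math
import random


def randomize(true_bit, p_truth, rng=None):
    """Randomized response for one user.

    With probability p_truth the user reports the true bit; otherwise the
    user reports a uniformly random bit. The analyst never sees true_bit.
    """
    rng = rng or random
    if rng.random() < p_truth:
        return bool(true_bit)
    return rng.random() < 0.5


def epsilon(p_truth):
    """Privacy loss of the mechanism (local differential privacy).

    P(report 1 | true 1) = (1 + p) / 2 and P(report 1 | true 0) = (1 - p) / 2,
    so the worst-case likelihood ratio an analyst can form about one user is
    (1 + p) / (1 - p), and epsilon is its natural log. p = 0.5 gives ln 3.
    """
    if p_truth >= 1.0:
        return math.inf  # reporting the truth always: no privacy at all
    return math.log((1 + p_truth) / (1 - p_truth))


def estimate_fraction(reports, p_truth):
    """Unbiased estimate of the true fraction of 1s from the noisy reports.

    E[observed] = p * f + (1 - p) / 2, so invert that affine map.
    """
    n = len(reports)
    observed = sum(1 for r in reports if r) / n
    return (observed - (1 - p_truth) / 2) / p_truth


def simulate(n_users, true_fraction, p_truth, seed=0):
    """Constructed population: the first k users hold the sensitive attribute.

    Returns the analyst's estimate of true_fraction computed only from the
    randomized reports. Deterministic for a given seed.
    """
    rng = random.Random(seed)
    k = int(round(n_users * true_fraction))
    truths = [i < k for i in range(n_users)]
    reports = [randomize(t, p_truth, rng) for t in truths]
    return estimate_fraction(reports, p_truth)


if __name__ == "__main__":
    p = 0.5
    print("epsilon for p_truth=%.2f: %.3f (e^eps = %.2f)" % (p, epsilon(p), math.exp(epsilon(p))))
    print("true fraction 0.30, estimate from 40000 noisy reports: %.4f" % simulate(40000, 0.30, p, seed=1))
```

The standard error of the estimate shrinks as 1/sqrt(n), so the population rate comes out accurately at scale while each individual report stays deniable. The caveat a practitioner should keep in mind: the guarantee holds per report. Collecting the same attribute from the same user repeatedly multiplies the privacy loss, which is why real deployments have to budget and cap how often a value is sent.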
WhatsApp, that ubiquitous messenger owned by Facebook, got end-to-end encryption. This arguably put it on the wrong side of Indian law, but we don't really follow the law, so there was no problem anyway. However, WhatsApp then decided to share phone numbers with its big daddy, on an opt-out basis. This left us rather wary of Facebook, especially after the Free Basics fiasco.
If all the biggies were collecting personal data, some of the other Internet behemoths decided it was worth collecting some more. Uber decided to track a rider's phone for up to 5 minutes after the end of the ride. Again, it was met with apathy.
2016 was a year of apathy towards data privacy. What we need in 2017 is more awareness of data privacy. If we can uninstall an app on our phone because it was being endorsed by a celebrity who said that he does not feel safe in the country, we should also be uninstalling apps that want to be intrusive and collect more data than they should.
The rise and rise of Ransomware
It is a battle, not of technology, but of user psychology.
Ransomware was the flavour of 2016. Awareness of ransomware has increased, but so have the attacks. Is our awareness not working? Or are the ransomware operators using ever more sophisticated techniques? It turns out the techniques are more ancient than we thought. Locky, one of the year's most prolific ransomware families, arrived as an e-mail attachment: a Word document whose macro downloaded and ran the payload once the user clicked 'enable content'. Why do we still fall prey to such ancient tactics? Why do we click on ransomware?
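To make the 'it's just a Word macro' point concrete, here is an added example (my code, not anything from the post or from a real mail gateway product) of the check a mail gateway or endpoint rule can apply to an attachment before a user ever sees it. An OOXML document is a zip container, and a VBA project shows up inside it as a vbaProject.bin part and as a content type in [Content_Types].xml, regardless of the extension the file was given. The sample documents are constructed in memory and are not real Office files; the verdict names and the policy of also blocking script attachments are assumptions for illustration.

```python
import io
import os
import zipfile

# Extensions whose OOXML container is allowed to carry VBA (assumed policy: block them anyway).
MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Script attachments that later Locky waves used instead of Office macros (assumed policy).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
# Legacy binary Office formats (.doc/.xls/.ppt) are OLE compound files with this signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def ooxml_has_vba(data: bytes) -> bool:
    """Return True if an OOXML (zip-based) document carries a VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA project is stored as word/, xl/ or ppt/vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Belt and braces: the part may be renamed, but its content type is declared.
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict for one attachment: 'block', 'quarantine' or 'allow'."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file: macros live in an OLE storage this example does
        # not parse. Hand it to a tool that does (e.g. oletools) rather than pass it.
        return "quarantine"
    if ooxml_has_vba(data):
        # Any VBA project is blocked, even inside a file named .docx.
        return "block"
    if ext in MACRO_ENABLED or ext in SCRIPT_EXTENSIONS:
        return "block"
    return "allow"


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal Word-like container for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = [
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
        ]
        if with_vba:
            types.append(
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a VBA project; not real macro code.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_ooxml(True)),
                       ("invoice.docx", build_ooxml(True)),
                       ("invoice.docx", build_ooxml(False)),
                       ("invoice.doc", OLE_MAGIC + bytes(504)),
                       ("invoice.js", b"var x = 1;")]:
        print("%-14s -> %s" % (name, triage_attachment(name, blob)))
```

The check is deliberately independent of the file extension: the second case above is a macro document renamed to .docx, which Word will still open and still prompt to enable content for. Blocking at the gateway removes the decision from the user, which is the whole point of the paragraph above.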
The power of habit. If Outlook shows an unread mail, it needs to be read. If there is an attachment, it needs to be opened. If there is a link, it should be clicked. The power of habit. For 2017, we should resolve to break this habit. We should resolve to be more situationally aware before opening or clicking things. We should resolve to report any such suspicious mails, links or attachments. We should resolve to check with the sender if the link or attachment was unexpected.
It is all about our psychology. Thinking fast (System 1, in the terms of Daniel Kahneman's book Thinking, Fast and Slow) can lead to insecure online behaviour and bad decisions. This is what the ransomware operators hope for. They want us to think fast. They do not want us to evaluate things in detail and come to a conclusion. This is the reason CEO fraud and romance scams actually work. They appeal to our emotions, to the part of our thinking that decides fast and on feeling. For 2017, we should resolve to think slow. Stop. Think. Act.
Apart from tinkering with our thought process, the ransomware factory grew by leaps and bounds in 2016. We now have ransomware-as-a-service! We do not really help by using 123456 and 'password' as passwords; weak credentials on internet-facing remote access are one of the ways ransomware gets in. Let 2017 be the year of good passwords.
What do you do if you are affected by ransomware even after you have taken all the necessary precautions? Should you pay up? An FBI agent was widely quoted as saying the Bureau often advises victims to just pay; the FBI's official guidance is that you should not. Most others recommend that you don't. Which path to take? I would say: think about situational awareness again. If all your patients' health records are locked up, you might want to clutch at the last straw of hope in retrieving the data, but most of the time you should not pay. Paying funds the next campaign and does not guarantee a working decryptor. Strengthen your systems, train your people and restore from your backups. You do have backups, right? Offline ones the ransomware could not reach, and that you have actually tested restoring from?
Is the war lost before the first battle begins?
We touted 2016 as the year of IoT. Infosec professionals all over the world said this was a chance for infosec not to goof up. Sadly, we did. There were instances of connected CCTV cameras shipping with username 'camera' and password '000000'. No, I am not making this up. This really happened in 2016. IoT security is like software security all over again: "Release the product. We can think of security later!" While the IoT proponents were busy making insecure 'things', infosec professionals were busy ignoring everything IoT. The only action on IoT security was long presentations at infosec conferences. Nobody really went beyond talking about it.
Insecure IoT devices, herded into botnets by simply logging in with such default credentials, were the reason DDoS attacks ran into the hundreds of Gbps this year. Devices got smarter and intruders got into your bedroom. Samsung issued an advisory asking people not to say personal and sensitive things in front of their smart TVs. Err, can you make your devices more secure before asking people not to do personal things in their bedrooms? The problem was not restricted to consumer IoT. It was seen in a Schneider building management system as well: a bug in the BMS allowed users to bypass its security altogether.
The one good thing that happened in IoT security during 2016 was the release of NIST Special Publication 800-183, Networks of 'Things', which defines the building blocks of a network of things. Hopefully this is a starting point for us to define IoT and IoT security. For 2017, companies coming up with IoT products should get a strong CISO and involve the CISO in the design of their 'things', starting with a threat model before the first unit ships.
We disallowed it, but we really don’t know what it is.
India ruled to disallow Facebook's Free Basics. It was an uneasy victory for the net neutrality advocates. We are not really clear about the details of net neutrality, are we? We were told the whole thing means WhatsApp will continue to be free and the telcos, the big bad wolves, won't charge us extra for it. The world would be a better place. Sure, we all want WhatsApp to remain free, but are we clear what net neutrality is? TRAI (the Telecom Regulatory Authority of India) released a couple of iterations of its so-called paper on net neutrality before public protests made it back down and disallow Free Basics.
In 2017, we would like to see a clear definition of net neutrality. For example, is the use of ad blocking software going against the basics of net neutrality?
Cloud Security and Big Data Analytics
Moving from buzzwords to actions
Infosec professionals, again, spoke more and acted less on cloud security and big data analytics. 2016 was a step forward, though. We were asking the right questions about cloud security. As shadow IT gained popularity, both traditional IT and infosec professionals were caught napping. To their credit, they did wake up and start moving in the right direction. We just hope the trend continues in 2017, and that cloud security and big data analytics do not remain conference buzzwords but become actionable for infosec professionals.
Infosec in attack and defence
Awareness and patching go a long way in cyber defence
Clearly, the biggest story here was the attack on Bangladesh Bank, in which $81 million was moved out through fraudulent SWIFT transfers, and the subsequent revelation that it was not the first such attack. The SWIFT network itself took much of the blame, unfairly: the attackers had compromised the bank's own systems and used its legitimate SWIFT credentials. The silver lining was that central banks and finance ministries woke up to cyber threats and issued cybersecurity directives.
Vulnerabilities in the WordPress and Joomla platforms suddenly made more than 700,000 websites vulnerable. WordPress and Joomla fixed the vulnerabilities quickly, but as usual, site owners did not patch as quickly.
LinkedIn revealed that 117 million credentials from its 2012 breach had surfaced for sale, stored as unsalted SHA-1 hashes that were cracked in short order, and urged users to change their passwords. Yahoo followed later in the year with disclosures of far larger breaches. Large websites have always been targets and the trend will continue in 2017.
A fake call centre in India phoned US citizens, posing as tax officials, and asked them to pay their 'taxes' in store gift cards. US citizens fell for it and the call centre earned close to INR 500 crore before being busted. Vishing at its best?
3.2 million debit cards were compromised in an attack on a payment processor's systems in India. It was followed by central bank guidelines and a secretive investigation that revealed no details to the public.
Uber was caught leaving its key under the doormat: a database credential was sitting in a public GitHub page, and that credential was used to pull driver records out of the database. Was it a lapse of process? Or is it infosec professionals not believing in processes and trusting technology solutions to do the job?
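Leaked credentials of this kind can be caught before a commit ever leaves the laptop. The following is an added example, my own code and not Uber's or any product's tooling, of a minimal secret scanner of the sort run as a pre-commit hook or over `git log -p`: a few pattern rules for well-known key shapes, a keyword-assignment rule with a placeholder allow-list so that `PASSWORD=${PASSWORD}` does not page anyone, and a Shannon-entropy check for long random-looking tokens. The 4.5 bits-per-character threshold is borrowed from truffleHog's base64 setting and is an assumption; the config it scans is constructed and every value in it is made up.

```python
import math
import re
from collections import Counter

# Rules for credential shapes that are recognisable on sight (constructed for this example).
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # user:password@host inside a connection URL, the classic database-key leak.
    ("credential_in_url", re.compile(r"://[^/\s:@]+:[^@\s]+@")),
]
# keyword = value, e.g. SMTP_PASSWORD="hunter2" or api_key: abc123
ASSIGNMENT_RULE = re.compile(
    r"(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^'\"\s]+)",
    re.IGNORECASE,
)
PLACEHOLDERS = {"changeme", "password", "secret", "xxx", "todo", "null", "none"}
# Long runs of base64/hex/identifier characters; checked for randomness below.
TOKEN_RULE = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed, after truffleHog's base64 setting


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0 for a repeated character, 5 for 32 distinct ones)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """True for template variables and obvious dummy values that are not real secrets."""
    v = value.strip("'\"").lower()
    return v in PLACEHOLDERS or v.startswith(("${", "<", "%(", "{{"))


def scan_text(text: str):
    """Return [(line_number, rule_name), ...] for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERN_RULES:
            if rx.search(line):
                findings.append((lineno, name))
        m = ASSIGNMENT_RULE.search(line)
        if m and not is_placeholder(m.group(1)):
            findings.append((lineno, "credential_assignment"))
        for token in TOKEN_RULE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_token"))
                break
    return findings


def scan_file(path: str):
    """Scan one file on disk; decoding errors are ignored so binaries do not abort the hook."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read())


# Constructed sample config; every value below is made up and none is a real credential.
SAMPLE_CONFIG = """\
# constructed sample config; every value below is made up
DB_URL=postgres://app_user:S3cr3tDbPassw0rd@db.internal:5432/prod
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
SMTP_PASSWORD="hunter2"
API_TOKEN=changeme
ADMIN_PASSWORD=${ADMIN_PASSWORD}
SESSION_SIGNING_KEY=abcdefghijklmnopqrstuvwxyz012345
DEBUG=true
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE_CONFIG):
        # Report the rule and line only; never echo the secret itself into logs.
        print("line %d: %s" % (lineno, rule))
```

Wired into a pre-commit hook this fails the commit, which is the cheap moment to catch it. Once a key has reached a public repository the only remedy is rotation: removing the commit does not unpublish it, and history rewriting does nothing for whoever already cloned it.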
On the defence side of things, there was general concern about CVE, the system for cataloguing disclosed vulnerabilities. There were inordinate delays from the time a bug was reported to the time it received a CVE identifier, which is what scanners and patch-management tools key on. Meanwhile, such bugs could be sold on the dark web and used for big ticket exploits. In 2017, we hope to have a better, mature and faster system for reporting and tracking vulnerabilities. Awareness and patching go a long way in cyber defence.
General Infosec news in the year
More women, fewer passwords. Be a business enabler and support open source.
There were discussions about women in the cybersecurity workforce. A gender balance does help any profession to be well rounded in its thinking. The regular voices in the back of our heads said: "be business enablers, don't just be compliance officers." We listened to some of it and ignored the rest. We realised that passwords are the root cause of all evil and decided to have a go at finding passwordless systems. Google and Amazon led experiments towards that. Yahoo did some work around it too. A future without passwords is either a more secure future or an Orwellian one. Take your pick. Some governments, Bulgaria among them, passed laws mandating open source for software written for the state. Blockchain-based transactions were piloted. We don't know their security benefits yet.
2016 saw infosec take centre stage. We hope that 2017 sees infosec take centre stage again - for all the good reasons.