I've always hated security 'predictions'; they range from scientific guesses to self-serving marketing drivel, trending mostly towards the latter. But they do serve a purpose when done right, in that they draw attention to the trends currently happening and how they might play out in the future. Given that there's been more focus on the field of computer security in 2015 than in any year before, it's probably not a bad idea to look at how some of the most important trends of 2015 are going to play out in the coming year.
It's not a prediction, but rather a statement of fact, to say that computer security is only going to become more important in the coming year and gain even more public attention. We are at the start of a wave of changes that no one can accurately predict. Security professionals around the globe have lamented for years that business leaders haven't paid enough attention to our advice, but that's changing rapidly and has caught many people off-guard. One of the things we need to be able to do is understand some of the trends of today and where they might lead tomorrow. That is why predictions can actually be valuable, if taken with a grain (or perhaps a block) of salt.
So here is my view on how the top 5 security trends of 2015 will develop in 2016.
- DDoS extortion will become more common - In 2014 we saw a new threat, DD4BC, arise. In 2015 they went away, but were immediately replaced by the Armada Collective. Both groups sent threatening emails demanding the payment of a small number of bitcoins, otherwise the company's site would be taken offline. The success of these groups has led to the Armada Collective becoming more aggressive, and a number of copycats have arisen. There's no doubt in my mind this will continue into 2016 and get much worse as more criminals see the potential profits of DDoS extortion.
- The Internet of Things will be compromised - The Internet of Things (IoT) isn't a single technology or product, but rather a whole class of technologies and products, most of which were designed and developed with nothing more than a passing thought to security. As Christmas approaches, the best examples of the dangers of IoT are Hello Barbie and the compromise of toy manufacturer VTech. IoT devices are collecting more information about their owners than most people realize, and even if the devices are perfectly secure, the services behind these devices often leave a lot to be desired in terms of security. This data is valuable, and we'll see more compromises of the tools and toys of IoT, as well as of the companies that are collecting our personal data.
- Security won't improve markedly - This is one trend I hope I'm misreading for 2016, but nearly two decades in the security field tell me I'm not. Despite the many claims of security vendors that they have the one technology that can solve all of your security woes, no such product exists. Instead, we have to realize that we're looking at a long, slow haul of minor improvements to security, measured in decades, not years. Companies will find new, better ways to secure their systems, and attackers will find new, better ways to compromise them. Slowly, over time, we'll figure out how to do a better job of building software and systems that are secure from the ground up. It's actually more likely that security will seem to get worse in 2016, but that will be a symptom of organizations getting better at recognizing the indicators of a compromise, rather than of security getting worse.
- Government will have a major impact on security - China has always required access to all traffic on its Internet; Russia passed a law in 2014 mandating that its citizens' traffic stay in the country and be available to officials. Both the USA and the UK have been lobbying Silicon Valley companies to give them access to encrypted communications, and in the wake of the Paris attacks, France is considering outlawing Tor and public wifi access. Politics aside, it's clear that governments around the world are seeing the need to be heavily involved in legislating the Internet, and this will have a huge impact on the security of individual businesses as well as the Internet as a whole. If you're not paying attention to this changing landscape, then new legislation is going to blindside you, which is not a position any security professional should be in.
- The Unknowable Unknowns - While many of our concerns are about the things we can predict, there's never been a lack of unforeseen incidents. Every organization will have at least one incident in 2016 that couldn't have been predicted by extrapolating current trends into the future. The key, as security professionals, is to identify as many of the knowable threats as possible and then build a program that addresses the known threats while being flexible enough to deal with the unknown as well. Do you have a plan for rebuilding your web servers if they're compromised? Take it a step further: what if your AD servers are affected? Take it to the worst-case scenario and have a plan to deal with your whole network being wholly owned. It might sound like going overboard, but it's happened to Sony, to the OPM in the US, and it's probably happened to other organizations that haven't made the news yet. Review your processes and procedures with an eye towards making sure they support your goal of keeping your organization secure, even if something completely unforeseeable happens. What's your plan for the zombie apocalypse? It should probably look a lot like your plan for an infectious disease outbreak.
No one I know actually has a crystal ball and can see the future. The best we can do is the same thing science fiction writers and futurists have been doing for years, which is extrapolate current trends into the future and imagine where they might lead. The points above are a best guess about where current trends are leading us, but I feel fairly comfortable in predicting that all five will happen.