Cybersecurity Wishlist for 2018

Matti Suominen

January 2, 2018 at 07:47

2018 is finally here. The Internet is full of predictions on what 2018 will look like for cybersecurity and what attacks will be most prevalent or which technologies you should invest in. This year, I decided to turn the question around a bit. Instead of focusing on what will be the biggest security threats of 2018, I’ll focus on what trends I’d love to see across the cybersecurity domain and what companies can do to make things better for everyone.

Let's dive right in...

1. Trust Becomes Optional

I hope that during 2018, I can stop trusting most of the services I use and in return, actually trust them more than I do now.

Currently, using a service like Facebook or your bank, for example, requires that you trust them to secure their infrastructure perfectly for your data to be secure. While a company like Facebook has the resources to really do everything in its power to ensure this, as you move further down the line, you reach companies with very limited knowledge and resources to spend on security. It’s not rational to expect that a web shop operated by one person would have gone through all the hoops to get their service to be perfectly secure. Yet, we are still expected to give them our information. When the eventual hack happens, we act surprised that the service wasn’t perfectly secure. Who would have guessed.

When it comes to personal data and other valuable information, I would love to see more centralized services which store your data in a secure manner and then make it available to third parties based on your consent. Facebook and other services already do this to a degree by allowing you to log in with Facebook credentials and then share some limited amount of data from Facebook with the services. When implemented correctly, the service itself won’t store your information and just gets what it needs on demand from Facebook. If you remove your data from Facebook, it’s also gone from the service. Facebook essentially acts as a data broker and ensures that the data is stored only in services which can afford to implement proper security. The third-party service could in theory be less secure and still pose a much lower risk to individuals using it.

This idea can be taken further to get towards a model where you as a user don’t really need to trust the services you use. Obviously, there are all sorts of caveats that would fill an article, but the basic model is sound. It doesn’t have to be an all-or-nothing deal either. Any amount of information we can move away from insecure data stores is a net gain.

2. Shifting Security from Humans to Machines

I hope that 2018 moves responsibility for security away from humans and recognizes that we are naturally better at trusting people.

Every year, technology becomes better and more reliable. Yet, every year we are stuck with the same flawed humans who fall for the same ridiculous social engineering attacks. If we had a time machine and could go back to the Stone Age, I bet that somewhere Ogg the Caveman figured out that the easiest way to get Ugg to do something he wasn’t supposed to do was to simply ask. Everyone has been to dozens of awareness trainings and seen endless articles about learning to spot these tricks, and still they work like a charm. It’s a battle we already lost in the Stone Age, with Ogg the Caveman as the champion of social engineering for all generations to come.

As more and more processes become automatic and don’t rely on human input, we don’t have to worry about inconsistent humans getting in the way. When I log in to a service, I’m facing a login interface that simply takes my password, verifies it and decides if it should grant me access. It tends to work every time once the implementation is done properly. With humans, something like authentication over the phone is notoriously horrible, as the silliest confidence tricks or cold reading techniques can work wonders.

3. Authentication Starts Making Sense

I hope that 2018 is the year when alternative authentication methods finally become prevalent and are in most products by default, replacing passwords entirely.

I wrote an article about password guidelines almost a year ago. At the time, NIST changed their guidelines to move away from concepts like regular forced password changes to get people to use better passwords. In my article, I mentioned that my strategy for secure authentication was to type in random passwords that I couldn’t possibly remember and reset my password through e-mail every time I log in to services I rarely use. This remains my method for a lot of services and it works wonders.

Do you know what the “best practices” for choosing passwords are currently? I don’t, and I’m often asked to provide recommendations and guidelines on the topic. Depending on which article or standard you read, you find different types of methods for generating extremely long passwords that are impossible for anyone to remember. Some don’t even bother and just recommend “secure” passwords, leaving the definition of “secure” up to the reader. Usually this means that the writer didn’t even want to suggest anything as it would either be horribly insecure or completely unrealistic.

4. Backups and Remote Storage Become Mainstream

I hope that 2018 makes ransomware less profitable through investments in technologies that make the attack irrelevant.

Ransomware was the big trend of 2017 that won’t go anywhere in 2018. Encrypting data stored on PCs or servers is a great way to force the victim to pay up if they can’t recover the data. When the ransom is small enough, depending on the effort involved in recovering the files, it may still be beneficial for the victim to pay to get business back online.

Ransomware as a business model obviously doesn’t work if the servers can be reset and data recovered easily from a backup that doesn’t get compromised as part of the attack. Nobody would pay anything if they could just click a button and jump back to an earlier state, erasing all the damage done by the attack. What ransomware and attacks that encrypt data have shown is just how poorly systems are being backed up in practice. Either the systems simply haven’t been backed up at all or the backup isn’t very easily accessible.

There are lots of methods that could help here. Having up-to-date backups obviously helps, especially backups which cannot be erased from the same system that is making them. Similarly, using remote storage which is securely backed up from workstations makes the workstations themselves rather immune to these attacks.

5. IoT Security Becomes the Default

I hope that 2018 is the year when IoT platforms offer secure defaults in a manner that makes it preferable to implement security over not implementing it.

IoT is here to stay. 2017 was a year of increased adoption of new IoT devices and business models for many companies that traditionally weren’t involved in the field. With the increased adoption, we also saw an increase in security problems as poorly secured devices jumped on to the Internet, only to become targets for hackers and automatic scripts looking for new victims.

Many of the problems with IoT devices are quite trivial. Maybe it’s the connectivity that hasn’t been secured at all. Often, it’s the lack of security patches or even the inability to install them on the devices in the field. Whatever the case may be, huge increases in the number of connected devices have created a significant number of new targets that are now out there.

IoT platforms and devices could do a lot to default to secure approaches instead of dropping the bar to the floor and using that as a benchmark for security.

6. Fake News Becomes Old News

I hope that 2018 marks the rise of new methods for propagating verified and trusted security information from credible sources.

Fake News has become a buzzword during 2017. Gartner predicts that very soon we’ll consume more fake news than real news and it becomes increasingly harder to tell the two apart. The domain has become a war zone between systems creating fake information for various reasons while other systems attempt to identify what is real and what isn’t. As with most things, it’s generally easier to create something that is fake than it is to tell fake and real items apart.

This trend is also apparent in the security domain. Every time there is a major security incident that makes the headlines, wrong information starts spreading and sometimes becomes even more visible than the real information. Mitigation recommendations are often wrong and can vary greatly between different sources. Due to the speed at which information propagates between sources, nobody seems to quite remember how they got to believe that the recommendations they are giving are true. Some recommendations leave the systems vulnerable at best or are outright harmful in the worst cases.

Although often this happens by mistake – wrong information spreads and is difficult to correct – it’s also possible that wrong information is passed around by design. The first thing most people do when facing a security problem is to look up answers online. Relying on complete strangers and shady websites for guidelines and best practices is a common practice in such situations. This opens a way for a malicious party to spread misinformation that may spread even faster than any malware ever could.

Having good ways for communicating trusted information is going to be critical as we move forward. Being able to tell which parties to trust and what their track record is will be the only way to ensure that the information you are reading and acting upon is true and benign.