Tech news and more ....
Business and Technology area.
Wednesday, December 21, 2016
#Security Predictions – 2017
Each year organizations from around the world start looking at the new year and try to make predictions on what will occur. The security industry is no different. Our WhiteHat team has gathered their thoughts on predictions for 2017 and new vulnerabilities or trends that might emerge in 2017. I hope you find their predictions a great way to kickstart 2017 planning and start implanting some thoughts on how to protect your applications in the coming years as threats continue to increase. We are a small security community with pretty much the entire world trying to attack our applications. I’m proud and honored to start the conversation about how we can fight back and protect our assets and our customers.
We’ll start out with my prediction.
Every year around this time people start asking me what I think the cyber security trends for the next year are going to be. What new vulnerabilities are going to come out? Is IoT going to be hacked in a major way? Will self-driving cars start smashing into each other because they’re connected to the Internet? All are valid questions and any of them could occur next year. However, I unfortunately predict a somewhat bleaker and kind of boring thing will happen…
Nothing will change. Companies will continue to get breached because of simple vulnerabilities. We have seen year after year that vulnerabilities we knew about at the turn of the century continue to be exploited leading to massive data breaches that affect both companies, and their users.
Cross site scripting and SQL injection continue to be found on site after site after site. Here at WhiteHat, we still find cross site scripting on about 50% of all sites we assess. SQL injection which leads to database breaches still occurs on about 6% of all sites. It’s staggering that we haven’t learned from the past and continue to introduce these easily exploitable vulnerabilities.
As a security community, we need to do a better job. We need to start training all developers on secure coding from day one. Universities need to start teaching secure coding to all computer science majors. The security teams need to share their knowledge with the developers and the rest of the company. We need to tear down the walls that so often pop up between the different organizations. Only then can we start to make forward progress on stopping the bad guys.
Ok, enough of my predictions and recommendations. On to the predictions of some of the team here at WhiteHat…
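The two vulnerability classes named above, SQL injection and cross site scripting, come from the same mistake: untrusted input is concatenated into a query or a page instead of being handled as data. The Python script below is an added illustration, not code from the WhiteHat post; it uses an in-memory SQLite table and constructed probe strings to show each vulnerable form beside its corrected form (a parameterised query, and HTML escaping at the output point).

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # The input is spliced into the SQL text, so a quote in it rewrites the WHERE clause.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the value travels separately from the statement and is
    # only ever compared as a string, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def greeting_vulnerable(name):
    # Reflecting the raw value into HTML lets a "name" carry markup or script.
    return "<p>Welcome, " + name + "</p>"


def greeting_safe(name):
    # Escape at the output point so the browser renders the value as text only.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed probe inputs for the demonstration.
    sqli_probe = "nobody' OR '1'='1"
    xss_probe = "<script>alert(1)</script>"
    print(find_user_vulnerable(conn, sqli_probe))  # both rows: the WHERE clause became a tautology
    print(find_user_safe(conn, sqli_probe))        # []: no user has that literal name
    print(greeting_vulnerable(xss_probe))          # the script tag reaches the page intact
    print(greeting_safe(xss_probe))                # &lt;script&gt;...: rendered as harmless text
```

The fix is the same in both cases: keep data and code on separate channels. With the parameterised query the database never parses the input, and with escaping the browser never interprets it.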
Marc Druzin, Product Management
(Reference: http://spectrum.ieee.org/cars-that-think/transportation/systems/its-now-temporarily-legal-to-hack-your-own-car)
Cars are a key target for hackers
There will be a lot more surfaced vulnerabilities in cars next year. You can bet as soon as newer models come out with more auto-driving/steering and logically, interconnected features, the hack-a-thon will be on.
Antoine Baisy, Threat Research Center
Cars are a key target for hackers
There will be a published hack for Google Home or the Amazon Echo
So, when I gazed into my crystal ball located conveniently on my desk, two major events appeared in the mist. One is another remote hack on self-driving cars which will continue to hammer home that they need to be properly secured before they are released to the masses. The other is a published hack for either the Google Home or the Amazon Echo. The Echo has been out for two years and it’s been solid so far. However, with the Google Home emerging, the always-on microphones in people’s homes are a serious concern for the general consumer. I’ll trust both Google and Amazon to patch the hacks before they are published, but I do think both devices have a target on them in the hacking community. If you believe crystal balls, that is.
Brian Williams, Threat Research Center
DDoS attacks like Mirai will continue.
DDoS attacks are likely to become a big problem.
The record-breaking Mirai botnet, and the subsequent release of its source code, was some of the biggest security news that we saw this year. The malware first reared its head back in September, when it was used to deliver a record-breaking DDoS attack on Brian Krebs’ security blog. Mirai exploits default passwords on Internet of Things devices, such as routers, security cameras, and DVRs in order to gain control of them. Thousands of devices are infected at once, and then used to deliver a massive barrage of requests to a target victim, unloading up to 700 gigabits of data per second. Directly following the attack on Brian Krebs’ blog, the source code for Mirai was released to the public.
On October 21, Mirai was used to take down the DNS provider, Dyn. By targeting Internet infrastructure, attackers were able to deny service to a large number of websites for most of the day, including Twitter, Amazon, Tumblr, Reddit, Spotify, Netflix, and GitHub.
Since the source code of Mirai is easily obtained, I expect that DDoS attacks of this nature will continue.
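Because Mirai recruits devices by trying a small set of factory usernames and passwords against everything it can reach, the first thing a defender sees on the device side is a burst of failed logins from several sources cycling through the same few account names, often followed by a single success. The Python script below is an added example, not part of the post or of any WhiteHat tool; it works on a constructed, simplified authentication log format (timestamp, device, result, user, source) rather than any real daemon's syslog output, and flags both the scanning burst and the success-after-failures pattern that suggests a weak credential matched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example, not a real daemon's output):
#   <ISO timestamp> <device> auth result=<ok|fail> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth result=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: dvr-7 is being scanned from three addresses and finally
# gives in; cam-2 shows an ordinary user who mistyped once and retried later.
SAMPLE_LOG = """\
2016-10-21T11:00:01 dvr-7 auth result=fail user=root src=198.51.100.9
2016-10-21T11:00:02 dvr-7 auth result=fail user=admin src=198.51.100.9
2016-10-21T11:00:02 dvr-7 auth result=fail user=root src=203.0.113.44
2016-10-21T11:00:03 dvr-7 auth result=fail user=admin src=203.0.113.44
2016-10-21T11:00:04 dvr-7 auth result=fail user=root src=192.0.2.17
2016-10-21T11:00:05 dvr-7 auth result=ok user=root src=198.51.100.9
2016-10-21T11:30:00 cam-2 auth result=fail user=alice src=192.0.2.200
2016-10-21T11:45:00 cam-2 auth result=ok user=alice src=192.0.2.200
"""


def parse(log_text):
    """Turn matching lines into event dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "device": m["device"], "result": m["result"],
            "user": m["user"], "src": m["src"],
        })
    return events


def find_credential_scans(events, window=timedelta(minutes=5), min_failures=4, min_sources=2):
    """One alert per device whose failed logins, inside a sliding window, come from
    several sources: automated credential scanning rather than a forgetful user."""
    by_device = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_device[e["device"]].append(e)
    alerts = []
    for device, fails in by_device.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            burst = fails[start:end + 1]
            sources = {e["src"] for e in burst}
            if len(burst) >= min_failures and len(sources) >= min_sources:
                if best is None or len(burst) > best["failures"]:
                    best = {"device": device, "failures": len(burst),
                            "sources": sorted(sources),
                            "users": sorted({e["user"] for e in burst})}
        if best:
            alerts.append(best)
    return alerts


def find_likely_compromises(events, window=timedelta(minutes=5), min_failures=2):
    """A success from a source that was failing repeatedly against the same device
    moments earlier: the attempt that finally matched a weak or default credential."""
    hits = []
    recent = defaultdict(list)  # (device, src) -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["device"], e["src"])
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window]
        if e["result"] == "fail":
            recent[key].append(e["ts"])
        elif len(recent[key]) >= min_failures:
            hits.append({"device": e["device"], "src": e["src"],
                         "user": e["user"], "prior_failures": len(recent[key])})
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in find_credential_scans(evs):
        print("scan:", alert)
    for hit in find_likely_compromises(evs):
        print("likely compromise:", hit)
```

The thresholds are deliberately conservative defaults; the point of the two functions is that the scanning burst and the success-after-failures event are separate signals, and the second is the one worth paging on. The durable fix is the one the post implies: ship devices with unique credentials and no factory password to guess.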
Jeannie Warner, Security Manager
The social and political unrest around the world will encourage a dramatic rise in Hacktivism.
I foresee the return of Anonymous, cranking up U.S. operations to unheard-of new levels. We’re all used to www.whitehouse.gov and www.cia.gov being constantly attacked, defaced, and taken offline. With all of the anger and frustration of the 2016 U.S. elections, we’re going to see a lot more attacking, DDoS, and exposure attacks of many media outlets, right- and left-leaning special interest groups, and definitely the FBI. Anonymous already stands with Standing Rock and the protests there. There will likely be a lot more attacks on big oil, as well as state-level sheriff and police supporting these kinds of activities. The gloves seem to be off on the topic of fair play. Google and Facebook are both declaring they are working at eliminating the fake news issues that plagued social media over the last 12 months. What will come of it remains to be seen, but I predict there will be a lot of focus on new natural language processing technology examining ad filters and URL processing as part of web applications.
New guidelines will emerge from organizations such as NIST requiring that application security vendors partner with device manufacturers and testing labs to deliver secure IoT systems.
The Internet of Things is growing daily, with smart devices and controlling applications at the core of every business from Healthcare to smart cars and smart buildings. It’s essential to protect smart anything from attackers attempting to exploit their vulnerabilities – and I’m expecting/hoping to see a shift from the term “security” to “safety”, as well as an increase in legislation mandating increased rigor of testing. In the same way manufacturing safety testing via the American National Standards Institute controls new releases in devices, I think that the National Institute of Standards and Technology’s SP 800 or a similar body will form guidelines for a comprehensive security assurance through the integration of dynamic application scanning technology and rigorous device controls testing. Commonalities in all IoT systems include controls for tracking and sensing interfaces, combined with web- or mobile-enabled control applications which combine to expand the borders of the security ecosystem. New guidelines will (ideally) force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping the innovative organizations to manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure products.
Dan Lacey, Threat Research Center
Nothing will change.
Attackers will continue to discover and exploit zero-days. Companies large and small will continue to lose data and money to the usual attacks, often because they didn’t take basic security precautions. Individuals will continue to lose money in the usual ways, often because they lack basic knowledge of Internet safety. Manufacturers will continue to produce Internet-connected devices with no security, or easily bypassable security, enabling attackers to hijack them. Someone might pass laws mandating that new Internet of Things devices have security, but those laws will be unenforceable and impossible to apply retroactively.
No one will deploy a better authentication system than passwords.
The government will continue to press for increased surveillance including backdoors.
Whitehatsec.com
Tuesday, August 11, 2015
Internet of Things device security degrades over time #IoT
Connected home devices may be secure enough off the shelf but this doesn't mean this will always be the case, tech firms have warned.
Symantec
The security of smart home devices must become sustainable to keep consumers safe, the Open Trust Alliance has warned.
The Internet of Things (IoT) and the concept of the connected home is an emerging industry. IoT devices can make our daily lives more efficient, but manufacturers are yet to get up to speed when it comes to security -- and a constant stream of research concerning smart systems has revealed just how easy it can be to exploit vulnerabilities and manipulate these kinds of devices.
Formed in January this year, the 100 member-strong Open Trust Alliance (OTA) -- counting members including AVG, Microsoft, Symantec and Target -- believes that an industry-based set of guidelines may push designers and manufacturers in the right direction, and begin to view security as a critical part of the production process.
Security, privacy and the often-overlooked area of sustainability are of particular interest to the OTA. According to the group, sustainability means how devices are kept secure after circumstances change and warranties expire.
Without it, attackers could end up "remotely disabling house alarms, opening garage doors, infiltrating fitness wearables to spy on health vitals, or creating mayhem by sabotaging connected appliances," according to the non-profit.
OTA says that unless sustainability becomes part of the IoT security question, devices which may have been secure at the time of purchase will eventually become flawed over time -- and could become more susceptible to outside influence.
As a result, the OTA has developed and released the Internet of Things Trust Framework, a set of guidelines designed to "address IoT risks comprehensively." The guidelines are focused on IoT manufacturers and retailers designing and marketing connected devices in the home automation and consumer health markets, including smart home systems and wearable technologies.
The OTA includes a number of proposed best practices for IoT security and sustainability within the framework. Among the guidelines, the OTA suggests that privacy policies should be made readily available for review prior to purchase, all personally identifiable information should be encrypted or hashed, and companies should be ready to disclose data collection practices prior to the purchase of connected device products.
In addition, OTA says IoT manufacturers should disclose whether or not users have the ability to delete or make anonymous such data once a device reaches its end-of-life or is discontinued -- an important facet when you consider how home circumstances can change.
"The rapid growth of the Internet of Things now includes thousands of connected products, yet it's shocking how little planning there has been for these devices becoming part of everyday life," said Craig Spiezle, Executive Director and President of OTA.
"For example, what if someone sells a house with a smart thermostat or garage door? How do you ensure the old owner doesn't access the devices once the new owner moves in? Or what if a hacker finds a vulnerability to activate your smart TV's camera or microphone? We also need to look at the collective impact when hundreds of thousands of these devices are compromised at once, impacting critical infrastructure and the smart grid, and diverting first responders."
The OTA is also in the midst of creating a voluntary code of conduct for IoT manufacturers to join.
Last week, critical flaws were discovered in the ZigBee standard, a popular backbone system used by IoT device manufacturers ranging from Samsung to Philips. The vulnerabilities potentially allow cyberattackers to take over any device connected to a ZigBee-based controller hub.
Zdnet.com