As usual, we have the requisite
Information Security Predictions for the coming New Year:
- Jeff Harris, vice president of solutions for Ixiamp, sees a ramp up in weaponization of the Internet of Things (IoT) to carry out widescale DDoS attacks in 2017
- James Carder, CISO of LogRhythm, predicts that in 2017 we could be in for a total shutdown of the Internet for up to 24 hours
- Lamar Bailey, senior director of security R&D at Tripwire, believes 2017 will see the return of the worm with IoT devices
- Bruce Snell of McAfee sees IoT malware opening a backdoor into homes
Netanel Rubin certainly agrees on
that last item, claiming the increased use of smart meters which utilize
insecure encryption and known-pwned protocols is a large threat. The utility hacker and founder of Vaultra derided global
governmental efforts to install the meters as reckless, saying the “dangerous”
devices are a risk to all connected smart home devices.
Here are my predictions:
- The majority of businesses and consumers will continue to ignore the changing threat landscape
- We will continue to connect anything and everything to the Internet (needed or not)
- We will continue to believe the Internet will always be available, so we will continue to rely on it for banking, emergency response, traffic and SCADA systems
- We will continue to learn nothing from recent history
To be sure, there will be no slowing
down of this pervasive cyber universe… until it breaks on a large scale. When
it does, get ready for invasive government oversight.
The other day I was setting up a
WiFi router access point to practice a small bit of hacking. As I was plugging
in the power brick for the device, I noticed it had a UL stamp. Underwriters
Laboratories (UL) is a global independent safety science company with more than
a century of expertise. UL claims to help safeguard people, products and
places in important ways, facilitating trade and providing peace of mind.
My WiFi router's power supply design
was reviewed, tested and carried an approval from UL. The actual access point
itself… not so much. No, the actual item that could be used to break into my
local network or participate in a DDoS attack had no stamp of approval. That
device’s design was reviewed by “who knows”, certified by “no one”, and carried
the stamp of “quales desit”.
It might surprise you to learn (it
did me) that UL actually has a Software
and Security discipline for cyber security. I hold many certs and I
have been in this business a long time. I never had the opportunity to hear a
vendor say, “You know our product carries a UL CAP (Underwriters
Laboratories Cybersecurity Assurance Program) stamp of approval”. I never learned about UL
CAP in any certification course.
UL CAP is a perfect example of why I
push so hard to professionalize the Information Security profession. How do such
potential paradigm shifts in this nascent cyber universe get traction with no
core and no leadership? My little power supply is certified to be safely
plugged into the power line, but my Internet Router carries no such
certification to be safely plugged into the Internet.