Forrester predicts that more than 500,000 internet of things (IoT) devices will suffer a compromise in 2017, dwarfing Heartbleed. Drop the mic — enough said.

The sheer velocity with which distributed denial-of-service (DDoS) attacks spread through common household items such as DVR players makes this sector scary from a security standpoint.

“Today, firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly,” write Forrester analysts.

The analyst firm adds that when smart thermostats alone exceed 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed. Security as an afterthought for IoT devices is not an option, especially when you can’t patch IoT firmware because the vendor didn’t plan for over-the-air patching.

Alex Vaystikh, co-founder/CTO of advanced threat detection software provider SecBI, says small-to-midsize businesses and enterprises alike will suffer breaches originating from an insecure IoT device connected to the network. The access point will be a security camera, climate control, an old network printer, or even a remote-controlled lightbulb. This was demonstrated in September in a major DDoS attack on the web site of security expert Brian Krebs. A hacker found a vulnerability in a brand of IoT camera and caused millions of them to simultaneously make HTTP requests to Krebs’ site.

“It successfully crashed the site, but DDoS attacks are not a great way to make money. However, imagine an IoT camera within a corporate network being hacked.
If that network also contains the company’s database center, there’s no way to stop the hacker from making a lateral move from the compromised camera to the database,” Vaystikh said. “This should scare organizations into questioning the popular BYOD mentality. We are already seeing a lot of CCTVs being hacked within organizations.”

Florin Lazurca, senior technical manager at Citrix, believes that consumers will be a target of opportunity in 2017. Innovative criminal enterprises will devise ways to monetize potentially billions of internet-facing devices that often do not meet stringent security controls. “Want to browse the internet? Pay the ransom. Want to use your baby monitor? Pay the ransom. Want to watch your smart TV? Pay the ransom,” Lazurca says.

Mike Kelly, CTO of Blue Medora, says more connected devices will create more data, which has to be securely shared, stored, managed and analyzed. As a result, databases will become more complex and the management burden will increase. Those organizations that can most effectively monitor their database layer to optimize peak performance and resolve bottlenecks will be in a better position to exploit the opportunities the IoT will bring, he says.

Lucas Moody, CISO at Palo Alto Networks, says security has to be baked into IoT devices – not be an afterthought. The bloom of IoT devices has security practitioners in the hot seat, with industry analysts suggesting a possible surge up to 20 billion devices by 2020.

“Given the recent upward trend in both frequency and intensity of DDoS attacks of late, 2017 will introduce an entirely new challenge that security teams will need to contend with; how do we secure devices, many of which are by design dumb and, for that matter, cheap?” he says.

Large corporations are still challenged with finding security talent to manage security in the “traditional” sense, leaving IoT startups to fend for themselves in a digital economy.

Moody asks, can they keep up? For the interconnected future of cars, televisions and refrigerators, maybe, but when it comes to maintaining the security of smaller – and seemingly less critical – items such as toasters, thermostats, and pet feeders, it seems unlikely.

“Security has to be baked into these technologies from the conception and design stages all throughout development and roll-out. Security practitioners will need to do more than just scramble to develop strategies to address this pivotal trend,” he says.

Corey Nachreiner, CTO at WatchGuard Technologies, predicts that IoT devices will become the de facto target for botnet zombies. With the sheer volume of internet-connected devices growing every year, IoT represents a huge attack surface for hackers. More disturbingly, many IoT manufacturers do not create devices with security in mind, and therefore release devices full of potential vulnerabilities. Many of their products have vulnerabilities that were common a decade ago, providing easy pickings for cyber criminals.

Many IoT devices coming on the market have proprietary operating systems and offer very little compute and storage resources. Hackers would have to learn new skills to reverse engineer these devices, and they don’t provide much in terms of resources or data for the attacker to steal or monetize. On the other hand, another class of IoT products runs embedded Linux. These devices look very familiar to hackers. They already have tools and malware designed to target them, so “pwning” them is as familiar as hacking any Linux computer.

“On top of that, the manufacturers releasing these devices seem to follow circa 2000 software development and security practices.
Many IoT devices expose network services with default passwords that are simple for attackers to abuse,” Nachreiner says.

He cited the leaking of the source code for the Mirai IoT botnet. This botnet included a scanner that automatically searched the internet to find unsecured, Linux-based IoT devices and take them over using default credentials. With this leaked code, criminals were able to build huge botnets consisting of hundreds of thousands of IoT devices. They used these IoT botnets to launch gigantic DDoS attacks that generated up to 1Tbps of traffic, the largest ever recorded.

In 2017, criminals will expand beyond DDoS attacks and leverage these botnets for click-jacking and spam campaigns to monetize IoT attacks in the same way they monetized traditional computer botnets. Expect to see IoT botnets explode next year, he says.

Mike Davis, CTO at CounterTack, believes IoT will continue to be a part of the threat conversation in the coming year, but fundamentally there will be a massive change in the risks associated with the devices — it won’t be about security, it will be about patching.

Hold your IoT security hyperbole

Stan Black, CSO at Citrix, says we need to dispel security myths around emerging technology like IoT, machine learning and artificial intelligence.

“Many people are afraid to adopt these emerging technologies for fear that they may be their security downfall, but as with any technology, the same security 1-2-3s apply. Change the admin username and password, allow and enable devices on separate networks (separate from the networks used to pass sensitive data), create management and access policies, and above all, make sure that employees are educated about how, when and where to use these kinds of technologies,” he says.

Adoption of emerging tech like IoT can actually have more security benefits than challenges, if implemented correctly, Black says. The same goes for machine learning.
The security wave of the future includes these technologies, so it’s best for businesses to learn about them early, learn about the benefits and reap the rewards of clouds, devices and networks that can learn from, and adapt to, changing behaviors to make for a stronger security posture.

The wave of the future will be computers that can grant or deny access based on fingerprinted keyboards that can sense the amount of pressure your fingers normally apply. Taking advantage of benefits like these will help companies move to a new security infrastructure and mindset, he predicts.

“The mobile devices we depend on every day are loaded with sensors, heat, touch, water, impact, light, motion, location, acceleration, proximity, etc. These technologies have numerous applications including sensing motion and location to ensure people are safe when they travel,” Black adds.

These devices are rarely protected or maintained with the same vigor as corporate IT systems, making them generally more vulnerable to being compromised and drafted into a zombie army. This situation is nothing new, but in the next year we can expect to see “personal networks of things” reside in homes with gigabit internet connections — like those offered by Google and AT&T — and so make home networks far more interesting, especially if vulnerabilities in popular home devices can be exploited mechanically (e.g., how the Mirai botnet was built).

Consumers will need to protect their personal networks from this new version of Mirai botnets, creating demand for services that safeguard them. More importantly, vendors will need to adopt better standards for protection of devices.
If the Mirai botnet is any indication, the lack of security in device design is still quite profound, Black says.

Speaking of standards

Steven Sarnecki, vice president of federal and public sector at OSIsoft, pointed to the National Institute of Standards and Technology’s (NIST) National Cyber Center of Excellence for a glimpse of what is to come. NIST is currently piloting a project to assess how energy companies can better utilize connected devices to integrate and increase security, with hopes of sharing those best practices and insights across the energy sector.

“As more companies wake up to the reality of IoT security threats, these solutions will become more commonplace, enabling enterprises to markedly increase their security footprint with only minimal incremental cost,” he says.

Sarnecki adds that in 2017 he would expect a large portion of IoT users, especially within the enterprise and industrial spaces, to begin to seriously consider the “internet of threats” aspect posed by IoT to their networks. Energy companies, water utilities, and many other critical infrastructure sectors rely on connected devices to support their missions.

Jeannie Warner, security manager at WhiteHat Security, agrees that new guidelines will emerge from organizations such as NIST requiring that application security vendors partner with device manufacturers and testing labs to deliver secure IoT systems.

“The internet of things is growing daily, with smart devices and controlling applications at the core of every business from healthcare to smart cars and smart buildings.
It’s essential to protect smart anything from attackers attempting to exploit their vulnerabilities,” she says.

In the same way manufacturing safety testing via the American National Standards Institute controls new releases in devices, she believes NIST SP 800 or a similar body will form guidelines for comprehensive security assurance through the integration of dynamic application scanning technology and rigorous device controls testing.

Commonalities in all IoT systems include controls for tracking and sensing interfaces, combined with web- or mobile-enabled control applications that together expand the borders of the security ecosystem, she says. New guidelines will (ideally) force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping innovative organizations manage risk by identifying vulnerabilities early in development, continuing to monitor challenges during testing, and helping release more secure products.

Big data

The enterprise has paid attention to IoT for some time, though 2017 will be the year we move past the “wow” phase and into the “how do we securely and effectively bring IoT to the enterprise, how do we handle the high speed data ingest, and how do we optimize analytics and decisions based on IoT data,” says Redis Labs Vice President of Product Marketing Leena Joshi.

Mark Bregman, Chief Technology Officer at NetApp, believes 2017 will be about capitalizing on the value of data. The explosion of data in today’s digital economy has introduced new data types, privacy and security concerns, the need for scale and a shift from using data to run the business to recognizing that data is the business.

Off-line data analytics and threat hunting become endless money pits, says Gunter Ollmann of Vectra Networks. “We’re told, and we observe, that each year our corporate data doubles.
That power-of-two exponential growth, after merely four years of storing, mining, and analyzing logs for threats, means a 16-fold increase in overall costs — with an accompanying scaled delay in uncovering past threats.”

Cybersecurity will be the most prominent big data use case, says Quentin Gallivan, CEO of Pentaho, a Hitachi Group Company. As with election polls, detecting cybersecurity breaches depends on understanding complexities of human behavior. Accurate predictions depend upon blending structured data with sentiment analysis, location and other data.

This then opens another door for hackers. WatchGuard’s Nachreiner says attackers will start leveraging machine learning and AI to improve malware and attacks.

“In the past few years, cyber security companies have started leveraging these technologies to help defend our organizations. One of the big problems in infosec today is we are too reactive, and not predictive enough when it comes to new threats. Sure, once we recognize a piece of malware or a new attack pattern, we can design systems to identify and block that one threat, but hackers have become infinitely evasive. They have found techniques that allow them to continually change their attacks and malware so regularly that humans and even basic automated systems can’t keep up with the latest attack patterns. Wouldn’t it be great if we had technology that predicted the next threats instead?” he says.

Machine learning can help us do just that.
By feeding a machine learning system a gigantic dataset of good and bad files, or good and bad network traffic, it can start to recognize attributes of “badness” and “goodness” that humans never would have noticed on their own.

“Next year, I expect the more advanced cyber criminals to start somehow leveraging machine learning to improve their attacks and malware,” he says, adding that today, both good and bad guys have easy access to open source machine learning libraries like Google’s TensorFlow.

The security community as a whole will utilize big data more effectively in order to identify trends and threats, predicts Matt Rodgers, head of security strategy at E8 Security. “Organizations have the information they need, but they cannot find it. In 2017, companies will start looking at their data sets through advanced analytics to identify trends and risks. Big companies are already starting to augment their existing SIEM technology with behavior analytics capabilities to this end,” he says.