The high-water line in information security gets higher each year. Just as we think we’ve finally figured out how to defend against attacks, attackers come up with something new and we are right back to trying to figure out what to do next.

For example, ransomware has surged in the last year. Although that kind of malware has been around for years, the current model of encrypting user files to hold data hostage came about just recently. Infections quadrupled in 2016, with the FBI estimating an average of 4,000 attacks a day. A recent IBM survey of 600 business leaders in the United States found that one in two had experienced a ransomware attack in the workplace, and that companies paid the ransom 70 percent of the time. As a result, criminals are on track to make nearly $1 billion this year from ransomware, IBM X-Force said.

And there’s been seemingly no end to hackers getting into corporate databases. Just ask Yahoo. Or the Democratic National Committee. Even the FBI was able to find a firm to hack into the Apple iPhone 5c, which for a while seemed unhackable.

For IT and security professionals, this endless firefighting gets exhausting. Old threats come back in new forms, and new attacks keep making the list of things to worry about even longer. Malicious Word macros are back. Exploit kits still love Flash. SMS text messages with one-time codes for second-factor authentication proved hackable. It all makes you want to give up and curl up in a dark corner.

But 2016 wasn’t all bad news for enterprise security, and there are some wins that give hope for a more secure future.

1. We’re looking at passwords in a better light

Authentication, especially how we use passwords, was a recurring theme with every data breach.
Yes, password reuse is still a problem and weak passwords like “password1” and “123456” are still a thing, but we are seeing more people use password managers to secure their online accounts and fingerprint sensors to lock their physical devices. “Biometrics will no longer be seen as novel in 2017, but necessary,” said Daniel Ingevaldson, CTO of security company Easy Solutions.

There are fingerprint sensors on the market today with security features including TLS 1.2 and 256-bit encryption, anti-spoofing technologies, live-or-dead detection, and match-in-sensor architectures, said Anthony Gioeli, a vice president at Synaptics’ biometrics division. Apple has had hardware-secured fingerprint sensors in its mobile devices for several years, and now in its newest MacBook Pro. Samsung and Google use similar technology in their latest smartphones. And Microsoft has built in support for biometrics in Windows 10 and beefed up the security in this year’s Windows 10 Anniversary Update.

The National Institute of Standards and Technology is also tackling the problem. The draft version of the Digital Authentication Guideline document includes new guidance on password policies, such as allowing for longer passwords; allowing spaces and other characters; removing special-character requirements (such as what combination of letters, numbers, and non-alphanumeric characters must be used); and doing away with password hints.
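As an added illustration (not from the article, and not NIST's own text), the Python check below puts a legacy composition-rule policy beside one in the spirit of the draft guidance just described: length instead of character-class rules, spaces and other characters allowed, and a check against a list of commonly used or compromised values. The 8/64-character bounds and the sample blocklist are assumptions made for the example.

```python
import unicodedata

# Constructed sample of a "commonly used / compromised" list. A real deployment
# would load a breached-password corpus or a large dictionary instead.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "p@ssw0rd1", "letmein"}


def legacy_policy(password: str) -> list:
    """Old-style composition policy: 8-16 chars, upper+lower+digit+symbol, no spaces.
    Returns the list of rule violations (an empty list means accepted)."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16 characters")
    if " " in password:
        problems.append("spaces not allowed")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("needs a special character")
    return problems


def draft_policy(password: str, blocklist=BLOCKLIST) -> list:
    """Policy in the spirit of the NIST draft: a minimum length, a generous maximum,
    any printable Unicode including spaces, no composition rules, and a blocklist
    check in place of complexity requirements. Bounds are assumptions for the example."""
    problems = []
    # NFKC normalisation so visually identical Unicode forms are treated the same
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < 8:
        problems.append("too short: at least 8 characters")
    if len(normalized) > 64:
        problems.append("too long: at most 64 characters")
    # Reject control characters (Unicode categories Cc, Cf, ...) but nothing else
    if any(unicodedata.category(c).startswith("C") for c in normalized):
        problems.append("control characters not allowed")
    if normalized.casefold() in blocklist:
        problems.append("password is on the blocklist of commonly used or compromised values")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "correct horse battery staple"):
        print(repr(pw), "legacy:", legacy_policy(pw), "draft:", draft_policy(pw))
```

Note how the two policies disagree in both directions: the legacy rules accept a blocklisted value that merely ticks the character-class boxes and reject a long passphrase, while the draft-style rules do the opposite.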
NIST also said in the draft that sending unique passcodes via SMS messages should not be used as part of a two-factor authentication scheme, and that stronger authentication schemes should be adopted. Although the guidance is still in draft form and the official public comment period doesn’t start until early 2017, IT departments can use it to start thinking about how to improve authentication, such as rolling out multifactor authentication and changing password requirements.

Another bonus: NIST’s Mary Theofanos said mandatory password changes don’t make sense, so IT departments can now work on alternative methods — and stop torturing users.

2. We may finally be taking IoT security seriously

Last year, we could see the ransomware wave coming. This year, it’s internet of things (IoT) security — or the extreme lack thereof — that is clearly on the horizon.

The distributed denial-of-service (DDoS) attacks this fall, which spread through home security cameras, VCRs, and other connected devices, took down the internet and seemed to be the industry wakeup call that finally worked. Made up of compromised IoT devices, the Mirai botnet launched large attacks against French service provider OVH, the website of security blogger Brian Krebs, and networking company Dyn.

The last time DDoS was the big story, it was about hacktivists and online pranksters targeting financial websites and other visible targets. This time, botnets are launching large, multivector attacks that can exceed 1 terabit per second — and interrupt internet access for millions. Security experts have been warning for some time about the millions of devices that are connected to the internet without even the most basic security features, so the Mirai attack shouldn’t have been a surprise. And with Mirai’s source code publicly available, it is safe to assume there are other IoT botnets waiting in the shadows to strike. With all these devices connecting to the internet, we are ripe for an IoT worm, said Lamar Bailey, senior director of security research and development at Tripwire. Fixing the problem will require a lot of coordination, creativity, and persistence, but perhaps people are actually seeing the risks.

The silver lining is that the Mirai attack was a “fairly cheap lesson in what a compromised IoT [threat] would look like while there’s still time to do something about it,” said Geoff Webb, vice president of solution strategy at Micro Focus. But IoT vendors need to get serious about security fast — and consumers should avoid their products until they do.

3. We’re getting other benefits on the coattails of new security technology

It’s always a good sign when adopting something for security reasons winds up having other benefits. New protocols like Transport Layer Security (TLS) 1.3 and HTTP/2 will make the web safer, but there are clear performance improvements as well. It’s very likely the uptick in adoption of TLS 1.3 and HTTP/2 by web developers will be spurred by the increased speeds the protocols enable, said Ryan Kearny, CTO of networking company F5 Networks. “In 2017, the increase in web speed will spur rapid adoption of TLS 1.3 — and that will, in turn, make the web more secure,” Kearny said.

4. We’re getting more realistic about security

Security was one of those things people never really understood. TV shows and movies didn’t help, with slick graphics and fancy dramatizations of what hacking supposedly looks like. Then along came the TV show “Mr. Robot,” and the show’s star, Rami Malek, won an Emmy for his portrayal of Elliot Alderson. “Out of all the attempts that Hollywood has made to tell a compelling story using cyber as the backdrop, Mr. Robot is the most complete,” said Rick Howard, CSO of networking security company Palo Alto Networks.

If nothing else, nonsecurity professionals now have a better understanding of just how bad things can get. It’s no longer just that one weak password, one link in an email, or that one old software application that hasn’t been updated. There is no need to oversensationalize the security issues in “Mr. Robot” — the reality is bad enough.

That better understanding should help users understand why they need to pay more attention to at least the security basics. And why they keep getting breach notices from the likes of Yahoo and Dailymotion.

But it doesn’t help that there’s still a culture of silence about breaches among security pros and the companies they work for. No one likes to talk about their failures or to be a headline. But because no one is sharing what mistakes were made, the same breaches keep happening over and over.

That’s why the formation of new Information Sharing and Analysis Centers (ISACs) is a positive — though small — development, a sign of realism creeping into the security professionals’ culture, too. Although existing ISACs and commercial information-sharing platforms are expanding to include more enterprises, they need to become even more widespread.

Developers have plenty of places where they can post code snippets and get programming help. IT and security professionals should have forums where they can share their security stories, ask questions without judgment, and learn about what worked for their peers, said Jeannie Warner, a security strategist at WhiteHat Security. “The bad guys have Tor, Reddit, and other social networks to share information and tools. The good guys need to adopt theirs just as freely,” Warner said.

It’s easy to see information security as a never-ending stream of attacks. Perhaps the most distressing thing about the year’s outages and breaches is the fact that there is an awful lot happening that IT doesn’t know about. Security experts frequently warn that just because there is no evidence of a breach doesn’t mean there isn’t a breach. That was definitely true at Yahoo: The internet company disclosed two gigantic breaches, but the scariest thing wasn’t the number of victims — it was the fact that they happened years ago and no one even suspected.

“We went years with billions of records being sucked out from right under our noses and we didn’t even know it,” wrote security expert Troy Hunt. He called the current mindset “conscious incompetence,” where we know we have a big problem. That’s a better place to be than the previous stage, where the prevailing attitude was, “It won’t happen to me.”

The big question is knowing where to go next. “How much more are we going to discover over the next year? Or not discover at all?” Hunt asked. If we’re finally getting real about security, and come out of the shadows, we should finally begin to make real progress.

5. We may finally get security promises we can bank on

As consumers, we demand money back when we are not satisfied with a product’s performance or functionality. But IT typically doesn’t get that option with security products. Only 25 percent of U.S. IT security decision-makers said their primary security vendor is willing to guarantee its product by covering the costs of a breach, including lawsuits and ransoms, according to a recent survey by endpoint security company SentinelOne. But most IT security professionals in the survey said they would like security vendors to offer a guarantee that their products would deliver on their promises — and 88 percent claimed they would change providers if a competitor offered such a guarantee.

“The industry has reached a tipping point, where security vendors will need to guarantee that their products will hold up against cyberattacks and assume responsibility if they fail to do so,” said Jeremiah Grossman, chief of security strategy at SentinelOne. “Customers are tired of paying additional fees to address security breaches, especially when they have already paid for security defenses in the first place.”

There are now a handful of companies that offer security guarantees. SentinelOne’s guarantee covers $1,000 per endpoint, or a $1 million per-company payout, in the event of a successful ransomware infection after installing SentinelOne’s Endpoint Protection Platform. Cymmetria covers the costs incurred in notifying victims, hiring attorneys, bringing in digital forensics investigators, and repairing the damage in case an advanced persistent threat gains unauthorized access, moves laterally through the network, and steals protected information from compromised systems in organizations that have deployed Cymmetria’s MazeRunner cyber-deception platform. Trusona and WhiteHat Security also have similar product guarantees.

As we’ve seen over the past few months, even security products can have vulnerabilities. But in several of the cases, the mistakes seemed fairly basic, even avoidable — not at all at the level of what a security provider should be delivering. Providing product guarantees should wring out such sloppiness from security providers, because they’ll finally pay a real price for their own neglect.

“It’s high time people in our industry started putting their money where their mouth is and taking responsibility for what they sell, assuring what they do works,” said Gadi Evron, Cymmetria’s CEO.