Contributor

These are the threats that keep me awake at night

Opinion
Feb 02, 2017, 5 mins
Security

Articles about predictions for 2017 can be entertaining, but I am concerned about the cybersecurity problems we face today.

We have fortunately reached the date on the calendar when the myriad of articles predicting hot information security issues for 2017 have begun to wind down. I say fortunately, because I personally have never found much use for them.

In many cases, they predict things that are readily obvious — for example, ransomware will be a greater issue in 2017. I can all but guarantee that this prediction will come true, as can almost anyone in the industry. Since ransomware built momentum in the fourth quarter, it is unlikely to dissipate in 2017, despite California making it illegal.

The other type of predictions usually found in these articles are the ones from left field — the wild conjectures. The writers include them because they sound interesting and attract attention. They may never come to pass, but since nobody tends to audit prediction articles, it will all be forgotten when the 2018 prediction articles start hitting in December. 

Since I find little value in such articles, I don’t write any of them myself. Frankly, I spend too much of my time worrying about the cybersecurity issues I face today. To protect the organizations I have responsibility for, I must focus on what is in the threat landscape today, with enough vigilance to watch for evidence of new threats. After all, the bad actors are at least as good at coming up with new ideas as we writers are. 

To that end, instead of the obligatory prediction article, I will provide a brief list of the threats that are currently keeping me up at night, and why.

Complexity

In our efforts to contain threats known and unknown, we in the industry are building increasingly complex networks, including numerous security devices. This trend is creating a challenge in itself — the difficulty of managing such complex implementations.

Broad security solutions often involve many moving parts, and someone must understand the big picture in order to maintain and troubleshoot them. I know of one organization this week that had issues because of a minor security program everyone had forgotten about.

Internet of things (IoT)

The increasing introduction of IoT devices continues to trouble me. While the hijacking of such devices to bring down networks — such as the recent DDoS attack by the Mirai botnet — makes the news, this is not what bothers me the most. My concern is the influx of such devices into corporate networks with poor management or planning. Without vigilance, these devices can become a back door, allowing an attacker to gain access to a valuable corporate network.

An article this week in Top Tech News correctly observed that a growing number of IoT devices are cloud-controlled, and this cloud channel increases the chances for network compromise.

Our users, ourselves

Let’s face the facts: A single user clicking on a phishing link can compromise the security of an entire organization. That thought should certainly lead to some sleepless nights.

Gone are the days of phishing messages that contain obvious misspellings and poor interpretations of the English language. These messages are now sophisticated enough to fool many information professionals. If they can fool us, it is hard to expect our users to spot them.

Over-reliance on threat intelligence

The concept of threat intelligence is sound: Use another organization’s discoveries about potential threats to augment your own security. The problem is that the quality of threat intelligence data is highly variable. Those who rely on it without the proper vetting may make matters worse and not better.

As an example, many organizations applied the indicators of compromise provided by the U.S. government as part of the Grizzly Steppe investigation to their own monitoring systems. Burlington Electric was one such organization, and it quickly identified a PC with activity matching information in the government alert, causing a media storm related to the U.S. electrical grid being “hacked.” Sadly, some of the information in the alert turned out to be inaccurate, and much time was expended investigating an employee who had innocently checked his Yahoo email.

Under-reliance on threat intelligence

On the other hand, the many who ignore the wealth of available threat intelligence information also help my sleep deprivation. A wealth of good information is available, much of it free. While it does require some analysis, organizations can avoid many problems that others have experienced by making use of this information.

Mega data breaches

Many large data breaches have made the news in recent months: Yahoo (twice), LinkedIn, MySpace, etc. These breaches are bad enough on their own, but the aftermath is at least as bad. The bad actors, armed with a wealth of personal data, launch major phishing and spear-phishing attacks. As a result of this, a single large breach is quite likely to facilitate others.

Bottom line: Articles about predictions for 2017 can be entertaining, but I am concerned about the problems in cybersecurity we face today. Until we are handling those well, it is best that we not spend too much of our time trying to anticipate tomorrow.

Contributor

Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
