Each year, organizations from around the world start looking at the new year and try to make predictions on what will occur. The security industry is no different. Our WhiteHat team has gathered their thoughts on predictions for 2017 and new vulnerabilities or trends that might emerge in 2017. I hope you find their predictions a great way to kickstart 2017 planning and start implanting some thoughts on how to protect your applications in the coming years as threats continue to increase. We are a small security community with pretty much the entire world trying to attack our applications. I’m proud and honored to start the conversation about how we can fight back and protect our assets and our customers.
We’ll start out with my prediction.
Every year around this time, people start asking me what I think the cyber security trends for the next year are going to be. What new vulnerabilities are going to come out? Is IoT going to be hacked in a major way? Will self-driving cars start smashing into each other because they’re connected to the Internet? All are valid questions and any of them could occur next year. However, I, unfortunately, predict a somewhat bleaker and kind of boring thing will happen… Nothing will change. Companies will continue to get breached because of simple vulnerabilities. We have seen year after year that vulnerabilities we knew about at the turn of the century continue to be exploited leading to massive data breaches that affect both companies and their users. Cross-site scripting and SQL injection continue to be found on site after site after site. Here at WhiteHat, we still find cross-site scripting on about 50% of all sites we assess. SQL injection, which leads to database breaches, still occurs on about 6% of all sites. It’s staggering that we haven’t learned from the past and continue to introduce these easily exploitable vulnerabilities.
As a security community, we need to do a better job. We need to start training all developers on secure coding from day one. Universities need to start teaching secure coding to all computer science majors. The security teams need to share their knowledge with the developers and the rest of the company. We need to tear down the walls that so often pop up between the different organizations. Only then can we start to make forward progress on stopping the bad guys.
OK, enough of my predictions and recommendations. On to the predictions of some of the team here at WhiteHat…
Marc Druzin, Product Management
Cars are a key target for hackers. There will be a lot more surfaced vulnerabilities in cars next year. You can bet as soon as newer models come out with more auto-driving/steering and logically, interconnected features, the hack-a-thon will be on.
Antoine Baisy, Threat Research Center
- Cars are a key target for hackers.
- There will be a published hack for Google Home or the Amazon Echo.
So, when I gazed into my crystal ball located conveniently on my desk, two major events appeared in the mist. One is another remote hack on self-driving cars, which will continue to hammer home that they need to be properly secured before they are released to the masses. The other is a published hack for either the Google Home or the Amazon Echo. The Echo has been out for two years and it’s been solid so far. However, with the Google Home emerging, the always-on microphones in people’s homes are a serious concern for the general consumer. I’ll trust both Google and Amazon to patch the hacks before they are published, but I do think both devices have a target on them in the hacking community. If you believe crystal balls that is.
Brian Williams, Threat Research Center
DDoS attacks are likely to become a big problem.
The record-breaking Mirai botnet, and the subsequent release of its source code, was some of the biggest security news that we saw this year. The malware first reared its head back in September, when it was used to deliver a record-breaking DDoS attack on Brian Krebs’ security blog. Mirai exploits default passwords on Internet of Things devices, such as routers, security cameras, and DVRs in order to gain control of them. Thousands of devices are infected at once, and then used to deliver a massive barrage of requests to a target victim, unloading up to 700 gigabits of data per second. Directly following the attack on Brian Krebs’ blog, the source code for Mirai was released to the public.
On October 21, Mirai was used to take down the DNS provider, Dyn. By targeting Internet infrastructure, attackers were able to deny service to a large number of websites for most of the day, including Twitter, Amazon, Tumblr, Reddit, Spotify, Netflix, and GitHub.
Since the source code of Mirai is easily obtained, I expect that DDoS attacks of this nature will continue.
Jeannie Warner, Security Manager
The social and political unrest around the world will encourage a dramatic rise in Hactivism.
I foresee the return of Anonymous, cranking up U.S. operations to unheard-of new levels. We’re all used to www.whitehouse.gov and www.cia.gov being constantly attacked, defaced, and taken offline. With all of the anger and frustration of the 2016 U.S. elections, we’re going to see a lot more attacking, DDoS, and exposure attacks of many media outlets, right- and left- leaning special interest groups, and definitely the FBI. Anonymous already stands with Standing Rock and the protests there. There will likely be a lot more attacks on big oil, as well as state-level sheriff and police supporting these kinds of activities. The gloves seem to be off on the topic of fair play. Google and Facebook are both declaring they are working at eliminating the fake news issues that plagued social media over the last 12 months. What will come of it remains to be seen, but I predict there will be a lot of focus on new natural language processing technology examining ad filters and URL processing as part of web applications.
New guidelines will emerge from organizations such as NIST requiring that application security vendors partner with device manufacturers and testing labs to deliver secure IoT systems.
The Internet of Things is growing daily, with smart devices and controlling applications at the core of every business from Healthcare to smart cars and smart buildings. It’s essential to protect smart anything from attackers attempting to exploit their vulnerabilities – and I’m expecting/hoping to see a shift from the term “security” to “safety”, as well as an increase in legislation mandating increased rigor of testing. In the same way manufacturing safety testing via the American National Standards Institute controls new releases in devices, I think that the National Institute of Standards and Technology’s SP 800 or a similar body will form guidelines for a comprehensive security assurance through the integration of dynamic application scanning technology and rigorous device controls testing. Commonalities in all IoT systems include controls for tracking and sensing interfaces, combined with web- or mobile-enabled control applications which combine to expand the borders of the security ecosystem. New guidelines will (ideally) force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping the innovative organizations to manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure products.
Dan Lacey, Threat Research Center
Nothing will change.
Attackers will continue to discover and exploit zero-days. Companies large and small will continue to lose data and money to the usual attacks, often because they didn’t take basic security precautions. Individuals will continue to lose money in the usual ways, often because they lack basic knowledge of Internet safety. Manufacturers will continue to produce Internet-connected devices with no security, or easily by-passable security, enabling attackers to hijack them. Someone might pass laws mandating that new Internet of Things devices have security, but those laws will be unenforceable and impossible to apply retroactively.
No one will deploy a better authentication system than passwords.
The government will continue to press for increased surveillance including backdoors.