Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

12/19/2017
04:36 PM
Joe Stanganelli
Joe Stanganelli
News Analysis-Security Now
50%
50%

My Cybersecurity Predictions for 2018, Part 1: Following Trends & the FTC

2017 was a wild ride in cybersecurity. It's looking like 2018 won't offer any calmer ride.

It's that time of year again. Leaves have fallen, brick-and-mortar retailers are pumping Christmas music over their speakers and security pundits are looking to the new year with fresh batches of predictions on what to expect in InfoSec in 2018.

It's hard to predict the future. For this reason, many predictions are blindingly benign flashes of the obvious -- basic stuff like "passwords will still be problematic" and "bot attacks will increase." In McAfee's 2017 Threat Labs Predictions, the antivirus-software peddler went out on a not-so-bold limb indeed by declaring that the cloud would become a bigger target because more people and enterprises would rely on the cloud. McAfee's 2017 prediction report is chock full of several of these -- shall we say -- "high-level" prognostications.

"We will continue to see conflicts of speed, efficiency, and cost pitted against control, visibility, and security in cloud offerings." (Duh.)

"Attacks will come from all directions and leverage both east-west and north-south attack vectors." (Stop it! You're killing me!)

"[Internet of Things] device makers will continue to make rookie mistakes as they IP-enable their products." (Satire is dead.)

It's particularly easy to pick on this particular McAfee report only because it is so voluminous. Short blog posts covering the same topics are guilty of the same sort of faux psychic demonstrations -- such as a recent item oh so eerily predicting increases in both the "cybercrime epidemic" and "the adoption of artificial intelligence" in 2018.

Rarely do cybersecurity forecasters swing for the fences -- and when they do, such predictions involve terms that can be tenuously defined. Even their bolder predictions tend to be near-binary -- predicting that there will be either more or less of something.

Usually, the guesses involve predicting more attacks of such-and-such type. Once in a blue moon, you might see the opposite, ostensibly to shake things up a bit -- and the results are usually as disastrously wrong you might expect. For example, last year more than one cybersecurity company predicted that ransomware exploits would slow down in 2017. LOL.

To wit, there is a shortage of good annual cybersecurity prognostications that don't wuss out. I'm here to help make up for that. So here begins the first of my series of my best InfoSec predictions for 2018 -- bold, "out there" forecasts that don't bear the hedge-your-bets weaknesses of the so-called predictions described above.

I am staking my professional reputation on these honest-to-God predictions that could very well be wrong -- or could very well be right. Accordingly, to any extent that these predictions prove false, I welcome you, dear reader, to throw this article in my face with a good old-fashioned "neener neener".

2018 Prediction No. 1: Following a headline-making exploit, the Federal Trade Commission will seek to make an extremely harsh example of a major smart-device manufacturer.

If you know anything about the FTC, it's not difficult to see why the infamously regulatory-phobic Trump Administration has delayed nominating new FTC commissioners for so long.

The FTC is the uber-regulator (and, incidentally, the Uber regulator -- see: Uber Loses Customer Data: Customers Yawn & Keep Riding). It has incredibly broad enforcement and oversight powers and responsibilities spanning 70 federal laws. Most notable among these is the FTC Act, which by itself gives the FTC tremendous consumer-protection powers.

On the one hand, the FTC has long lobbied for yet more power to regulate IoT and all other things cyber -- to little avail. Cyber laws of any kind, still being somewhat of a political niche, are hard enough to push through even with bipartisan support -- especially because of the rather libertarian roots of the Internet. Last year, tough-on-crime Republican hawks could not get various anti-encryption bills out of subcommittee last year. Meanwhile, after years of advocating for tougher oversight of IoT makers since shortly after his election in 2013, a bill introduced by Senator Edward Markey of Massachusetts that merely seeks to implement voluntary cybersecurity standards through public-private sector collaboration has had no action on it since being introduced in October.

On the other hand, the regulatory agency -- in part because it has so much power and enforcement responsibility -- is stretched thin. And regulators are essentially political demagogues; they tend to not reach too far past the low-hanging fruit unless the target is quite large.

In short, the FTC is champing at the bit to get someone for a major IoT snafu -- a big someone, because the agency needs a big win to justify itself politically.

Given IoT manufacturer's long history shrugging off white-hat security researchers and more recent history of getting their butts handed to them by black-hat attackers, the fulfillment of this prophecy is just a matter of time. That time will be 2018.

Related posts:

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12505
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
CVE-2020-12506
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
CVE-2020-4629
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.