Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

12/19/2017
04:36 PM
Joe Stanganelli
Joe Stanganelli
News Analysis-Security Now
50%
50%

My Cybersecurity Predictions for 2018, Part 1: Following Trends & the FTC

2017 was a wild ride in cybersecurity. It's looking like 2018 won't offer any calmer ride.

It's that time of year again. Leaves have fallen, brick-and-mortar retailers are pumping Christmas music over their speakers and security pundits are looking to the new year with fresh batches of predictions on what to expect in InfoSec in 2018.

It's hard to predict the future. For this reason, many predictions are blindingly benign flashes of the obvious -- basic stuff like "passwords will still be problematic" and "bot attacks will increase." In McAfee's 2017 Threat Labs Predictions, the antivirus-software peddler went out on a not-so-bold limb indeed by declaring that the cloud would become a bigger target because more people and enterprises would rely on the cloud. McAfee's 2017 prediction report is chock full of several of these -- shall we say -- "high-level" prognostications.

"We will continue to see conflicts of speed, efficiency, and cost pitted against control, visibility, and security in cloud offerings." (Duh.)

"Attacks will come from all directions and leverage both east-west and north-south attack vectors." (Stop it! You're killing me!)

"[Internet of Things] device makers will continue to make rookie mistakes as they IP-enable their products." (Satire is dead.)

It's particularly easy to pick on this particular McAfee report only because it is so voluminous. Short blog posts covering the same topics are guilty of the same sort of faux psychic demonstrations -- such as a recent item oh so eerily predicting increases in both the "cybercrime epidemic" and "the adoption of artificial intelligence" in 2018.

Rarely do cybersecurity forecasters swing for the fences -- and when they do, such predictions involve terms that can be tenuously defined. Even their bolder predictions tend to be near-binary -- predicting that there will be either more or less of something.

Usually, the guesses involve predicting more attacks of such-and-such type. Once in a blue moon, you might see the opposite, ostensibly to shake things up a bit -- and the results are usually as disastrously wrong you might expect. For example, last year more than one cybersecurity company predicted that ransomware exploits would slow down in 2017. LOL.

To wit, there is a shortage of good annual cybersecurity prognostications that don't wuss out. I'm here to help make up for that. So here begins the first of my series of my best InfoSec predictions for 2018 -- bold, "out there" forecasts that don't bear the hedge-your-bets weaknesses of the so-called predictions described above.

I am staking my professional reputation on these honest-to-God predictions that could very well be wrong -- or could very well be right. Accordingly, to any extent that these predictions prove false, I welcome you, dear reader, to throw this article in my face with a good old-fashioned "neener neener".

2018 Prediction No. 1: Following a headline-making exploit, the Federal Trade Commission will seek to make an extremely harsh example of a major smart-device manufacturer.

If you know anything about the FTC, it's not difficult to see why the infamously regulatory-phobic Trump Administration has delayed nominating new FTC commissioners for so long.

The FTC is the uber-regulator (and, incidentally, the Uber regulator -- see: Uber Loses Customer Data: Customers Yawn & Keep Riding). It has incredibly broad enforcement and oversight powers and responsibilities spanning 70 federal laws. Most notable among these is the FTC Act, which by itself gives the FTC tremendous consumer-protection powers.

On the one hand, the FTC has long lobbied for yet more power to regulate IoT and all other things cyber -- to little avail. Cyber laws of any kind, still being somewhat of a political niche, are hard enough to push through even with bipartisan support -- especially because of the rather libertarian roots of the Internet. Last year, tough-on-crime Republican hawks could not get various anti-encryption bills out of subcommittee last year. Meanwhile, after years of advocating for tougher oversight of IoT makers since shortly after his election in 2013, a bill introduced by Senator Edward Markey of Massachusetts that merely seeks to implement voluntary cybersecurity standards through public-private sector collaboration has had no action on it since being introduced in October.

On the other hand, the regulatory agency -- in part because it has so much power and enforcement responsibility -- is stretched thin. And regulators are essentially political demagogues; they tend to not reach too far past the low-hanging fruit unless the target is quite large.

In short, the FTC is champing at the bit to get someone for a major IoT snafu -- a big someone, because the agency needs a big win to justify itself politically.

Given IoT manufacturer's long history shrugging off white-hat security researchers and more recent history of getting their butts handed to them by black-hat attackers, the fulfillment of this prophecy is just a matter of time. That time will be 2018.

Related posts:

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...