This year has been remarkable for computer security in many ways. While I could list all of the security breaches we were notified of this year, I think nobody in the security industry can disagree that Mirai was the most notable of 2016. Covered heavily by major news outlets [1][2][3] due to the botnet’s power, we can now discuss how routers and kettles can destroy the world. There is a larger talking point around why routers, cameras and other ‘smart’ connected devices are poorly made in terms of security, which in my opinion comes down to a lack of skilled workforce across the globe, the rise of consumerism and the requirement to have produced something on budget. But one thing is for certain: we should be employing more people in security. We have left it too late and we must start catching up in 2017.
More often now, box ticking in computer security is no longer an option. We can look at many attacks against large companies like TalkTalk or Tesco which were carried out in different ways, although the Tesco hack is still under speculation. TalkTalk last year produced an embarrassing bit of news: they were hit with an SQL injection. When I first heard this I thought it was a joke, especially as it was on the main part of TalkTalk’s site and not an obscure location. The only way this could have happened is by having the bare minimum of security regulation, simply ticking boxes which are usually wide in definition and accepting the rest as risk appetite. In April 2015, I discussed the lack of TLS/SSL within what I will now say is TalkTalk’s communication with its customers’ routers, which could lead to classic man-in-the-middle attacks (Article). This year Mirai attackers decided to utilise the protocol to take over routers, and again some TalkTalk customers experienced issues. The up-to-date TR-069 protocol is fairly feature-filled with security, although I haven’t extensively researched the protocol. With little to no authentication, certain botnet operators had power we rarely see many have, gained in a fairly trivial way, which is the most worrying thought. The lack of employed security people doing “background” research (as I call it) in security is astonishing; many open source technologies are only occasionally reviewed for security because it’s not seen as beneficial to the companies that use them. Heartbleed, in 2014, produced a reason why background research is needed: an open source project had a buffer underflow, in a security context, a fairly trivial (again) error. In 2017, I would like to see more companies allowing security researchers to research more abstract areas like OpenSSL. Mozilla asked Cure53 to analyse cURL, a popular tool used by many in many different circumstances. They found a large number of vulnerabilities, which potentially keeps many companies around the world safe from possible security attacks.
Currently research like this is left to enthusiasts or security analysts who love their job and wish to do more work in the evening (crazy people, right?) :). Companies around the world must understand that they should extend their assets to third parties as well, be it third-party alliances with which you share information or assets, or an open source library. Many in risk management would see it as acceptable within their risk appetite to simply leave the third party to produce their own security standards (box ticking, probably). Cooperation and transparency sound like buzzwords when it comes to many subjects, but security is so important to every country’s economy and the well-being of individuals that I would like to see companies cooperate and be transparent with their security research; many already do. Transparency in findings allows others to patch security vulnerabilities and understand attacks they may have received recently. Holding back vital technical details does not help anyone except an attacker. This assumes, I must admit, that all companies are competent and vigilant with their security, which is not always the case.
A final category I find interesting this year is the recruitment strategies that many companies are employing. I interact with many people from different backgrounds and see two sides of the story: the hard problem of finding the right candidate, and the confused potential candidate who wants to know where to find security jobs. Security recruitment cannot be like other, normal recruitment; many talented individuals are not on classic tools like LinkedIn. Recruiters for security must understand where ‘hackers’ are, how to tell if someone is struggling with the basics, and have the ability to know a hacker when they see one. Candidates need to be more open, social and energetic. Hard for security researchers, I know, but it is a must. Candidates should start a blog, release research, find things you like, produce points of passion and release content regularly. In 2016 I saw a complete disconnect between the two: the potential candidate for a security job, and the business owners and security recruiters requiring people with expertise. Some major rules that I go on.
Many achievements have been made in 2016 in regards to security; one is the wide adoption of TLS/SSL and a further understanding of, and media attention on, encryption overall. Moving into 2017, hopefully we can try to get basic authentication implemented in most manufacturers’ product protocols.