No, they are still not coming from me but this article is actually really interesting: Top 15 security predictions for 2016.
A few of them are remarkable:
At your criminal service
(Kaspersky/Seculert) The profitability of cyber-attacks means sophisticated criminal gangs with modern organizational models and tools will replace common cyber criminals as the primary threat. That, in turn, will draw mercenaries to meet the demand for new malware and even entire operations. The latter gives rise to Access-as-a-Service, offering up access to already hacked targets to the highest bidder.
That the underground market will grow is obvious as there is – well – a market for these services. But I guess this market will definitely change. As we see all the businesses moving into an “as-a-service” model, why should the criminals not do this? You want to get access to a bank? Well, instead of buying the toolset, you might just buy the service.
Ghosts of Internet Past
(Raytheon|Websense) The structure of the Internet is aging – forgotten and deferred maintenance will become a major, increasingly expensive problem for defenders. Among them: Alexa 1000 certificates not up to date; old and broken JavaScript versions that invite compromise; rapid OS updates and new trends in software end-of-life processes that cause havoc and new applications built on recycled code with old vulnerabilities (think Heartbleed and POODLE).
Besides IoT (which I left aside on this list as I have written about it fairly often), legacy is a serious issue. Beyond legacy from a platform perspective (did you really replace all your Windows 95 machines? What about Windows XP?), there are other challenges on top of that: do you know all the key sizes in use in your company? What about the old crypto algorithms? And what about….
Even if you decide to address this challenge, there still remains the question of budget. Who is going to pay for these fairly costly clean-up exercises, and who finally decides to really decommission that old server?
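As an added example (not code from the original article), the following Python script shows the kind of inventory triage that the key-size and old-algorithm questions above call for: it runs a policy over a list of TLS endpoints and flags short RSA keys, MD5/SHA-1 certificate signatures, expired or soon-expiring certificates, and deprecated protocol versions, so that the clean-up discussion can start from a concrete count rather than a guess. The hostnames, the CSV layout, the reference date and every policy threshold are assumptions made for this example.

```python
"""Triage a certificate inventory for legacy crypto (added example).

The inventory, hostnames and policy thresholds below are constructed
for illustration; they are not from the article or any real estate.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample inventory: one row per TLS endpoint (not real hosts).
SAMPLE_INVENTORY = """\
host,key_algo,key_bits,sig_algo,not_after,tls_min
intranet.example.test,RSA,1024,sha1WithRSAEncryption,2016-03-01,SSLv3
www.example.test,RSA,2048,sha256WithRSAEncryption,2017-06-30,TLSv1.0
api.example.test,EC,256,ecdsa-with-SHA256,2018-01-15,TLSv1.2
legacy-vpn.example.test,RSA,2048,md5WithRSAEncryption,2015-11-01,TLSv1.0
"""

# Assumed policy for the example: minimum key sizes, banned signature
# hashes, protocol versions that should no longer be offered, and how
# far ahead of expiry a certificate should be renewed.
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}
WEAK_SIG_HASHES = ("md5", "sha1")
DEPRECATED_TLS = ("SSLv2", "SSLv3", "TLSv1.0")
EXPIRY_WARN_DAYS = 90

# Assumed "today" so the run is reproducible offline.
REFERENCE_DATE = date(2016, 1, 1)


def check_row(row, today):
    """Return a list of (severity, message) findings for one inventory row."""
    findings = []
    algo = row["key_algo"].upper()
    bits = int(row["key_bits"])
    minimum = MIN_KEY_BITS.get(algo)
    if minimum is None:
        findings.append(("high", f"unknown key algorithm {algo}"))
    elif bits < minimum:
        findings.append(("high", f"{algo} key is {bits} bits, policy minimum {minimum}"))

    sig = row["sig_algo"].lower()
    if any(h in sig for h in WEAK_SIG_HASHES):
        findings.append(("high", f"certificate signed with {row['sig_algo']}"))

    not_after = datetime.strptime(row["not_after"], "%Y-%m-%d").date()
    days_left = (not_after - today).days
    if days_left < 0:
        findings.append(("high", f"certificate expired {-days_left} days ago"))
    elif days_left <= EXPIRY_WARN_DAYS:
        findings.append(("medium", f"certificate expires in {days_left} days"))

    if row["tls_min"] in DEPRECATED_TLS:
        findings.append(("medium", f"still accepts {row['tls_min']}"))
    return findings


def triage(inventory_csv, today):
    """Map host -> findings; hosts that pass the policy are omitted."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    report = {}
    for row in reader:
        findings = check_row(row, today)
        if findings:
            report[row["host"]] = findings
    return report


def worst_severity(findings):
    """Highest severity among a host's findings, or None if it is clean."""
    order = {"high": 2, "medium": 1}
    return max(findings, key=lambda f: order[f[0]])[0] if findings else None


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY, REFERENCE_DATE)
    # Hosts with the most findings first: that is usually the decommission list.
    for host, findings in sorted(report.items(), key=lambda kv: -len(kv[1])):
        print(f"{host} [{worst_severity(findings)}]")
        for severity, message in findings:
            print(f"  {severity:6} {message}")
```

The policy lives in a handful of named constants on purpose: when the budget question comes up, the argument is easier to have over "twelve endpoints fail the 2048-bit rule" than over a vague sense that the estate is old. In a real run the CSV would come from a scanner or the certificate store rather than being embedded, and the thresholds would follow whatever standard the organisation has adopted.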
Passwords pass away
(Identity Automation) “No password” authentication methods will no longer be a pipe dream. Organizations will begin offering authentication methods that are a quicker and more seamless experience for users than passwords. They will include biometric, geolocation, Bluetooth proximity and pictographs.
This sounds to me a little bit like the “Year of the PKI” predictions around 2000. The “Year of the PKI” was predicted several years in a row, as is the death of the password. Passwords will remain relevant for ages, unfortunately. We will see new ways to authenticate people that are more user-friendly than passwords, but old systems will not change, and new systems will still, and for a long time, keep passwords in their arsenal.
The power of prediction
(Seculert) Prediction will emerge as the new Holy Grail of security. Prevention is passé, and even detection technologies will be supplanted by prediction, with machine learning becoming a key tool to help organizations anticipate where hackers will strike.
I am really looking forward to this. For about two years now we have been talking about threat intelligence and getting closer to the breach point. There is a lot of potential there, and there could be a few great breakthroughs next year. Detection is the next prevention!
Getting physical
(Seculert/Imperva/DomainTools/ThreatStream) 2016 will witness the world’s first openly declared cyberwar, where the primary goals of the attackers – hacktivists, nation states or terrorists – are not financial but to cause physical damage in support of terrorist or geopolitical agendas. That will put infrastructure, priceless artifacts and more at risk. Transnational terrorist groups such as ISIS will attempt to attack a SCADA system or critical infrastructure with the goal of inflicting either economic damage or mass casualties.
I have claimed that attacks on critical infrastructure will happen soon and will have disruptive consequences. Additionally, I am convinced that this will get the regulators acting, which does not really solve the issue. Scary, but it will happen…
Last but not least:
Get thee an MSSP
(Blue Coat) The failure of organizations and countries to build up cyber talent will become a huge problem. Demand for information security professionals is expected to grow by 53 percent through 2018. Because of this, security jobs will be filled by MSSPs, and the cost will not decrease.
I am deeply convinced that the market will (have to) consolidate, and therefore managed services will be a big wave to come. We will see whether companies will already be ready in 2016, but it will come. If there is a significant disruption because of a security incident, the market will move way faster. If not, it will take a moment longer, but it will happen.