The seven best trend articles in 2018 . . .

For ISO’s of small financial institutions.

Sometimes, in spite of seemingly everything changing at an accelerated pace, you find things that are familiar. In Dan’s Magnificent Seven and R7: The Top Seven Risks pieces, for example, you’ll find several new developments of interest to Information Security professionals…but you’ll also find some things, like employees clicking phishing links, to be more familiar. In light of this observation, this year we have decided to use our annual T7 piece to look at how our previously selected trend articles, and the subjects they were based on, have evolved over time.

As we’ve said before in our previous takes on this article (in 2015, 2016 and 2017), it’s important to consider when reading these pieces whether they are discussing current trends or if they’re making predictions. While both kinds of articles can be interesting to read, we try to consider them differently: by basing tactical plans on current trends, and longer term strategies based on predictions.

1. Internet of Things/Wearable Tech: A perennial favorite in trend articles by ourselves and others, the proliferation of internet connected devices shows no sign of slowing down…and still worryingly few signs of proper security. The continuing inattention to security comes as organizations such as CIO Magazine predict increasing adoption of internet-connected technology in the industrial sector, where equipment often remains in use (and vulnerable to attack) decades longer than in homes and offices.
2. Encryption: Whether it’s being used by your average consumer to protect their smartphone or by the bad guys to hold your company’s data hostage, encryption and how we implement it is another trend that we’ve been following (and will continue to follow) for years. We are also seeing encryption being employed as a way to reduce certain compliance burdens, in the European Union at least, with new legislation absolving businesses of the requirement to notify consumers about data breaches–as long as the data that was lost was encrypted.
3. Mobile Malware: In 2016 we looked at the growing trend of malware aimed at mobile platforms, and noted that the once-impervious iOS was starting to see attacks as well. In the intervening two years smartphones have become an even more inviting target, with examples of cryptocurrency-mining malware spotted in the wild. On the Android side, examples of infected applications are easy to come by through the official Google Play store, despite efforts to screen submissions for threats. If that wasn’t enough, experts are warning of the rise of Ransomware-as-a-Service: ready-made kits which allow those with no technical ability to deploy an attack.
4. Open Source Vulnerabilities: Open Source Software’s ability to be examined by the public is one of its selling points, but that presumes that there will be someone there to examine it: with billions of lines of open source code across thousands of projects, problems can lie in plain sight for years before being scrutinized. Open Source Software must also still be patched in a timely fashion to remain secure, as Equifax recently discovered.
5. Cloud Security: Data storage and virtualization continue to make computing cheaper, while wireless and wired broadband continues gets faster. Put them together and you have an ever-growing incentive to shift resources to the cloud…but just how well do you know the organization on the other end? Between Software-as-a-Service, Platform-as-a-Service, internet of things devices and data storage, the vast majority of businesses now have at least some of their information in the cloud, making this an increasingly attractive target for financially motivated attacks.
6. Ransomware: Touched upon in both 2016 and 2017’s installments, ransomware is as big a threat as ever, in part because of how profitable it can be. While experts believe most victims fail to pay their digital hostage-takers, it doesn’t take many ransom payments to make such an enterprise profitable. If that weren’t bad enough, a look at 2018’s tech threats from the MIT Technology Review says such attacks striking major cloud services seem to be only a matter of time.
7. Password Problems: A problem practically as old as computing itself, the issue of password security is one that offers no simple solution. On the bright side, this means that there’s always a new selection of articles discussing the problems, and their possible solutions, to choose from…but don’t expect to get out of those mandatory password changes any time soon.

This article is now a collaboration of several infotex team members.  Original T-7 article concept by Dan Hadaway CRISC CISA CISM, founder and Managing Partner, infotex