How about an ISC2 Community Predictions for 2020?

Caute_cautim · ‎12-17-2019

Hi All

How about some debate about security and privacy predictions of our own for 2020?

1) Pushing things off the ramp, I believe IoT, IIoT, and OT - putting them in the same domain, although there is some subtle differences within OT. This area will become a major concern in 2020, especially after the study on RSA digital certificates state within these IoT devices: https://www.computing.co.uk/ctg/news/3084715/iot-encryption-weak?utm_source=Adestra&utm_medium=email...

2) Is it not time for passwords to be phased out and for us to go FIDO instead? https://fidoalliance.org/

Any thoughts on how to establish and achieve this in 2020?

3) Ransomware is increasing, as shown with many education establishments in the USA lately being held to extortion attempts - so relate to IoT and they the cyber-criminals are likely to literally make a killing in terms of increased revenues to themselves.

4) The ramifications of the CCPA and SB-327 will be known in 2020 and the likelihood of USA adopting a GDPR like legislation?

5) Any others that come to mind?

Regards

Caute_cautim

CISOScott · ‎12-18-2019

I would have said ransomware if you hadn't already. I really expect it to explode this year (2020).

rslade · ‎12-18-2019

> CISOScott (Community Champion) posted a new reply in Industry News on 12-18-2019

> I would have said ransomware if you hadn't already. I really expect it to
> explode this year (2020).

Up in Canada we've got a lot of media attention over LifeLabs. They've reported
paying ransom, so I assume it's ransomware, but, as always, the media hasn't got a
clue and are reporting it like it was a breach (which ransomware really isn't) and as
if someone came and took the records away and then gave them back when the
ransom was paid. They are talking about medical records being stolen and the
privacy implications of it. What's worse, is the media is finding talking heads,
supposed security experts, who don't understand the difference either. (One report
last night had a putative security expert opining that the "theft" of DNA data
would make a problem with biometrics. Argh!!)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
We should be careful of each other, we should be kind, while
there is still time. - Philip Larkin
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

Caute_cautim · ‎12-18-2019

@rsladeYes, Ransomware will figure higher in 2020, now that some have decided to pay the ransom, which promotes the perpetrator to do it again and again.

However, I foresee Ransomware, IoT, 5G Edge Computing and vast speeds being a serious issue in 2020 myself. I think I can safely add AI and poor Machine Learning coding and development with poor ethics and bad data to the list as well.

I spoke to a fellow colleague the other day, about her PhD subject,which is designing antenna or aerials for 5G purposes within buildings. Having studied radio communications from a young age, it is amazing how little the younger generation appreciate how pervasive radio communications can be in its many forms.

We seem to be in such a rush for high speed communications, higher transfer rates, yet we have little time to fathom the implications of those decisions, even if they are innovative and great for marketing, product, operational and business models.

Regards

Caute_cautim

CISOScott · ‎12-18-2019

@Caute_cautim wrote:

I spoke to a fellow colleague the other day, about her PhD subject,which is designing antenna or aerials for 5G purposes within buildings. Having studied radio communications from a young age, it is amazing how little the younger generation appreciate how pervasive radio communications can be in its many forms.

We seem to be in such a rush for high speed communications, higher transfer rates, yet we have little time to fathom the implications of those decisions, even if they are innovative and great for marketing, product, operational and business models.

Regards

Caute_cautim

We are slowly microwaving ourselves. We should be good and cooked by 2050.

Caute_cautim · ‎12-18-2019

@CISOScottRemember 2.45 GHz is the frequency at which water boils within a Microwave, but there are many Watts of power within an enclosed space. The other issue rather like LED Lamps is the increased level of electromagnetic noise generated, many issues are created by the actual power supplies not being filtered or because they use switched mode Power Supply Units apart from other shielding. In fact some of my colleagues, will actually go into electrical outlets and take an AM radio and check them out, before they purchase them.

Getting back to predictions: Other thoughts -

1) 5G and Wifi-6 high speed, high band width wireless networks

2) Artificial Intelligence and Machine Learning - ethics and how good the original data actually is

3) Application Programming Interfaces and secure coding and development techniques or lack of

4) Lack of pre-production testing and testing for the unexpected.

Regards

Caute_cautim

denbesten · ‎12-19-2019

@Caute_cautim wrote:
2) Is it not time for passwords to be phased out and for us to go FIDO instead? https://fidoalliance.org/

It is clear that passwords being deemphasized as a sole source of authentication, but I don't anticipate any one mechanism as the replacement. There are just too many competing options with financial advantage for different parties. For example, Windows will cooperate with other SAML authentication and FIDO plugins will not be blocked, but somehow things will work best if you use Microsoft Authenticator and Microsoft Hello.

In addition to @Caute_cautim's list, I am hoping to see:

A trend towards Private VLANs (aka port isolation) to prevent lateral movement in an attack -- both in enterprises and in consumer-grade equipment.
Greater efforts by manufacturers to eliminate default passwords (ala the California "default password" law) and perhaps adopting similar legislation in larger populations.
An emphasis on backups (potentially including cloud-sync) as a preventative measure against ransomware.
An improved focus on human-factors in authentication design -- as suggested in NIST 800-63b.
Improved consumer/public awareness and sensitivity to surveillance, be it by ring cameras, Alexis, hidden cameras, Teslas, cop-cams, etc. Perhaps, legislation requiring indicator lights and prominent notice on all recording devices.
That browser manufacturers uphold their promise to kill flash.

Caute_cautim · ‎12-19-2019

@denbestenOn the password front, we definitely need to sort this out given this trend from this study:

https://securityintelligence.com/news/study-3-in-4-users-required-a-reset-of-a-forgotten-password-in...

In terms of predictions, here is another 11 add to the list:

https://securityintelligence.com/posts/ibm-x-force-security-predictions-for-2020/

Let the madness begin.

Regards

Caute_cautim

CISOScott · ‎12-19-2019

I once worked at a place of about 5000 employees. The helpdesk averaged 600-700 password resets a week! I pointed out to the CIO how this was problematic and he did nothing to resolve it. This was across several platforms like Network, Email, and some applications, but still 10% of your employees needing to reset passwords every WEEK?

I left before I could implement any change there. So I agree with the doing away with passwords and moving to something better approach.

Starat · ‎12-24-2019

Legislation discussion around security will grow in 2020

Cloud technology will begin to grow beard.....and become an household item for all organization