From Weaponized Homes to new DevSecOps Jobs: Security Trends for 2017
January 30, 2017
Featured article by Carson Sweet, co-founder and CTO, CloudPassage
As we ring in the new year for 2017, there’s plenty of uncertainty surrounding the security and privacy of our digital world. Much of this uncertainty stems from the escalating intensity of cyber attacks against consumers and businesses and the evolution of the “Internet of Things” as a weaponized battlefield.
As the year comes to a close and we consider what impacted the security industry in 2016, I’ve put some thought into my own perspectives as to what 2017 might hold. Find my predictions for 2017 below.
Weaponization of the “Personal Network of Things”
Home automation products combined with a multitude of personal computing devices have created a “personal network of things” (let’s call it a PNoT for fun). The combination of home computers, tablets, mobile phones, gaming systems, home automation products, security cameras, and a multitude of other Internet-connected devices — all connected to your home network — presents a tiny but significant “mini-enterprise” to attackers.
PNoT systems are rarely protected or maintained with the same vigor as corporate I.T. systems, making them generally more vulnerable to being compromised and drafted into a zombie army. That is, they become part of a massive attack network (a.k.a. a botnet) like the one dubbed Mirai that recently took down multiple Internet sites in a huge, sustained distributed denial of service (DDoS) attack.
The problem with vulnerable personal devices is nothing new, but in the next year we can expect to see “personal networks of things” become far more interesting to attackers when coupled to homes with gigabit internet connectivity. Already available to 50m consumers, gigabit connectivity as a hot attacker focus will truly explode if vulnerabilities in popular home devices can be exploited mechanically. Keep in mind that the massive DDoS attacks that we saw from the Mirai botnet were based on seeking and exploiting vulnerabilities in long-forgotten devices… in the case of recent Mirai attacks, IP cameras and recorders.
In future attacks, count on poorly secured home devices being targeted — especially those in homes with gigabit Internet connectivity.
Consumers will need to protect their personal networks from this new version of Mirai botnets, creating demand for services that safeguard them. More importantly, vendors will need to adopt better standards for protection of devices. If the Mirai botnet is any indication, the lack of security in device design is still quite profound.
Attackers Zero In on DevOps and Continuous Delivery
Nasty people who want to do ugly things constantly seek out high-value targets that give them the most leverage over victims with the least amount of effort. There’s even a term for this, well known in certain circles: “compromise impact efficiency”.
Continuous delivery / continuous integration pipelines that are now widely adopted in agile development and devops shops are just such a target. Consider the impact of advanced persistent threat (APT) malware, but applied at the application level instead of the system level. If a threat actor (one of the nasty people) is able to breach the software development pipeline, they can essentially control the company by subverting its software code and components.
Healthcare and financial services organizations have some of the most valued data and so are likely to be attacked first. These attacks are likely to be aggressive and very public, meaning that devops teams will need to live up to new standards of testing and prevention — preferably harmonizing these operations with existing devops tools and functions.
Microservice Architecture Fails to Deliver (On Uneducated Enthusiasm)
Despite the buzz, 2017 will not be the year that microservices start to take over the world. This isn’t because microservice architectures don’t offer amazing capabilities — it’s because applications must be refactored to realize their value.
It’s easy to get containerization mixed up with microservices. But where a traditionally monolithic application can be delivered in a large container model, moving an application from a traditional monolithic architecture to microservices requires complete refactoring. And as many enterprises learned when they tried to build private clouds, just because a new technology is hot doesn’t mean there’s enough engineering talent to go around. In the case of microservices, there’s a need for developers, QA engineers, and infrastructure architects who actually understand microservices. It’s unlikely there will be enough of these talents to go around for at least several years, and in the short term the large service providers and hot startups will snap them up.
So while interest in and demand for microservices are high, they’re also far ahead of the industry talent pool needed to adopt microservices broadly. We have a few years of refinement and learning ahead before the talent pool can match the craze. But be careful… it doesn’t take a prediction to know there’ll be five unqualified people claiming to be microservices engineers for every real one.
DevOps Teams Become Even More Critical Security Players
History doesn’t repeat itself, but it rhymes. In this case, the rhyme is that the primary technology owners will also own security control implementation — even if they don’t operate it.
As distributed computing and TCP/IP took hold in the early 1990s, the information security world revolved around RACF and TopSecret — mainframe access management. Distributed computing and network security had never been issues before, so there were no skilled security practitioners to get the job done. The result… network security was owned by the network organization. The same thing happened when web application security became a demand; the web developers were responsible for implementing security controls (e.g. WAMs) even though central infosec was providing guidance and standards.
Just as network security ownership defaulted to network teams in the 1990s, the same will be true for agile security and DevOps teams in 2017. Cloud and agile technologies are being adopted faster than ever, and the industry doesn’t have time to wait for infosec to develop the needed skills. Therefore, devops teams will be on the hook for implementing actual security controls. The successful security team will recognize this and seek to provide tools that harmonize with this trend instead of fighting it. In so doing, these teams will maintain high degrees of visibility and create leverage for their already-stressed resources.
We’ve said for over a decade that security should be built in, not bolted on — here’s a prime opportunity to move towards that reality.
With 2017 just breaking the horizon, these predictions barely scratch the surface of what we’ll see in the coming year. Threats to personal computing and the rise of threats to and from the Internet of Things are just the beginning of what promises to be an interesting year.