Justin Sherman, Cybersecurity Fellow | @ethicaltechorg
"In January, it was revealed that researchers could trace the geographic locations of U.S. military personnel via data from their wearable fitness devices. In July, researchers similarly traced the real-time locations of intelligence personnel around the globe—including in sensitive locations like the NSA, MI6 and the Guantanamo Bay detention facility in Cuba—and also exposed the names of those personnel in agencies like the French DGSE in Paris and the Russian GRU in Moscow. In this second incident, affected personnel had been wearing IoT devices—fitness trackers—that revealed their locations online. Perhaps more than ever, these events make it clear that IoT privacy breaches can have a direct impact on national security."
Christopher Burgess, Cybersecurity Advisor | @burgessct
"The airlines get us from place to place as their primary task, yet they are entrusted with our most valuable personal identifying pieces of information. This information is sufficient to conduct identity theft with little effort. From poorly configured apps to award portals and breaches of infrastructure, the industry must heed the following wakeup call: data security is a responsibility, and maintaining the privacy of the passenger is just as important as maintaining an aircraft itself. The 2018 experiences of Air Canada, Cathay Pacific and British Airways are prime exemplars."
Chris Hudson, Professional Services Consultant | @askjarv
"GDPR was responsible for clogging up our mailboxes at the beginning of the year, but a far greater legacy of GDPR’s guidance will be enshrining the requirements to provide notification of a personal data breach to a supervisory authority (Article 33). Strengthening our policies (especially ones that cover more than one country) to improve our security reporting standards will move security migration measures into the public discourse more regularly, which I believe to be essential in order to ensure that companies keep up with their obligations of keeping our data safe. Whilst it’s early days still for GDPR and its enforcement, I’m hopeful this will bring about a positive change in the years to come (perhaps more than any other mere technological change)."
(1/2) What was the biggest event in the infosec community in 2018? Please vote and retweet. #security #infosec — Tripwire (@TripwireInc) December 14, 2018
Adrian Sanabria, VP of Strategy & Product Marketing | @sawaba
"The single, most memorable event was the massive fervor over Meltdown and Spectre early in the year, which resulted in massive amounts of wasted time and damages to those that tried to do the right thing by patching quickly. To me, it highlights a consistent lack of alignment in our industry between actual threats and what we perceive to be threats. I'd bet if we look at the events that actually resulted in damages, losses and insurance filings, it wouldn't come close to resembling the potential threats reported by the media. Our industry's focus is often more captured by the output of vendors, events and researchers than by the actions of criminals and victim experiences."
Maribeth Pusieski, Account Executive | @mb_pdx
"Since entering the cybersecurity industry, every year there has been an increase in the size, number and severity of breaches. This matches the increase in discussions regarding what privacy really means personally and professionally. For so long, the convenience of smartphones, social media, digital access, Bluetooth, etc. has eclipsed concerns about personal privacy and corporate marketing. Combine the recent Facebook controversies around fake news, political advertising and campaigning with the September Facebook breach, and we realize we may indeed have reached an inflection point. As a capitalistic economy, if the demand for increased privacy goes up due to these breaches and the corporate bottom line takes a downward turn, people will pay attention. Just ask Mark Zuckerberg how he is feeling about Facebook's stock being down 40% from July’s high. Nothing creates change more in the USA than money, so maybe privacy can be protected and breaches will eventually go down."
Ben Layer, Principal Software Engineer | @benlayer
"For me, the most important event took place in May when the EU General Data Protection Regulation (GDPR) went into force. GDPR is designed to enhance the data privacy of EU citizens, giving users more control over what personal data can be gathered while also ensuring that organizations storing data protect it from misuse. Penalties for not doing so can reach staggering levels, far higher than fines which have previously been levied. There have been many memorable high-profile data breaches this year, and GDPR has the potential to finally start making a difference in preventing them or limiting the impact of these attacks."
Chuck Brooks, Principal Market Growth Strategist | @ChuckDBrooks
"In the world of non-stop cyber breaches, 2018 was a very costly year. The Ponemon Institute’s Cost of a Data Breach 2018 study prepared for IBM found that the cost of the average data breach to a U.S. company was $7.91 million and that the total cost for cyber-crime committed globally was over $1 trillion dollars in 2018. For me, the most interesting and perhaps frightening development of 2018 was not the volume and cost of attacks (to be expected) but the brazen targeting of American cities. For example, both Atlanta and Baltimore were victimized by ransomware attacks in March. The hackers demanded $55,000 from Atlanta, and the cost of remediation from attacks in the city amounted to projections of nearly $20 million. In Baltimore, the 911 dispatch system was taken down from a ransomware attack, and it was out of commission for hours. The Atlanta and Baltimore incidents are especially worrisome as we advance toward more digital connectivity. With increasingly large attack surfaces comprised of the Internet of Things and eventually 'smart city' sensors, our entire way of urban life can be at risk. These events should provide a wake-up call for all cities and localities on the urgent need to mitigate sophisticated growing cyber threats in 2019 and beyond."
Nick Santora, CEO | @Curricula
"The most memorable event for me in 2018 was the Atlanta ransomware attack back in March. As a resident of Atlanta, I was a lot closer to the action to understand the impact. Ransomware isn’t going away, and the bigger problem lies not in just paying the ransom but also in recovering from an attack. We clearly saw how devastating this attack was on the entire city of Atlanta and the impact it made across the world on responsiveness. There is always a lot to learn from an event after it happens, but most organizations should look towards practicing simulated events to understand their own weaknesses."
(2/2) What was the biggest event in the infosec community in 2018? Please vote and retweet. #security #infosec (Please reply with other suggestions) — Tripwire (@TripwireInc) December 14, 2018