2016 was an exciting year in information security. There were mega-breaches, tons of new malware strains, inventive phishing attacks, and laws dealing with digital security and privacy. Each of these instances brought the security community to where we are now: on the cusp of 2017.
Even so, everything that happened in 2016 wasn’t equally significant. Some moments clearly stood out above the rest.
Here are the security events that were most memorable for our contributors to The State of Security.
Bob Covello, InfoSec Analyst | @BobCovello
When I look back at 2016, there were so many notable security events that it is difficult to choose only one that had a significant impact over any other. Even so, the story that was most curious to me was the surprise announcement in May by the authors of TeslaCrypt ransomware. They posted a short and simple message that they had shut down their “project” and released the master decryption key. While there is plenty of speculation about why the authors did this, what exactly caused the demise of TeslaCrypt remains a mystery. While I shed no tears at the demise of any criminal enterprise such as ransomware, I truly love a mystery.
James Wright, Security Consultant | @James_M_Wright
This past year, we’ve seen significant events occur in cyberspace. A memorable moment for me was the hacking of high-level government officials and political party offices. Our infrastructure is vulnerable to attacks from remote locations around the world. We therefore need to increase information security awareness and invest in organizational cybersecurity. After all, many of the breaches this past year exploited social engineering coupled with inadequate incident response capabilities. I predict the coming year will show strong growth in the cloud along with cybersecurity services that provide the framework for companies to expand into this space.
Cheryl Biswas, Cyber Security Consultant | @3ncr1pt3d
We want security to be an All-Play, where everyone feels comfortable contributing and learning. I was part of the founding group for TiaraCon, a fun and wonderful initiative which infused a testosterone-charged week of security conferences in Vegas with diversity. Picture a sea of black. Hackers in tees and hoodies – and tiaras. Hacker Summer Camp was literally glittering with the promise of change. Indeed, TiaraCon was our summer vacay approach to a very serious topic. The response was so rewarding. Workshops, job interviews, mentoring, bonding. Attendees built confidence along with badges, for security is better done together!
Graham Cluley, Security Blogger | @gcluley
The most memorable moment for me was when a Mirai botnet, which is made up of hundreds of thousands of poorly-secured Internet of Things (IoT) devices that Mirai malware compromised via their unchanged default login credentials, brought down a DNS service and as a result made many of the world’s most popular websites inaccessible.
This is just the beginning. IoT security is going to be an even bigger problem in 2017.
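Graham's point is that Mirai got in by trying unchanged vendor default logins over telnet. The block below is an added example, not code from the original post or from Tripwire, showing the detection side of that: it parses a small constructed honeypot-style telnet auth log (the format and the source addresses are made up; they are not from any real device or capture) and flags any source that sprays several distinct username/password pairs within a short window, noting how many of those pairs are well-known vendor defaults and whether any attempt succeeded. The default pairs listed are a handful of the kind that appear in Mirai's published dictionary; treat the list as an illustrative subset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of honeypot-style telnet auth events. The wording is
# Cowrie-like but invented; hosts and addresses are documentation ranges.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z telnet-hp 203.0.113.5 login attempt [root/xc3511] failed
2016-10-21T11:02:14Z telnet-hp 203.0.113.5 login attempt [root/vizxv] failed
2016-10-21T11:02:14Z telnet-hp 203.0.113.5 login attempt [admin/admin] failed
2016-10-21T11:02:15Z telnet-hp 203.0.113.5 login attempt [root/888888] failed
2016-10-21T11:02:15Z telnet-hp 203.0.113.5 login attempt [support/support] failed
2016-10-21T11:02:16Z telnet-hp 203.0.113.5 login attempt [root/xmhdipc] succeeded
2016-10-21T11:05:40Z telnet-hp 198.51.100.7 login attempt [admin/hunter2] failed
2016-10-21T11:06:02Z telnet-hp 198.51.100.7 login attempt [admin/hunter3] succeeded
2016-10-21T11:09:00Z telnet-hp 192.0.2.9 login attempt [root/root] failed
"""

# A few vendor defaults of the kind Mirai's public dictionary tries.
# Illustrative subset only (assumption: not the complete list).
KNOWN_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("support", "support"), ("root", "root"),
    ("root", "12345"), ("admin", "password"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<src>\d+\.\d+\.\d+\.\d+) login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)


def parse_events(text):
    """Return (timestamp, src, user, password, succeeded) tuples for auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth event; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["pw"], m["result"] == "succeeded"))
    return events


def find_credential_sprays(text, window=timedelta(seconds=60), min_distinct=4):
    """Flag sources trying >= min_distinct distinct user/password pairs inside `window`.

    Returns {src: {"distinct": n, "defaults": k, "success": bool}} where
    "defaults" counts how many of the sprayed pairs are known vendor defaults.
    """
    by_src = defaultdict(list)
    for ev in parse_events(text):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        best = set()  # largest set of distinct pairs seen in any single window
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1  # slide the window forward
            pairs = {(e[2], e[3]) for e in evs[lo:hi + 1]}
            if len(pairs) > len(best):
                best = pairs
        if len(best) >= min_distinct:
            findings[src] = {
                "distinct": len(best),
                "defaults": len(best & KNOWN_DEFAULTS),
                "success": any(e[4] for e in evs),
            }
    return findings


if __name__ == "__main__":
    for src, finding in find_credential_sprays(SAMPLE_LOG).items():
        print(src, finding)
```

On the sample, only 203.0.113.5 is flagged: six distinct pairs in three seconds, all of them vendor defaults, ending in a successful login, which is exactly the shape of a Mirai-style scanner hitting a device whose credentials were never changed. The legitimate-looking source that fumbles one password before logging in stays below the threshold.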
Travis Smith, Senior Security Research Engineer | @MrTrav
I attended quite a few security conferences in 2016. At S4x16, retired General Michael Hayden delivered the first, and probably one of the best, keynotes I have seen this year. General Hayden has some great insights into higher-level policies not typically discussed at many security conferences. One of the bold predictions he made was that if the lights in the United States were to go out due to a cyber-attack, it would not be the first thing the president would be briefed on the following morning. This statement emphasizes that any future cyber war would probably also have some sort of kinetic aspect. I highly recommend watching the full keynote here.
Matt Pascucci, Security Architect | @MatthewPascucci
The past year has ushered new and unprecedented risks into our networks. They’ve included the explosion of ransomware and IoT botnets, but in my opinion, the biggest battle has been for privacy. We’ve seen the adoption of laws in both the UK and America (Snooper’s Charter and Rule 41) that give governments sweeping surveillance powers. Along these same lines, we’ve also watched a debate between the FBI and Apple with regard to a backdoor being built into an iPhone. Digital privacy will continue to assume a bigger role in the news next year, and I think we’ll see companies build encryption and privacy into their software as a response.
Jim Nitterauer, Senior Security Specialist | @JNitterauer
2016 has been a banner year for information security. The most memorable events of the year will no doubt prove to be the transfer of the Internet’s DNS to the Internet Corporation for Assigned Names and Numbers (ICANN), the growth in the number of Internet-connected devices (IoT), and the continued growth of exploitation platforms like the Mirai botnet. Easy access to tools like Mirai makes it easy for emotionally and ethically deprived actors to wreak economic havoc on unsuspecting targets. Remember October 21st, 2016? A bad day for Internet dwellers.
David Jamieson, Mid Enterprise Account Manager | @dhjamieson
Recently, I was the target of a phishing campaign. The attacker sent me an email saying my MS Outlook mailbox could no longer send messages because it was too large. The email asked me to click a link to log in to my MS Outlook account. The email said “failure to do so will lead to loss of access to your email account.” This email stopped me in my tracks because I regularly do exceed the allowed size of my mailbox. Clever attempt! Attackers are getting much better at manipulating us with carefully constructed messages that appear legitimate. I think their skill has improved dramatically in the past year, forcing us to be ever more vigilant to prevent serious problems.
Angus Macrae, Senior Information Security Manager | @AMACSIA
My personal security highlight of 2016 has to be hearing Bruce Schneier’s keynote at Infosecurity Europe 2016. I wrote about it for Tripwire and was doubly honoured when Bruce reproduced my hurried review on his own blog.
Reading Schneier on Security (the actual hardback book) back in 2008 made me think very differently about security, that is, beyond just the IT toward the bigger picture. His keynote this year was still just as thought-provoking but concentrated on the present and future. Sobering that it only took months for some of his warnings to manifest in the form of Mirai.
Another theme he explored was the need for Government to get more involved in cyber as a necessity now. The present problem is that too many technology people don’t understand the workings and challenges of Government while too many Government people don’t really get technology at all. It was therefore pleasing to see the UK’s own Government produce the (overall) very good and well intentioned National Cyber Security Strategy this year.
Whatever your politics, it’s vital we have a cohesive public manifesto document now, one which derives much of its content from the experts in NCSC/CESG who obviously do ‘get it’.
Tyler Reguly, Manager of Software Development | @treguly
Looking back at 2016, the most memorable moment was the second Tripwire Hack Lab at SecTor.
It was an incredible experience. We had a packed table, taught IoT device hacking to people who’d never used devices, and once again discovered a 0-day. It’s difficult to see anything else when your passion and your job cross paths and allow you to teach new skills to others.
Here’s hoping it happens again in 2017.
Tracy Z. Maleeff, Principal Researcher | @InfoSecSherpa
2016 has been my own personal year of big information security news. I took the plunge and quit my job to follow my bliss into security. I attended ShmooCon, my very first security event, in January, and at the end of the year, I presented at the inaugural BSides Philly con. It has been a veritable “Alice in Wonderland” type of year for me. I’ve met interesting characters and had wild adventures. As I search for a permanent infosec job, I will continue to contribute my knowledge and skills to benefit the infosec community — and grow curiouser and curiouser about what else I can learn from others!
Bev Robb, Security Thought Leader | @teksquisite
I’ve been looking at insider threats more closely this year. In a nutshell, it only takes a few minutes to post company data for sale on the dark web. Once the information is posted, there is no going back.
Whether it is via a disgruntled employee or a compromised account, internal information offered in the underground can bring a company to its knees. Just look at AdultFriendFinder or Mossack Fonseca. They didn’t discover the data breach until an insider leaked it.
David Bisson, Infosec Journalist | @DMBisson
Nothing has defined 2016 for the security community quite like Locky. The ransomware emerged back in February with a bang when it infected the systems at Hollywood Presbyterian Medical Center, causing the hospital to shut down several of its departments and divert patients to other facilities. Since then, it’s gone through at least seven different iterations (“.zepto,” “.odin,” “.shit,” “.thor,” “.aesir,” “.zzzzz,” and “.osiris”) and embraced novel distribution methods, like SVG images in Facebook Messenger and fake Flash Player update websites, that other variants will no doubt embrace in the future. Locky has set the standard for malware developers everywhere because of its dynamic evolution and versatility. Given its sharing of infrastructure with one of the most persistent banking trojans in the wild, not to mention the current lack of a decryptor, the ransomware will likely continue to make waves in the security community and prey upon unsuspecting users for years to come.
Joe Gray, Enterprise Security Consultant | @C_3PJoe
I find the attack from the Mirai botnet to be the most notable event of 2016. While we saw a lot of ransomware, I think that Mirai demonstrated pure evil ingenuity. The attackers took a benign tool and weaponized it to bring down some of the most influential entities on the web. In addition to this, they affected downstream services and customers to three or more degrees. This was certainly an excellent example of why redundancy and the main plans (disaster recovery, business continuity, and incident response) are vital to every business.
Kim Crawley, Security Writer | @kim_crawley
I can’t forget the Dyn attack that happened just this October. Attacking a major DNS provider is catastrophic because it allows for phishing websites to succeed, which can lead to man-in-the-middle attacks, credential theft, and malware infections.
Strangely, PornHub has been doing well because they use multiple DNS providers. But Amazon, GitHub, PlayStation Network, Tumblr, Verizon, and even the Swedish government were greatly affected. Corporations online must focus on having lots of redundancy in DNS providers.
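Kim's recommendation above is to spread a zone's authoritative nameservers across more than one provider. The block below is an added example (not code from the original post or from Tripwire) of the triage check a practitioner would run against an NS delegation before a provider outage forces the question: given a zone's NS hostnames and their addresses, it reports whether every nameserver belongs to the same provider or sits in the same network prefix. The zone names, NS hostnames and glue addresses are constructed (documentation ranges, not real providers), and the "provider" heuristic simply takes the last two labels of each NS hostname, which is an assumption that does not handle multi-label public suffixes such as co.uk.

```python
import ipaddress

# Constructed delegations; hostnames and addresses are invented for the example.
ZONES = {
    "single-provider.example": [
        ("ns1.dnsprovider-a.net", "203.0.113.10"),
        ("ns2.dnsprovider-a.net", "203.0.113.11"),
    ],
    "multi-provider.example": [
        ("ns1.dnsprovider-a.net", "203.0.113.10"),
        ("ns1.dnsprovider-b.org", "198.51.100.20"),
        ("a.ns.dnsprovider-c.com", "2001:db8:1::30"),
    ],
}


def provider_of(ns_host):
    """Approximate the operator of a nameserver by its registrable domain.

    Assumption: last two labels are the registrable domain (no public-suffix
    list), which is fine for a quick check but wrong for names under co.uk etc.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def prefix_of(address):
    """Bucket an address into a coarse prefix: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(address)
    length = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))


def assess_ns_redundancy(ns_records):
    """Return the distinct providers and prefixes behind a delegation plus any
    single points of failure found. ns_records is a list of (hostname, address)."""
    providers = {provider_of(host) for host, _ in ns_records}
    prefixes = {prefix_of(addr) for _, addr in ns_records}
    issues = []
    if len(ns_records) < 2:
        issues.append("fewer than two nameservers")
    if len(providers) < 2:
        issues.append("all nameservers from one provider")
    if len(prefixes) < 2:
        issues.append("all nameservers in one network prefix")
    return {
        "providers": sorted(providers),
        "prefixes": sorted(prefixes),
        "issues": issues,
    }


def assess_all(zones):
    """Assess every zone; returns {zone: assessment}."""
    return {zone: assess_ns_redundancy(records) for zone, records in zones.items()}


if __name__ == "__main__":
    for zone, report in assess_all(ZONES).items():
        status = "OK" if not report["issues"] else "; ".join(report["issues"])
        print(f"{zone}: {status}")
```

In practice the (hostname, address) pairs would be pulled from the parent zone's NS and glue records with `dig +trace` or a resolver library; the function only looks at the delegation, so it can be run from stored zone data without network access. The prefix check is a cheap stand-in for true network diversity (different ASNs); a zone that passes both checks has at least removed the single-provider failure mode that the Dyn outage exposed.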
Katherine Brocklehurst, Senior Product Marketing Manager | @Kat_Brock
One of the most interesting presentations I attended was at the Belden Industrial Ethernet Infrastructure Design Seminar (IEIDS) in October 2016. There, Sean McBride delivered a keynote and had a session talk about the work of an ICS threat intelligence analyst.
In his keynote, he shared his “Subversive Six” Unseen ICS Risk Points. They are as follows: unauthenticated protocols, outdated hardware, weak password management, weak file integrity checks, vulnerable Windows OS, and undocumented third-party relationships.
This gets to root causes of probably 80 percent or more of the risks in ICS operations networks, endpoints and control systems. They’re not too different from IT either.