As 2018 draws to a close, it’s been a fascinating year in the IT security community. From record-breaking data breaches, new regulations and the Meltdown and Spectre debacle, we can certainly say it’s been eventful. To round the year off, we thought it would be interesting to ask some of our regular contributors (and followers on Twitter) what their standout moments were.
Justin Sherman, Cybersecurity Fellow | @ethicaltechorg
“In January, it was revealed that researchers could trace the geographic locations of U.S. military personnel via data from their wearable fitness devices. In July, researchers similarly traced the real-time locations of intelligence personnel around the globe—including in sensitive locations like the NSA, MI6 and the Guantanamo Bay detention facility in Cuba—and also exposed the names of those personnel in agencies like the French DGSE in Paris and the Russian GRU in Moscow. In this second incident, affected personnel had been wearing IoT devices—fitness trackers—that revealed their locations online. Perhaps more than ever, these events make it clear that IoT privacy breaches can have a direct impact on national security.”
Christopher Burgess, Cybersecurity Advisor | @burgessct
“The airlines get us from place to place as their primary task, yet they are entrusted with our most valuable personal identifying pieces of information. This information is sufficient to conduct identity theft with little effort. From poorly configured apps to award portals and breaches of infrastructure, the industry must heed the following wakeup call: data security is a responsibility, and maintaining the privacy of the passenger is just as important as maintaining an aircraft itself. The 2018 experiences of Air Canada, Cathay Pacific and British Airways are prime exemplars.”
Chris Hudson, Professional Services Consultant | @askjarv
“GDPR was responsible for clogging up our mailboxes at the beginning of the year, but a far greater legacy of GDPR’s guidance will be enshrining the requirements to provide notification of a personal data breach to a supervisory authority (Article 33). Strengthening our policies (especially ones that cover more than one country) to improve our security reporting standards will move security migration measures into the public discourse more regularly, which I believe to be essential in order to ensure that companies keep up with their obligations of keeping our data safe. Whilst it’s early days still for GDPR and its enforcement, I’m hopeful this will bring about a positive change in the years to come (perhaps more than any other mere technological change).”
(1/2) What was the biggest event in the infosec community in 2018?
Please vote and retweet. #security #infosec
— Tripwire (@TripwireInc) December 14, 2018
Adrian Sanabria, VP of Strategy & Product Marketing | @sawaba
“The single, most memorable event was the massive fervor over Meltdown and Spectre early in the year, which resulted in massive amounts of wasted time and damages to those that tried to do the right thing by patching quickly. To me, it highlights a consistent lack of alignment in our industry between actual threats and what we perceive to be threats. I’d bet if we look at the events that actually resulted in damages, losses and insurance filings, it wouldn’t come close to resembling the potential threats reported by the media. Our industry’s focus is often more captured by the output of vendors, events and researchers than by the actions of criminals and victim experiences.”
Maribeth Pusieski, Account Executive | @mb_pdx
“Since entering the cybersecurity industry, every year there has been an increase in size, number of and the severity of breaches. This matches the increase in discussions regarding what privacy really means personally and professionally. For so long, the convenience of smartphones, social media, digital access, Bluetooth, etc. has eclipsed concerns about personal privacy and corporate marketing. Combine the recent Facebook controversies around fake news, political advertising and campaigning with the September Facebook breach, and we realize we may indeed have reached an inflection point.
As a capitalistic economy, if the demand for increased privacy goes up due to these breaches and the corporate bottom line takes a downward turn, people will pay attention. Just ask Mark Zuckerberg how he is feeling about Facebook’s stock being down 40% from July’s high. Nothing creates change more in the USA than money, so maybe privacy can be protected and breaches will eventually go down.”
Ben Layer, Principal Software Engineer | @benlayer
“For me, the most important event took place in May when the EU General Data Protection Regulation (GDPR) went into force. GDPR is designed to enhance the data privacy of EU citizens, giving users more control over what personal data can be gathered while also ensuring that organizations storing data protect it from misuse.
Penalties for not doing so can reach staggering levels, far higher than fines which have previously been levied. There have been many memorable high-profile data breaches this year, and GDPR has the potential to finally start making a difference in preventing them or limiting the impact of these attacks.”
Chuck Brooks, Principal Market Growth Strategist | @ChuckDBrooks
“In the world of non-stop cyber breaches, 2018 was a very costly year. The Ponemon Institute’s Cost of a Data Breach 2018 study prepared for IBM found that the cost of the average data breach to a U.S. company was $7.91 million and that the total cost for cyber-crime committed globally was over $1 trillion dollars in 2018. For me, the most interesting and perhaps frightening development of 2018 was not the volume and cost of attacks (to be expected) but the brazen targeting of American cities.
For example, both Atlanta and Baltimore were victimized by ransomware attacks in March. The hackers demanded $55,000 from Atlanta, and the cost of remediation from attacks in the city amounted to projections of nearly $20 million. In Baltimore, the 911 dispatch system was taken down from a ransomware attack, and it was out of commission for hours. The Atlanta and Baltimore incidents are especially worrisome as we advance toward more digital connectivity.
With increasingly large attack surfaces comprised of the Internet of Things and eventually ‘smart city’ sensors, our entire way of urban life can be at risk. These events should provide a wake-up call for all cities and localities on the urgent need to mitigate sophisticated growing cyber threats in 2019 and beyond.”
Nick Santora, CEO | @Curricula
“The most memorable event for me in 2018 was the Atlanta ransomware attack back in March. As a resident of Atlanta, I was a lot closer to the action to understand the impact. Ransomware isn’t going away, and the bigger problem lies not in just paying the ransom but also in recovering from an attack.
We clearly saw how devastating this attack was on the entire city of Atlanta and the impact it made across the world on responsiveness. There is always a lot to learn from an event after it happens, but most organizations should look towards practicing simulated events to understand their own weaknesses.”
(2/2) What was the biggest event in the infosec community in 2018?
Please vote and retweet. #security #infosec
(Please reply with other suggestions)
— Tripwire (@TripwireInc) December 14, 2018
Sarah Clarke, Security Governance, Risk, Compliance Specialist | @TrialByTruth
“The most memorable industry event this year was people starting to get privacy. It wasn’t Chris Wylie’s revelations about data dealing, psychometric profiling and psychological manipulation by Facebook, Cambridge Analytica and SCL. It wasn’t the GDPR becoming enforceable. It wasn’t furore about Russian cyber interference in Brexit and US elections. It was about, for the first time, implications beginning to stick.
We have seen a real shift towards outrage and taking action to tackle unethical use of data and technology among tech leaders, the developer community and a myriad of associated groups including, crucially, a subset of consumers. That cumulative wave of disgust about infringement of human rights has done more to drive purse-holder attention to security and data protection than anything that’s gone before. It’s a tipping point we didn’t believe would be reached.
The pendulum will no doubt swing back towards tolerance for disrespectful data dealings thanks to new and clever obfuscation, cynical spin or regulator/legislator weakness (e.g. while smart home devices top the Amazon sales list, the US govt. still plans to let the data poachers set and enforce the gamekeeping rules), but we’ve still made, in my honest opinion, a significant incremental gain.”
Anthony Israel-Davis, Sr. Manager, R&D | @anthony_id
“The actions of Facebook and the increased scrutiny on social media in general have been a significant shift in how we perceive privacy and media in 2018. It’s shocking, though not surprising, that our personal data was being sold and used not just for advertising but weaponized for social engineering at scale. Facebook, in particular, is reeling in Europe where GDPR has clearly had a major impact and where privacy is much more of a social norm than in the United States. Mark Zuckerberg’s no-show to the British Parliament shows just how on-the-ropes Facebook is.
Hopefully, this will continue to fuel an awareness among people of what data they are providing, how it is being used and whether or not they want to provide it at all to companies. Social media is a great tool; we just need to recognize it’s not all cat videos and pictures of the kids – caveat emptor.”
Lane Thames, Sr. Security Researcher | @Lane_Thames
“On July 23, 2018, reports started to surface about Russian hackers who, over the course of two years, had penetrated multiple utility networks in the United States. These utility networks are classified as critical infrastructure by the Department of Homeland Security (DHS).
According to the reports, the hackers made their initial access into third-party vendors using spear-phishing and watering-hole attacks. Once inside these third-party vendor networks, the hackers pivoted their way directly into critical utility systems such as utility control rooms. This shows that we still have a long way to go in terms of cybersecurity.
This 2018 cybersecurity event used human weaknesses and supply-chain dependencies to be successful. We have to do a better job providing security awareness across the entire spectrum of our employee bases. Security implications for supply-chain relationships and dependencies are rapidly becoming a hot security topic. Hopefully, we will see technological advancements for securing our supply chains soon.”
You can read part 2 here.