"What's your infosec key learning from 2015?"
We asked this question of a number of minds in infosec and got a variety of answers. Below are the responses from some of our brilliant and insightful friends in the infosec community, including from within our own lovely Rapid7 team. The responses vary from brief to elaborate and touch on changes in perceptions within infosec, as well as broader trends that will affect infosec from the outside. We hope these reflections will prompt you to share your own key learnings as well -- let us know what your big takeaway from the year has been in the comments below.
Chris Hadnagy (@humanhacker), President and CEO of Social-Engineer Inc
It is easy for us to say: "We saw more social engineering in attacks this year." It would be true but vague. So let me tell you what I really saw in more detail.
Phishing - massive rise in the complexity, frequency, branding and realism of phishing emails. This year wins the award for most realistic phish in an email scene. We found a site on the dark web that offers a paid service to malicious phishers to spellcheck, grammar check and increase click ratio or money back.
Rick Holland (@rickhholland), Vice President and Principal Analyst at Forrester Research
The key highlight for me is that there is no such thing as a cybersecurity sprint. The path to building resiliency isn’t through a 30 day run. It is more like the Marathon des Sables, a 155 mile run through the Sahara desert that you then have to run over and over with no legs. There is simply no cybersecurity finish line.
David Kennedy (@HackingDave), CEO and Founder of TrustedSec, Founder of DerbyCon
I think the focus of 2015 really started to be a positive motion on detection. Companies truly realizing that prevention isn’t always a sure sign and focusing on what attackers are doing. I think we’ll continue to see this moving forward. We also know that the attackers haven’t gotten smaller – only larger and that the breaches themselves continue to have a high impact on reputation and damages to the company. 2015 didn’t really trend anything new per se — it's been the same types of attacks time and time and the same methods of exploitation – client side, third party connectivity, and perimeter attacks as main vectors.
Katie Moussouris (@k8em0), Chief Policy Officer at HackerOne
2015 seemed to be the year that the general public, governments, and the IT industry woke up to opposing sides of a common goal: protecting human safety and human rights when technology can be used to cause harm. We saw this highlighted in the unprecedented unification of big and small businesses with security researchers to oppose the overly broad Wassenaar language that regulates the export of intrusion software technology and tools, which can be used by defenders as well as criminals. We also saw a broad interest increase among technologists, consumers, and mainstream media in hackable vehicles and other technology that is part of everyone's daily life. We also saw some significant data breaches across enterprise and government targets, driving up both the awareness of internet security threats, as well as the understanding that all infrastructure is vulnerable to attack, especially when there is something significant worth protecting.
Wendy Nather (@RCISCwendy), Research Director at the Retail Cyber Intelligence Sharing Center
I totally agree with Rick [see above] that there’s no such thing as a cybersecurity sprint. If you think of it as a cybersecurity lifestyle (nobody is Born This Way), you’ll understand why it’s so hard to change an organization's habits permanently, and why so many are subsisting on the equivalent of junk food (AV).
Kurt Opsahl (@kurtopsahl), Deputy Executive Director and General Counsel of the Electronic Frontier Foundation
2015 illustrated the challenges and opportunities presented by the Internet of Things. We saw vendors add connectivity to goods, introducing new capabilities, but also new attack surfaces. The challenge was for vendors, sometimes new to infosec, to react well to vulnerability reports, and fix the problems. Tesla showed how to do it well when its CTO shared the stage at DEF CON with security researchers, and Volkswagen showed the challenges remaining, when a paper, suppressed for two years by legal action, was finally unveiled this summer.
Tod Beardsley (@todb), Security Research Manager at Rapid7
2015 saw a marked interest in the security of non-computer devices, such as smartphones and cars, and I believe that this will inform where research – both legitimate and criminal – will go in 2016. We are on the hockey stick of growth for the population of connected devices, and we have an opportunity, now, to get ahead of the security problems that so far have plagued non-traditional computers ranging from toys to personal tools to industrial control systems.
Rebekah Brown (@pdxbek), Threat Intelligence Lead at Rapid7
Communication is HARD! In infosec, we often have great answers to problems, but our messages don’t always get across – not to end users, not to the Board, sometimes not even to other teams we work with day in and day out. In 2015, we saw more and more people focus on the nuanced skill sets that enable better communication of security issues.
Jen Ellis (@infosecjen), Vice President of Community and Public Affairs at Rapid7
In the wake of the Sony breach and several widespread, high profile vulnerability disclosures last year, we entered 2015 with a noticeably pronounced emphasis on cybersecurity in the Government. The White House issued three legislative proposals, held a cybersecurity summit, and signed a new Executive Order, all before the end of February. Since then, we’ve seen the OPM breach drive huge dialogue on cybersecurity across the Government sphere – every office and agency is now building a position on this topic. Congress has passed three cybersecurity information sharing bills, and introduced dozens of other bills with cybersecurity provisions, and a number of agencies in the Administration have been engaged in debate over new export controls for intrusion technologies.
While cybersecurity legislation is not, in and of itself, new or surprising, the shift in tone and focus is. Firstly, cybersecurity is a far more widespread priority across both branches of Government in a way we have not previously seen; and secondly, there is a much greater desire and emphasis on engaging the security community in the discussion. The Legislature and Administration are actively seeking security expertise to work with as they try to navigate the complexities of the landscape to build productive policy. We have seen this in the engagement to find the right approach to implementing the Wassenaar Arrangement in the US, and in various Congressional offices seeking assistance from security professionals to vet legislative language. We’ve seen the Departments of Justice and Commerce both actively engaging the security community on multiple fronts, as have the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA), and countless others. We even saw an exemption for security research approved for the Digital Millennium Copyright Act (DMCA) this year.
Trey Ford (@treyford), Global Security Strategist at Rapid7
Less is more.
Security professionals need to be more deliberate in upward communications. Your title doesn’t matter (CISO to Security Manager) — when communicating to senior executives, give a clear, simple and consistent message. Too much data, too much distraction and reactionary reporting and commitment to technical accuracy is killing us.
Guillaume Ross (@gepeto42), Senior Security Consultant at Rapid7
The highlight for me has been seeing more coverage in the regular news, as well as more interest from executives in general with regards to infosec/cybersecurity. It felt that for a few years, security was stagnating, or even getting worse, as environments started becoming more complex as companies adopted a mix of Cloud services, authentication beyond their perimeter and to new types of devices with varied levels of controls. PCI DSS pushed compliance forward while leaving security in the back seat, but now it feels like the balance is truly shifting towards actually caring about security. While things like this can’t happen in a very short period of time, it does feel like the pace of acceptance for security, as well as for the need not to have perfect security but ways to mitigate the inevitable incident, has accelerated in the last year.
Corey Thomas, President and CEO at Rapid7
The key learning for me in 2015 for the infosec industry is that the bottleneck has shifted from awareness to skills and expertise.