Following up our earlier post with 2015 key learnings, we asked our panel of lovely infosec pros to gaze into their crystal balls, consult the runes, and read their tea leaves to make their predictions for 2016. In many cases, their notes are less prophetic and more ardent hopes for a better, more secure future. We've listed their predictions below, including several from our own fabulous Team Rapid7 (though I'm obviously biased!). We hope you'll share your own predictions too -- what do you think 2016 has in store for us? Tell us your thoughts in the comments.
If you'd like to hear more in-depth predictions for the coming year, please join us for our webcast this Thursday, December 10, at 2pm ET: "2016 Security Predictions" with Rick Holland and Lee Weiner.
Chris Hadnagy (@humanhacker), President and CEO of Social-Engineer Inc
I almost hate to do this as I fear speaking it out loud… but lots more vishing is coming this year. I think we will see multi-vectored attacks on the rise. That is where attackers use phishing followed by a call, or vice versa. I think we will see a higher level of sophistication in these attacks, as well as a larger number of banking-related scams overall.
This is one area where I would love to be proven wrong and instead to see 2016 be the year of international harmony without malicious hacking….
Rick Holland (@rickhholland), Vice President and Principal Analyst at Forrester Research
The digital Tony Sopranos are only going to get worse; extortion against healthcare organizations responsible for the availability of life-sustaining medical devices will occur. Security teams must be on the lookout for the cyber waste management consultants.
David Kennedy (@HackingDave) CEO and Founder of TrustedSec, Founder of DerbyCon
I think 2016 is the year of mass cloud pwnage. It’s been a long time coming, and with more companies adopting the internet of things, cloud-centric servers, and mass data heists, I think this will be one of the main focal points. It probably already is; just not having any detection capabilities in cloud providers to notice it will be a challenge. Additionally, I believe mobile attack vectors will start to rise. More and more information is being stored, and I feel like MDM fizzled off quite a bit this year because we haven’t seen the amount of attacks predicted. I think with Google fragmentation and security threats at an all-time high, and the process of having to move from Google to manufacturer to carrier, you're looking at usually a 6-month period before an update hits your phone – this is major. Additionally, more attacks leveraging client-side exploitation, with a general lack of monitoring and detection still being the leading cause of breaches in 2016.
Katie Moussouris (@k8em0), Chief Policy Officer at HackerOne
One thing is certain as we increase our dependence on technology in our society: Attacks will also increase, both targeted and otherwise, and we need all hands on deck as defenders to work together. My prediction is that security recruiting will become among the most important goals of defenders, and with a global shortage of qualified workers in this area, we will see more creative ways to find talent, such as the use of bug bounties to help identify key talent in the global marketplace. That means that lawmakers trying to regulate internet security technology, governments, private industry, and major enterprise consumers of technology need to find ways to hear more directly from the security research community, and carefully consider any laws or regulations that make it difficult to work with the emerging global technical talent pool. Our ability to grow our collective defense capabilities depends upon adopting a more agile recruiting model than what has traditionally been the pipeline in the past.
Wendy Nather (@RCISCwendy), Research Director at the Retail Cyber Intelligence Sharing Center
My prediction for 2016 is that we’ll continue to see a glut of security startups, all throwing the equivalent of spaghetti at the wall. At the same time, the more mature organizations, such as financial institutions, will take a harder look at their portfolios and start trimming them of waste. There will be more focus on efficiency and efficacy (not ROI), rather than buying one of everything.
Kurt Opsahl (@kurtopsahl), Deputy Executive Director and General Counsel of the Electronic Frontier Foundation
In 2016, the infosec community will have to face regulatory pressures, through things like the Wassenaar Arrangement (export controls), multi-national attempts to regulate strong encryption, and the expansion of anti-circumvention restrictions through the Trans-Pacific Partnership. By working together and educating policy makers, the infosec community can stop or slow the worst regulations and ensure that vulnerabilities can be discovered, exposed and fixed.
Tod Beardsley (@todb), Security Research Manager at Rapid7
I believe, and fervently hope, that the security issues dogging the Internet of Things will reach a critical level of both awareness and accountability. Given what the Federal Trade Commission is doing this year with its “Start with Security” campaign and the growing coverage in mainstream media outlets about the state of security with IoT, I expect to see vendors of IoT devices take on real responsibility for the security of their devices. We in the security industry all know that hacking IoT devices is like dropping back ten years, and I believe that the mass consumer market will drive creative and realistic solutions to the problems of old software, old build processes, and the fractured patch pipeline.
Rebekah Brown (@pdxbek), Threat Intelligence Lead at Rapid7
We will continue to break free from the echo chamber. We are already seeing this with security researchers spending more time talking to law makers and infosec professionals actively reaching out to engage with non-security sector organizations. This trend will (hopefully) continue into 2016 and will help break down the communication barrier that continues to plague us as an industry.
Jen Ellis (@infosecjen), Vice President of Community and Public Affairs at Rapid7
We’ll see the massive focus on cybersecurity in the policy sphere continue, and perhaps even increase, with organizational and system changes made in the Administration to reflect this prioritization. With this continued emphasis on cybersecurity in the Government, I hope we’ll see the level of engagement between policy makers and the security community increase, and I hope we’ll see it drive positive outcomes. However, I am concerned that we’re likely to see some pretty scary legislation being proposed – we’ve already seen a bill that would prohibit independent security research on cars. It’s on us to educate legislators about the potential fallout of these efforts. I hope we’ll see the security community take a more collaborative, thoughtful, and productive approach to engaging policy makers, so we can avoid legislation that hinders security, rather than helping it.
Trey Ford (@treyford), Global Security Strategist at Rapid7
Come see the softer side of security.
My prediction is probably aspirational: I am hopeful we’ll see more transparency in incident and breach communications. The public isn’t afraid of “yet another breach,” they’re afraid the organizations they have a relationship with will violate their trust. In our series on VERIS, we’ve talked about the questions the public wants to see answered: who took what action, against what systems or information, with what impact, when, and what is being done about it?
Security will continue the shift of focusing more on trust than compliance.
Guillaume Ross (@gepeto42), Senior Security Consultant at Rapid7
Privacy and security will become more of a concern for consumers in 2016, and perhaps a slight marketing advantage for hardware and software vendors, though it will not become the main criteria for most people choosing a device such as a smartphone or an operating system.
As we are talking about things that will probably not happen, let’s get those un-predictions out of the way:
The Internet will not get DDoSed by a botnet of fridges and toasters, though a few will certainly take hold.
The Internet will not get DDoSed by a botnet of smartphones, as they will run out of power after an hour.
Information Security jobs will not be filled rapidly, as companies will still be struggling to find staff, preferring managed services in many cases, where appropriate.
No, not everyone will be done patching Heartbleed, and no, the amount of services exposed to the Internet at the end of 2016, including SCADA systems, will not be lower than the amount of services exposed at the end of 2015.
Corey Thomas, President and CEO at Rapid7
We'll see a greater gap between the well-managed and the poorly-managed, our security version of income inequality. The poorly-managed will continue to ignore, pay lip service, and rely mostly on controls. The well-managed will recruit teams directly or through partnerships and build effective programs.