Following on from the round-up we released yesterday, today we look through the rest of what our regular contributors shared as their standout moments from 2018.
Bob Covello, IT Security Director | @BobCovello
"The most memorable event for me in 2018 was a positive one. There was enormous progress made towards getting multi-factor authentication the recognition it deserves. Then, it was dashed to pieces by the recent Azure 2FA failures. Too many folks recommended the use of a 'safety account' that is not protected by 2FA. I certainly understand that businesses lost money during those Azure failures, but how can we argue against government backdoors to encryption yet think to allow a back door to our accounts. I will probably spend 2019 trying to reconcile this and trying to convince people of the benefits of two-factor authentication. I hope that the 2FA engineers can make this failure a distant memory."
Chris Hudson, Professional Services Consultant | @askjarv
"Unless you are of a particularly geeky persuasion, most firmware update releases will likely pass you by. Spectre showed the world that hardware related exploits were real, and it had the potential to affect all of us. It also highlighted the challenge of patching hardware and its impact. (I’ll leave it to analysts to cost up the real world price of slower execution caused by hotfixes.) Finally, by revealing to us the possibility of CPU exploits, researchers are now finding new risks. If your security solution didn’t take regular patching into consideration, here’s yet another reason why you should make sure your devices consistently stay up-to-date."
Kim Crawley, Cybersecurity Writer | @kim_crawley
"Of all of the cyber attacks I have followed in 2018, SamSam ransomware is the most memorable for me. Yes, SamSam first emerged in 2016. But in 2018, SamSam has been more destructive than ever. The City of Atlanta and many hospitals around the world were some of its victims. No decryption tool has been developed for SamSam-encrypted files as of yet; the ransomware is notoriously evasive. To top things off, SamSam has now been found for sale on the Dark Web for about $750. That's a bargain when cyber attackers can use one SamSam deployment to extort $50,000 from an institution."
(2/2) What was the biggest event in the infosec community in 2018?
Please vote and retweet. #security #infosec (Please reply with other suggestions) — Tripwire (@TripwireInc) December 14, 2018
Jim Nitterauer, Senior Security Specialist | @JNitterauer
"The most memorable industry event in my mind was the disclosure of multiple security issues involving Facebook. From the selling of data to Cambridge Analytica, the spread of misinformation via known fraudulent accounts and the recent hack that occurred in October 2018, Facebook has been the poster child for irresponsible handling of personal data and uncontrolled manipulation of user behavior. This should alert us all as to the need for control and for securing our information regardless of the seemingly innocent façade the darling business of the day presents. Uncontrolled and unsecured power and influence should make us all very nervous."
Angus Macrae, Head of Cyber Security | @AMACSIA
"From the opening weeks of 2018, when the Spectre and Meltdown vulnerabilities were first officially confirmed, the year certainly hasn’t let up in terms of security-related events, and it would be impossible to define in a single example. It will, however, go down for me as the year that the old adage of ‘when, not if, you are breached’ became a proven fact of almost mundane regularity. From Facebook to Aadhaar to British Airways right up to this month's Marriott and Quora revelations. The reporting of mass-scale breaches has become the new normal. So relentless has it been this year that we are becoming almost disturbingly desensitised to hearing about them. And how many people really stopped using any of these services as a result? Whilst the ICO may have retrospectively slapped some with its biggest fines yet (under the prior 1998 Data Protection Act), in reality the monetary penalties were little more than loose change to some of the offending organisations, and the GDPR bogeyman of ‘4% of annual global turnover or €20 million – whichever is greater’ has failed to yet materialise. In terms of the UK security industry itself, Jane Frankland’s calling out of the red ballgown stand at Infosec Europe 2018 and the heated but worthwhile discussions it prompted were certainly notable. One that will no doubt make others think twice about pulling any similar stunts at a conference attended by thousands of female professionals."
Tyler Reguly, Manager, Software Development | @treguly
"Being Canadian in a world where security news tends to be US-centric, I was excited to see our mandatory Data Breach Notification law take effect. It isn’t perfect, as it only makes notification necessary when there’s a real risk of significant harm, which includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. I would have preferred mandatory notification of any break, regardless of the risks involved. There’s still a lot that Canada has to do regarding cybersecurity, but, for now, this is a start."
Anthony Israel-Davis, Sr. Manager, R&D | @anthony_id
"GDPR was officially implemented in May, and every enterprise with a hint of European business was impacted. It’s not over yet, either. With California considering a similar privacy regulation, the obligation of protecting personally identifiable information will only grow. Companies need to be on top of what information they are storing, how and where they are storing it and by what means they're managing that data appropriately. Data retention and destruction policies will be critical for compliance, and the ‘right to be forgotten’ is as important as protecting the data in hand."
Glenda Snodgrass, President and Lead Consultant at The Net Effect | @Glenda_TNE
"While doing research on cybersquatting for expert witness testimony, I was stymied at one point by ICANN's block on publicizing WHOIS information due to the GDPR. ICANN's failure to receive an exemption and/or to come up with an alternative plan has made it difficult for legitimate users of WHOIS (e.g., law enforcement and security researchers). The need for individual privacy is real, but as cybercrime becomes more of a problem, the good guys need every tool available to identify and block malicious activity online. The long-term ramifications of this situation are not yet known, while a solution of any kind is still very much up in the air. Perhaps not the most interesting industry event this year, but definitely one of the most important."
