SecureTheBreach

THE HACKERS ARE COMING
Join us for a lightning debate on enterprise security: December 7, 14:30 GMT
Gemalto
2017 looks like it could be the year of the big one. But there are steps you can take to mitigate the threat. We hope you’ve enjoyed the conversation. We'll be posting blogs and videos, and don't forget to read the comic http://www6.gemalto....
Cyber Investigators Chronicles
Unmask hackers and protect your data! Every day, 3.7 million records are stolen. So it’s not a matter of if your organization will be hacked, but when.
SPCoulson
My prediction for 2007 will be
more of the same ...

* Big companies still breached.
* Ransomware will still take out hospitals.
* Celeb will get attacked using a DDoS and we'll wonder why
* IoT will still be a pain!
* Cars will still be vulnerable
Peter W. Singer
All agree. Cars are going to be an interesting one to follow, especially as we see more driverless car prototypes and use
Peter W. Singer
but what are your predictions for what will be different?
SPCoulson
Agreed. I read once, All code is vulnerable. Enough time has to pass for us to work out why. Cars, planes, boats and toasters.
Jason Hart
What’s different now from last year’s prediction? Why will these attacks get worse? The first generation of cyber attacks were about cutting access to data, and then we moved on to data theft.
Jason Hart
@Hart_Jason Now, we’re starting to see evidence of that stolen data being altered before transition from one machine to another, affecting all elements of operations.
Lewis Morgan
Calling IoT a pain is an understatement :)
SPCoulson
I think the only difference will be more criminals having a go... The tools are readily available for curious people to attempt a large scale attack. We saw that with LOIC and now with Mirai.
Neira Jones
I think we might see the 1st physical injury due to #cybercrime #IoT
Peter W. Singer
I was at a session where someone talked about the need to pentest a new shower. People were like "why?" The answer was that it could be altered from afar to shoot out scalding water
SPCoulson
and this is why we can't have nice things.
Lewis Morgan
@neirajones Agreed. "How did you break your leg?" "The internet did it" - imagine saying that 10 years ago.
Neira Jones
exactly my point. And we have all seen the attacks on hospitals.
Jason Hart
@LewisMorgan_ The proliferation of the Internet of Things means hackers have a seemingly infinite number of different attack surfaces and personas that they can manipulate.
Gemalto
@neirajones so a car crash? or out of control smart device?
SPCoulson
@neirajones it would be interesting to see attacks on medical records so that someone has an unneeded operation and the hospital is liable as they were not secure enough
Jason Hart
@Hart_Jason Your Fitbit as an example, look at the number of people who touch it—the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, etc.
Neira Jones
Any of these...
Jason Hart
@Hart_Jason This creates a cross-pollination of risk that the security industry has not seen before, and that’s just one person’s “thing.”
SPCoulson
@Gemalto kettle blows up as the turn-off signal was disrupted.
Neira Jones
@Hart_Jason Ah yes. Excellent point, which brings me to Supply Chain Due Diligence...
SPCoulson
@neirajones that's the one Neira ... global supply chain. Where your data exists in multiple countries under multiple laws.
Peter W. Singer
@neirajones But how can we get better at this? So hard to control, and we also have risk not just in software but on the hardware side, the chips themselves, the attack baked in (scenario in my Ghost Fleet book)
SPCoulson
Is the answer that all data being passed over the internet has to be encrypted and only those with valid decryption key can see it?
Gemalto
We wrote a comic for people not intimately versed in security to understand the threats that are out there. Is there more we can do to raise awareness @peterwsinger?
Peter W. Singer
One fun project I am helping to launch this week is trying to enlist Hollywood into the effort
Peter W. Singer
I am writing you from LA, where @NewAmerica and UCLA are bringing our top cybersecurity experts to meet with writers and producers. We'll have folks from CyberCommand and various firms, ethical hackers etc and ~60 entertainment industry people
Peter W. Singer
The idea is to try to recreate in cybersecurity what happened with public health projects, where medical experts worked to help not only aid in stories but inject key public health messages (like cancer screening). Can we do same in Cybersecurity?
Gemalto
So do you think that Hollywood's approach so far to hacking has been too dramatic and not based in reality? Can you recall one of the worst offenders?
Peter W. Singer
Given how so many attacks take advantage of lack of user awareness, the hope is that even small levels of greater realism and awareness could have a big impact
Peter W. Singer
Plus, wouldn't it be great if movie/TV shows on this topic were just a bit better? They don't have the best track record :)
SPCoulson
CSI Cyber, Mr Robot, Hackers 2 and 3 ... Oh wait ... you are right. They don't have a great track record.
Peter W. Singer
That is one of the issues, this cross between it being super complex, only the wizard can pull it off, and thus there is nothing that you can do to protect yourself, but also it portrays it as simple, just bang on a keyboard for under 30 seconds to do
Peter W. Singer
A related issue is the characters themselves, every one of them sullen loners, usually in a hoodie. They also are predominantly male or if a girl, a goth
SPCoulson
The reason why is Pen Tests are boring to watch !
Peter W. Singer
Now we all know folks like that, but it is not the entire field. More importantly, how does it shape both public perceptions of it, and whether young people want to go into it? This is key given the workforce talent gap for the industry as a whole
Peter W. Singer
As one young person put it to me, "I don't see myself in those shows."
Gemalto
And a skateboard is an obligatory prop! Swordfish seemed entirely implausible too. Would you say that reusing passwords and phishing seem to be the topics most in need of being addressed?
SPCoulson
I see nothing wrong here ... http://uproxx.com/we...
Peter W. Singer
A Swordfish reference! yes, those would be good. But also imagine a world where more people/firms had multi-factor or encryption. Indeed, Donald Trump would not be president in that world.
Peter W. Singer
For those tracking the DNC/Podesta email breaches, the news today was that Trump again denied Russia had any role in it “I don’t believe it. I don’t believe they interfered.”
Peter W. Singer
Sorry to get "political" but it is a good illustration of both need for greater cybersecurity awareness and looming problems of attribution, when a leader disagrees with what his briefers are saying
Gemalto
So is this the new playground of spycraft then?
Jason Hart
Are CEOs ignorant of cyber security?
Neira Jones
Well, they are certainly more aware now...
Gemalto Asia
Perhaps the lack of mandatory laws to reveal breaches in several countries helps them to remain ignorant.
Neira Jones
compliance is certainly a driver.
Neira Jones
but bad public exposure in same sector is another driver.
Lewis Morgan
@neirajones 100% agree. I'd hate to imagine the start of global security if there were no compliance requirements...
Gemalto Asia
@neirajones isn't there any universal body fighting to make it mandatory everywhere?
Lewis Morgan
*state, not start :)
Peter W. Singer
I would say not ignorant of the growing risk, but ignorant of how to weigh it/what to do about it. Depends on sector though: some, like banking, tend to have a better handle; others, like retail/health, are well behind
Lewis Morgan
The EU GDPR is certainly going to help
Neira Jones
No Universal Body, but plenty of bodies... They have to cooperate.
Peter W. Singer
To say "ignorant" is not an indictment or mean spirited. It is just that this wasn't in their background or training. The problem is that it will stay this way for a long time. MBA programs still don't teach executives the base level things they need
Jason Hart
Breaches will continue to happen; to expect otherwise would be unrealistic. But as their scale and complexity grows, focusing on them first would take up all of an organisation’s IT security bandwidth.
Jason Hart
A better starting point is to know what you are trying to protect.
Neira Jones
Hence the importance of the "Modern CISO"...
Peter W. Singer
An executive (not just the CISO) has to have some general understanding of this topic area, as they will be making decisions related to it. The cost of the worst breaches is often determined not by the IT dept but by how the CEO, public affairs and legal dept (mis)handled it
SPCoulson
Should they be a non-executive and therefore have no direct relationship to profit etc.? Their advice would be impartial?
Neira Jones
Yes, but the "Modern CISO", commercially & business aware should be able to express risk.
Neira Jones
@SPCoulson What an excellent idea! I'm game ;)
SPCoulson
@neirajones thought you might be? The Virtual Modern CISO?