What I hope to see in 2019 for Information Security
2019 is upon us. We survived that mess of a year we called 2018. I think of it like a test. We managed to pass and are still here. There were a lot of security breaches in 2018 because of some very simple mistakes made by rather large organizations. From backup databases left in the open and fully discoverable by Shodan, to companies leaving default passwords in place on large appliances and then sending them out in the world… we have seen a large number of blunders.
So, for 2019, here is a list of things I hope to see change or improve:
Simply put, companies have zero incentive to be transparent about their actual security practices. Every company publishes an agreement describing how it protects your data and how it uses it, but there are a ton of loopholes. From backup databases and migration projects going wrong, to companies using Base64 encoding as encryption (hint, it ISN’T encryption, anyone can decode it without a key)… the gap between the published policy and the actual practice is wide.
In 2019 I hope to see more companies decide to be transparent about the breaches they have and the security practices that led to those breaches. A company that is not upfront about its failures is a company that does not deserve your business. Unfortunately, many companies are focused on the fiscal impact of the publicity surrounding a breach and don’t realize it is an opportunity to improve security and show the public how seriously they take these incidents.
Consumer Controlled IDP
This one will take more time than just 2019, but I hope to start seeing some serious advancements in consumer control of identity and data. Many companies are in the IDP game (OneLogin, Okta, etc.), but the common thread is that all of them are business controlled. Today a consumer has no choice in how to provide an identity to a site. Sure, things like Facebook and Google logins exist, but most consumers want an identity provider that is segmented from the sites and services consuming those identities.
Google and Facebook have access to every bit of the metrics surrounding the use of your identity, and in exchange they get to market to you based on that data. Use Google to authenticate to a site about being a single mother and, guess what… now Google is going to start marketing goods and services to you as such. You are handing over details to a company that has a vested interest in selling information about you instead of to a company that has a vested interest in making sure your identity is secure and private.
In 2019 I hope to see a framework start up that will allow sites and services to consume user-controlled IDPs. I am working on a proof of concept, but there are much larger fish in the IDP sea who could spin something like that up in a couple of months. The real issue to solve, though, isn’t the development of the IDP itself. The real issue is creating a framework that sites and services can use to consume any IDP chosen by each user as their identity provider. We need a framework that does not hard-wire a site to a specific IDP or set of IDPs (sites saying “choose between Google or Facebook”), but rather lets it consume any IDP that follows a standard set of protocols and practices (“tell us which standards-compatible IDP you use and we will consume it”).
I have some concepts in mind for an IDP that uses blockchain technology to sign authorization and authentication to sites and services: let that data exist purely in contracts on the blockchain, and once the signature is revoked, all access to that data is revoked. It is a difficult concept to implement because of the integration methods involved and the fact that state governments have an interest in making sure they continue to have access to whatever data they want.
Advertisers Put in Check
It’s no surprise to anyone that most of the IT world is dominated by advertisement revenue. The reason for this is simple… people want to consume services for free. The problem is that nothing is free. If a company is offering something without an upfront cost, it means they are getting revenue from another channel, be it selling your data to third-parties or marketing products and services to you based on data they are gathering.
In 2019 I hope to see more companies offering paid services that exempt you from these marketing schemes. The real problem then becomes verifying that your data isn’t actually still being sold. One problem at a time though…
Today, the problem is that many of these services simply do not exist outside of these free, advertisement-driven avenues. Even if you wanted to opt out, you couldn’t. Experian is one of the largest brokers of marketing data in the world, and it is also one of the three main companies that basically decide whether you should be able to buy a house, get a car, or get a credit card. Until people start demanding that their data be handled properly, we have no hope for change.
When it comes to preventing fraud, theft, and intrusions, the biggest thing we need to improve is consumer awareness and education. Many people don’t even know their options when it comes to security; many don’t know, for example, that some banks offer hardware-based multifactor authentication.
The best security is a combination of something you have and something you know. For decades now we have mostly relied on just half of that… a password (something you know). If you add a hardware-based authenticator like the YubiKey, you can drastically improve your security.
DO NOT RELY ON SMS CODES. I have been speaking out against this for years and years. Signaling System 7 (SS7), the telephone signalling network that carries SMS, is very easy to breach, and with modern technology it can be done with about $30 in hardware. An SMS can be intercepted just as easily as an email. If you have the option… ALWAYS use hardware-based MFA.
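The difference between the two factors above, shown as an added illustration that is not code from this post or from any vendor: a hardware token modelled loosely on a YubiKey-style HMAC-SHA1 challenge-response slot answers a fresh random challenge with a key that never leaves the device, whereas an SMS code is the entire secret pushed over a channel anyone on the path can read. Class names, the device secret and the flow are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed device secret, enrolled once on the server (never sent again).
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4")


class HardwareToken:
    """The 'something you have': it answers challenges but never reveals its key."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class ChallengeResponseServer:
    """Holds the enrolled secret; every login attempt gets a fresh single-use challenge."""
    def __init__(self, enrolled_secret: bytes):
        self._secret, self._pending = enrolled_secret, None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)   # unpredictable, one per attempt
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False                           # nothing outstanding to match
        expected = hmac.new(self._secret, self._pending, hashlib.sha1).digest()
        self._pending = None                       # consumed whether or not it matches
        return hmac.compare_digest(expected, response)


class SmsCodeServer:
    """The weak pattern: the code itself is the whole secret, sent in the clear."""
    def __init__(self):
        self._code = None

    def send_code(self) -> str:
        self._code = f"{secrets.randbelow(10**6):06d}"
        return self._code                          # what travels over SS7/SMS

    def verify(self, code: str) -> bool:
        ok = self._code is not None and hmac.compare_digest(self._code, code)
        self._code = None
        return ok


def token_login_succeeds() -> bool:
    srv, tok = ChallengeResponseServer(DEVICE_SECRET), HardwareToken(DEVICE_SECRET)
    return srv.verify(tok.respond(srv.new_challenge()))


def captured_token_response_is_useless() -> bool:
    srv, tok = ChallengeResponseServer(DEVICE_SECRET), HardwareToken(DEVICE_SECRET)
    captured = tok.respond(srv.new_challenge())   # eavesdropper copies one response
    srv.verify(captured)                           # legitimate login consumes the challenge
    srv.new_challenge()                            # the next attempt gets a new challenge
    return srv.verify(captured) is False           # so the old response is rejected


def intercepted_sms_code_works() -> bool:
    srv = SmsCodeServer()
    seen_on_the_wire = srv.send_code()             # anyone reading the channel sees it
    return srv.verify(seen_on_the_wire)            # and it authenticates as the victim
```

The server never learns anything from a token response that would let it impersonate the user elsewhere, and a captured response is worthless once its challenge is consumed; the SMS code has neither property.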
Credit/Debit Card Security
This one hits home as my information was recently stolen. Thankfully I had enough things in place that I didn’t lose any money, but it was certainly not fun to deal with. Remember that there is no security better than using cash. Cash is not always easy to use, especially for things like online purchases, but when you can, use it.
Services are starting to pop up that can help when you do have to use a credit or debit card to make purchases. Privacy.com is an amazing tool that I advise you all to research. It allows you to generate single-use or single-merchant cards that route back to your main account. The idea is that when you make a purchase online, you generate a new card and provide that card’s details for the purchase. Then, if anything happens and that data is stolen, it can’t be used to make any further purchases against your account.
Regardless of what steps you take this year, remember… chances are some of your information will be leaked. There are just too many systems sitting out there with your information on them and too many ways to get it… even if it’s just by purchasing it from Experian. Do what you can, research what you can, and try to be prepared for when things do go wrong.