Ah, the end of the year. The time when everyone posts their ‘Top 10’ lists

Every year the last week of December is filled with ‘Top 10’ lists or ‘Year in Review’ lists.  The information security community is no different.  Whether it is threatpost’s 2016 Year in Review, DarkReading’s 21 Biggest Cybercriminal Busts of 2016, or even the University of San Diego’s Top Cyber Security Blogs and Websites of 2016 (sadly not including JurisHacker.com), everyone seems to look back at the year to see what has happened or changed.

Unfortunately, not enough has changed. If we look back at esecurityplanet.com’s Top Five Security Threats for 2006 (no, that’s not a typo: the list is from 10 years ago) we see:

Targeted Phishing Scams
Self-Contained Electronic Devices
Voice over IP
and Microsoft vulnerabilities.

With the exception of Microsoft vulnerabilities (36 critical vulns over the past year), we are still fighting many of the same battles.  Now we call it spear-phishing, BYOD, and IoT.  We still face insecure vendor defaults (now in IoT devices), vendor backdoors, and increasingly clever spear-phishing attacks.  At least two of these issues can be fixed by the vendor community.

I hope that in 2017 the vendor community will finally understand that poor default security hurts the consumer and that backdoors are only useful to attackers.  My fear is that I’ll still be talking about these in 2026, though.

Personally, I think I’ll drown my sorrows watching the worst movies of 2016.