At the end of every year, people like to get all retrospective about the previous 12 months. They want to summarise what the biggest incidents were, talk about the most impactful things then wrap it all up in BuzzFeed-worthy headline of the Top X things. I’ve had reports asking for my top things in the usual fashion and there were all sorts of biggies in the security space this year; the massive rise in ransomware, the Mirai botnet, the DNC leaks and of course, the massive data breaches we’ve seen. But I reckon there’s something more sinister than all these things – something we need to be even more concerned about – and that’s the realisation that there’s an awful lot we just don’t know.
Here’s what I mean: during the year, we saw a stream of what’s being referred to as “mega breaches”, that is data breaches impacting tens or even hundreds of millions of accounts. There was LinkedIn with 164M accounts in May then Tumblr with 65M shortly after, MySpace with 359M in July, Dropbox had 69M in August and Last.fm was 37M in September. Those numbers alone are significant, but what really stands out with each of them is that we went years before realising what had happened.
We’ve seen the same thing courtesy of Yahoo back in September when they reported that half a billion accounts had been compromised a couple of years earlier. Then, just last week, they came out with an admission that a nice round billion of them had also been hit in a separate incident, again, years earlier. They allege they had no idea an incident of this severity had occurred as did Dropbox and all the others. Some of them knew that something had happened back then (both Dropbox and LinkedIn made statements at the time), but they certainly didn’t know how bad it was. Not knowing stuff like this is very worrying.
This brings us to present day and when you look back on the year we’ve had, it’s hard not to conclude that there was an awful lot going on that we didn’t know about. But play that forward too – how much more are we going to discover over the next year? Or not discover at all? And this is one of the big problems with the state of security in that very often, we simply don’t know. Oh sure, you can say “well there’s no evidence of an intrusion”, however, absence of evidence is not evidence of absence.
Frankly, this makes the annual retrospective a little depressing. We went years with billions of records being sucked out from right under our noses and we didn’t even know it. We still don’t know them all; it’d be naive to sit back and go “well, I’m glad that’s over” because it’s not. We’ve now moved from that blissful stage of unconscious incompetence (we didn’t know we had a big problem) to conscious incompetence (we know we have a big problem). And now that we’re here, we know we’ve got more big problems ahead, we just don’t know what they’ll be yet.