It’s the last normal weekday of 2022 (at least in the UK and US) and in the surprisingly relaxing holiday gap between Christmas and New Year…
…so you probably expected us to come up with either a Review of the coolest stories of the year listicle, or a What you need to know about next year (based on this year’s coolest stories) piece that is really just a thinly disguised listicle.
After all, even technical writers like to go into vacation mode at this time of year (or so they say), putting old wine into new wineskins, mixing up a few tropes, and gilding a couple of lilies.
So we decided to do something completely different, but not quite.
Those who can’t remember history…
Sure, we’re looking forward to looking back, but as the headline suggests, we’re going even further back than New Year’s Day 2022.
In fact, the reference to 33 1/3 is neither strictly accurate nor a particular tribute to the late Lieutenant Colonel Frank Drebin.
Let us explain.
The historical reference here dates back to November 2, 1988. As anyone who has studied the early history of computer viruses and other malware knows, that was the day of the notorious Internet Worm.
This infamous computer virus was created by Robert Morris, then a student at Cornell University. His father, who happens to be called Robert Morris, was a cryptographer for the US National Security Agency (NSA).
I can only imagine the water cooler gossip at the NSA the day after the worm.
For those of you wondering what the legal system of the day thought about malware, and whether unleashing a computer virus was considered beneficial, ethical, helpful, sensible or legal: Morris Jr. was put on probation for three years, served 400 hours of community service, and paid a fine of just over $10,000. He was apparently the first person convicted under the Computer Fraud and Abuse Act in the United States.
So the Morris Worm is within a year of being 33 1/3 years old…
…which, at 34.1836 years on average, is close enough to 33 1/3, and we much prefer 33 1/3 because, as the rotational speed chosen for long-playing gramophone records nearly a century ago, it has a certain marketing appeal. So that’s the number we chose to sneak into the headline.
Not 33, not 34, not the neatly factorisable and computer-friendly 32, but 33 1/3 = 100/3.
This is a very simple and exact rational fraction, but troublingly, it has no exact representation in either decimal or binary. (1/3 = 0.333…₁₀ = 0.010101…₂)
Predicting the future
But we’re not here to teach you about the frustrations of floating-point arithmetic, or about the fact that perfectly human-friendly numbers exist that a computer’s CPU can’t represent exactly.
We said we’d make cybersecurity predictions, so here goes.
We predict that in 2023 we will continue to suffer from the same sort of cybersecurity problems that were shouted from the rooftops, on a massive scale, 100010.010101…₂ years ago by the dreaded, fast-spreading Morris Worm.
The Morris worm had three primary self-replication mechanisms that relied on three common coding and system administration failures.
It may not surprise you that they can be summarized as follows:
- Memory mismanagement. Morris exploited a buffer overflow vulnerability in a system network service that was popular at the time, giving him RCE (remote code execution).
- Poor password choices. Morris used what is known as a dictionary attack to guess likely login passwords. He didn’t need to guess everyone’s password, just someone’s.
- Unpatched systems. Morris probed for insecurely configured email servers that had never been updated to close the dangerous remote code execution hole he exploited.
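The first failure in that list, an unchecked copy of network input into a fixed-size buffer, is shown here as an added example (not code from the original article or from the worm itself); the request format and function names are assumed for illustration, and the vulnerable version is kept only for contrast beside the hardened one:

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF 64   /* request buffer; deliberately small so the limit is easy to see */

/* Vulnerable pattern (the bug class the Morris Worm exploited): a request
 * arriving from the network is copied into a fixed-size stack buffer with
 * no length check. A request longer than REQ_BUF - 1 bytes overwrites
 * whatever lies beyond buf on the stack, which is undefined behaviour and
 * the raw material of remote code execution. Only ever call this with
 * trusted short input; it exists here purely for comparison. */
int parse_request_unsafe(const char *wire, char *user, size_t user_sz)
{
    char buf[REQ_BUF];
    strcpy(buf, wire);                   /* no bounds check at all */
    buf[strcspn(buf, "\r\n")] = '\0';    /* strip the line terminator */
    snprintf(user, user_sz, "%s", buf);
    return 0;
}

/* Hardened version: the untrusted input is measured BEFORE it is copied,
 * and anything that does not fit is rejected outright rather than silently
 * truncated (truncation can itself turn one username into another). */
int parse_request_safe(const char *wire, char *user, size_t user_sz)
{
    char buf[REQ_BUF];
    const char *end = memchr(wire, '\0', REQ_BUF);  /* never reads past REQ_BUF */
    if (end == NULL)
        return -1;                       /* too long for buf: refuse the request */
    memcpy(buf, wire, (size_t)(end - wire) + 1);    /* +1 copies the NUL too */
    buf[strcspn(buf, "\r\n")] = '\0';
    if (buf[0] == '\0' || strlen(buf) >= user_sz)
        return -1;                       /* empty name, or won't fit the caller's buffer */
    strcpy(user, buf);                   /* safe: both lengths checked above */
    return 0;
}

int main(void)
{
    char user[32];
    char oversized[REQ_BUF * 4];         /* constructed hostile input: 255 'A's */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short request: %d (user=%s)\n", parse_request_safe("alice\r\n", user, sizeof user), user);
    printf("oversized request: %d (rejected)\n", parse_request_safe(oversized, user, sizeof user));
    return 0;
}
```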
Sound familiar?
What we can deduce from this is that we don’t need a lot of new cybersecurity predictions for 2023 to really get a good idea of where to start.
In other words, don’t lose sight of the basics in a scramble to sort out only certain shiny new security issues.
Sadly, as important as those shiny new issues are, we are still haunted by the cybersecurity sins of the past, and will probably keep being haunted for at least another 16 2/3 years, if not longer.
What to do?
The good news is that many of these old-school problems are getting better and better.
For example, we’re learning to use safer programming practices and safer programming languages, and to run code inside better behaviour-blocking sandboxes, which makes buffer overflows harder to exploit.
We’re also learning about password managers (which have presented interesting problems of their own) and alternative identity verification technologies.
And not only are we getting patches faster from our vendors (at least from the responsible ones; the old joke that the S in IoT stands for Security still holds up well enough), but we’re also showing a greater willingness to apply patches and updates more quickly.
We’re also embracing TLAs such as XDR and MDR (extended and managed detection and response respectively), meaning that we accept that dealing with cyberattacks involves more than just finding malware and removing it when necessary.
These days, we tend to invest far more time than we did a few years ago, not only in looking for known bad things that need fixing, but also in making sure that the good things that should be there are actually there, and are still doing something useful.
We also spend more time proactively hunting for potentially bad things, rather than waiting for the usual alerts to pop up automatically in our cybersecurity dashboard.
For a great overview of both cybercrime prevention and incident response, why not listen to our latest holiday-season podcasts?
You can skip to any point by clicking and dragging the soundwave below. You can also listen directly on Soundcloud.
Thank you for supporting the Naked Security community in 2022. We wish you a malware-free 2023.