Privileged access hacks will continue
Data breaches as a result of compromised privileged access are widespread. It’s all about privilege—hackers need high level access, which they get through targeting privileged users like IT professionals, CEOs and vendors via phishing or malware to achieve their financial goals or other motivations. These users are targeted by the threat actor because they are likely to have access to other privileged credentials that the hacker can leverage to increase dwell time and compromise their target. We have seen this all too often in 2017 as in the leak of content from Netflix’s Orange is the New Black as a result of a vendor hack. Through the rest of 2017, it’s likely another vendor breach via privileged access accounts will cause harm to a major brand. Businesses need to get serious about security around their most privileged users—identifying them, monitoring their access, and closing off access to what they don’t need.
Vendors, service providers, and other third parties continue to be initial points of compromise for breaches
The recent news that data from nearly 200 million voters was exposed by a Republication National Committee server breach is just the latest example of a breach involving contractors and other third-parties. Organizations in the public and private sectors alike are increasingly working with external vendors who either have access to or store sensitive data. This significantly increases the risk of that information being leaked or a breach occurring due to a contractor being compromised, as was the case with the historic OPM breach. As 2017 progresses, we’ll continue to see organizations victimized in this way because they falsely assume their contractors uphold the same security standards as they do open themselves up to risk in today’s heightened environment. To stay safe, companies must set security policies for all external groups and enforce adhering to them as a prerequisite for doing business.
The most at-risk industry for a cyber attack in 2017 is manufacturing:
The technology to run critical infrastructure systems like power, water, and oil refinement weren’t designed with information security in mind and many of the players engaged in cyber warfare understand this. The good news is that there is a push to rapidly modernize and harden these systems along with adoption of industry standards such as the NIST Cybersecurity Framework and NERC CIP, developed to help reduce risks to critical infrastructure. The bad news is many systems today are vulnerable to being exploited and compromised. While standards and increased awareness in closing security holes is an improvement, most critical infrastructure has significant exposure that leaves it vulnerable to the next attack.
The security blame game will heat up:
The IoT and integrated relationships with security solution providers mean companies may not be able to easily account for ownership or origin once a breach happens. Who is responsible for securing, maintaining and patching the various technologies? Worse yet, has a product been connected that can’t even be patched? A number of IoT devices are often overlooked because they fall outside of IT’s traditional purview. Companies might even be unaware the security responsibility lies with them, leading to a scenario in which a connected device ends up on a vulnerability database and is quickly exploited. In other instances, security updates might be maintained by a vendor or another third party who has access to the company’s system. A company is only as secure as its least secure device or relationship. When a breach occurs, even with layers of security, the question of who “owns” responsibility for it and who had power to do something about it will create intense reactions and finger-pointing.
Healthcare will continue to lose to hackers:
Healthcare is falling further behind and will continue to lose to hackers. Healthcare data breach costs are the highest among surveyed sectors for the seventh straight year, according to the IBM and Ponemon 2017 Cost of a Data Breach Study: Global Overview. As seen with the WannaCry malware attack and its paralying impact on major hospitals in the UK, healthcare will suffer another major security breach this year as the industry is particularly susceptible to ransomware attacks. Losing access to patient records can cripple the ability to provide services to patients, putting the health of consumers at risk. Hackers know this risk and aren’t hesitating to target organizations with inadequate security controls in place.
Security overshadows M&A as companies begin investigating security hygiene in their own industry:
We’ll not only see more enterprises get serious about security around their most privileged users, but those of their acquisitions and takeovers as well. According to a survey by stock market operator NYSE, about 85 percent of executives said uncovering major vulnerabilities during the audit of an acquisition target’s software assets would “likely” or “very likely” affect their final decision to move forward with the deal. Companies and investment funds will begin investigating the security hygiene within their own industry and evaluate not only the deal itself, but the entire security infrastructure of the acquisition. This may cause major deals to fall through in 2017 and beyond, and cause companies across the board to invest more seriously in modernizing their security. Companies are paying attention to the security issues they may be inheriting when striking a contract with another organization, and we will see this heightened awareness continue throughout the year.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.