It’s that time of year again. The festive season is upon us and with it, online shopping will no doubt take another bite out of traditional bricks-and-mortar sales. With a colourful new president taking office shortly, 2017 promises to be an interesting year. But before we get to predictions, let’s take a look at the year that was.
2016: The year in review
After a series of high-profile breaches in 2015 that involved criminal and state-sponsored attacks against the personal data of hundreds of millions of people, our prediction last year was that 2016 would bring the increased adoption of multi-factor authentication. While it’s too early for hard numbers, there is anecdotal evidence of a spike in demand. But as you’ll see evidenced in the top security events for 2016 below, not everyone got the memo.
- Hacking the Election
Never before in US history has cybersecurity played such a significant role in global politics. Throughout the election process, the public was bombarded with insider communications made available through a hacked DNC network and the hacked emails of Clinton campaign chair John Podesta.
True or not, the information siphoned from the DNC fuelled the ideas that Hillary was given preferential treatment by party officials and that Bernie Sanders was deliberately sidelined. The DNC and their candidate both suffered as a result.
Podesta evidently fell victim to a phishing scheme that compromised his accounts and exposed insider communications that painted Clinton as pro-establishment and elitist — in a year when the US public wanted an outsider. No matter how you spin it, under-utilised security technologies like two-factor authentication, together with a lack of best practices, helped deny her the presidency.
- Yahoo and Verizon stumble en route to the altar
In September, Yahoo announced that data associated with 500 million user accounts had been stolen in one of the largest cybersecurity breaches ever. The scale of the attack only became evident when a hacker who had previously sold stolen account information from other companies began selling millions of Yahoo users’ data online.
The company estimated that the late 2014 breach may have included names, email addresses, birthdays, phone numbers, passwords and security questions and answers, among other data.
After the breach, Verizon, who had agreed to buy the internet company, threatened to rescind its $4.8 billion offer. Yahoo warned investors that Verizon “may seek to terminate the stock purchase agreement or renegotiate the sale” due to the incident. Yahoo has reportedly been targeted with 23 consumer class action lawsuits related to the breach.
- Ransomware is the new black
According to a recent study, ransomware is quickly becoming the preferred method for cyber extortion. While it has been around for several years, 2016 saw a large uptick in popularity. The process uses malicious software to encrypt the data on any system it gains access to. Companies are then unable to access that data until a payment is made for the encryption keys.
Some ransom requirements can be huge. Upwards of 20% of UK companies report being charged more than $10,000 to unlock files. But the majority of cyber thieves seem to understand that smaller amounts are faster and easier for companies to acquiesce to. The study showed that approximately half the companies targeted do pay the ransom.
2017: The year to come
After a somewhat tumultuous 2016, where security breaches played a key role in jeopardising multi-billion dollar acquisition deals, upending US presidential elections and facilitating corporate extortion, it’s a good idea to prepare for just about anything. Here are a few predictions:
- More hawkish regulation enforcement by government entities
The US government is no stranger to cybersecurity – it’s been a primary focus for decades. But recent events like the US election have highlighted how a lack of appropriate security measures can impact the entire globe in ways we hadn’t considered.
Regulations that address the vast majority of cybersecurity threats already exist. It’s the adoption of key technologies that help to adhere to these regulations that’s lacking. And that isn’t to say that companies aren’t trying. Many organisations already have teams devoted to meeting the government and industry regulations they fall under — from PCI to HIPAA.
Still, in 2017, we’ll see a renewed effort by government regulators to accelerate the implementation of security technologies. Ignoring the regulations or inching toward adherence will no longer be acceptable. Extensive progress will be expected – and required.
- More ransomware
After a hugely successful 2016, we’ll see additional increases in ransomware. And as a result, companies may start to actually budget money to buy back their own data after a ransomware event. As long as the majority of ransoms remain relatively low, companies will continue to pay them, and they may do so without involving law enforcement to avoid disruption of their businesses and blemishes to their brands.
- Technologies to look out for:
Multi-factor authentication
I believe we’ll see widespread adoption of two-factor authentication across all industries. This is a fundamental technology that effectively addresses a problem that has grown too big to ignore.
Granular management of privileges
Obviously, Plan A is keeping hackers outside your network. But that isn’t always possible, so organisations must have a Plan B in place when perimeter technologies are breached. Most security experts today look at privilege management as an essential second layer of protection.
Simply put, privileged identity management (PIM) prevents hackers who gain access to your network from then accessing anything and everything inside it. The key is in assigning specific individuals access to specific information. Say, for example, a hacker breaks into the DNC network. Rather than gaining access to everything, they are denied access to any sensitive information because they don’t have the necessary privileges.
Least privileged access
A component of PIM is least privileged access. This means that each person granted access to the network starts with the minimal level that will allow for normal functioning — the lowest level of rights that a user can have and still do their job.
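The PIM and least-privilege idea described above, as an added example (this is not code from the article or from Centrify): a default-deny role policy that replays an access log, finds the grants nobody actually exercised, and revokes them, so that a compromised account sitting in an over-provisioned role can no longer reach sensitive records while its real job still works. Role names, users, resources and the access log are all constructed sample data.

```python
"""Least-privilege right-sizing for a role-based access policy.

Added example, not code from the article or from Centrify. All roles,
users, resources and the access log below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource), e.g. ("read", "hr-records")


class AccessPolicy:
    """Default-deny role-based policy with usage tracking.

    A request is allowed only when some role held by the principal grants
    exactly that (action, resource) pair; anything else is denied.
    """

    def __init__(self) -> None:
        self.roles: Dict[str, Set[Permission]] = {}
        self.assignments: Dict[str, Set[str]] = defaultdict(set)
        self.exercised: Dict[str, Set[Permission]] = defaultdict(set)

    def define_role(self, role: str, grants: Iterable[Permission]) -> None:
        self.roles[role] = set(grants)

    def assign(self, principal: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments[principal].add(role)

    def granting_roles(self, principal: str, perm: Permission) -> List[str]:
        """Roles held by the principal that grant this exact permission."""
        return [r for r in self.assignments.get(principal, ()) if perm in self.roles[r]]

    def is_allowed(self, principal: str, action: str, resource: str) -> bool:
        return bool(self.granting_roles(principal, (action, resource)))

    def replay(self, log: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
        """Replay observed accesses, remembering which grants were exercised.
        Returns each event with its allow/deny decision."""
        decisions = []
        for principal, action, resource in log:
            perm = (action, resource)
            roles = self.granting_roles(principal, perm)
            for r in roles:
                self.exercised[r].add(perm)
            decisions.append((principal, action, resource, bool(roles)))
        return decisions

    def unused_grants(self, role: str) -> Set[Permission]:
        """Grants the role carries that no holder exercised during the replay:
        candidates for revocation under least privilege."""
        return self.roles[role] - self.exercised[role]

    def revoke(self, role: str, perms: Iterable[Permission]) -> None:
        self.roles[role] -= set(perms)


def build_policy() -> AccessPolicy:
    """Constructed starting point: the 'comms' role was provisioned generously."""
    p = AccessPolicy()
    p.define_role("comms", {("read", "web-cms"), ("write", "web-cms"),
                            ("read", "hr-records"), ("read", "finance-ledger")})
    p.define_role("finance", {("read", "finance-ledger"), ("write", "finance-ledger")})
    p.assign("alice", "comms")
    p.assign("bob", "finance")
    return p


# Constructed access log: what the account holders actually did.
SAMPLE_LOG = [
    ("alice", "read", "web-cms"),
    ("alice", "write", "web-cms"),
    ("bob", "read", "finance-ledger"),
    ("bob", "write", "finance-ledger"),
    ("alice", "read", "web-cms"),
]


def right_size(policy: AccessPolicy, log) -> Dict[str, Set[Permission]]:
    """Replay the log, then strip every grant nobody used. Returns what was removed."""
    policy.replay(log)
    removed = {}
    for role in list(policy.roles):
        unused = policy.unused_grants(role)
        if unused:
            policy.revoke(role, unused)
            removed[role] = unused
    return removed


def demo() -> Dict[str, object]:
    policy = build_policy()
    # Before right-sizing a compromised 'alice' account can read HR records,
    # not because her job needs it but because the role was over-provisioned.
    before = policy.is_allowed("alice", "read", "hr-records")
    removed = right_size(policy, SAMPLE_LOG)
    after = policy.is_allowed("alice", "read", "hr-records")
    still_works = policy.is_allowed("alice", "write", "web-cms")
    return {"before": before, "removed": removed, "after": after, "still_works": still_works}


if __name__ == "__main__":
    print(demo())
```

In practice the replay window has to be long enough to cover infrequent but legitimate tasks (quarter-end reporting, for instance), and revocations should go through a review step rather than being applied blindly; the point of the example is that least privilege is something you can measure against observed behaviour, not only declare.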
Bitcoin
A final prediction is around bitcoin. Despite a hack in early August that resulted in the loss of 120,000 bitcoins worth $65 million, the cryptocurrency quickly rebounded and has continued to grow in popularity. Expect some additional security measures to be implemented in the exchanges. On a related note, look for the rapid commercialisation of blockchain technology beyond the currency realm and into manufacturing, finance, shipping and entertainment.
Rapid7 Predictions
Corey Thomas, President and CEO
In terms of industry trends, I believe we will continue to see market consolidation of security vendors. With a focus on increasing productivity, organisations will move further from disparate, point-solutions that solve just one problem to solutions that can be leveraged throughout the IT environment. This will drive security and IT vendors to integrate, consolidate, and better collaborate. It will become increasingly clear that IT and security professionals want to manage fewer solutions that are easy to use.
I also expect to see the skills gap start to right itself. Security has reached a state of accessibility, by necessity. In most cases, you don’t need an advanced degree to enter the security field and you can often gain skills through certifications. You’ll also see employees who have traditionally been in IT shift to security through the redefining of their roles. It’s similar to what we saw in the devops space years ago.
In terms of threats, we’ll see attackers continue to focus on the seams — where organisations connect to exchange data; the SWIFT breach was an example of this. We’ll also see the commoditisation and standardisation of attacks. You’ll still have some highly specialised, sophisticated attacks, but we expect to see fewer types of attacks, the majority instead fitting into a few common buckets, at much higher volumes than we see today. It’s worth noting that basic security shortcomings (e.g. failing to patch) are keeping these attacks relevant.
Craig Smith, Transportation Research Lead – Comments on Threats to Transportation
We will see malware used to shut down a major transportation sector. I anticipate that the malware will be intentionally targeted to halt a transportation sector either for the purpose of ransomware, or political gain. There will be a large uptick in hardware-related security attacks. As security research increasingly bleeds into hardware, we will see creative ways to patch vulnerabilities when no update mechanism is readily available.
We will see the concept of an internal trusted network deteriorate. Internal networks will be treated the same as any external non-trusted network. With the increase of IoT devices, phishing attacks, and social engineering, even the concept of a corporate trusted laptop will need to be re-evaluated.
Trevor Parsons, Senior Director Log Analytics and Search
We’ll see more organisations look for synergies between their technology departments, namely IT and security – thinking more about how they’re leveraging data, what tools are giving them the best visibility, etc., rather than accepting and managing several disparate solutions that aren’t necessarily helping to increase productivity.
As IT environments become more complex, monitoring tools will need to become more flexible and comprehensive in terms of data collection and correlation. We are seeing more technologies combining data sources (e.g. logs, metrics, endpoint data) to give a richer view into their environments.
More organisations will continue to move towards a BYOD model. Rather than relying on the traditional “golden image” approach, IT professionals should invest in tools that focus on providing immediate visibility across endpoints like employee laptops.
We’re going to see a continued trend with IT professionals starting to swap out traditional, heavier VMs for lightweight Docker Containers. IT professionals should familiarise themselves with the benefits of Docker and become familiar with monitoring tools that can centralise data across both traditional and containerised infrastructures.
Tod Beardsley, Senior Security Research Manager – Comments on IoT Vulnerability Management
We will see many, many more hobby hackers publishing vulnerabilities in IoT. Cost of entry is low, there are tons of new devices with old bugs and the DMCA now exempts consumer device research, which means boatloads of public vulnerability disclosures. Which is good — and also chaotic. You could say that how IoT manufacturers respond to these disclosures will be make or break for the industry. On the one hand, you might expect more mature companies to respond quickly and positively – patching and updating devices – but it’s also plausible that smaller, younger companies will be more nimble, and therefore able to respond faster.
Deral Heiland, IoT Research Lead – Comments on What we’ll see from IoT
If 2016 was the year IoT exploded, 2017 will be the year that IoT comes to life. I believe 2017 will be the first year IoT is used to inflict physical harm on a human. I also believe that audio information — voice data — gathered from home automation systems, such as the Amazon Echo, will be used for the first time to solve a crime. I also expect to see MFP device security issues directly tied to a major corporate breach.
Mike Scutt, Analytic Response Manager – Comments on The Breach Landscape
From a breach standpoint, we’re expecting a significant uptick in “living off the land” style compromises and malware, a lot more script-based malware (powershell, js, vbs, etc.), and an increase in the use of native operating system tools to execute malware, persist, and perform recon.
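The "living off the land" pattern described above, from the detection side, as an added example (not Rapid7's detection logic or any product ruleset): a small triage function that scores process-creation events for script hosts launched by document handlers or with obscuring command-line switches. The event fields are a Sysmon-style subset chosen for illustration, the parent/child and switch heuristics are assumptions of the example, and every sample event is constructed.

```python
"""Triage process-creation events for "living off the land" script execution.

Added example, not Rapid7's detection logic or any product ruleset. The
event fields are a small subset of Sysmon-style process-create data and
every sample event below is constructed.
"""
import re
from typing import Dict, List, Tuple

# The script hosts named in the prediction: PowerShell, and the Windows
# Script Host binaries that run .js/.vbs files.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
# Assumed heuristic: document handlers rarely have a legitimate reason to
# launch a script host, so that parent/child pairing weighs heavily.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Assumed heuristic: switches that hide the window or obscure what runs.
SUSPICIOUS_SWITCHES = [
    (re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b"), "hidden window"),
]
SCRIPT_FILE = re.compile(r"(?i)\.(js|jse|vbs|vbe)\b")
ALERT_THRESHOLD = 3


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons); 0 means the event is not a script host at all."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 1, [f"script host {image}"]
    if parent in DOCUMENT_PARENTS:
        score += 3
        reasons.append(f"spawned by document handler {parent}")
    for pattern, label in SUSPICIOUS_SWITCHES:
        if pattern.search(cmdline):
            score += 2
            reasons.append(label)
    if image != "powershell.exe" and SCRIPT_FILE.search(cmdline):
        score += 1
        reasons.append("script file argument")
    return score, reasons


def triage(events: List[Dict[str, str]], threshold: int = ALERT_THRESHOLD) -> List[Dict[str, object]]:
    """Events at or above the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"id": ev["id"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "ev1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\ops\rotate-logs.ps1"},
    {"id": "ev2", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc QUJDREVGR0g="},
    {"id": "ev3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe \\fileserver\netlogon\map-drives.vbs"},
    {"id": "ev4", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Users\jdoe\AppData\Local\Temp\invoice.js"},
    {"id": "ev5", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["id"], hit["score"], "; ".join(hit["reasons"]))
```

The scoring is deliberately additive so that an administrator's scheduled PowerShell job (ev1) or a logon script run by explorer.exe (ev3) stays below the threshold, while the same binaries launched from Word or Outlook rise above it; because the attacker is using tools that are already present, the parent process and the command line are what the defender has to reason about, not a file hash.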
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.