With the ever-expanding influx of Internet Embedded Technology (IET) within businesses, such as printers, conferencing solutions, building security technology, heating, ventilation and air conditioning, automated lighting and other various consumer-based Internet of Things technologies, I would not be surprised if we see these technologies take centre stage in a major breach in 2018.
Currently no large breaches have been centred directly around IET. However, there are two ways these technologies could play a role in a breach. One way is indirect, where a business has been previously compromised and the IET is then compromised as a secondary phase and used to hide the malicious actor’s presence as an advanced persistent threat (APT) on the network. Unfortunately these technologies are not monitored and are often overlooked when it comes to a healthy security environment, making it very practical for them to be used as an APT.
The second way IET could be used for a breach is direct. With many IET solutions having some form of direct access, including IP exposure to the Internet, WiFi capabilities and radio frequency functions such as Zigbee, Zwave, Bluetooth, BLE and others, I see malicious actors using these communication services to compromise the IET devices to gain a foothold on the business network. They can then silently hide on the corporate network, be able to launch direct attacks against other critical systems and exfiltrate data off the network in a stealthy way, again taking advantage of the lack of monitoring of IET.
Deral Heiland, IoT Research Lead, Rapid7
Cyber criminals will focus on soft targets
In an online world dominated by FAMGA (Facebook, Amazon, Microsoft, Google and Apple), I expect to see very few actively exploited vulnerabilities in newly created and distributed software from these mature technology vendors. The hegemony of these companies will ensure a highly secure operating environment within each of their areas of dominance. Occasional issues will surface, of course, but on the whole, the computing environment for the average person will have a marked lack of “classic” software vulnerabilities.
However, this lack of “new” bugs will not put cyber criminals out of business. They will continue to spend their efforts on much softer targets. These would include older software stacks that rarely see regular software updates – multifunction printers, home and enterprise switches and routers, and Internet of Things devices that ship old and unpatchable software.
I also expect to see continued sophistication on the part of attackers in their ability to trick, scam, and phish credentials out of users, where either no bugs, or old bugs, are required for successful exploitation.
Tod Beardsley, Research Director, Rapid7
Increased use of built-in tools, service accounts become a target
Given the trends established in the second and third quarters of this year, I expect attackers in company networks to continue to leverage built-in Windows management tools to achieve lateral movement within networks once a foothold is gained. One-off incursions on isolated systems will become increasingly rare, and incident responders will find themselves hunting down infected neighbours with greater frequency. IT departments should make an effort to gain more control over the use of powerful admin-level tools like PsExec and begin to profile and establish baselines for legitimate use to make it easier to identify potentially malicious behaviour.
Attackers will also tend to compromise service accounts – those accounts used by business processes with unusually high access privileges and weak credential management – when given half a chance. Those features make these accounts treasured prizes, but there are a few, basic steps organisations can follow to ensure they remain out of reach.
Rebekah Brown, Threat Intelligence Lead, Rapid7
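The baselining approach described above (profile legitimate PsExec use, then flag deviations, and watch service accounts for logons they should never perform), as an added example that is not part of the original article or Rapid7's tooling. The event records, host names, accounts and IP addresses are constructed; it assumes Windows events have already been parsed into dicts with the fields shown.

```python
from collections import defaultdict

# Constructed sample events (hypothetical hosts/accounts). Event ID 7045 (System log)
# records a service install; PsExec's default service name is PSEXESVC.
# Event ID 4624 (Security log) records a logon; logon_type 3 = network,
# 2/10/11 = interactive, RDP and cached-interactive respectively.
LEARNING_WINDOW = [  # a quiet period used to learn what "normal" PsExec use looks like
    {"id": 7045, "host": "srv-fs01", "user": "CORP\\jdoe.adm", "src": "10.0.5.10", "service": "PSEXESVC"},
    {"id": 7045, "host": "srv-app03", "user": "CORP\\jdoe.adm", "src": "10.0.5.10", "service": "PSEXESVC"},
]
LIVE_EVENTS = [
    {"id": 7045, "host": "srv-fs01", "user": "CORP\\jdoe.adm", "src": "10.0.5.10", "service": "PSEXESVC"},
    {"id": 7045, "host": "srv-db02", "user": "CORP\\svc-backup", "src": "10.0.9.77", "service": "PSEXESVC"},
    {"id": 4624, "host": "srv-db02", "user": "CORP\\svc-backup", "src": "10.0.9.77", "logon_type": 10},
    {"id": 4624, "host": "srv-fs01", "user": "CORP\\svc-backup", "src": "10.0.2.20", "logon_type": 3},
]

SERVICE_ACCOUNTS = {"CORP\\svc-backup"}     # accounts used by batch/business processes
INTERACTIVE_LOGON_TYPES = {2, 10, 11}         # a service account should never produce these


def is_psexec_install(event):
    """Match the default PsExec service install; a renamed service needs a broader rule."""
    return event["id"] == 7045 and event.get("service", "").upper() == "PSEXESVC"


def build_baseline(learning_events):
    """Profile legitimate use: which admin accounts run PsExec and from which source hosts."""
    baseline = defaultdict(set)
    for e in learning_events:
        if is_psexec_install(e):
            baseline[e["user"]].add(e["src"])
    return dict(baseline)


def detect(events, baseline):
    """Return (rule, host, user, src) tuples for events that fall outside the baseline."""
    alerts = []
    for e in events:
        if is_psexec_install(e):
            # PsExec from an account or source host never seen in the learning window
            if e["src"] not in baseline.get(e["user"], set()):
                alerts.append(("psexec_off_baseline", e["host"], e["user"], e["src"]))
        elif e["id"] == 4624 and e["user"] in SERVICE_ACCOUNTS:
            # a high-privilege service account used interactively is a classic misuse sign
            if e.get("logon_type") in INTERACTIVE_LOGON_TYPES:
                alerts.append(("service_account_interactive", e["host"], e["user"], e["src"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_EVENTS, build_baseline(LEARNING_WINDOW)):
        print(alert)
```

In practice the learning window should be long enough to cover scheduled maintenance, and the baseline reviewed by the IT team rather than trusted blindly, since an attacker already present during learning would be baselined as normal.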
“2018 will be the year when organisations across Europe and those who serve European customers make significant progress towards safeguarding the privacy of their information due to the stringent requirements of the General Data Protection Regulation (GDPR). Improving their ability to detect the early signs of privacy breaches will be key, either by relying upon the managed services of experts or deploying specialist software in-house. Sadly, all too many vendors will continue to pitch their wares as silver bullets for GDPR compliance when the reality is that guidance is required regarding how best to improve the maturity of the associated policies, processes and procedures in addition to the application of appropriate technology.
The information security and privacy market will continue to grow in terms of the ever-growing range of technologies and vendors providing services. Figuring out which controls are most effective for your organisation to reduce its risk to an acceptable level while ensuring the best balance with regard to business efficiency will remain an art form. Thankfully, practical advice is available from our consultants to ensure you make good progress within sensible budgets.”
Steve Lamb, Head of Cyber Consulting for Europe at Rapid7
Data security and breach notification regulations
In 2018, following high profile data breaches, federal lawmakers will press for data security and breach notification regulations, prompting debate over the appropriate balance between consumer protection and burden on business. This is a great prediction. Why? Because it happens every year! But will 2018 be the year that general security standards actually make real headway in Congress? That’s much harder to predict, but 2017’s breaches got a lot of attention, EIGHT states passed new security/breach rules in 2017, and we do live in interesting times.