Security predictions 2017
As we head into a new year at Security News Desk, Tim Compston talks to security vendors and industry experts who have been spotlighting what they expect to be making waves security-wise over the next 12 months and the lessons learnt from 2016.
There is little doubt that this has been a turbulent year on the cybersecurity front with major data breaches being reported - Yahoo being a case in point; a spate of ransomware attacks hitting the headlines, and even allegations that state actors have been taking advantage of the cyber arena to influence elections.
Top three threats
Kicking off our discussion with a look back at 2016, Limor Kessem, Executive Security Advisor, IBM Security, tells Security News Desk that the top three cybersecurity issues which made their mark over the past 12 months were, specifically: Internet devices becoming ‘cyber weapons’; the response to data breaches by organisations, and ransomware and the fact that people are now, seemingly, paying out.
Tackling these cybersecurity threats in turn, on the subject of the potential for Internet devices to be employed as ‘cyber weapons’, Kessem points out that, worryingly, back in October cyber attackers were able to take control of consumer IoT (Internet of Things) devices such as Wi-Fi cameras, smart thermostats, modems, and DVRs, to create an army of devices that took down a large part of the Internet: “Since the first attack, several other copycat attacks using malware called Mirai have occurred, making it a continuing threat to consumers and businesses.”
Turning to how the speed, and quality, of response to data breaches impacts on consumers, Kessem flags up the fact that in 2016 alone 2.1 billion records were stolen by hackers including huge heists like Yahoo, LinkedIn and MySpace. She emphasises that when organisations prepare, and plan, for how to respond to cyberattacks they are much better equipped to respond effectively: “Consumers feel the pain because it takes companies an average of 201 days to find out about a cyber breach. The response is often slowed down because 75 per cent of companies don’t have incident response plans in place.”
Kessem believes that ransomware - the act of encrypting digital data and holding it until the owner pays a ransom - has also become a more significant security threat through 2016: “We have seen police stations, schools, and even hospitals hit - many paying the ransom in these attacks.”
To put the scale of the rise of the ransomware challenge into some sort of perspective, Kessem cites figures for the United States which show that in the first three months of 2016 alone more than $209 million in ransomware payments were paid: “Compared to 2015, that’s a dramatic 771 per cent increase from a reported $24 million for all of 2015.” According to Kessem, the FBI estimates that ransomware is on pace to be a $1 billion source of income for cyber criminals by the end of 2016.
Reflecting on the year to come, Kessem expects many of the above issues to still dominate but also stresses that IBM X-Force is characterising 2017 as the year when: “IoT [Internet of Things] security becomes everyone’s problem”.
The escalating nature of ransomware is something that is also exercising the thoughts of Matt Walker, VP Northern Europe, at HEAT Software, when he is interviewed about the trajectory of cybersecurity: “Companies are still really struggling to cope with the ransomware issue. For a long time sophisticated malware attacks have been a problem for businesses, creating inconvenience or some data security data breaches, but I think that this next wave is more insidious in a way because what’s been worked out is that this is very profitable.”
Walker adds that he is witnessing the start of a move away from ransom demands just being made because of data: “It is becoming an infrastructure type of threat as well. We have seen this before in fact we had a company we dealt with in Kuwait who felt very much threatened. They were told they were going to be attacked and they put in place our application control, in terms of whitelisting, because of this.”
Looking ahead, Walker believes that companies are really going to have to start considering an application control approach to stem this ransomware tide: “Previously they maybe thought it was too difficult to implement but it is the one way to stop software running that you don’t want and that, effectively, is ransomware,” he concludes.
Gaining an IQ
Keeping on the ransomware theme for 2017, Hitesh Sheth, CEO at Vectra, homes in on ‘ransomware gaining an IQ’ and IoT device vulnerabilities as one of his central predictions: “Because it provides the fastest way for an attacker to monetise an attack, through untraceable Bitcoin, ransomware attacks will grow more intelligent by targeting high-value digital assets, including surveillance cameras, phone systems, security systems and other business IoT devices.”
Ultimately, in 2017, Sheth feels that new forms of ransomware will become the biggest headache for security response teams and the business driver of growth in cybercriminal income, given the way that it automatically and rapidly extorts money from enterprises. Sheth says that we should also witness more collaboration in 2017 between private industry and law enforcement agencies – both domestic and international – as they attempt to close down and bring ransomware operators to justice.
Another prediction on the 2017 radar for Sheth is the expectation that so-called ‘bad actors’ will turn their focus to ‘the soft underbelly of data centres and cloud deployments’: “They will try to gain control of firewalls, servers and switches that make up the physical infrastructure.”
Sheth also believes that 2017 is likely to be the year of the automated security response or, at least, some way towards it: “Human beings alone, no matter how skilled, won’t have the bandwidth to handle the tsunami of security data, cacophony of alerts, and plethora of security tools in 2017. With hyper growth in the attack surface and threat landscape – and constrained by limited security analyst resources and capabilities – enterprises will augment their teams with artificial intelligence to automate the detection and response to security incidents. Security analysts will remain in the loop and continue to bring unique insight and capabilities. Think Robocop, not Skynet.”
Time to take stock
With the GDPR and NIS Directive looming on the horizon, Greg Day, VS and CSO, Palo Alto Networks, suggests that as businesses prepare for this upcoming EU legislation it provides a rare opportunity for them to step back and take stock of their capabilities: “They can validate if they are still fit-for-purpose for the approaching deadline and for the future thereafter. This will mean that businesses finally have to gain control of the mountains of data they have gathered and generated and to understand both the value and risks they create for the business.”
Another aspect of the cyber threat that Day is keen to expand on is the way that targeted credential theft is allowing attackers to move their attack out of the business network: “As more businesses embrace cloud, credential theft, whether through social engineering or attack, will mean that adversaries have to spend little or no time in the businesses network to achieve many of their cyberattack goals.”
Regarding the wider global threat landscape in today’s uncertain times, Adam Vincent, CEO, ThreatConnect warns that with state-sponsored hacking now a mainstay, and cybercriminals pushing into new powerful forms of ransomware, 2017 is shaping up to be a challenging year for the cybersecurity community: “At ThreatConnect we conducted much of the cutting edge research regarding the newsworthy breaches of 2016, including the DNC and WADA hacks. Organisations face new, powerful threats and adversaries playing a much longer game against specific victims. The era of so-called “scattergun scams” is gradually evolving into a trend for far more finely-targeted exploits designed to achieve strategic goals, both for the advancement of national policy and criminal gain.”
Drilling down into state-directed attacks, Vincent anticipates a further upswing: “The use of cyber-espionage reached a new level of maturity in 2016. We will see an increasingly vocal response from western governments to escalating Russian hacking activity as we begin to move towards more codified rules of cyber-engagement. 2017 will still be a period of unfettered hacking activity, however, as state actors use aliases to mask their involvement.” In light of this, the takeaway message, from Vincent, is that organisations with any strategically useful information, whether in the public or private sector, must prepare themselves to deal with highly sophisticated phishing, infiltration, and data leaking campaigns.
Seeking out the thoughts of smart encryption expert Matt Little, VP Product Development at PKWARE, his starting point on 2017 is that it is going to be both exciting and thought-provoking on a number of fronts: “The culmination of quantum computing, which is currently looming on the horizon, will cause the long anticipated crypto-apocalypse,” explains Little. He also predicts that artificial intelligence-powered protection solutions will enter the market to combat the next generation of hackers. Alongside this, Miller says that we will continue to countdown to GDPR [General Data Protection Regulation] a reality which, he reckons, is already causing disarray around data protection roles and responsibilities within companies that conduct business in the EU: “Data level encryption solutions will be a critical component for organisations to meet GDPR compliance, protection requirements, and many will also provide the ability to digitally shred information to meet destruction requirements,” he concludes.
There is certainly room for improvement where encryption is concerned and a recent survey by PKWARE, which examined the data security knowledge and best practices of UK-based technology decision-makers, certainly provides food for thought as we head into a new year. Worryingly, according to PKWARE, the survey suggests that nearly a quarter of tech senior decision-makers in the UK do not fully understand what encryption actually is in the first place. This number increases to 40 per cent in the retail sector, reports PKWARE, and half in the healthcare sector.
Overall, only 50 per cent of respondents questioned said they actually encrypt their customer data. “These results are mind boggling,” says Miller Newton, CEO of PKWARE. “It’s hard to believe how many companies are still scraping by with such lax security when handling their customers’ valuable data. Just being compliant with basic security regulations isn’t enough anymore. As demonstrated by numerous high profile cyber-attacks, organisations need to encrypt their data and have fool proof security measures in place.”
Keep a look out for the second part of the 2017 Security Predictions from Security News Desk, online soon. Or, if you can't wait, click here for the feature in our newspaper.