Forcepoint 2016: Top 8 Predictions
Looking forward for the rest of 2016, here are Forcepoint Security Labs' Top 8 security predictions.
1. The US Election cycle will drive themed attacks
The 2016 presidential race will likely see the most prolific use of online and social media campaigning yet as candidates and their teams regularly turn to online resources, campaign websites, Facebook, Twitter and Instagram to reach voters and target specific demographics in their race to win the White House. With 74 percent of adults active on social networking sites as of 2014, according to the Pew Research Center, social media may eventually surpass traditional news media and paid advertising as the top source for voters for election news and opinions.
2. Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
The payments and payment security landscape is set for some tumultuous shifts to occur in 2016. These seismic shifts are exactly the types of situations from which savvy cybercriminals usually seek to take advantage. As criminals look to shift their game plans, there are three distinct areas where attackers are migrating: newly introduced infrastructure, new payment methodologies and mobile wallets. Criminals well versed in physical tampering of terminals may even take advantage of the migration to the new Pin and Chip credit and debit cards to “introduce” a number of data capturing devices of their own into a large terminal replacement projects. As adoption and the types of transactions capable on mobile phones increases, malware authors will also increase their efforts to steal from a digital wallet. Mobile malware will evolve to use these payment methods to commit fraud.
3. The addition of the gTLD system will provide new opportunities for attackers
For those accustomed to the old Internet of .com, .edu, .gov, .net, .org, and .info, your intimate little neighborhood is about to get a lot more neighbors. The implementation of expanded new generic top- level domains (gTLD) by the Internet Corporation for Assigned Names and Numbers (ICANN) means that you are now beginning to see many more URLs ending in .club, .xyz, .faith, .download, .guru and many more dot-word domains. Will consumers shopping for a computer steer towards shop.apple, apple.macintosh or apple.computer? Will businesses users with Salesforce accounts respond to an email that comes from renewal.salesforce, salesforce. software or salesforce.updates? This potential confusion is a golden opportunity for criminals and nation-state attackers to create highly effective, social engineering lures to steer unsuspecting users toward malware and data loss.
4.Cybersecurity insurers will create a more definitive actuarial model of risk – changing how security is defined and implemented
2015 was a tough year for breaches and the trend for 2016 looks to be no better. Against this backdrop is the gradual realization within corporations that the value of their company's data is a large part of corporate assets, and a huge potential cost during a cyber event. A November 2015 Wells Fargo survey of U.S. companies with $100 million or more in annual revenue found that 85 percent have purchased cyber or data privacy insurance, primarily to protect the business against financial loss. Of those with policies, 44 percent have filed a claim as a result of a breach. According to Carl Leonard, principal security analyst at Forcepoint Security Labs, “The cyber insurance market will dramatically disrupt businesses in the next 12 months. Insurance companies will refuse to pay out for the increasing breaches that are caused by ineffective security practices, while premiums and payouts will become more aligned with the actual cost of a breach. The requirements for cyber insurance will become as significant as regulatory requirements, impacting on businesses' existing security programs.”
5. Data Theft Prevent adoption will dramatically increase in more mainstream companies
Chances are high that data about you was leaked or stolen in 2015. The variety of industries targeted by attackers in 2015 is unprecedented. Simply put: If your company holds information, you have been and will be an attractive target for attackers. It is now common among security professionals to suggest that organizations practice security with the assumption that the organization has already been breached. Assuming a breach is one thing, but companies with an eye on the bottom line will begin to no longer strive for “perfect protection,” but to highly prioritize the rapid detection of existing and future theft and to make every effort to minimize their window of compromise by remediating not only the threat, but also the root cause. Threats will initially target specific high-value sectors or industries, but will then spread out to attack a broader range of businesses.
6.The Forgotten ongoing maintenance will become a major problem for defenders as maintenance costs rise, manageability falls and manpower is limited
IT Infrastructure continues to grow and expand in depth and criticality, requiring increasing resources just to maintain the status quo. In essence, with every passing day, IT managers have to work harder just to stay in the same place and that's a problem. When it comes to security, keeping up on maintenance is a continual effort where the consequences of failure are far worse than a missing webpage. Instead, attackers continually search for forgotten or abandoned systems, looking to worm their way into the heart of the enterprise. At some point, the cost of older systems that must be maintained will reach a tipping point and become prohibitive. When this occurs, look to vendors to radically restructure their support plans, and aggressively cut end-of-life software support in order to provide service to more recent releases. Updates of operating systems and software that previously were opt-in will now be automatic with no user action. Many software providers will look to this model as patching holes in previous iterations of the system becomes prohibitively costly to maintain. Forcepoint's own research supports this. Examining some of the most popular websites in the world, Forcepoint observed certificate issues related to older hashing schemes such as SHA-1, as well as problems related to the version of ciphers supported. These issues trickle down to users. If some of the “big names” on the Internet are struggling to keep up, how can smaller vendors cope?
7. The Internet Of Things will help (and hurt) us all
The websites, apps and electronic devices that comprise the Internet of Things (IoT) make navigating personal and business tasks more convenient than ever, but their popularity also means a wider attack surface, expanse of data and range of vulnerabilities for threat actors to exploit. Digital and connected diagnostic and screening systems in the healthcare field are expected to reach more than 40 percent global penetration by 2020. While these connected medical devices are invaluable to medical facilities, staff and patients in advancing overall progress and care, they also contain the potential to adversely affect information systems protecting patient safety and data. Mobile technologies and Internet-connected devices have been a boon for business productivity. Workers are able to access email and business networks on the go in an instant. But many are also doing so in ways IT security may not be aware of, putting their organizations at risk. Richard Ford, chief scientist at Forcepoint, says, “We'll see the Ghosts of Internet Past come back to haunt businesses through compromises caused by old and broken versions of applications, havoc-invoking vulnerabilities in operating system updates and end-of-life processes, and weaknesses in new applications built on recycled code.”
8. Societal views of privacy will evolve, with great impact to defenders
The concept of privacy is fluid and changes as a function of time. In fact, the very definition of privacy can be different based on culture, historical period and societal pressures. This is apparent in places such as social networks, where different generations share information in very different ways. It is not that one generation has “no concept of privacy” – far from it. The truth is that the Internet generation has a different concept of how the personal sphere is to be treated. It is important to note that it isn't just Millennials shifting their thoughts on privacy. Because the digitization of activities is becoming the routine of life, Generation X and Baby Boomers are also shifting their mores. Whether they know it or not, their information is quietly being gathered by digital devices and everyday activities