Bob Ackerman, managing director and founder, Allegis Capital
Data analytics. Whether we are looking at threat intelligence or insider behavior, which contributes to 40 to 75 percent of all breaches, data analytics will continue to be a major innovation and investment theme. There is no shortage of data, it’s finding the specific piece of hay in the haystack – not just the needle in the haystack – that is essential for the security practitioner.
Autonomic defense. The explosion in volume and quality of threat intelligence and the chronic shortage of threat analysts will drive the demand for automated response systems for cybersecurity. We need to automate the rudimentary threat responses and for all management to focus scare threat analyst resources on the most complex and critical threats. Essentially, it’s all about scale and velocity.
Cybersituational awareness. Monitoring and measuring cybersituational awareness – of the enterprise and its supply chain – moves to the top of the policy priorities. As Target demonstrated, a company is only as secure as its supply chain when things happen so quickly. As cyber moves from the domain of IT to enterprise risk, visibility, quantification and qualification become essential.
Data provenance. The global economy is driven by ones and zeros moving at the speed of light. Ensuring the integrity of those digits becomes essential as we try to move from cyber “Whac-A-Mole” to trusted systems.
Philip Agcaoili, SVP, U.S. Bancorp; CISO, Elavon; board of advisors, PCI Security Standards Council; chairman, Ponemon Institute Fellows
I’m not a prognosticator, but a CISO of a leading global payments solution provider and don’t have to predict the future. We already know what’s to come–If you don’t implement basic cybersecurity hygiene and haven’t successfully developed a culture of cybersecurity within your organization, you will get hacked. The most vulnerable organizations are the ones who have not properly prepared for such an event. Beyond ensuring the basic cybersecurity hygiene, culture change, implementation of the latest cybersecurity prevention technology, and maturing response practices, every organization needs to be prepared to be breached and focus on detecting the breach and shortening the dwell time that your adversary has to go undetected once they compromise your environment.
Dmitri Alperovitch, CTO and co-founder, Crowdstrike
Data and information will continue to be weaponized: Use of data as weapon will be a major problem in 2016. In the past, data has been taken, destroyed or encrypted, but increasingly we’re seeing breaches during which data is leaked publicly in order to cause significant damage to a business, reputations, or even the government (e.g., Sony, Ashley Madison, etc.). Criminals and hacktivists are now stealing data and threatening to place it on public websites for others to see. In conjunction with this, hackers are building massive databases that include multiple types of data (insurance, health, credit card) to present a “full picture” of an individual. It’s one thing to have your data stolen and another to have it used against you. We’ll continue to see individuals’, corporations’ and public entities’ info used against them as a weapon in 2016.
Stephen A. Aschettino, partner at Foley & Lardner LLP
With BYOD sweeping the corporate world, I expect to see in 2016 an increase in the quantity and scale of data breaches stemming from mobile devices. Millennials and others are demanding speed and mobility through their phones and tablets. Monitoring and protecting these employee-owned devices creates real challenges for company security pros. Moreover, technical exclusions in some cyber-insurance policies may void coverage for data breaches stemming from devices owned by individuals rather than the insured company.
Gasan Awad, vice president, global identity and fraud product management, Equifax
Security for mobile and online transactions was a significant concern for 2015. As more consumers make card-not-present purchases, many mobile and online merchants still need to catch up with authentication best practices. This caused an increase in fraudulent charges in 2015.
Data breaches, which are becoming much more sophisticated in complexity and scale, are a top concern for 2016. New forms of vulnerabilities and the innovative methods being employed are causing alarming losses in multiple forms – dollar losses due to fraud, reputation risk for involved firms, and individual costs to victims. Data breaches are one reason why the identity theft issue continues to move.
Sanjay Beri, founder and CEO, Netskope
Cloud adoption will peak and shift the role of IT from system fixers to innovation brokers as IT professionals develop new productivity tools and proactive policies to help enterprises make use of the cloud. Machine learning will go mainstream for anomaly detection as it integrates with core IT infrastructure. The cloud access security broker (CASB) market will emerge as the hottest market in enterprise IT after nearly $1 billion in M&A activity in the latter half of 2015 alone. Pending global privacy regulation, particularly General Data Protection Regulation (GDPR) in the EU, will force companies to step up their data protection, thereby increasing investment in security and compliance technologies.
Andrew Conway, research analyst, Cloudmark
Someone will find a way to monetize an IoT attack. Security on most IoT devices is terrible, but they have not been subject to many attacks for several reasons. Since there is a large variety of devices, there is no uniform attack surface that cybercriminals can attack. Additionally, it’s difficult to monetize a remote attack that turns down someone’s thermostat or burns their toast. However, the criminal mind is extremely inventive and someone, somewhere is going figure out how to profit by hacking your A/C and toaster.
DDoS extortion will continue to increase. The ease of using Bitcoin for various types of extortion has led to an increase in ransomware and DDoS extortion. However, for the victim the results differ. If you pay a ransom for your data, the chances are you will get it back. If you pay off DDoS attackers, they are likely to just come back for more. Businesses should sign up for a reliable DDoS protection service before they get attacked, rather than having to pay ransom to delinquent script kiddies.
Nikias Bassen, principal mobile security researcher at Zimperium
2015 was a year for the record books in information and cybersecurity. Dozens of newcomers entered the space, new vulnerabilities were uncovered, and government agencies and companies continued to find themselves victims of massive breaches. In 2016, we don’t expect this to slow down. Here are our predictions on what’s coming.
iOS: Not as secure as once thought. While Android might get more press for its security issues, expect flaws for iOS to hit the headlines in 2016. We believe a vulnerability similar to Stagefright will emerge on iOS, proving no OS is safe from motivated attackers.
We’ll also see another remotely exploitable attack, similar to 2015’s AirDrop vulnerability. This vulnerability allowed hackers to send and install malware on any device within range even if the user tried to block the incoming file. New attacks could come through AirDrop again, or could be through a new vector such as AirPlay or the Continuity feature Handoff.
Expect more iOS kernel exploits and jailbreaks for iOS 9.2 and 9.3, as well.
Android: Still insecure. Android users still have plenty to worry about as Google rolls out updates. As with the AirDrop issue in iOS, we expect Android to suffer from at least one remotely exploitable issue similar to the SwiftKey Keyboard vulnerability in 2015.
Also, while Google promised monthly security updates for Android in August 2015, those updates have not always made it from Google all the way to users’ handsets smoothly, given the fact that update availability is dependent on carriers. Don’t expect things to improve much in 2016. Devices older than 4.4 are now officially unsupported, leaving about 35% to 70% of all Android devices vulnerable.
Additional exploits will take advantage of shared address space ASLR weakness to gain system privileges. Android will suffer from more kernel exploits as SELinux is adopted.
Bug bounties will drive publicly disclosed vulnerabilities. More vulnerabilities will be disclosed due to expansion of bug bounty programs. The programs generally involve companies exposing code (for software, a web site or a mobile app, for example) to hackers and researchers to uncover bugs and vulnerabilities. The goal of these programs is to find and resolve these security flaws before the general public has a chance uncover and exploit them.
Client-side attacks grow. Network perimeters are continuously fortified with new security measures. Hackers look for the weakest link and will evade perimeter security leveraging users as a conduit to perform a network breach. Client-side attacks will increase and we expect Chrome and even some PDF readers to experience major vulnerabilities in 2016.
Other client-side attacks will include usage of media formats to exploit vulnerabilities in media processing libraries such as libstagefright. These formats are likely to be triggered via the email client, browser, MMS or IM.
Mobile in the workplace grows, so do threats. It’s no surprise that mobile usage in the workplace will continue to grow. Enterprise mobility programs seek to gain productivity from users but cause enormous complexity. The number of supported devices, OSes, applications and geographies force an already overburdened IT group to manage hundreds of policies as we bring new devices to work. Smartwatches from Apple and Samsung only exacerbate the issue further, creating new attack vectors for hackers.
Security is an issue no company with sensitive data can ignore. Whether it’s the ongoing issues with wearables, Android and new iOS vulnerabilities, or attacks targeting end-users, there’s no sign of security issues slowing down anytime soon.
Steve Durbin, managing director, Information Security Forum
A maturing information security field and more sophisticated cyberattack capabilities will demand skilled information security professionals who are increasingly scarce. Cybercriminals and hacktivists are increasing in numbers and deepening their skillsets. The ‘good guys’ are struggling to keep pace. Where will these resources and skillsets come from? CISOs need to build sustainable recruiting practices as well as develop and retain the talent they already have to boost the organization’s cyber resilience.
In 2016, the skills gap will deepen as hyper connectivity increases. CISOs should prepare to build information security capabilities across the organization and position the executive team to recognize and retain talent, both those who have come up through the ranks and newer employees who have worked in a digital environment and business roles. Moving forward, there will be a need to be more aggressive about getting the skill sets that the organization needs. While the industry continues to attract the right level of interest, and while businesses continue to work with universities and pass needed legislation, the industry as a whole must realize that there is a skills gap problem that needs to be resolved.
Smartphones are creating a prime target for malicious actors in the IoT. The rapid uptake of BYOD and the introduction of wearable technologies to the workplace will increase an already high demand for mobile apps for work and home in the coming year. To meet this increased demand, developers working under intense pressure and on razor-thin profit margins, will sacrifice security and thorough testing in favor of speed of delivery and low cost, resulting in poor quality products more easily hijacked by criminals or hacktivists.
In 2016, organizations should be prepared to embrace the increasingly complex IoT and understand what it means for them. CISOs should be proactive in preparing the organization for the inevitable by ensuring that apps developed ‘in-house’ follow the testing steps in a recognized systems development lifecycle approach. They should also be managing user devices in line with existing asset management policies and processes, incorporating user devices into existing standards for access management and promoting education and awareness of BYOD risk in innovative ways.
Neill Feather, president, SiteLock
Ransomware: This is a type of malware that forces its victims to pay a ransom in order to grant access to their systems, or to get their data back. It’s moving to extort website owners and its prevalence is sure to increase.
Biometric authentication pitfalls: With all of the biometric authentication being developed today, it all has to be stored in a centralized database somewhere. Databases that store biometric data have been and will continue to be hacked. And with biometric information being unique, it can never be changed like a password can.
SEO spam: Attackers are adapting how SEO spam files are created on or uploaded to websites. Spam files masquerade as WordPress plugins and fake cache files. Expect more ways to hide spam in plain sight.
Encryption: This is a topic that has been in the news a lot recently, however it is not going anywhere. If you weaken encryption, you weaken all security. Plus, bad guys don’t need encryption to do bad things.
Mark Gazit, CEO, ThetaRay
Cyberthreats that just a few years ago would have been considered science fiction are now becoming reality. For example, in 2015 we saw cars and airplanes being hacked for the first time ever. As the Internet of Things continues to grow in 2016, and more and more machines become connected, we can expect to see a considerable increase in cyberattacks from governments, hacktivists and cyberterrorists.
Because consumers are conducting more of their banking activities online and via mobile device, they are making themselves and their banks increasingly susceptible to cybercriminals. No longer must a thief use a gun to rob a bank, now he can simply hack into an online savings account from halfway around the world. This new form of “long distance bank robbery” is likely to increase in 2016 as more and more people take their banking online.
Venky Ganesan, managing director, Menlo Ventures
There is every sign that next year will turn out to be the golden era for cybersecurity investing.
The government market will look for and purchase new protection for an impending cyberwar, which many believe may already be underway with several countries. In the commercial market, vendors selling firewalls and other traditional cybersecurity solutions will continue to see growth of 5-8 percent a year. Additionally, newer forms of cybersecurity will grow as everyone tries unique solutions to meet more sophisticated forms of attack.
Investments in these new solutions will be focused on four major areas that are currently poorly protected: mobile apps, east-west data center traffic, automated responses to cyberattacks that combine machines and analysts, and IoT where adoption will be driven by the first highly publicized hack.
Troy Gill, manager of security research, AppRiver
There will be an increase in spear phishing and more targeted attacks. Thanks to numerous breaches and a glut of personal information available via social media, a wealth of private personal and financial information exists on the cyber underground. Cybercriminals can easily create very specific personal profiles of their targets. This information will be integral for highly targeted attacks or to be used in such a way as to defeat new card technologies.
Acts of cyber aggression will continue between many nation states, including the U.S. and China. We may not be privy to the majority of attacks between our collective countries against infrastructure or corporate espionage, but evidence suggests that the internet has become an important tool in every aspect of our lives, including war and politics. Expect this “boots at home” tactic to remain in the playbook as a first move in most conflicts whether it be just reconnaissance or the disabling of infrastructures and communications.
David Goldschlag, SVP of strategy, Pulse Secure
According to a recent Forbes report, cyberattacks are costing businesses between $400 billion to $500 billion annually, and that number doesn’t include the number of cyberattacks that aren’t reported.
Cloud access security broker (CASB) is not a magic bullet. 2016 will shine a light on CASB’s fundamental issues that were overlooked as organizations allowed uncontrolled access to ad-hoc applications like Box, Dropbox and Google Drive. Some of these overlooked issues, include that it adds another disparate layer to the security management stack, and many of the functions offered by CASB are already available in solutions already deployed and understood by the enterprise
The rise of bring your own everything (BYOx). 2016 is the year that organizations start to fully appreciate both the benefits and perils BYOx exposes. What started as employees wanting to use laptops with corporate apps has quickly spread to tablets, phones and in the future might include a lot more devices. Organizations need to be ready for this new wave of device demands and think about building platforms that can cope with the X factor
Time for the security of things. As more devices become exposed to open networks connected ultimately to the internet, security needs to be at the forefront of the revolution. A security-of-things policy will come together to create some basic building blocks to mitigate risks and pave the way for wider adoption of IoT
Organizations will make the switch to an identity- and device-based model. Mobile access to IT is on the rise from using remote systems during customer visits to collaboration with partners; access to IT needs to be more flexible. 2016 will see a lot of very large organizations start to mandate enterprise mobility management across not just one device, but every device that a user interacts with that can have an impact on the IT environment.
Fengmin Gong, co-founder and chief strategy officer, Cyphort
More APT-style financial crimes. 2016 will be a big year for similar-type attacks and campaigns, like “Carbanak” that move money out of customer accounts from inside the bank system, and the malware-powered “pump-and-dump” attack on Wall Street.
Prominence of IoT security incidents. Expect to see more security incidents related to car on-board control and access. As well, more security incidents in the area of smart homes will surely wake people up and get them to start thinking about “utility” and “security” in one thought. (Especially when more IoT sensors are deployed with remote access through smartphones.)
Android becomes a serious vector. Expect Android devices to become a serious vector for cyberattacks into business networks and assets.
Todd Inskeep, principal / director of commercial consulting, Booz Allen Hamilton
Hackers will go “quiet.” Since the Sony hack last year there have been a few high-profile attacks, but nothing quite as loud or full-on destructive. Attackers have been much quieter in 2015 in signaling their capabilities and broadcasting infiltrations and this will continue into 2016. Instead of the big showy attacks that post the data and embarrass companies, the use of more quiet attacks means the public will hear less, while boards and executives will hear more – not about the attacks themselves but about the effects of the hack. It’ll be more “Houston, we have a problem,” with less insight into how the attack was accomplished and how the hacker obtained any value from what was done. Hackers will become more insidious in nature and in practice.
Benjamin Jun, CEO, HFV Labs
Microservices will change the build vs. buy debate. 2016 a good year for DevOps: Organizations have always faced the dilemma of building or buying application security components. Traditionally, companies roll their own because 1) they believe they can do it better, and 2) they don’t want to share vulnerabilities with other companies.
In 2016, microservice security offerings will begin taking hold. Identity management and customer data – the crown jewels of any organization – will be increasingly migrated to specialized cloud services. Solutions will come from a diverse and new set of vendors, from Parse (acquired by Facebook) to Salesforce.com. Developers will insert vetted services and code into their own software, avoid building from scratch, and obtain a security level better than most homegrown offerings. And, for companies who insist on build-your-own, relief is coming in 2017 when container technologies will allow in-house teams to practically manage and integrate microservices of their very own.
Lila Kee, vice president, GlobalSign
With the New Year just around the corner, we’d like to share our security predictions for 2016. These three issues will be at the forefront for security professionals in the coming year.
Encryption and mutual authentication will be more prevalent inside the protected perimeter in defending against threats from within organizations. Data breaches have unfortunately become a normal event that will be taken increasingly seriously especially in highly regulated industries such as healthcare. Heavy fines, loss of reputation, and increased regulations will drive enterprises to step up security around both data in transit and at rest. Organizations need to be more proactive in securing and monitoring their sensitive data from those from inside the organization who wish to intentionally misuse the information and those who inadvertently mishandled private information such as customer data, corporate IP, or privileged IT information. The best way to do this is by applying encryption and mutual authentication technologies to guarantee both client and server identities are known and information exchanged is protected from unauthorized snooping.
Identities for things will outpace identities for users. Analyst firm Gartner forecasts that 5.5 million new things will get connected every day in 2016. This means 6.4 billion connected things will be in use worldwide next year (up 30% from this year). When you consider the average person has seven digital identities, it is only a matter of time before digital identities for things (devices, appliances, cars, etc.) surpass identities for users (email accounts, social media profiles, etc.). More and more value added services generated from IoT related use cases such as Smart homes will be accessed through consumer and corporate mobile devices upping the ante for stronger mobile security.
More national ID programs, banks, and consumer oriented entities will become trusted identity providers (IdPs) capable of issuing high assurance level identities required to access sensitive data. Banks make great sense as identity providers because the identities are supported by financial information. Every user of online banking services has a trustworthy digital identity issued based on a rigorous user vetting process often including face to face verification, thus this creates a great opportunity for banks to extend the value of high assurance credentials to service providers. As additional banks take the steps to become IdPs, more and more consumers will enjoy the convenience of using one set of credentials for digital identification. For example, filing tax returns or signing documents. National ID programs are moving forward as well. Earlier this year, the state of Virginia established an Identity Management Standards Advisory Council, to advise on the adoption of identity standards and to ease the state toward approval of electronic identity standards. One could easily imagine Telcos, utility companies and other IDPs leveraging a spectrum of verified identities to service providers.
Tushar Kothari, CEO, Attivo Networks
Fortune 500 companies will be among the first enterprises to adopt deception technology solutions because they have been the most vulnerable and have seen the issue of breaches reach the board. They are looking to deception technology because it is the most efficient and effective method of detecting bots/APTs and insider threats. Deception technology does not generate false positives. Instead, the alerts are substantiated based on engagement, which makes them high quality and actionable. This is very important as there is an increased shortage of security personnel and limited staffing budgets. Budgets that have been earmarked to maintain legacy security systems will be redirected to provide additional visibility into inside-the-network threats.
Lance Mueller, director, incident response and forensics, Absolute
Data breach targets transcend financial information. In 2016 we expect to see a continued rise in data beaches that expand beyond the direct targeting of credit card or financial information. An example of this in 2015 was with the Office of Personnel Management (OPM). This data compromise was significant in several ways, but the most surprising was how vulnerable and accessible that sensitive data was to internet attackers. In other words, the submitted data was not archived offline or moved to isolated backend systems once it was submitted by the applicant. This allowed the attackers to gain access to thousands of past application files once access was gained. This breach was different from the typical in that it was not about credit card numbers or financial information, but was about very sensitive personnel information that was directly related to security clearances and government employment. This breach was not your typical data compromise and the data could be used in several different ways, some of which we may not be realized for years. Another example of this in 2015 was the breach of the Ashley Madison dating website. The fact that the website and data was stolen was not a surprise, but the ramifications of this breach were enormous. Again, not your typical attack where they went after financial/credit card data that could be monetized, but this breach had serious social consequences that led to suicides, blackmailing, terminations and public ridicule. I am unaware of any breach in the past that has had such a deep and broad effect on people that was not directly related to their credit cards.
2016 will bring a rise of ransomware and Dyre attacks. 2015 was the year of ransomware and financial-stealing malware. Both of these become public in 2013/2014, but 2015 became a very popular time for these attack methods. I see no reason why 2016 will not continue with this trend. Ransomware continues to work. Therefore, as long as it continues to make attackers money, there is nothing easier than sending out emails with ransomware and waiting for people to get infected and watching the money roll in. Ransomware has already evolved to include Android devices and Mac OSX operating systems. There is no reason to believe it will not continue on to include other common devices and operating systems. Additional malware such as Dyre, that steals corporate banking credentials, which the attacker can use to transfer money overseas, also continues to be lucrative for attackers and, therefore, it is worth their effort to continue to develop and maintain the latest versions of that malware. New versions of Dyre were just released to support Windows 10 OS.
Wendy Nather, research director, Retail Cyber Intelligence Sharing Center
2016 will be the year of “extortapalooza.” Extortion attacks are nothing new – for example, take the recent situation with Charlie Sheen having to announce that he is HIV+ after paying out millions of dollars to people who knew about his status. Sheen’s case is a bit sensational, but this doesn’t happen only to celebrities; it can happen to companies of all sizes through crypto ransomware or DDoS attacks and to those on Main Street if their identity is stolen.
In 2016, we will see a rise in extortion attacks across multiple industries, but especially within healthcare. According to Reuters, medical information can be 10 times more valuable than a credit card number. Schemes will expand to medical devices such as diagnostic equipment, therapeutic equipment, and life support equipment, wherein attackers will lock it so it becomes inactive until a ransom is paid. That’s scary to think about when some of these devices are essential to keeping someone alive.
Mike Pittenger, VP of product strategy, Black Duck Software
More companies will adopt open source security policies in 2016. Due to the large-scale breaches and vulnerabilities found in recent years, open source and overall IT security has become a boardroom issue. C-level executives are putting this on the docket because they can’t control risk without visibility and are implementing internal policies that are difficult to enforce. CSOs in particular want more visibility and control. Without this, they recognize that they will continue to be surprised when these vulnerabilities are exploited without their knowledge. If they don’t have visibility into all of their code and have developers working with legacy infected code to build new software, they remain open to exploitation.
Two topics will gain visibility in 2016 as it pertains to open source security:
Supply chain. Let’s use the automotive industry for example. The lines of code in an automobile is reported at around 100 million. These lines are generated from Tier 1, 2 and 3 suppliers. Like all software, this includes large portions of open source. The more software used from multiple suppliers, the more at risk you are. If you don’t know if your suppliers’ code is free from previously disclosed vulnerabilities, and it’s used in your product and a vulnerability is exploited – it becomes a major issue for your brand. The need to ensure open source hygiene – visibility to the open source used, along with its risk profile – in all code throughout the supply chain will take on more importance in 2016.
Second, containers. Containers gained their fame in 2015, making life simpler for DevOps. In 2016, we will see more of an emphasis put on securing containers as adoption grows. They are assembled just like any other software, but if they aren’t built using clean code that is free from vulnerabilities, then it’s possible a company could deploy apps that are vulnerable in foundation.
And, a final general security industry prediction: IoT. The connected home of today links an infinite amount of data together to make certain devices smart such as refrigerators, TVs, HVAC units and door locks. Many of these are built using open source, and security may not have been a primary priority. Further, all of these are hooked up to your home network, but not many consumers take the necessary steps to secure their home network like a large enterprise, providing a simple attack vector for hackers seeking access to alarm systems, or cameras in smart TVs or monitoring systems. We will see an emphasis on this topic in 2016 – maybe not breaches – but the recognition that IoT security needs to be stronger to prevent the unknown.
Ryan Olson, director of threat intelligence, Palo Alto Networks
Attackers will continue to deploy ransomware for financial gain, and they will get more specialized. In 2015, we saw widespread infections from ransomware, which encrypt files and demand a ransom for their safe return. Next year I expect attackers to use this technique in more specialized attacks, targeting high-value files and demanding ransoms much larger than the typical $500-$700 we see today.
Human beings and their passwords will continue to be the weakest link. Malware and exploit code are common attacker tools, but they aren’t always necessary to successfully accomplish a task. At some point in almost any major network breach, a human makes a mistake (clicks a link, opens a file, etc.) and their password is captured and used for malicious purposes. This trend is not going away unless something significant changes in the world of passwords.
Mark Painter, marketing manager & security evangelist, HPE Security Products, Hewlett Packard Enterprise
Cyber attacks will enhance traditional crime methods. To prevent hackers from publically airing their victims’ dirty laundry, hackers are increasingly urging victims to pay ransom. After the Ashley Madison breach, more of these incidents are sure to follow simply because they’re proven to work. The co-mingling of traditional crime methods and information stolen via cyber intrusions is set to explode, and the JP Morgan data breach is a perfect example. In the modern era, sometimes the means to perpetrate a massive crime is as simple as acquiring the right list of email addresses.
The cyber cold war will heat up. We are approaching an age where cyber attacks will result in military retaliation. While the U.S. and China recently came to an agreement not to conduct cyber attacks designed to steal intellectual property, the U.S. also freely admits cyber warfare will remain in its catalog of offensive capabilities. We’re seeing the capacity for an accident to a degree not seen since the height of the cold war. In fact, the cyber tension is so high that Russia and the United States have a hotline in case of ‘accidents’. So far these cyber incursions haven’t risen to the threshold that would require a military response, but that day is coming.
Cybersecurity issues will kill a product. How many vulnerabilities make a product no longer worth producing? We are increasingly close to finding out. In 2016, we’ll see a major product shut down due to security issues, as the product will no longer be worth producing due to the costs of fixing these vulnerabilities and brand reputation.
Sam Rehman, chief technology officer, Arxan Technologies.
Advanced API protection will become mainstream to prevent attacks targeting them: In a move to minimize data exposure on mobile devices, organizations are increasingly keeping sensitive data server-side, often relying on authenticated communications from mobile devices through the API to the backend servers. As a result, APIs are under heavy attack and are being targeted by hackers looking to exploit vulnerable API security measures. What was once viewed as “advanced” security measures, such as cryptographic key protection (white box cryptography as an example), will become more of a fundamental security measure to shore up security vulnerabilities of those APIs.
The most important security issues in 2016: Cryptographic key protection; mobile application code hardening and runtime self-protection; API protection – hardening the authentication of communications from the API to backend servers that house sensitive data and IP.
Rehman’s advice: Include run-time application self-protection into your mobile apps to protect your brand and your customers; use security to your business advantage – customers want to do business with organizations that are most trusted to keep their data private and secure; don’t wait for security regulations before embracing IoT and mobile – harden application code before your apps are released into the wild and become susceptible to risks such as reverse-engineering and tampering.
Bruce Roberts, CTO, DomainTools
2016 will see the world’s first openly declared cyberwar. As an increased radicalization of cyber attacks occur, where primary goals of the attackers are not financial but instead emphasize terrorist or geopolitical agendas, a full-blown cyberwar will occur.
In some respects this is already occurring between non-nation-state organizations. Anonymous has effectively declared war on ISIS. But this prediction goes even further. At some point in the future (and I believe it will be soon) a nation-state will be pushed too far by an adversary, or will face internal pressures that drive external actions to deflect those internal pressures. As a result the nation state will respond with a declared cyberwar. There are many candidates for this – for example, an authoritarian state such as North Korea could lash out officially as a way of deflecting internal pressure, or just reassuring the world that they’re still insane. Other states could respond to provocations with official responses in order to enlist allies (witness Estonian and Ukrainian undeclared cyberconflicts with Russia in the past).
Because of the distributed nature of networks and computing system, an unfortunate aspect of any declared cyberwar is that a lot of non-combatant systems will get caught in the crossfire. Many non-aligned engineers and IT professionals will spend time containing and cleaning up the aftermath.
Sandra V. Sargent, senior operations officer, World Bank
The biggest security constraint in 2015 was global skill gap particularly felt by developing countries. The unavailability of skilled specialists limited both prevention and response to cyberthreats. Cybersecurity capacity building come to the forefront of agenda of multinational and bi-lateral institution such as Oxford Cyber Security Center, ITU, OECD, World Bank and others. DDoS attacks and mobile threats were at the top of the list. Once again this is particularly relevant for developing countries that excessively rely on mobile connectivity and mobile cash transfers.
For developing countries, I do not anticipate a big changes in security concerns and threats from 2015 to 2016. The skills gap will remain at the forefront of the agenda. As sophistication of mobile services will remain on the rise globally the threats will persist and have potential to impact the poorest segments of population that at the bottom of the wealth pyramid. This should further draw attention of the development community. The other continually rising concern is threats to critical infrastructure; in developing countries the most affected sectors can be transport and energy.
Note: The information provided does not represent the views of the World Bank.
Paul Shomo, senior technical manager, strategic partnerships, Guidance Software
Expect more breaches where organizations had detected compromise long before data theft, but mishandled the original response. This trend will continue to drive changes in incident response processes and the depth of forensic investigation.
Security analytics products using machine-learning capabilities will begin settling into packaged service offerings as this burgeoning industry realizes the difficulty of building one-size-fits-all algorithms for different organizational datasets
Sandbox-aware malware, which either refuses to cooperate or shows false indicators in controlled environments, will continue to stymie the revival of signature-based endpoint detection
New EU data protection laws and the desire to prioritize defending fewer endpoints with sensitive data will drive demand for data audit and governance solutions.
Haiyan Song, senior vice president of security markets, Splunk
In 2015, cybersecurity touched nearly every aspect of our lives. As we suffered through one cyber breach after the other, it became evident that in order to protect our nation, we first needed to protect our enterprise, our agencies, our schools, our networks and identities. In the internet-connected world, we are only as strong as the weakest link. As we look ahead to the New Year, both government and industry will need to prove we all learned from the security mishaps in 2015.
In the next 12 months, I hope to see both private and public sector reexaming their cybersecurity strategy – from network security to overall enterprise visibility, from behavior analytics to identity authentication and the Internet of Things (IoT). 2015 showed us how important it is to take the right approach and invest in the right technology – now it is time to put those ideas into action.
With that in mind, here are some of my security predictions for the coming year:
Behavioral analysis will expand from an emphasis on user and entity behavior to business transactions and IoT devices. Behavioral analytics and anomaly detection will be more widely adopted and go beyond analyzing users or entities for security monitoring. As online banking, e-commerce, and IoT continue to grow to be a bigger part of our life, the domain of cybersecurity and business risks are accelerating its convergence. We will see behavioral analysis expand its footprint to leverage machine learning and data science to analyze business transactions and IoT devices to bring better visibility to security and business risks.
Threat intelligence will be more contextualized for organizations and cybersecurity operations will grow to become a competitive advantage. While security solutions have previously been thought of as a cost or even impediment to the business, in 2016 companies will begin to cite cybersecurity as a competitive advantage. Threat intelligence that is contextualized for an organization, based on its infrastructure and security technology will be more actionable and effective. The more secure a company is, the more confident and strategic an organization can be.
Automation and incident response will grow within security solutions. Security analytics and anomaly detection will focus on automating detection and making responses less dependent on humans. This will let companies detect threats and respond to them without solely relying on hiring and training skilled analysts. Additionally, incident response will become a larger part of organizations’ security solutions, including automating the remediation.
The surge in personally identifiable information (PII) compromised and released in the public sphere will lead to new means for improving identity authentication. Since identity and compromised credentials are being used as a new attack surface, I expect to see more innovation in terms of strengthening authentication. There will be an even stronger push to move away from traditional methods such as passwords, even knowledge based authentication. In 2016, authentication will become more sophisticated but also easier to use.
IoT will become a significant threat surface for the enterprise, leading to more physical disruption and new solutions.
The increasing number of internet-connected systems will create more opportunities for hackers to penetrate into organizations and businesses will have to adapt to manage this new threat surface. Cyber attacks have historically caused little physical damage, but the proliferation of IoT will enable more disruption and actual physical damage instead of just virtual hardware and software disruption.
We will see new IoT solutions emerging that focus on monitoring and analyzing the behaviors of internet-connected devices to determine when something is amiss. These solutions could help enterprises with visibility bridging between segmented Operation Technology (OT) systems and their corporate IT networks to ensure they do not become an easy entry point for cyber intruders.
If 2015 was the year of the breach, 2016 should (and will) be the year of the response.
Dan Srebnick, owner, Technical Merits; former CISO, NYC Department of Information Technology & Telecommunications
Public concern around data breaches and personal privacy converged over the past year. Victims were varied and industries affected included health care, banking, education, government and IT security vendors themselves. Concern over the protection of information collected by government agencies, law enforcement and internet marketing companies increased. While the public has been willing to trade privacy for convenience in the case of mobile devices and applications, the concerns have now reached the desktop with the unprecedented cloud and search integration of the latest Windows release. Yet the nation still lacks bright line governance around culpability for breaches and ownership and privacy of our personal data.
As VoIP telephony has become the de facto standard, we will hear more about the security of our telephone calls. While the U.K. phone hacking scandal involved weak voicemail passwords and caller id spoofing, the public is not going to react well when it comes to understanding that their telephone calls are being transported over the public internet without any kind of encryption. I predict that 2016 will be the year that hacktivist groups will release audio clips of phone calls made by public officials and corporate executives. This will be done to embarrass as well as to demonstrate how easy it is for intelligence agencies to listen in on private conversations.
Russell Stern, CEO, Solarflare
Staffing up: It’s not just about IT and Unix experts. Companies are going to be changing their hiring practices and look to bring in security experts – think ex-NSA and DoD. Also expect to see an increase in cybersecurity education efforts, both from academia and the industry, given the dearth of qualified cyberprofessionals
Armed with Big Data: The use of Big Data to aid in the detection of cyberattacks will only get bigger. Data analytics will become the first line of defense offering threat prediction and detection as well as deterrence and prevention.
Don’t forget about hardware: Companies cannot just rely on software solutions alone. Hardware must be developed with security in mind.
Herbert “Hugh” Thompson, chief technology officer, chief marketing officer, senior vice president, Blue Coat Systems
Industrialization of ransomware: Many cybercrime groups are running like companies, and they can quickly move to build out a ransomware infrastructure. For most people, it isn’t shocking anymore when their credit card data gets stolen. The most frustrating part for most victims of credit card theft is that they’ve forgotten all the services associated with that credit card, and they now have to go back into lots of websites and update everything. It’s a big pain and time intensive, but the damage is typically short-term. This differs from data that might be embarrassing, invasive or harmful to a person. Stolen healthcare data doesn’t don’t have an expiration date, and we are only just starting to realize the implications of this type of being in the hands of attackers. Today, organized crime groups may steal data that is currently difficult to monetize and furthermore, steal it at a time when there may be less security investments in those sectors (i.e., financial services organization in general are harder to break into because they generally have larger security budgets and security professionals on staff, while the information security budgets of healthcare organizations are typically smaller have been heavily weighted towards compliance). Stealing this type of data, like someone’s medical history that does not expire and cannot be reset, unfortunately gives attackers the luxury of time to build an infrastructure to monetize that data.
Tyler Cohen Wood, cybersecurity adviser, Inspired eLearning; former senior intelligence officer and cyber deputy division chief, Defense Intelligence Agency (DIA)
The introduction of new Internet of Things technology creates a whole new set of risks and potential threats to enterprise networks. It is commonplace for employees to use their personal digital devices to connect into corporate networks for greater work connectivity and, as a result, these devices could potentially be used as “hop points” to access sensitive corporate data and specific network hardware. Not understanding the threats that these devices pose, we are introducing new threat vectors into our networks.
Along with this threat, the lack of cybersecurity awareness education from the top down has resulted in two of the worst years for personal and corporate security. A large number of hacks occur by a malicious user gaining access to employee credentials via network-connected digital devices or by malware being introduced into the network by a legitimate user making a simple mistake. When you have a company with a great security awareness education program, you turn what could be deemed as the weakest link into your strongest defense. In 2016, companies will struggle with the same issues.
Yinglian Xie, CEO, DataVisor
If you are a consumer-facing web or mobile app, you are up against a much more numerous and advanced adversary than ever before. Here are some online threat trends we believe we’ll encounter in 2016.
Social sites become bigger targets as lines between social and e-commerce blur. As many traditional social networking sites, such as Pinterest, Facebook and Twitter, add “Buy” buttons to their platforms to help monetize their user base, more fraudsters will be attracted to conduct fraudulent transactions on these platforms.
EMV cards and digital wallets to shift more fraudulent credit card attacks online. In 2016, we expect to see a perfect storm that is bound to result in a high level of fraudulent transactions, powered by the following three trends: Significant increase in the number of e-commerce websites and mobile apps; Growing comfort among consumers to transact online; Adoption of EMV cards and digital wallets will move fraud online.
Global O2O wars will increase the rate of user acquisition promotion fraud. The global “land-grab” strategies of online-to-offline (O2O) companies – such as Airbnb, Ola, Didi and Uber – will result in an increasing trend of user acquisition promotion fraud as bad actors take advantage of strong financial incentives and the wide availability of mobile hacking tools, such as mobile emulators and GPS location fakers.
Account takeovers will rise as result of continued large data breaches. Whether it is your health care provider, your university, your favorite retail store or the government, your personal data has probably been stolen by now as a result of one or multiple of these high-profile breaches. In 2016, bad actors will look to monetize these stolen user credentials and credit cards via fraudulent credit card attacks and account takeover (ATO) campaigns leading to further identity theft.
Cyberattackers will move to the cloud. In 2016, we expect to see the continued migration of cyberattack infrastructure to the cloud, as cloud services become more pervasive and cost-effective. Cloud allows cyberattackers to significantly increase the number of attack campaigns they can conduct, attributed to the elasticity and compute capacity of these services, and allows them to easily hide behind legitimate network sources and thus remain anonymous.
Alberto Yepez, managing director, Trident Capital Cybersecurity
New private, sector-specific, threat-sharing networks will emerge as a viable alternative to defend against state-sponsored attacks and cybercrime. Major cyberattacks against critical infrastructure will drive increased government spending and investment in cybersecurity solutions. IoT security will become mainstream as more devices are connected to the internet and the connected car becomes a reality.
Amit Yoran, president, RSA
This year marked a strategic shift from a maniacal focus on prevention, toward greater balance on monitoring, detection, and response capabilities. It’s become cliché to say that breaches are inevitable and that faster detection and more accurate incident scoping are the way forward.
2015 saw continued acceleration of threat evolution. What was considered an “advanced” threat in years past has become a commodity today, with sophisticated malware and exploits available for the price of a movie ticket. As troublesome as these observations seem, the most impactful evolution goes almost entirely unreported and misunderstood. The threats that matter most, today’s pervasive threat actors are now conducting attack campaigns comprised of multiple exploit methods and multiple backdoors to assure persistence. Incomplete incident scoping has become a critical and consistent mistake made by security teams.
This year was also notably characterized by security vendors claiming to be able to prevent advanced threat breaches when the reality is, they can’t. It was characterized by organizations recognizing the need to monitor and defend their digital environments differently, but continuing to center their security programs on the same technologies and approaches they have been using – hoping for a different outcome, but not acting differently.
Here are some of the emerging trends that our industry and organizations need to be ready for in 2016:
- Strategic data manipulation and disruption: Organizations will begin to realize that not only is their data being accessed inappropriately, but that it is being tampered with. Data drives decision making for people and computer systems. When that data is unknowingly manipulated, those decisions will be made based on false data. Consider the potentially devastating consequences of misrepresented data on the mixing of compounds, control systems, and manufacturing processes.
- Increasing attacks on application service providers: As organizations become more comfortable with the “as a service” model, many of their most sensitive applications and data reside in the cloud. The aggregation of this valuable data from many companies creates an incredibly lucrative target for cybercriminals and cyberespionage. A deeper appreciation of third party risk is needed.
- Hacktivism and the attack surface: Per my earlier comment, as cyberattack tools and services become increasingly commoditized; the cost of attacking an organization is dropping dramatically, enabling more attacks that do not have financial gain as the primary focus. Sophisticated hacktivist collectives like Anonymous have been joined by relatively unsophisticated cybervigilantes. Organizations need to realize that financial gain is no longer the only or even the biggest driver of some of their adversaries. Security operations and risk managers should evolve their understanding not only of the threat, but also of what, why, where, and how they are being targeted.
- ICS (industrial control systems) pushed to the breaking point: Intrusions into systems that control operations in the chemical, electrical, water, and transport sectors have increased 17-fold over the last three years. The advent of connected and automated sensors aggressively exacerbates these issues. The growth in the use of cybertechnology for terrorism, hacktivists and other actors, combined with the weakness of ICS security generally, combined with the potential impact of bringing down a power facility or water treatment plant (hello, California), makes the critical breach of an ICS in 2016 extremely concerning and increasingly likely.
- Shake-out of the security industry: Our industry has been awash in venture capital and as a result, foolish investments have been made in strategies and technologies that are little more than snake oil. As organizations’ security programs continue to mature, they are learning that claims of being able to prevent advanced threat breaches are nothing more than fantasy. Expect to see a shake-out in the security industry as organizations maturing understanding of advanced threats increasingly drives their security investment decisions.
Special thanks to the RSA Conference advisory board for contributions from Wendy Nather, Benjamin Jun, Herbert “Hugh” Thompson, Dmitri Alperovitch, and Todd Inskeep. And to all our contributors, thank you.