Mike Pittenger, VP, security strategy, Black Duck Software
The number of cyberattacks based on known open source vulnerabilities will increase by 20 percent. Why: Organizations of all sizes and types are expanding their use of cloud and mobile applications, which rely heavily on open source components, and live outside the company firewall. Hackers have learned that applications are the weak spot in most organizations’ cybersecurity defenses, and widely available open source vulnerability exploits have a high ROI, allowing them to compromise thousands of sites, applications, and IoT devices with minimal effort.
In 2017 we will continue to see high-profile, high-impact breaches based on open source vulnerabilities disclosed years previously, such as Heartbleed, Shellshock, and Poodle. Why: The average age of an open source vulnerability is more than five years. The Linux kernel vulnerability discovered in August (CVE-2016-5195) had been in the Linux code base since 2012. Most organizations don’t know about the open source vulnerabilities in their code because they don’t track the open source components they use, and don’t actively monitor open source vulnerability information.
2017 will see the first auto manufacturer recall based on an open source breach. Why: A typical new car in 2016 has over 100 million lines of code. Automobiles are becoming increasingly intelligent, automated, and most importantly, internet-connected. This will exacerbate a problem that already exists – carmakers don’t know exactly what software is inside the vehicles they manufacture (most of the software that binds sensors and other car hardware together comes from third-parties). That software almost certainly contains open source components with security vulnerabilities. Vulnerabilities in open source are particularly attractive to attackers, providing a target-rich environment that may have disastrous implications to a moving vehicle.
(Patrick Carey, director of product marketing, contributed to this prediction)
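The tracking gap described above (knowing which open source components are in a build and whether any sit inside a published affected-version range) is what a component inventory check does. The following is an added example, not Black Duck's code or any product's logic: it parses a constructed manifest, compares each component's version against a constructed advisory list using half-open version ranges, and reports the matches. Every package version, range and `CVE-PLACEHOLDER-*` identifier is made up for illustration; real advisory data would come from a vulnerability feed.

```python
"""Added example: match an inventory of open source components against a
small, constructed advisory list. Not vendor code; all data is placeholder."""
from typing import Dict, List, Tuple

# Constructed inventory, in the shape a build manifest or SBOM would list.
INVENTORY = """
# name==version (constructed sample data)
openssl==1.0.1f
bash==4.3
libfoo==2.4.1
libbar==0.9.0
"""

# Constructed advisories: (package, first affected, first fixed, placeholder id).
# The affected range is half-open: first_affected <= version < first_fixed.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("openssl", "1.0.1", "1.0.1g", "CVE-PLACEHOLDER-0001"),
    ("bash", "1.14", "4.3.25", "CVE-PLACEHOLDER-0002"),
    ("libfoo", "2.0", "2.4.2", "CVE-PLACEHOLDER-0003"),
]


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.1g' into ((1,''),(0,''),(1,'g')) so tuples compare naturally.

    Each dotted piece becomes (leading integer, trailing suffix); keeping the
    suffix as a separate string avoids int/str comparison errors and orders
    OpenSSL-style letter releases ('f' < 'g') correctly.
    """
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        while piece and piece[0].isdigit():
            digits += piece[0]
            piece = piece[1:]
        parts.append((int(digits) if digits else 0, piece))
    return tuple(parts)


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when version falls inside [first_affected, first_fixed)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Read 'name==version' lines, skipping blanks and '#' comments."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, ver = line.partition("==")
        components.append((name.strip(), ver.strip()))
    return components


def find_vulnerable(inventory_text: str,
                    advisories: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every inventory entry
    whose version lies in an advisory's affected range."""
    hits = []
    for name, ver in parse_inventory(inventory_text):
        for pkg, lo, hi, advisory_id in advisories:
            if pkg == name and is_affected(ver, lo, hi):
                hits.append((name, ver, advisory_id))
    return hits


if __name__ == "__main__":
    for name, ver, advisory_id in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{name} {ver}: affected by {advisory_id}")
```

The check is only as good as the inventory feeding it; transitive dependencies that never appear in the manifest are exactly the components the author says organizations lose track of, so in practice the inventory should be generated from the built artifact rather than from a hand-maintained list.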
Jeff Pollard, principal analyst, Forrester
The Internet of Things merges problems of scale with software security in a new way. Ubiquitous inexpensive connected devices for enterprise makers, operators, and users will explode in number in the coming year. Every piece of well-understood hardware now includes dynamic, impermanent software. That creates an attack surface for enterprises that transcends the digital-physical divide with real world implications as seen when IoT cameras shut down internet properties and corporate infrastructure – despite the attackers never sending a packet to many organizations hurt by the attack.
Security teams should be talking about more than customer data when discussing breaches. The type of information stored electronically is enormous and what attackers can gain from breaches is far worse than a social security number or credit card. Health care organizations – as an example – could store genetic data on patients. Biometric data might be stored on cell phones or in software applications. If that data isn’t properly encrypted and anonymized then attackers potentially gain a lifetime of identifiable information. I can change my credit card and monitor my credit – the same isn’t true for my genetic phenotype or iris patterns.
There is no easy button coming for security and risk professionals. There isn’t anything on the horizon that makes business, technology, security, or privacy any easier in 2017. In fact, attacks and their ramifications are increasing in severity. As 2017 unfolds once recoverable events will become catastrophic. Security leaders need to reassess their business impact analyses and resilience planning to make sure they’ve “right-sized” models to include damages from exposing customer information, disclosing brand information, or leaking sensitive information designed to embarrass company leaders – or all three and more.
Rob Rosenzweig, vice president and national cyber risk practice lead, Risk Strategies Company
Because they’ve been slower to adopt appropriate safeguards and policies, we will see significantly more breaches impacting middle-market companies.
The lure of accessing highly valuable, fundamental personal identification information will drive a record number of health care breaches.
As attacks become more common and damages more widespread, we will start to see some insurers cut back their cyber liability offerings.
Stephen Scharf, managing director & chief security officer, The Depository Trust & Clearing Corporation; former global chief information security officer, Experian
Navigating the new patchwork of domestic and international cyber regulations. Throughout 2016, a number of regulatory agencies around the world published guidance on how to effectively manage cybersecurity programs. While most of the guidance highlights common best practices, there is limited consistency in structure or recommendations on the use of common frameworks. Firms must parse through a number of guidelines across local jurisdictions and ensure they are effectively addressing these differences.
Focus on the basics. The evolution of cyber defense has spawned creative and useful tools and techniques. Yet post-mortems following each breach usually highlight a failure in long-established best practices and techniques. Foundational security elements such as Identity & Access Management, Vulnerability Management, Patch Management, Inventory Management, Configuration Management must remain priorities. Past incidents highlight that firms are better served by addressing these critical areas, rather than placing a disproportionate amount of time and resource on the latest security tool or product.
Bradley J. Schaufenbuel, CISO, Paylocity
Bad: I believe that the shortage of cybersecurity professionals will grow more acute, so much so that the key determinant of a security leader’s success in 2017 will be his or her ability to attract and retain exceptional talent.
I believe the convergence of two trends, the proliferation of ransomware and internet connected devices (IoTs), will result in life threatening scenarios in 2017 such as ransom being demanded by an attacker to regain control over a self-driving car or a medical device.
I believe that we will see an acceleration of massive distributed denial of service (DDoS) attacks in 2017 originating from botnets composed of internet connected devices (IoTs) like the one recently impacting the site that hosts Brian Krebs’ blog.
To avoid detection, I believe that attackers will leverage the same behavioral analytics capabilities, machine learning algorithms, and artificial intelligence mechanisms in 2017 that security professionals are quickly adopting to keep them out, thus continuing the never ending game of cat and mouse.
Good: I believe that by automating the sharing of cyber intelligence and eliminating the barriers to doing so, information sharing organizations, security vendors, and governments will finally spur most organizations to begin collaborating for their collective defense in 2017.
I believe the current boom in venture capital backed cybersecurity companies will begin to slow in 2017 as product categories become saturated and competition grows to a fever pitch, resulting in market consolidation that should lead to less risky and speculative investment decisions by security leaders.
I believe that the migration of security tools into the cloud will accelerate in 2017, leading to improved control over increasingly boundary-less corporate networks and making it easier for security leaders to take advantage of capabilities that would be difficult to rapidly deploy in house (e.g., big data, analytics, artificial intelligence, etc.).
I believe that cybersecurity will continue to be a topic of boardroom discussion in 2017, giving security leaders more face time before their own organizations’ governing bodies and providing them with more opportunities to join the boards of other organizations as an independent director with subject matter expertise.
Michael Shalyt, VP product, Aperio Systems
Critical infrastructure. Securing critical infrastructures against cyber attack will be prioritized as President-Elect Donald Trump declared it a top goal for his first 100 days. But regulators, politicians and SCADA operators will be challenged to implement meaningful changes due to the expense and difficult nature of securing systems that are antiquated from a cybersecurity perspective and cannot be taken offline. Political pressure will result in some security upgrades, such as legislative adoption of the NIST Cybersecurity Framework that has been bandied about for several years, but many gaping holes will remain in 2017.
Hackers will move from stealing data to forging data. We will see an increase in attacks on critical infrastructure that are destructive, as opposed to disruptive. We’ve already seen a rise in disruptive incidents against critical systems, such as the disruptive cyber attack against German and South Korean nuclear power plants disclosed by the International Atomic Energy Agency. There are numerous indications that attackers are leveraging data forgery to enable them to carry out destructive attacks on critical infrastructure. (See here for a video explaining what data forgery is and how cyber attackers use it.)
Mafia-style cyber ransomware attacks on critical infrastructure. 2017 will see a rise in ransomware attacks on critical infrastructure. For the cybercriminal it makes a good “economic model” as plant managers understand that it would cost a small fortune to shut down an entire plant and/or operations, so they are likely to give in to the extortion. Ransomware is less likely to be used by nation-state attackers in this manner but will become a mafia-style extortion scheme for cybercriminals.
Laws. A number of massive breaches have prompted regulators across the globe to push for a range of cybersecurity regulations worldwide. While the laws are intended to defend from a myriad of cyber attacks, the fallout in 2017 will be felt far and wide as companies struggle to comply with regulations while balancing corporate priorities. Global corporations will find themselves in an even greater predicament as regulations going into effect in the UK and Australia do not necessarily align with those already in place in other countries, such as the United States.
Paul Shomo, technical manager strategic partnerships, Guidance Software
In 2016, artificial intelligence (AI) went mainstream with its ability to detect malware binaries on the disk, including the polymorphic variants missed by signatures. In 2017, AI will conquer dynamic analysis, adding the detection of running and injected processes to its accomplishments.
Exploit kits have made building zero days a piece of cake the past few years. The low cost of polymorphic variants finally hit last year’s Verizon DBIR report, which noted that 70-90 percent of malware hashes are now unique to organizations. In 2017 the use of file hashes to correlate malware samples into known families and for attribution will become old-fashioned.
Detecting today’s malware requires a grab bag of tools leveraging threat intelligence, sandboxing, analytics and artificial intelligence. After detection, additional forensic tools must determine how far an adversary progressed.
IT security requires a shotgun approach: threat intel is used for known bad, sandboxing, analytics and artificial intelligence are used for advanced malware. Then forensic tools determine how far an adversary progressed. In 2017 we’ll see the rise of Security Orchestration products, allowing IT security to coordinate, automate and make sense of their many tools.
In 2017 IT security will finally demand an answer to the question, “Where does our sensitive data actually reside?” For too many years the industry has employed security professionals to cut off breaches before adversaries reach privileged data. Yet in practice, IT security rarely knows the location of the data they’re protecting.
While recovering from his failed presidential run, John McAfee will start a rock band. After a month of curiosity eats at me, I will purchase said McAfee album.
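The question raised two points above, where sensitive data actually resides, is the kind a small discovery scan answers. The following is an added example, not Guidance Software's code or the author's: it walks a constructed set of files, looks for card-number and SSN-shaped strings, filters card candidates with the Luhn check to cut false positives, and reports masked findings per path so the report itself does not become another copy of the data. The paths and contents are made-up test data; the patterns cover only two data classes and would be extended for whatever a given organization classifies as sensitive.

```python
"""Added example: locate sensitive-data patterns across a constructed set of
files and report masked findings by path. Not vendor code; sample data only."""
import re
from typing import Dict, List, Tuple

# Constructed "file system": path -> contents. All values are made-up test data.
SAMPLE_FILES: Dict[str, str] = {
    "/srv/app/exports/customers.csv": (
        "id,name,card\n"
        "1,Ann,4111111111111111\n"   # passes Luhn (well-known test number)
        "2,Bob,4111111111111112\n"   # fails Luhn, so it is not reported
    ),
    "/srv/app/logs/app.log": "2016-12-01 login ok user=ann ssn=123-45-6789\n",
    "/srv/app/README": "Build with make; no customer data here.\n",
}

CARD_RE = re.compile(r"\b\d{13,16}\b")          # candidate PAN: 13-16 digits
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US SSN shape nnn-nn-nnnn


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report does not leak the value."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> List[Tuple[str, str]]:
    """Return (data class, masked value) for each sensitive match in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(("card", mask(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    return findings


def locate_sensitive(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each path that contains sensitive data to its masked findings."""
    report = {}
    for path, content in files.items():
        found = classify(content)
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for path, found in locate_sensitive(SAMPLE_FILES).items():
        print(path, found)
```

The point of the Luhn filter is precision: a 16-digit order id or timestamp would otherwise flood the report, and a data-location inventory that nobody trusts goes unread. Run over real storage, the same scan would read files from disk instead of a dictionary and would need to handle encodings and large files, but the classify-and-mask flow is unchanged.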
Stephen Stuut, CEO, Jumio
Biometric facial recognition will bring KYC/AML compliance to a digital world. Today, identity verification has been reliant on matching face to identity documents like passports or other government-issued forms of ID. Over the past year, biometrics, and especially facial recognition, has moved from the realm of science fiction to business reality. For example, biometric facial recognition is enabling companies to tie digital and real-world identities together with certainty. MasterCard and others have implemented the technology into their applications to ensure that the user holding the mobile device is the owner of the credit card stored in the app. As the implementation of facial recognition spreads across banking, travel and other industries, what it means to be “know your customer” (KYC) and Anti-money Laundering (AML) compliant will evolve to include this type of verification.
Trust will move to center stage within the sharing economy. The sharing economy was estimated at $15 billion in 2014, and a recent survey has found growth specifically in the luxury side of this industry. The survey outcomes included 37 percent of affluents, and 60 percent of the wealthy, have shared their homes, vehicles, yachts, jets, apparel, jewelry and/or watches. This calls for a new level of “trust” in a growing economy where what is being shared isn’t just a ride to the airport. When it comes to renting something truly valuable – like a $10,000 per night estate on Airbnb – more than a username and password is needed to validate and approve the renter. That new trust will be, in part, defined by what technology can tell us about that person – who they really are, not who they “say” they are online.
Technologies will consolidate to expand the role and meaning of ID verification. For most organizations, ID verification is limited to connecting some basic data points about a customer or user – a still photo, a name and address. As regulatory requirements tighten globally and the risk of fraud puts greater pressure on security organizations, businesses will look for a way to connect even more data points together to form a holistic picture of the customer. In 2016, the most significant advance to hit the mainstream revolved around biometrics – facial recognition, iris scans and fingerprints. In the coming year, expect to see these technologies matched alongside geo-location data, social media cross-checks, behavioral analytics and more to enhance what qualifies as a valid and verified identity.
Another key driver to improve ID verification is the growth in app-based businesses – these are companies that primarily (or only) drive revenue through mobile apps as opposed to brick-and-mortar stores, mainstream websites, etc. Industry watchdog App Annie reported that the app economy is expected to almost double to $101 billion by 2020.
An uptick in technologies that go beyond the power of passwords and multifactor authentication (i.e. security questions, security PIN texts, etc.). Relying on usernames and passwords for security is simply not enough. Multifactor authentication helps to reduce the chance of fraud by texting a one-time-use security PIN or prompting for a security question. The recent Tesco Bank hack resulted from sophisticated malware that allowed the hackers to replicate the banking website. Tesco Bank users unknowingly were logging on to their accounts from a fraudulent site. What’s more, the malware also has a fraudulent mobile component that is able to bypass two-factor authentication with the use of a one-time passcode, which allows hackers to leverage a password valid for only one transaction. Businesses must seek identity verification tools that bridge the digital and real world by checking a physical user against ID documents when initiating new accounts.
Vanja Svajcer, senior manager of security research, Hewlett Packard Enterprise
While more security features will be built into IoT devices in 2017, making IoT inherently more secure, a large number of existing and new devices will be used as the platform to launch targeted breaches and DDoS attacks. In 2016 we have seen several major DDoS attacks using IoT devices such as IP cameras and SOHO routers. IoT sensors, with their limited computing power, are as secure as the firmware running on them, with their security very much dependent on device manufacturers. Successful attacks on IoT sensors are difficult to detect because of the limited access to a device’s system state, and in 2017 we will see more attackers focusing on compromising exactly those edge devices.
The DDoS attack firepower in 2016 has increased to frightening levels, allowing attackers to launch attacks using bandwidth in the range of Tbps, requiring specialized DDoS protection that can be provided only by a very few organizations in the world today. In 2017, this ever-increasing DDoS force will be used to attack internet infrastructure of whole countries in support of a physical military attack. With increased military tensions in several places in the world today, it is likely we will see more DDoS attacks in 2017 dedicated to taking whole countries offline.
More countries will accuse each other of politically motivated cyber attacks in 2017. Following several major politically motivated breaches in 2016, such as the DNC hack, we will see an increase in politically motivated cyber attacks conducted by the world’s cyber superpowers. Those attacks will likely result in disclosure of confidential documents and information with the goal of compromising the target’s reputation. However, attributing attacks to nation states will also be increasingly difficult and we are likely to see many incorrect identifications of attackers in order to collect political points and deny responsibility for breaches.
Shlomo Touboul, CEO, illusive networks
In 2017, we will see a significant growth of targeted application-level attacks. These are the most sophisticated attacks that until recently only state-level attackers had the know-how to execute but will now be propagated by cybercriminals. These attacks use application specific attack vectors to enable attackers to harvest highly privileged credentials, move laterally, and deliver the payload. For example: the 2016 Bangladesh Bank cyber heist showed how lucrative an application level attack (in this case, on SWIFT) can be. Advanced attackers and state level attackers will attack mission critical applications by determining specific attack vectors of those applications. These types of attacks are far more difficult to detect. Mission critical apps include databases, ERP systems, management and control systems, etc.
In 2017, financial institutions will see a spike in daring cyber heists, as attackers are emboldened by the successful attacks on Tesco and Bangladesh Banks. We have seen how application level attack vectors, such as those in SWIFT, can be leveraged to steal millions of dollars. Recently, attackers are constantly mapping out financial-specific applications to detect new attack vectors never before used in order to reach financial assets. Financial institutions will need to reassess their online banking security application and take the attackers’ perspective, understanding the attacker view by mapping out the attack vectors in those applications.
In 2017, ransomware attacks will evolve from opportunistic to strategic and targeted, with devastating results for companies that do not properly secure their sensitive assets (for example, a company’s trade secrets, IP, source code of a key product, etc.). There have been a number of high profile ransomware attacks that generated headlines (especially in the health care industry). However, the majority of ransomware attacks are opportunistic, with attackers aiming to capture as much low-hanging fruit as possible with minimal effort or sophistication. Ransomware will evolve into Advanced Ransomware Threats (ARTs) with the goal of targeting strategic assets and generating far more ransom (i.e. $$$$) than current attacks. Ransomware will begin to operate like APTs. The attack will begin with a studying phase, during which attackers identify the specific mission-critical asset they wish to target. Next, they will infiltrate the network and begin moving laterally toward the target asset. At the end of this phase, the attacker will have control of the computers with the asset and then activate the ransomware payload – encrypting the content and its backups. When this happens, we will begin seeing ransoms move from thousands of dollars to potentially millions per attack.