Gazing ahead: Security predictions, Part 4

Moshe Ben Simon, co-founder and vice president, TrapX Security

Ransomware will grow to unprecedented levels in 2017. Ransomware attacks will continue and grow to unprecedented levels in 2017. Attackers have new tools that enable automation allow the automated manufacture of the ransomware software and the botnets that support them. Given the rapid ROI for this attack, and the easy access to non-traceable money (such as bitcoin) this automation makes it relatively easy for moderately sophisticated attackers to deploy these attacks in much higher volumes. For example, a recent ransomware attack targeted the San Francisco MUNI subway, crippling the ticketing system with a ransom of approximately $70,000 before the attackers would release control. The financial impact exceeded the ransom to include computer forensic costs, and loss of revenue as they had to provide free rides to passengers until the systems were back online.

Financial institutions will lead economic loss of any industry in 2017. Many statistics focus on the number of records stolen - not the direct theft of cash or cash equivalents through fraud. Using this metric, health care has moved to the forefront based on the value per patient record. However, attackers directly target banks in order to siphon off cash. Attackers have pilfered hundreds of millions of dollars in attacks targeting the SWIFT financial network, ATM networks and online banking. For financial services and the banking industry, 2017 will be the year that they see the biggest economic losses - mitigated only by the large number of banks globally that do not share data on internal attacks.

A Marked Increase in Clandestine Cyber Attacks by Nation States in 2017. Nation states will continue to attack government agencies and large enterprises. What's more, nation states will quietly penetrate networks in preparation for attacks that can cripple infrastructure, including power grid and telecommunications, among other things.

Health care Exploits Will Continue to Set Records. Cyber thieves will continue their barrage of attacks on health care networks to steal and sell patient records. Despite substantial disclosure about the threats, most hospitals are either unaware that they are breached or highly vulnerable to sophisticated attacks within their medical devices. attackers will move from only attacking major hospitals to mid-tier health care organizations such as surgical centers (surgi-centers), MRI/CT centers, skilled nursing facilities (SNFs), diagnostic laboratories and urology/dialysis centers and large physician practices. For example, in November of this year, the Central Ohio Urology Group was breached and thieves absconded with more than 300,000 patient records in what became the 8th largest breach in 2016.

A Successful Cyber Attack Will Take Down Part of the Power Grid in a Major Western Nation in 2017. Nation states have been attempting for years lurking for years trying to access and compromise the power grids of their political adversaries. Because the skill and technology necessary to perpetrate such an attack is now widespread, we believe such an attack is very likely in 2017. This growing trend was underscored in December 2015, when a suspected nation state perpetrated a cyber attack on the power grid in Ukraine, creating widespread blackouts and confusion.

Attacks will Surge on internet of Things (IoT) Devices. 2017 will bring a continued and massive increase in cyber attacks brought about by IoT devices. Most IoT devices manufactured today have no integrated cyber defense and do not allow third parties to install security software. To address this concern, manufacturers recommend that security for IoT devices is achieved by “installing behind a firewall,” which is no longer a guarantee of safety in today's environment. Once IoT devices are compromised, they can then provide a “back door” that serves as a clandestine communications channel for months before discovery.

The 3.9 billion IoT devices estimated to be online in 2014 increased to more than 6.4 billion devices in 2016. That is approximately 25 connected devices per 100 people in the United States. In 2020, that number is projected to increase to an estimated 20.8 billion IoT devices – a ratio that would almost reach one IoT device for every person in the United States.

Nir Gaist, co-founder and CEO, Nyotron

Increase in attacks' complexity and methodologies. Creativity and technical evolution on the offensive side has proven to be much faster than defense. In fact, we learn that any progress made by cybersecurity solutions, has a similarly “positive” effect on attack techniques and offensive methods. We estimate that approximately 10 percent progress on the defensive side will simultaneously compel attackers to improve by 20 percent. The reason? The nature of point solutions, which resolves one problem, also provides great motivation for the attackers to develop more destructive (and sophisticated) attacks.

Fewer solutions - less defense. After numerous busy years of cybersecurity investments, new initiatives, thousands of new companies and developments - investors are more cautious when examining new, young companies. At the same time, organizations realize they can't buy an infinite amount of products. Hence, we expect to see fewer solutions, and therefore, less defense.

Higher cost of damage. While there are thousands of cyber-security companies, correspondingly, there are also thousands of point-solutions. In a world of rapidly-evolving threats, the technical viability (life-span) of a point-solution is disturbingly limited to one to three years. The time it takes cybercriminals to outsmart a point-solution is only limited by their awareness of it. When solutions are on the market for several years, it's safe to assume that creative hackers have already developed more sophisticated techniques. And in light of an anticipated decrease in new cybersecurity companies and solutions, that ultimately leaves tomorrow's threats unresolved. Unfortunately, we are about to face a "deadly encounter" – fewer solutions in the market combined with smarter hackers. The outcome will be clear: more "successful" attacks that are increasingly destructive and entailing a significantly higher cost of damage to the victim organization.

Less "autonomous" security. More large-scale, sophisticated enterprises will acknowledge a growing need for external help. The tendency to keep security "inside" will be proven wrong and inefficient. We can see a significant increase in adoption of external services, mainly due to lack of human expertise. In fact, external security services are becoming more essential. As threats become more targeted, strategic and advanced, attacks turn into campaigns. Organizations, large as they may be, turn into components of a larger body – a sector, state, or even a target on a hit-list. For such organizations, surviving these threats autonomously are small to none. Service providers, on the other hand, have a huge inherent advantage – they can see a bigger picture.

Looking back at 2016: 2016 has been the year of cyber ransom and financial crimes. This did not surprise me, as more traditional criminals have migrated online due to the availability of easy to use ransomware kits and crimekits in the dark web. 

The IoT botnet leveraged against Dyn was the most surprising event of the year. 

What do cyber threats look like in the new year? 

Winter is coming in 2017. Geopolitical tension will serve as the harbinger for destructive cyberattacks in 2017.  

In 2017, we will see a dramatic increase in “Pawnstorm” attacks due to tensions with NATO over the security of the Baltics.  

Additionally, the Cyber caliphate and AQAP will demonstrate an advancement in their cyber campaigns and we will see an increase of cyberattacks from nationalistic Chinese hackers in response to U.S. Navy maneuvers in the South China Sea.   

Domestically, more disillusioned American voters will turn toward hacktivism to unleash their fury.  These actors might swell the ranks of Anonymous and develop alternative organized hacktivist crews. What will be most interesting is how these attacks are leveraged and what they manifest.  To this point, spear phishing will no longer be leveraged as the preeminent vector for attack by elite hacker crews.  

We will experience an uptick in island hopping via cloud infrastructure; compromises of IOS and watering hole attacks. As a result of these incursions, more destructive malware will be deployed to damage or manipulate the integrity of systems.    

Unfortunately, the transportation and financial sectors will be the primary victims of significant cyber intrusions in 2017.

Mobile transactions will outpace Web transactions for the first time. Fraud will continue to grow rapidly within the mobile channel, particularly from mobile applications, as banks, retailers, and other service providers offer more services to their customers via mobile apps.

Biometric authentication will start to take off for mobile users. Many such initiatives are happening now, and cybersecurity is not the main driver. User experience is key to driving adoption of the mobile channel. Biometrics are considered the best option, as opposed to the traditional username/password combination, which is not ideal as a user access method for mobile customers. Fingerprint, voice, and eyeprint, combined with risk-based transaction monitoring, will be the predominant technology combinations for authentication and fraud management in the mobile channel.

The launch of 3D Secure 2.0, led by EMVCo, is going to change the game for the e-commerce ecosystem. There has been a flurry of renewed interest in the wake of the recent announcement. The new protocol offers many enhancements to the 1.x password-based, “challenge all” approach. Merchants and issuers are at least 12-18 months out from any major technology deployments as they just begin to formulate their strategies to adopt the 2.0 framework. As a result, there still a massive window of opportunity for fraudsters to capitalize on card-not-present e-commerce fraud in 2017.

Phishers will continue to innovate in the coming year by improving on existing methods to host their attacks in order to increase the longevity that an attack is live. It is also a strong possibility that clever phishing attacks will emerge targeting cardholder information as breaches and skimming of POS terminals and ATM machines will be far less effective as more terminals are upgraded to support EMV cards.

Cyber attacks are going to continue and increase, but the level of fatigue will lead to an acceptance in the industry. There will be an increase in domestic attacks on administration and federal, as well as critical infrastructure attacks on things like electrical grids, dams, nuclear power plants, etc. I like to call this the internet of dumb things, or the internet of insecure things, because as we've seen, these are completely insecure devices, ripe for attacking.

We'll see additional attacks on DNS, like the recent major DNS outage that took down many major websites we all use on a daily basis. The next attack will be even more significant than what we've already seen, because DNS is hugely vulnerable. People don't grasp how extremely important it is, how easily it can be attacked. We may see people stop dragging their feet on DNSSEC as a result.

There's a good chance we'll see a major cloud provider admitting to a background worm that's been there forever. We think of the underlying infrastructure providers as safe havens, but they're not. There are likely major flaws in systems we've all assumed are secure, similar to Heartbleed. Things we thought were safe will turn out not to be.

We'll also likely see an increase in attacks on small and medium businesses as hackers make their way down the food chain and move down-market to volume play.

The commercialization of cybercrime will increase. Similar to how other commercial businesses are structured, in 2015 we saw the beginning of the commercialization of cybercrime as criminals put out base products. 2016 saw traction and big wins in the cybersecurity realm. In 2017, we'll see further investment and commercialization in this industry. Like any commercial business, the steps can be mapped. The cybercrime space now has money, and criminals are now investing. If we thought it was bad before, get ready.

We will see a rebalancing of the relationships between prevention, detection and reaction. We all know that the firewall is ineffective, and identity is the new perimeter. With this shift comes the need to focus on detection and reaction in seconds and minutes, not days and months as we've previously seen. As a result, we'll see a rebalance of the relationship between prevention, detection and reaction.

There will be a GDPR wakeup call, which will leave companies scrambling. When people begin to truly understand the implications of what the General Data Protection Regulation (GPDR) means for businesses today, it's going to result in a lot more disclosure in general. While no one will be penalized until 2018, businesses must begin to ramp up. For example, if you lose your laptop and it's not encrypted, and it has a list of customers, your company will have to declare that publicly to avoid a hefty fine. The GDPR wakeup call will leave companies scrambling in the coming year.

The U.S. will undergo a cybersecurity shakeup due to major political change. As with any major political change, there's the potential for a big shakeup in the U.S. administration and its initiatives with regards to cybersecurity. President Obama invested billions in the Cybersecurity National Action Plan, which has a projected spending of 19 billion in 2017, which is a 35-percent increase over 2016. No one knows what will happen with this plan - or other initiatives like cyber education fund, the National Cybersecurity Alliance, or the National Strategy for Trusted Identities in Cyberspace - once the new administration is in place. Where does all of this infrastructure end up? What does it mean for the future of cybersecurity and the government? Will these initiatives continue? We knew we were behind as a nation, and now we may be starting from scratch.

There will be a move toward behavioral security, as organizations come to the realization that security has to be behavioral, which is why identity context in identity and access management (IAM) is so important. It's at the center of everything we do. With this will be the realization that IAM is a requirement for everyone, large and small.

There will be a focus on unstructured data. Organizations are realizing the level of exposure risk people have due to what is fundamentally a mess of files and data drawn from structured systems and left in unstructured data. There will be disillusionment with Cloud Access Security Brokers because people are realizing it on only works on-prem. There was a big rush for these solutions, but they only work when someone is in the office, not in the remote, global workplace.

In 2017, we will see an increase in the number of rookie hacktivists and hobby hackers driven by the pop-culture references and increased media attention. These attackers will use off-the-shelf tools for nuisance attacks, such as web defacement, DDOS as-a-service, and even port scans. These attacks will mostly cause an increase in noise for organizations, since the adversaries won't have the skills for lateral movement, but any trouble they could cause will be in the reputational damage to the company brand.

Automation and analytics will help organizations address the shortage of security personnel. Often organizations invest heavily in effective security hardware and software, but lack the security specialists necessary to ensure their effectiveness. As an example, breaches like the ones that impacted Target and Home Depot were detected by their high-end security systems, but the security operations practitioners were too overwhelmed by the thousands of alerts they received per hour to see which ones posed the most imminent threat. As automation becomes more integrated into security solutions, security personnel will receive fewer notifications with more relevance, relieving them of the manual task of hunting through a sea of alerts to find the truly malicious ones.

We will see an increase in the collaborative security industry. The security industry is slowly working toward collaboration between adversaries, but at the end of the day, collaboration remains nascent. Beyond sharing basic data, we still lack the interoperability necessary to address the next-generation of threats. This has led to an increase in cybersecurity startups finding favor among funders – venture capital investments in cybersecurity startups went from less than $1 billion in 2010 to $2.5 billion in 2014 (source). A recent study from SANS Institute found that 71 percent of respondents said access to shared threat intelligence gave them improved visibility into threats, while only 40 percent are actively contributing to threat intelligence. This disconnect indicates that all security organizations need to be working together and sharing open threat intelligence, which is crucial in order for the industry to remain one step ahead of attackers. 

Cyberattackers will expand their horizons to smaller targets. While hackers have traditionally targeted enterprises with large amounts of data and deep pockets, we will start to see attackers focusing more on smaller businesses who are potentially easier targets. While these SMBs may not have as much for attackers to gain, they are viewed as softer, easier marks good for making quick money, which can be devastating and possibly bankrupting to small organizations. As large enterprises ramp up their security, expect to see SMBs more frequently targeted by hackers.

 IoT under pressure. Today, IoT is letting us down, underperforming and under delivering. In fact, in some ways it's making life more complex and less secure as it's quickly becoming the gateway to cyberattacks. Although consumer adoption of IoT is still in its early stages, there are very few turnkey orchestration tools to successfully manage IoT security. For IoT to survive and live up to what it promises, it's vital that technology companies master security and unlock the possibilities of integration. The real “winners” are going to be companies who can code their own solutions to ensure their products are secure.

I suspect most IT security professions will be primarily concerned about ransomware in the coming year. Criminals are quite aware how profitable this type of threat has been, and how easily an attack is accomplished. At this point most people probably know someone who has been affected by ransomware, and this has a way of making the threat feel very real. Right or wrong, most security professionals won't necessarily assume that their organization has anything of interest to nation-state sponsored attackers, or that they might be considered part of the critical infrastructure that might worth attacking. But they very well may fear the threat of meriting the attention of their own government agencies due to a breach or some other situation that would bring an audit. Hopefully, the threat of audits and ransomware will motivate security professionals as well as management and board members to put more resources into thoroughly assessing their level of risk and acting to mitigate it. 

In 2017, data breaches featuring the theft of data and company secrets will continue at an unrelenting pace, but network attacks involving data manipulation will become more common, with devastating results. Attackers can still largely go to work on a network without fear of being detected, and they will see a bigger payoff from data manipulation than outright theft.

Click here for Predictions 2017 Part 5