Twelve months ago when I started covering cybersecurity the state of things was pretty bleak: 2014 marked another record year of data breaches, there was no miracle technology that would seal the cracks in an enterprise and every expert was predicting attackers would find new ways to get around defences.
As I look ahead to 2016 every expert I talk to says attacks will continue to find new ways of getting around defences, there’s no miracle technology coming that will seal the cracks in an enterprise and it will probably be another record year of data breaches.
In the face of that what’s a CISO to do?
For one thing, continue sealing the cracks in the enterprise the old-fashioned way: security awareness training, two-factor authentication wherever possible, network segmentation, limiting the number of people with administrative privileges and access to sensitive data, patching, increased spending on intrusion detection and prevention (including analytics), participation in threat intelligence sharing (either formally by buying a service, or informally with colleagues), and solid backup and restore. On top of that, have a tested disaster recovery plan.
In addition, be aware of certain trends experts say will mark 2016 as different from the year before. Here are some of them:
1. The evolution of technology means IT departments more than ever have to understand what business units want, and then propose secure ways of doing it, says Bob Hansmann, director of security analysis and strategy at Raytheon|Websense security labs.
Whether it’s the Internet of Things or new mobile payment systems the enterprise is being exposed to new risks daily. CISOs have to be prepared. “IT needs to start offering options,” he said. Unfortunately, “they’ve become the department of no for the past few years” which in some eyes makes them irrelevant.
“Too many organizations assume (supplying) vendors have security right,” he said. For example, there’s no such thing as ‘the cloud:’ There’s a server somewhere. “I need to make sure if I’m a responsible IT team that the cloud services I’m sending sensitive data through have done a proper job with security.”
2. He also warns CISOs whose firms have signed, or are about to sign, for cyber insurance that insurers will dictate some of their strategies. Insurance companies will refuse to pay for breaches caused by ineffective security practices, Websense warns. Supporting this, Forrester Research notes in its own predictions that in one still-unresolved case a cyberinsurer denied a claim where spearphished credentials were used to facilitate fraud, arguing that it was an authorized system user who initiated the money transfer.
3. New generic top-level domains (gTLDs) will be used in active spam and other malicious campaigns, Websense believes. The number of gTLDs as of November exceeded 700, with about 1,900 more on the waiting list. As new top-level domains emerge, they will be rapidly colonized by attackers well before legitimate users. Taking advantage of domain confusion, criminals and nation-state attackers will create highly effective social engineering lures to steer unsuspecting users toward malware and data theft.
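As an added illustration, not code from the article or from any of the vendors quoted, here is a small Python triage script for the domain-confusion lures described in item 3. It flags a URL when a known brand name appears as a hostname label under a domain the brand does not own, or when the registrable domain sits on a watched new gTLD. The brand-ownership table, the gTLD watch list and the mail-log lines are all constructed for the example, and the two-label registrable-domain heuristic is an assumption that a real deployment would replace with the public suffix list.

```python
"""Flag domain-confusion lures in URLs pulled from a mail log.

Two signals are checked: a known brand name used as a label under a
domain that brand does not own, and a registrable domain under a
recently delegated gTLD. Added example; every table below is constructed."""
import re
from urllib.parse import urlsplit

# Constructed: brands and the registrable domains they actually own (assumption).
BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com"},
    "apple": {"apple.com", "icloud.com"},
}

# Constructed watch list of newer gTLDs. A real deployment would load the
# current IANA root zone delegation list rather than hard-coding names.
NEW_GTLDS = {"support", "secure", "online", "site", "xyz", "top", "click"}

# Constructed mail-log lines in a hypothetical "key=value" format.
SAMPLE_MAIL_LOG = """\
2015-12-01T09:12:03Z msgid=1 from=billing@paypal.support url=http://paypal.support/verify
2015-12-01T09:13:41Z msgid=2 from=it@corp.example url=https://www.microsoft.com/download
2015-12-01T09:15:22Z msgid=3 from=noreply@secure-verify.online url=https://login.paypal.com.secure-verify.online/session
2015-12-01T09:16:10Z msgid=4 from=news@example.xyz url=http://example.xyz/news
"""

URL_RE = re.compile(r"url=(\S+)")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Caveat (assumption): this ignores public-suffix second-level domains such
    as co.uk; use the public suffix list for production use."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def classify(url):
    """Return the reasons a URL looks like a domain-confusion lure.

    An empty list means nothing was flagged."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    tld = reg.rsplit(".", 1)[-1]
    labels = host.split(".")
    reasons = []
    for brand, owned in BRANDS.items():
        if reg in owned:
            continue  # the brand's own domain, e.g. www.microsoft.com
        if any(brand in label for label in labels):
            reasons.append(f"brand '{brand}' in label under unowned domain {reg}")
    if tld in NEW_GTLDS:
        reasons.append(f"registrable domain on watched gTLD .{tld}")
    return reasons


def scan_log(text):
    """Map each flagged URL in the log to its reasons; clean URLs are omitted."""
    findings = {}
    for line in text.splitlines():
        match = URL_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        reasons = classify(url)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, why in scan_log(SAMPLE_MAIL_LOG).items():
        print(url)
        for reason in why:
            print("   -", reason)
```

The brand check is deliberately a substring match on each label, so it catches both the bare lookalike (`paypal.support`) and the long-prefix trick (`login.paypal.com.secure-verify.online`) where the genuine hostname is buried in front of the attacker's registrable domain. Expect some false positives from that choice and review findings rather than blocking on them automatically.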
4. The structure of the Internet is aging, meaning neglected and ongoing maintenance will become a major problem for defenders, says Websense. That includes organizations with expired certificates, outdated and broken JavaScript libraries, and new applications built on recycled code carrying old vulnerabilities (think Heartbleed).
5. A number of experts are warning that attackers are increasingly being drawn to the potential of exploiting the so-called Internet of Things. “Hackers look for newer technologies and ways to exploit vulnerabilities where people aren’t thinking about security as much as they are on a Windows device,” pointed out Doug Cooke, director of sales engineering for Intel Security in Canada. Devices that gather data, from wearables, cars, smart meters and hospital devices to cloud services, are targets.
Although most wearable devices store a relatively small amount of personal information, wearable platforms could be targeted by cybercriminals working to compromise the smartphones used to manage them, Intel points out. The industry will work to protect potential attack surfaces such as operating system kernels, networking and Wi-Fi software, user interfaces, memory, local files and storage systems, virtual machines, web apps, and access control and security software, says Intel.
6. Gaining access to credit cards and bank accounts has long been a goal of attackers, but Cooke also warns intruders will increasingly move to what Intel calls “stealthy, selective compromises” of systems and data, such as seizing and modifying transactions or records, for example changing the direct deposit settings for a victim’s paycheques so the money lands in a different account.
7. A number of organizations, including the FBI, reported ransomware is on the rise, and that will only continue, in part because the attackers’ move to anonymizing networks and payment methods could fuel it. Here’s one sign: last year the CryptoWall ransomware package was updated to version 3.0. Intel believes in 2016 greater numbers of inexperienced cybercriminals will leverage ransomware-as-a-service offerings, which could further accelerate its growth.
Trend Micro goes one step further, predicting that 2016 will be the year of extortion, with attackers finding new ways to target a victim’s psyche to make each attack “personal”—either for an end user or an enterprise.
To support its prediction of an increase in cyber-ransom, Forrester Research notes that even partial electronic health records are worth much more on the black market than credit card data. It also ties this back to the increase of IoT devices in healthcare.
8. Detection and response are important to CISOs, but prevention/protection is still vital. Forrester predicts spending on prevention technologies will increase by five to 10 per cent. Consider new types of endpoint protection that employ exploit prevention techniques, like Palo Alto Networks Traps Advanced Endpoint Protection or Microsoft’s Enhanced Mitigation Experience Toolkit, Forrester says. For network-based prevention, consider leveraging predictive analytics offerings from vendors like OpenDNS that identify attacker infrastructure and provide protection in advance of attacks.
9. Despite the need, fewer than 50 per cent of organizations will have a chief privacy officer, says Trend Micro in its predictions.
“You need someone who understands the way privacy works, because privacy is fundamentally different than security,” explains Christopher Budd, the vendor’s global threat communications manager.
The privacy side of security incidents will be more closely scrutinized by regulators this year than before, he argues, “so having someone with the expertise to navigate that potential minefield is really important.”
10. Similar to its prediction of a rise in ransomware, Trend Micro also foresees hacktivists increasingly switching from defacing Web sites and DDoS attacks to destructive attacks. The recent success of high-impact breaches, driven by a common goal of exposing incriminating information like questionable corporate practices, classified messages and suspicious transactions, will drive cybercriminals to add data breach methods to their arsenal of tactics, says Trend Micro.
“The point of Ashley Madison wasn’t to get money or sell information for identity theft, but for the express purpose of causing harm to the company,” Budd said.
11. A number of experts are certain ISIS will step up cyber attacks on the U.S., Canada and other allies aligned against it. But Hewlett Packard also thinks the so-called cyber cold war will heat up. “While the U.S. and China recently came to an agreement not to conduct cyber attacks designed to steal intellectual property, the U.S. also freely admits cyber warfare will remain in its catalog of offensive capabilities,” HP says. “We’re seeing the capacity for an accident to a degree not seen since the height of the cold war. In fact, the cyber tension is so high that Russia and the United States have a hotline in case of ‘accidents’. So far these cyber incursions haven’t risen to the threshold that would require a military response, but that day is coming.”
12. Finally, HP predicts cybersecurity issues will kill a product. “In 2016, we’ll see a major product shut down due to security issues, as the product will no longer be worth producing due to the costs of fixing these vulnerabilities and brand reputation.”