Phishing will continue to be a huge issue in 2017. In 2016, it's been another day, another email leak. Retrospectively, 2015 did not see nearly as many attacks here compared to 2016, and the problem will persist without the right security training for users in all industries. Wombat's measurement of various industries' performance in security awareness and phishing susceptibility has pointed us to telecommunications, retail and health care as the verticals that need the most improvement if they're to mitigate the volume and impact of threats.
2017 will be ransomware's biggest year yet because organizations aren't inspecting for malware in the most commonly used apps. Malware is hiding in plain sight as SSL traffic passes through uninspected (which is a huge issue in general for enterprises).
2017 is the year of the security intervention. The recent Dyn DDoS attack plus IoT plus cloud will force board-level meetings on cybersecurity at most Fortune 500 companies. This will force a doubling down on hiring and spending to quickly deal with enterprise blind spots.
With the increase in high profile data breaches in 2016 such as the Yahoo! data breach and DNC hacks, the new administration will make cybersecurity a key focus. The newly appointed federal CISO should make cloud security and safe cloud enablement a priority, as it's expected to be the biggest threat vector. Cloud adoption is only going to rise from here, and the federal CISO needs to be aware of the threat shadow IT poses to the government.
Many users that have had their credentials compromised are reusing the same passwords in multiple places and still have not implemented true multifactor auth across their apps. Enterprises will start paying closer attention to the repercussions of massive data breaches such as compromised credentials.
Since GDPR was adopted in 2016, we are now within the two-year countdown for compliance, which will provoke a sense of urgency for organizations in 2017. Compliance is going to play a bigger role in the cloud as organizations become savvier to the apps people are using and increasingly realize how much sensitive data they have in their environments.
Security becoming a utility, thanks to the cloud. In 2017 you will see more and more enterprise security organizations using the cloud to enable better visibility with longer retention and continuous processing of their analytics. Delivering enterprise security via the cloud will ultimately start to lower the cost and complexity of the security infrastructure as those legacy appliance systems are replaced by agile, distributed models. There is a growing call for security to be treated as a fundamentally basic utility where safety can be assumed. The cloud is the key to enabling this, with benefits like storage options, scalability, and ease of deployment.
Security presentation layer. The presentation layer of security will evolve tremendously within the next two years, in part to fill the immense number of open security jobs with next-generation analysts and hunters that are immersed in modern, rich computing interfaces such as virtual worlds, augmented reality and gaming.
Call for interoperability. It is now vital to have a 360-view of your security environment to detect and mitigate vulnerabilities, but that requires broader interoperability between products. We have seen in 2016 the birth of response orchestration and security tooling automation; next we will see more orchestration across the entire lifecycle of security that today's point products don't address. The cloud will be used as a form factor with the importance of integrations throughout the security stack.
The cloud was obviously a hot topic in 2016 and we will see that continue in 2017 – especially in terms of public cloud services being used by Wall Street companies to embrace the growing need for availability on a global scale. Due to the increased security and regulation risks, financial institutions have been slower to adopt the cloud. However, this year we will see more major Wall Street companies pushing ahead despite these challenges sooner than we expected. As more policies and technologies come out around regulations, compliance, and better security features in the cloud, more of these companies will no longer be able to ignore the benefits of the cloud and will start testing the cloud on workloads and move some services beyond just the corporate data center.
Ransomware, nation-state interference, identity theft and attacks on infrastructure will all be of considerable concern in 2017, although the relative nastiness and immediacy of impact on organizations will depend to some extent on their business model and industry sector.
For example, a residential construction company might not see attacks on its infrastructure or a nation-state intrusion, but could well be targeted by ransomware and CEO email fraud. And if malicious nation-state activity hits the national infrastructure, such as internet availability or power outages, then that could impact even traditionally “non-digital” industries like builders, restaurants and so on.
Anonymous and/or anti-Trump groups will launch a major cyberattack from within our own borders.
We will see ransomware on medical devices like an MRI machine or pacemakers – not just hospital records.
IoT security issues threaten human health and safety like never before. Not only are medical devices connected, opening them to patient data theft and patient safety impacts, but security issues with smart devices such as thermostats or gas meters can cause rampant human health and safety problems. Widespread use of IoT devices in the home dwarfs the numbers of companies affected by software vulnerabilities we've seen in the past. IT security pros at firms that build smart IoT devices must take a new look at how the software on these devices is hardened, how PII data is protected and how fast fixes to any newly identified vulnerabilities can be deployed. IT Security pros at firms that operate smart IoT devices must protect sensitive data in flight to and from these devices and manage IAM robustly.
New nation-states and ideologies will emerge as threats. North Korea and Iran both continue to build capabilities for offensive purposes. These new nation-states and others along with ideologies will rise to cause havoc along with previous threats such as China and Russia. IT Security and Risk pros should prepare accordingly as these new attackers look to expose more public information on inner workings of governments and create new threats to companies with geopolitical considerations on their international presence, global customer base, third-party relationships, and business continuity.
Ransomware protection. Until this past year, companies and consumers had few solutions available to them to help detect and combat ransomware. Security researchers have been working hard to identify core characteristics of specific ransomware types so that they can effectively protect against them in the near future. However, when a ransomware descriptor is recognized, ransomware authors often tweak their attacks to avoid detection. As this cat-and-mouse game between security researchers and ransomware creators continues, more security vendors will debut anti-ransomware protection offerings. In fact, we predict that by the end of 2017 at least 50 percent of security companies will release some sort of ransomware detection and/or prevention software. IT professionals will need to investigate and invest in anti-ransomware security software in 2017.
Password managers will become a huge target. In 2017, password managers, digital vaults where users store passwords, credit card numbers and other authentication data, will become a huge target for cybercriminals. In fact, just last month, it was revealed that Apple's new iOS 10 operating system has a potential security hole that could help hackers get access to passwords and other sensitive information. Hackers are apparently able to infiltrate Apple's Keychain password manager. For a hacker, breaking into these vaults will be incredibly fruitful. The top password managers are likely to find themselves under attack in 2017, especially those password managers that allow sharing of the vault among multiple users.
The top four threats identified by the ISF for 2017 are not mutually exclusive and can combine to create even greater threat profiles. The most prevalent threats include:
The IoT adds unmanaged risks. While the political, social and economic implications are not fully clear, gigabit connectivity represents a significant overnight leap forward. This will enable the IoT and a new class of applications to emerge that will “exploit the combination of big data, GPS location, weather, personal-health monitoring devices, industrial production and much more.” Connectivity is now so affordable and prevalent that sensors are being embedded everywhere, increasing the flood of data and creating an ecosystem of embedded devices that are nearly impossible to secure. This will raise issues not just over privacy and data access, but also will expand the threat landscape exponentially, increasing the security burden for many organizations that are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security.
Crime syndicates take a quantum leap. Criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide. Rogue governments will continue to exploit this situation and the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.
Government and regulators won't do it for you. In 2017, the number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Public opinion will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. International regulations will create new compliance headaches for organizations while doing little to deter attackers.
With reform on the horizon, organizations conducting business in Europe, or those planning to do so, must get an immediate handle on what data they are collecting on European individuals. They should also know where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it. The demands of the incoming EU General Data Protection Regulation and the Network Information Security Directive will present significant data management challenges to the unprepared, with the potential for hefty fines for those who fail to demonstrate security by design and fall victim to cyber attack or information loss.
The role of the end-user, the weakest or strongest link in the security chain. In the coming year, organizations need to place a focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card.’ Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization's strongest control.
Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior and habits that become part of an organization's information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness,’ the real commercial driver should be risk, and how new behaviors can reduce that risk.
In general, we anticipate an increase in attacks on websites, as they are an extremely vulnerable gateway to organizations. We predict that 2017 will see these trends emerge and grow:
Targeting website resources. In 2016, 21 percent of hacked websites experienced traffic stolen from their sites. As companies continue to strengthen their cybersecurity, cybercriminals are becoming more strategic with the methods they use to steal intelligence. Rather than directly stealing customer or financial data, we predict cybercriminals will increasingly target website resources, such as customer data, bandwidth and traffic, to divert users to malicious sites and steal data.
Increased DDoS attacks. According to recent SiteLock data, websites experience 22 attacks per day on average. That's more than 8,000 attacks per year, per website. In 2017, we anticipate these numbers to inflate as web-based DDoS attacks increase, using resources stolen not just from traditional sources, but also the exploding market of vulnerable Internet of Things (IoT) devices. Just last week, we witnessed a DDoS attack on Dyn, which brought down the websites of some of the world's biggest brands.
Hacktivism on the rise. It has become clear that cybercriminals are motivated by more than money – they are motivated to influence public opinion and perception. In 2017, we expect to see cybercriminals continue to expose government, financial and legal intellectual property to manipulate agendas and gain notoriety.
Data will continue to be weaponized in new and inventive ways. Between the ransomware attacks that plagued the health care industry in 2016, and the wave of politically motivated data leaks that occurred during the run up to the election, it's clear that the value of information now goes far beyond its sticker price on the Dark Web. Cyber-attackers have evolved beyond simply selling information, and are now opting to leverage it for far more damaging attacks, including extortion attempts and sophisticated human engineering campaigns. Data that can be easily changed, such as credit card numbers, passwords and email addresses are becoming less valuable than information that stays with a user for life, such as DOB, SSN and health care records (the crown jewel of personally identifiable information). As hackers accumulate more of this information, traditional IT activities such as authentication and access management will become far more difficult, as the likelihood that a malicious actor is impersonating a user increases drastically.
Security incidents will have a bigger impact on everyday people. By the end of 2016, most American consumers will have experienced some form of mild inconvenience due to a cybersecurity incident. Whether it's Facebook going down due to a massive DDoS attack, or replacing a credit card because of a data breach, these incidents will produce a low-impact, fixable problem for the average person. But over the next year and beyond, hackers will take the weaponization of data to create deeper, more widespread attacks on the American people that will require complex solutions and policies to fix. We will see more cyberattacks on popular internet services, more complex cybersecurity legislation proposed in Congress, and more corporate fights regarding encryption technologies crop up over the next year. We hope that consumers will use these events to educate themselves on security policies and hygiene, but it may well result in a country-wide case of ‘security fatigue’.
President Trump will set the precedent for responding to cyberattacks. The last half of 2016 saw an increase in tension between the US and various nation-states and nonstate actors over how the administration should respond to cyberattacks. So far President Obama's responses to data breaches and DDoS attacks have remained hidden from the public, but President-Elect Trump will be responsible for crafting the appropriate responses (and escalations) to any future incidents. Although the US has been reluctant to levy real-world penalties against cyber-attackers, Trump's hawkish stance on foreign and military policies will likely influence a hardline approach to cybersecurity policy. Penalties could range from indictments of individuals to extradition attempts and sanctions.
More collaboration between the private and public sector to create effective cybersecurity legislation. Much has changed in the public landscape since the passage of the Cybersecurity Act of 2015, but unfortunately, the legislation hasn't done much to increase information sharing between the private sector and government organizations. Next year, we are likely to see a drastic overhaul of this intelligence sharing framework, with an increased emphasis on incentivizing participation among private parties (something that is sorely lacking from the initial draft). The government seems to be coming around to the realities that are stopping organizations from sharing threat intelligence, namely the fear of embarrassment, as well as worries surrounding the US's willingness to exploit vulnerabilities discovered through the program. Measures will need to be put in place to assure that benefits flow both ways, with companies receiving clear-cut protections when collaborating with government agencies.