Security (IT) predictions for 2017
View(s):It is the time of the year to look back at what problems the Internet faced in 2016, what issues are likely to arise during the year and how we can protect ourselves. The past year has been a turbulent one for cyber security with high profile data breaches, persistent threats from ransomware and more. Apple and the FBI wrangled over encryption. We are living through one of the most precarious moments in international relations of the last several years; threats of commercial warfare, espionage, tariffs with the potential to polarise the positions of the great powers. This can no doubt have huge and serious consequences in the field of cybersecurity.
Ransomware
1. The first item on the list of cyber security predictions for 2017 is something called ransomware, a type of malicious software (known as malware) the attempts to lock out the user from accessing a network, files, or an application. Ransomware will begin to seep into IoT devices, and will be called ‘Ransomware of Things (RoT’. ‘In order to prevent RoT, the technical challenge is to implement security across numerous and ever-changing IoT platforms and prevent a thriving cybercriminal infrastructure’. Ransomware will continue to evolve and will target Internet of Everything. This is an extremely profitable attack. There were proof-of-concepts of hacking cars, smart home devices, medical devices, smart TVs and embedded devices. We expect to see more stories like this in the coming year. If a device can be hacked, it likely will be. In addition, where there are proof-of-concept attacks, real attacks invariably will follow. We expect to see IoT devices as the preferred route for attacking an organisation, and potentially the most difficult for incident response staff to recognise and remove.
2. Ericsson predicts there could be as many as 6.4 billion smartphone subscriptions by the end of 2020. These high-end phones and tablets have powerful processors and with 4G network, they will have high-bandwidth connectivity. These devices will contain valuable information. The mobile manufacturers are competing to manage the cards in your wallet while other mobile payment systems are following closely for their share in this space. All of this makes smartphones very attractive to criminals. Further, the speed at which end-users receive updates is dependent on their device manufacturers, and sometimes this can take longer. Tricks such as hiding malicious code inside ostensibly legitimate apps, or being disguised as something more useful, attackers will use more sophisticated techniques such as offering hotel loyalty programmes, airline frequent flyer points and gaming accounts to make money from their victims.
Whole world a target
3. All organisations irrespective whether it is a government, public or private sector undertaking, big or small, profit or not for profit are all potentially vulnerable to targeted attacks. Spear-phishing campaigns will target employees and continue to grow as attackers are motivated purely by profit and can be just as technically sophisticated and well-organised as any nation state-sponsored attackers. The world also experienced several data breaches in the past year and only a few reported exposed identities. This number hides a bigger story and several companies globally choose not to reveal the full extent of the breaches experienced. The fact that organisations are increasingly holding back critical details after a breach is a disturbing trend. Further, cybercriminals who want to reach the largest number of people electronically, email is still the favoured way to do it. The types of information the attackers potentially had access to included emails, legal documents, policy documents, training materials, product descriptions, and data harvested from specialist security systems. Stolen materials such as these were valuable for insider trading purposes. Transparency is critical to security and organisations will have aim to eliminate passwords and use strong encryption standards.
4. Whether it’s the way we shop, work, or pay our bills, trust and confidence in online services has become critical to our way of life. Website owners are still not patching and updating their websites and servers as often as they should. It is estimated that over one million web attacks take place against people each day. The cybercriminals continue to take advantage of vulnerabilities in websites to infect users as the administrators fail to secure their websites. Organisations need to think about their websites as part of an entire ecosystem that needs constant care and attention if they want to retain people’s trust and confidence. The website and server administrators should address these risks aggressively.
Social media
5. Social media will remain a favoured target of scammers, as criminals seek to leverage the trust people have in their own social circles to spread scams, fake links, and phishing. The social engineering involves convincing and we will see more progressive and ingenious tactics to dupe potential victims. Online ‘sextortion’ has turned to malicious apps which will be a growing problem in developing nations. The scammers, use an attractive avatar or profile picture, encourage the intended victim to share sexually-explicit videos. The criminals will encourage the victim to “continue the liaison” using an app, which will gather the victim’s phone number, account details, and all of their contacts. Now with an incriminating video, and a list of the victim’s friends and family, the criminal usually threatens to send the sexually explicit content to the victim’s entire contact list unless they pay up. Because of the sensitive nature of the threat, victims often find it difficult to go to the authorities and end up sending hundreds, if not thousands, of dollars to the attacker.
Vulnerable employees
Cybercriminals are not only interested in ‘who can hack’, but also ‘who can leak’. Whether data may be stolen in a data breach, accidentally leaked, or even posted online legitimately in the past, personal data has a value in the underground shadow economy. Personal data can and will be used to commit crimes, whether to conduct identity fraud, or to enhance the social engineering in phishing scams, or even as part of the reconnaissance in the prelude to a targeted attack. Taking risks with cybersecurity is not acceptable, and we should reject the misconception that privacy no longer exists. Privacy is something precious, and should be protected carefully. Organisations should approach cybersecurity in terms of education, awareness training and good digital hygiene. Every employee should be part of the effort to stay digitally healthy. CIOs and business managers should be aware of the many risks faced and should start proactively monitoring for symptoms so that they can diagnose digital diseases before putting customer data and customer confidence at risk.
We anticipate the next wave of threats and hope the organisations can use this information to stay ahead of the evolving tactics of cybercriminals.
(The writer is a Governance, Risk and Compliance professional and Director at Information Security Professional Associates (iSPA). He is the founding member and Secretary of the (ISC)2 Chennai Chapter and a board member of the (ISC)2 Colombo Chapter. He can be reached at sujit@layers-7.com)