It’s that time of the year when security experts from all over the world predict what will make an impact in the cyber security space in 2016. Most IT security professionals don't want their predictions to come true, as everyone wants their organisation to be hack free. But it's imperative for businesses to anticipate the next wave of threats and stay on top of the evolving tactics and exploits that criminals will use to target them.
"The threats you need to worry about the most are the ones you can't predict." - Graham Cluley.
Before we move on to the upcoming predictions for 2016, let's discuss how many of the predictions for 2015 came true.
Prediction 1 - Increased Malware Attacks Over SSL
This prediction was based on companies like CloudFlare making SSL available for free to anyone with a website, no questions asked. These certificates, known as domain-validated certificates, are issued almost entirely via automated, challenge-response email. They are server security certificates that provide the lowest level of validation available from commercial certificate authorities. Netcraft published a blog post describing how certificate authorities have issued hundreds of SSL certificates for deceptive domain names used in phishing attacks. SSL certificates lend an additional air of authenticity to phishing sites, causing the victims' browsers to display a padlock icon to indicate a secure connection. Despite industry requirements for increased vetting of high-risk requests, many fraudsters slip through the net, obtaining SSL certificates for domain names such as banskfamerica.com (issued by Comodo), ssl-paypai-inc.com (issued by Symantec), and paypwil.com (issued by GoDaddy). Netcraft also reported that CloudFlare accounted for 40% of SSL certificates used by phishing attacks with deceptive domain names during August 2015.
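One way a certificate authority or brand-monitoring team could flag such high-risk requests is to compare each hostname token against a brand watchlist by edit distance. The sketch below is an added example, not code from Netcraft or any CA; the watchlist, the two-edit tolerance and the naive "last label is the TLD" split are assumptions, and the benign hostnames are constructed.

```python
# Added example: flag certificate-request hostnames that imitate a watched brand.
# BRANDS is a constructed watchlist (assumption); the sample hostnames are the
# three deceptive names quoted in the article plus constructed benign ones.
BRANDS = ["paypal", "bankofamerica"]

def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def name_tokens(hostname):
    """Split every label except the last (treated as the TLD) on dots and hyphens."""
    labels = hostname.lower().rstrip(".").split(".")[:-1]
    return [t for label in labels for t in label.split("-") if t]

def flag_hostname(hostname, brands=BRANDS):
    """Return (brand, token, distance) for the closest near-miss, else None.

    Exact brand tokens (distance 0) are skipped here: deciding whether the
    requester actually owns the brand is a separate ownership check.
    """
    best = None
    for token in name_tokens(hostname):
        for brand in brands:
            limit = min(2, len(brand) // 3)   # tolerate at most 2 edits
            d = edit_distance(token, brand)
            if 0 < d <= limit and (best is None or d < best[2]):
                best = (brand, token, d)
    return best

if __name__ == "__main__":
    for host in ["banskfamerica.com", "ssl-paypai-inc.com", "paypwil.com",
                 "paypal.com", "example.org"]:
        print(host, "->", flag_hostname(host) or "no match")
```

A hit is a reason to route the request to manual vetting, not proof of fraud; the same check can be run over names observed in Certificate Transparency logs.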
Prediction 2 - IoT Wearables Were A Prime Target For Malware
The firmware and software on these wearables make them attractive targets for two reasons. The first is the sheer number of consumers that can be reached by hacking into one of them, which gives malware authors a big ROI and a distribution channel. The second is that they don't necessarily have all the security measures that most modern operating systems use to thwart attacks: mandatory access control, process isolation, stack randomization, etc. At the Hack.lu 2015 conference, Fortinet researcher Axelle Apvrille (@cryptax) presented a proof-of-concept vulnerability in Fitbit fitness trackers. An attacker in close range only needs about 10 seconds to inject malicious code (GitHub) via Bluetooth. The code can persist and then spread to devices to which the Fitbit connects.
Prediction 3 - DDoS Attacks Have Become A Mainstream Cyber-Weapon.
The prediction was that DDoS would be increasingly used as a foil and precursor to an actual data breach, confirming that DDoS is a mainstream technique favored among hacktivists, cybercriminals, and perhaps even nation states with a political agenda. The TalkTalk attack seemed to be more proof. Moreover, two studies confirmed that since 2014 DDoS attacks have continued to grow not only in number but also as distractions for launching breaches. In Verizon’s 2015 Data Breach Investigations Report, companies reported twice the number of DDoS incidents over 2014, with Verizon adding that “we saw a significant jump in the DoS threat action variety associated with malware.” Neustar’s October 2015 DDoS Attacks and Protection Report noted that half of responding companies had been attacked, with 36 percent of targets discovering malware or viruses upon further investigation.
Prediction 4 - Jumbo-Sized Cyberattacks Aren’t Needed To Inflict Damage.
Even smaller payloads can have a big impact. For DDoS attackers especially, both the Verizon and Neustar studies showed this to be true. Verizon reported that many DDoS events measured around 15 Gbps, a mid-sized attack. Forty percent of those reporting attacks in Neustar’s study absorbed strikes of smaller than 5 Gbps. When smaller attacks disrupt networks without taking them down, those networks remain accessible and are more vulnerable to hackers.
Prediction 5 - Rapid Growth In Unknown Malware
The threat of unknown malware was fully realised and is likely to remain significant. Cyber security has become an endless cat and mouse game, with hackers constantly finding new ways to attack networks. This year's high-profile breaches at Anthem, Experian, Carphone Warehouse, Ashley Madison and TalkTalk prove this prediction to be true.
Prediction 6 - Large Scale Compromises Of Databases
This year, hackers in their quest to earn money caused brand damage to several top companies by stealing intellectual property, as they recognized the value in that data. This made not only the companies suffer but also their customers. The aftermath of a hack and its poor handling can be even more damaging than the data loss itself. The companies and organisations hit by these large-scale compromises include:
- Anthem Inc. - The health insurer said the database that was penetrated in a previously disclosed hacker attack included personal information for 78.8 million people, including 60 million to 70 million of its own current and former customers and employees.
- Ashley Madison - The infamous social site that facilitated extramarital affairs was hacked in July 2015 by the Impact Team, who leaked 37 million user records and made them available for public viewing.
- U.S. Office of Personnel Management - The hack on OPM compromised the personal information of some 22 million current and former federal employees, making them a legitimate target for cyber espionage.
- Morgan Stanley - Global investment bank Morgan Stanley was hacked by cyber criminals, and 350,000 employee records were stolen.
Prediction 7 - Healthcare and Financial Institutions Are On The Firing Line
Your medical data and your financial information cannot afford to land in the hands of criminals and yet hackers are determined to break into computer systems storing it. 2015 is quickly becoming the year of the health insurance data breach. The latest company to let hackers pry open its grip on patients’ data: Excellus Blue Cross Blue Shield, with as many as 10 million people’s personal records exposed. The Excellus attack represents just another hacker breach in a string that’s hit the health insurance industry over the last year. Targets have included Anthem healthcare, Premera, UCLA Health System, and CareFirst.
Most of the things that security experts predict may or may not come true. The only way to achieve a more secure cyber environment is for businesses, developers and everyone else in the ecosystem to work together to ensure that things like these don't happen. After all, no one wants predictions like these to come true in the first place.
Be sure to check our next blog post on the Top 7 Cyber Security Predictions for 2016.