The past few months have summed up the current state of the cyber security industry.
In a matter of days at the end of November the European Commission was brought offline by a distributed denial-of-service (DDoS) attack, San Francisco’s Municipal Railway was held to ransom by ransomware in a system-wide attack and it was revealed that in September the Japanese Defence Ministry and Self-Defence Forces were hacked, which may have compromised Japan’s internal military network.
It seems almost farcical, and from these recent examples it is evident that critical infrastructure is totally unprepared for an attack and will continue to be severely vulnerable at the beginning of 2017.
It is not just the public sector that is suffering, with private organisations facing daily hacking attacks despite serious investment in cyber security strategies.
The problem is inherently twofold. The first is that cyber criminals and their tactics are constantly evolving, becoming more overwhelming and hard to detect by the day, it seems.
The ferocity of cyber attacks was illustrated last year by the Mirai botnet n(or Dyn) attacks that overran a number of systems using corrupted Internet of Things (IoT) devices.
When the malicious code was first published online in October, it gave a suspected group of teenagers the ability to shut down the likes of Twitter and Spotify.
In the preceding month, Liberia’s internet was taken offline using the same code. Improving the security of IoT devices will be crucial during 2017. This is where the most devastating cyber attacks will originate.
The second problem lies in the boardroom. Whether it is a result of attitude or ignorance, cyber security has not, until recently, been given the priority it warrants.
Cyber security is not an IT issue, it is a business-critical issue. The C-suite is starting to take note, however, and must begin preparing – if they are not doing so already – advanced prevention, detection and response systems.
This will be all the more crucial once the European General Data Protection Regulation (EU GDPR) comes into effect in May 2018. After this date, not only will reputation be on the line, but so will an organisation’s financial stability.
‘The nuts and bolts of cyber security are either still not understood or, in most cases, simply ignored by many boardrooms,’ confirms Jacob Ginsberg, senior director at Echoworx.
‘The clear majority of enterprises remain completely reactive to cyber security, waiting until their reputation is in question or legislation forces them to act. Boards are run by committees, and security still doesn’t have a chair at the table – until it does, security will never get the attention it warrants.’
Looking ahead to the 2017 cyber security predictions, it could get tumultuous to say the least. There is no doubt that the issue of cyber security was thrust into the public spotlight last year, which was highlighted throughout the controversial US presidential election campaign and the high-profile hacks of Yahoo! and LinkedIn.
The point is, in 2017 cyber attacks will continue to dominate headlines, and any proof of state-sponsored hacking could be, as BeyondTrust (an information security software company) suggests, acknowledged as an act of war. The age of cyber warfare could begin, where hacking techniques are regarded in the same breath as heavy weaponry.
This is not an exaggeration, and is why the White House’s Commission on Enhancing National Cybersecurity ordered a nine-month, 100-page study of America’s cyber security problems, which was published last December.
‘The sky’s the limit,’ says Mike Ahmadi, global director – critical systems security at Synopsys. ‘Accessing a water treatment plant and diverting sewage to municipal water systems can cause disease and death. Shutting down all power during a heat wave can cause death. Hacking combat drones can create devastating weapons. Let your imagination run wild here.’
Nathan Dornbrook, CTO at IT consultancy ECS, shares this cyber warfare prediction and suggests that ‘there will be a sharp increase in politically motivated and protest cyber crime, driven by increasing social inequality, the rise of far-right populism, Brexit, US-China-Taiwan relations and looming changes in international trade relationships’.
Cyber war may be the most extreme 2017 prediction in this feature, but it’s not beyond the realms of possibility. Moving on, what are the other, less apocalyptic, 2017 cyber security trends that we can expect?
Securing the Internet of Things
First and foremost, the Internet of Things must be secured. If Gartner is to be believed, there will be 20 billion connected devices by 2020, but ‘the current playbook for IoT development is still immature’, suggests Paul Curran, content specialist for Checkmarx.
Curran tells Information Age there is not enough attention being paid to securing IoT devices, and this is certainly evident from the already mentioned spate of DDoS attacks that originated from insecure IoT devices towards the end of 2016.
‘There is a palpable fear that a major category of IoT products embedded within a life-critical application such as health, CNI or automotive is vulnerable to a major attack through negligence in software security,’ notes Curran.
An enhancing of IoT security will therefore be a top trend during 2017. At the moment, the factory-grade security setting is not sufficient. This increased level of protection should be implemented within industry groups and by regulatory framework, similar to the GDPR but for IoT devices.
‘Organisations, and especially device vendors, need to plan for this change and start considering how to build a secure software development cycle,’ says Curran.’
The threat to the cloud
The number of organisations using the cloud – in all its forms – has surged over the past five years, and this adoption will continue to increase into 2017 as businesses look to make the best use of big data, or the ‘data revolution’.
Inevitably, this will come under threat. ‘There will be continued growth in cloud breaches,’ says Ian Kilpatrick, chairman of security specialist Wick Hill Group and EVP cyber security for Nuvias Group. ‘It’s an attack vector that contains significant vulnerabilities around identity management and mobility or off-site access.’
Indeed, there has been a sharp rise in the number of cyber attacks going through cloud service providers. Consequently, Kilpatrick suggests, ‘Cloud access security broking will experience significant growth, and there will be more interest in identity- as-a-service (IDaaS).’
Gartner’s prediction that 40% of identity and access management (IAM) purchases will use the IDaaS delivery model by 2020 (up from just 20% in 2016) confirms this.
The rise and evolution of ransomware
In December last year, a new kind of ransomware began targeting individuals. This latest malicious code was called Popcorn Time and it offered its victims a free decryption key (unlocking their device), as long as the person targeted spread it to others and those victims pay the standard one bitcoin ransom.
This is unlikely to affect large organisations, although certainly employees will be at risk, but it demonstrates the constantly evolving and sinister nature of the cyber threat. Ransomworm is the suspected next evolutionary state of ransomware moving into 2017. It will move from ‘a company’s one-time issue to a network infiltration problem’, says Nir Polak, CEO of Exabeam. These ransomworms will guarantee repeat business for the cybercriminals.
‘They not only encrypt your files until you pay up, they leave behind a little present to make sure that their malicious ways live on,’ warns Polak.
>See also: It’s war: the cyber arms race
‘Microsoft,’ he goes on, ‘warned of a ransomworm earlier this year called ZCryptor that propagated onto removable drives.’ By placing a little code on every USB drive, a company’s employees would bring more than their presentations to meetings. Expect to see nmore of this in 2017.
Other 2017 trends
There is, of course, a plethora of cyber security trends that are expected or will be uncovered in 2017. It is difficult to identify the most significant threat, and indeed prevention tools, simply because there are so many.
The death of the password may be a feature that dominates this year, as its insecurity has taken centre stage for a number of high-profile data breaches, such as Yahoo! and FriendFinder Networks.
This, in turn, will give rise to an increase in advanced biometric software that will protect devices, individuals and organisations from cybercriminals. Going further, as BeyondTrust suggests, adaptive and behaviour-based authentication will grow in importance.
Mobility, cloud deployments and increased regulation will drive innovation in identity verification.
Finally, it is evident that known vulnerabilities will continue to be exploited in 2017. The security threat born from BYOD will remain prevalent, as will phishing scams that target those who are ignorant to the security threat.
Education is key
Boardroom strategy will have to change during 2017. This should take the shape of actually coming up with a strategy and making cyber security a boardroom priority.
As part of this revised strategy, employee education should be high on the agenda. This will entail making the workforce aware of the threats, how to avoid them and what to do in the likely event that a breach does occur.
Ultimately, breaches will occur in 2017 just as regularly as they did in 2016. In order to mitigate the damage caused, the boardroom strategy needs to change with an investment in new, combative philosophies and technologies.
A new hope?
Artificial intelligence (AI) offers a chance for organisations to fight back. Not only will AI be able to automatically detect a cyber breach, but it will also be able to heal the attack almost immediately.
Unfortunately, this capability is not yet available to organisations, but John Bruce, CEO of Resilient, says that it is not far off: ‘This is the future of cyber security, and it’s not a million miles out. We’re not talking about this coming in the distant future; it is a conceivable time frame. You can expect to see some exciting developments in the foreseeable future.’
Of course, as Alex Mathews, lead security evangelist at Positive Technologies, points out, the bad guys can also use AI to their advantage. This can take the form of smart malware, which can ‘analyse the environment when it lands on a network to determine if it’s in a sandbox or honeypot, and then conceal its true intentions or delay its actual behaviour to evade detection’.
Dave Palmer, director of technology at Darktrace, also refers to ‘polymorphic malware, which changes its attributes mid-attack to evade detection’. This, he suggests, ‘has reinforced the obsoleteness of signature-based detection methods’. In the wrong hands it is evident that this technology has severe implications.
However, AI used in the right way, in a form of behaviour analyses, can help restore some form of balance to the cyber battleground. ‘Instead of old-
fashioned signature analysis, which is actually useless against unknown malware and zero-day attacks,’ suggests
Mathews, ‘we’ll see the rise of smart security apps that analyse the behaviour of a protected system by building statistical models of normal working processes (machine learning) and looking for anomalies.’ This form of protection will become increasingly popular in 2017.