2017 Security Surprises (Part 2)
Large-scale, high-profile security breaches paired with organizations' inability to execute a sound and thorough security program.
Join the DZone community and get the full member experience.Join For Free
Given how fast technology is changing, we thought it would be interesting to ask IT executives to share their thoughts on the biggest surprises in 2017 and their predictions for 2018.
Here's the second of two articles (you can find the first here) sharing what they told us about the biggest surprises about security. We'll cover predictions for 2018 in several other articles.
Blockchain, a game-changing technology that facilitates secure exchange of value, showed tremendous adoption progress in 2017. It went beyond Bitcoin and is seen as a new competitive weapon for many industries even outside Financial Services. Some interesting/surprising points to add include:
- Blockchain is a hyper-growth market: $1.5B venture capital Investment in Blockchain startups to date*; +59% projected growth in capital market spending in Blockchain technologies**, and $100B projected savings on key financial services, insurance, and identity fraud prevention use cases.***
- Hearing more on Cryptocurrency: The value of Bitcoin, a cryptocurrency and a payment system built on Blockchain technology is currently pegged at $8200.
- The rise of Initial Coin Offering (ICO): Pre-IPO companies in the Blockchain space raised significant money through ICOs. File Coin and Tezos each raised >$200M each via ICOs.
- Increased Regulations: Governments began aggressively setting up smart regulations on crypto assets as a new asset class.
- Pilots: Already companies such as HSBC, Visa, and Walmart are testing pilots that have business value. For example, Walmart is reducing the time to find food safety issues from 6-8 days to 3 seconds (Walmart/Visa/HSBC examples are all public info).
- Enterprise trailblazers using permissioned Blockchains are undertaking digital transformation efforts, running key proof of concepts that significantly improve time and cost, and reduce risk and fraud (e.g.: Fraud Prevention, which has the power to save $100B for Financial Services, Trade Finance, Cross-Border Payments, Food Safety Networks, Health Records).
One of the biggest security events in 2017 was ROCA (Return of Coppersmith's Attack). What happened is that the ROCA vulnerability exploited a flaw in a software library that generates RSA keys— essentially it is a practical mathematical attack that allows an adversary to reveal secret keys on certified devices, such as Infineon's Trusted Platform Module (TPM), which is used in countless computers and gadgets. The problem lies therein with how Infineon implemented the encryption on their TPMs, essentially taking a "shortcut" which now affects thousands, if not millions, of devices, such that it's possible to calculate someone's private key by just having the public key, enabling attackers to potentially gain control of computers and decipher data. The vulnerability has far-reaching ramifications. On a deeper level, crypto, as we know it, is fragile, and we should think about how to better implement crypto standards in the wake of these types of security events.
Last year’s DefCon saw new black hat tools employing machine learning and genetic algorithms to obfuscate malware and foil next-gen anti-virus solutions.
The biggest surprise in 2017 was the massive increase of new, sophisticated, large-scale, and rapidly spreading malicious cybersecurity attacks in the form of ransomware. WannaCry, Locky, Petya, and others have demonstrated the power of ransomware, and over the past year, its developed into a widespread concern for businesses and for consumers.
From a security standpoint, it would be the growing prevalence of insider attacks. There’s no doubt that organizations are getting better about combatting external threat actors, but they also need to start doing their due diligence around the PEBKAC (i.e., Problem Existing Between Keyboard and Chair) issue. A new report commissioned by Cybersecurity Insiders explores this threat further and sheds light on the fact that insider threats can be more damaging than previously thought because of the level of access to sensitive and proprietary information that insiders have. And it’s not always malicious actors who are causing the biggest problem; in fact, careless users who open doors to vulnerabilities continue to be the root cause of the most successful exploits.
Harry Picarriello, Chief Marketing Officer, GigaTrust
The number and size of the hacks (Equifax, Uber, etc.) and the yet to be determined impact on the general population.
For many, the big surprise of 2017 was the frequency and scale of ransomware and other types of cybercrime throughout the year. Between WannaCry, NotPetya, the Equifax breach and others, we saw ‘the largest attack in history’ multiple times in a span of months. Without a doubt, the biggest surprise, however, was the clear validation of the lip service paid by so many management teams when it comes to data security. 2017 saw several huge companies, some of whom boast about their security, infected or breached due to a host of management failures including what can only be described as a total inability to execute. At least two major companies were infected more than once. One of them publicly announced no changes were coming to their security investments. Management teams, and more importantly shareholders, need to wake up: cyberattacks are a “when” not an “if.” Resilient IT strategies, ones that ensure data and applications are protected and recoverable to the point just before an attack occurs, can significantly reduce the impact of attacks and perhaps even prevent the company from being flashed in headlines as next in a long line of businesses to be caught mired in old, failed approaches.
In the past two years, we’ve seen multiple cases of compromises in the “Software Supply Chain,” which delivers trusted software and updates to our systems for execution; and the impact of those compromises has continued to escalate. In 2017, attackers compromised a Ukrainian software company and distributed a destructive payload with network-worm capabilities through an update to the “MeDoc” financial software (NotPetya campaign). After infecting systems using the software, the malware spread to other hosts in the network and caused a worldwide disruption affecting many organizations.
In each case, rather than targeting an organization directly through phishing or exploitation of vulnerabilities, the attackers chose to compromise software developers directly and use the trust we place in them to access other networks. This can be effective at evading certain prevention and detection controls that have been tuned to trust well-known programs.
For me, the biggest event was absolutely the entire WannaCry mess. From the Shadow Brokers releasing pieces of the NSA’s exploitation tools (ETERNALBLUE and DoublePulsar, specifically) to those exploits being integrated into WannaCry and then the massive impact those vulnerabilities had on some major corporations. While it appears the authors behind WannaCry didn’t profit substantially from the attack, the hit on the operations of major multi-national corporations was not minor.
Without question, the degree of sophistication, scope of the attack, and pervasiveness of threat in the use of social media to influence political events has been the most concerning threat actor I observed during 2017. While on the surface, this seems like the kind of PYSOPs and propaganda of the past, the use of automation and big data has enabled relatively small numbers of adversaries to outsize influence at the national and state levels. There aren’t easy answers here on how to balance free speech, free markets, and defense against these threats, but they pose a serious existential challenge to western democracies.
What was most interesting to me about recent, high profile security breaches is that things like patch management, or lack thereof, brought to the forefront the need for companies to change how they approach security. This means a seismic shift to strategic planning and better governance practices. The knee-jerk reaction would be for organizations to just focus on patching and make that their approach…but that’s a losing battle. A strategic approach to security would consider where the organization’s assets are and the associated risks to the business if those resources were unavailable or compromised in some way. The next step is to design a patching strategy where the patches are considered thoughtfully as it relates to the risk exposure for each asset. You need to have a layered set of controls, from the perimeter of your organization all the way down to the data sitting at rest on that server. Patching is just a part of the solution.
The biggest surprise of 2017 is that most of the industry still treats iOS as if it is not a computing platform from a security perspective. Apple has done a great job vetting apps in the App Store, but 2017 has seen a record number of iOS vulnerabilities and the most frequent security updates ever. iOS is a computing platform, and like all computing platforms, it is susceptible to attacks. Over half of Zimperium’s millions of endpoints are on iOS; our customers know that every computing platform can be exploited and are taking steps to defend themselves.
The biggest surprise is that, despite the burgeoning total of security budget being spent, things are getting worse. Period. In general, attacks are getting more severe and the way to monetize information is getting more sophisticated. We’re in the age of using cyber weapons to influence the elections — what we only thought could happen in science fiction is actually happening in reality. There’s a vast underground market of attacks and those individuals are successfully stealing information, monetizing it, and becoming richer. This is not the ‘good old-fashioned crooks’ moving to digital assets — the stakes are higher, data is too easy to steal, and it’s much more valuable than it has ever been before. Earlier when the thieves broke into a bank it was just the money in the vaults that was at risk. Now, the cybercrime can cascade across multiple entities and impact millions of individuals and within a much shorter time.
We’ve had some massive security breaches unveiled this year. While they were massive, headline-grabbing events, I wouldn’t consider them to be surprising. This is a trend that isn't losing steam, especially as companies aren't adequately incentivized to protect customer and consumer data. The risk of non-compliance is viewed as nothing more than the cost of doing business, a cost solved for via little-understood cyber insurance.
Perhaps the biggest surprise is that regulatory guidelines continue to offer little more than a slap on the wrist for non-compliance with privacy, data protection, and breach notification rules. Without any changes, we're going to continue to see this kind of behavior well into 2018 and beyond. And if you think there aren't dozens of other instances just like what we’ve seen this year with companies like Uber, Yahoo!, and Equifax, then we're burying our heads in the sand and claiming ignorance is bliss.
Opinions expressed by DZone contributors are their own.