2018 Security Predictions (Part 8)
Popular targets for hackers in 2018 include blockchain hacks, IoT device security issues, data aggregators, and systems administrators.
Given how fast technology is changing, we thought it would be interesting to ask IT executives to share their thoughts on the biggest surprises in 2017 and their predictions for 2018.
There are a lot of late-arriving predictions on what's ahead for security in 2018. Here's the eighth of nine articles sharing what they told us about their predictions for security moving forward.
IoT is not held to ransom but instead becomes a target for mass disruption.
Disruption of Things: It’s Going to Happen
IoT security must be viewed from three vantage points: securing IoT devices, securing broader IoT systems (and devices connected to those networks), and securing the data leveraged or transmitted by IoT devices. As the number of IoT devices grows and interconnections multiply, correspondingly the viable target for cybercriminals grows. This is particularly relevant within enterprises where industrial control systems, logistical and supply chain sensors, and healthcare devices are critical parts of the infrastructure, with access to proprietary or personal data.
While ransomware of things is feasible, we believe it remains unlikely for 2018 for multiple reasons. However, one new threat which will emerge in 2018 is the disruption of things. The Internet of connected things offers access both to massive amounts of critical data and to disruptive possibilities. By way of example, it will be possible for any attacker with disruption on their mind to steal credentials or insert malware into systems and:
- Infiltrate a network of connected refrigerated trucks and raise the temperature, spoiling food and disrupting social infrastructure.
- Access connected manufacturing sensors and turn off or disrupt manufacturing processes.
- Take down a network of insecure home Internet routers.
- Build a larger and more powerful botnet of things to extract data or demand ransom.
We will also see the integration of a MiTM attack into an IoT network. As more connected devices such as home personal assistants have financial data associated with them, they become a more attractive and lucrative target for attackers.
An increasing amount of malware will become MiTM-aware
Encrypted-by-default: implications for all
The web is moving to encrypted-by-default. Seventy of the Top 100 non-Google websites, accounting for 25 percent of all website traffic worldwide, are using HTTPS by default. Major search engines, social media networks, and shopping sites are investing in the technology to make the web a safer place for everyone.
Meanwhile, to protect personal data and intellectual property, organizations are trying to keep visibility of their web and app traffic by using SSL/TLS decryption and inspection technologies, simply to understand the data which is moving from machine to machine. Such technologies use man-in-the-middle (MiTM) techniques in a legitimate manner.
It’s, therefore, no surprise that cybercriminals and nation-state actors will adapt their tactics, techniques, and procedures accordingly. Malware creators, or those controlling botnets, will continue to take advantage of any environments that are not using SSL/TLS decryption and inspection to hide communications using encrypted communication channels. We will also see other malware attempting to detect or thwart MiTM security techniques by using non-standard cryptography, certificate pinning, and other techniques.
The only effective way to monitor the traffic for Network DLP and CASB analysis is to MiTM the streams, so we see this becoming more common. This will raise privacy challenges, and we also expect to see malware taking this MiTM into account when determining how to act by ceasing execution once it realizes it is under analysis.
Attackers will target vulnerabilities in systems which implement blockchain technology
Cryptocurrency: Can attackers crack the golden egg?
As cryptocurrencies grow in importance, with reports of 1.65 million computers mining Bitcoin in 2017 and threat actors using cryptocurrencies as ways of extracting revenue from cybercrime, Forcepoint predicts that during 2018, the systems surrounding such currencies will increasingly come under attack.
Blockchain technology underpins the transaction ledgers used by most cryptocurrencies. Governments around the world are seeking to legislate and therefore control the providers and users of blockchain-based technologies. The U.S. Department of Defense (DoD) was recently tasked with investigating the potential impact of blockchain compromise following the passing of a bill by the U.S. Senate; its findings will increase demand for more robust security.
We expect to see an increasing amount of malware targeting user credentials of cryptocurrency exchanges (websites that allow users to buy, sell, or exchange cryptocurrencies for other digital currency or traditional currency) in the vein of TrickBot in August 2017.
We further anticipate that cybercriminals will turn their attention to vulnerabilities that exist in various systems which rely on blockchain-based technologies. While the principle of the blockchain makes the insertion of falsified transactions into historical blocks prohibitively difficult, compromising the systems used to make the transactions – for example, the 2016 attack on the DAO which exploited a flaw in the code of the smart contract underlying the organization – will be an attractive proposition for highly skilled attackers.
A data aggregator will be successfully breached in 2018 using multiple attack methods.
Data Aggregators: A goldmine waiting to be tapped
The Equifax breach is a prime example of the breach of a data aggregator holding extremely valuable information. This incident caused significant concerns to consumers – and the full impact has not yet played out. We believe this will be the first of many successful attempts on hosted business applications: those that contain information on a sales force, prospects, and customers, or those which manage global marketing campaigns, for example.
Attackers seek the path of least resistance, and if they can find a weak link in a system which has already done all the work to pull all the crown jewels of personal data together, they will be sure to exploit it. External vulnerabilities are not the only threats here – well-meaning but careless insiders can also cause accidental losses.
Modern working practices rightly allow for anytime, anywhere access to data by employees and authorized third parties (including APIs): with data aggregators offering efficient and effective ways of working which companies have wholeheartedly adopted. However, because aggregators hold huge quantities of data and have so many access points, their complexity creates security challenges, and Forcepoint is concerned that 2018 will see cybercriminals take advantage of these systems and undertake further successful attacks on these firms.
The Equifax breach is a wake-up call for businesses worldwide, which must improve systems so that attackers taking aim at these data goldmines will meet with increased resistance. Working harder is not possible, but working smarter is. Examining the flow of the data through an organization is the only scalable defense mechanism, and by looking for and spotting the misuse of account credentials on a database, malicious behaviors can be identified.
Look out for many of these successful attack vectors targeted towards a data aggregator in 2018:
- An exploit of known vulnerabilities.
- Accidental compromise via employee error.
- Third party compromise leading to a first-party breach.
- A ransomware attack.
- Social engineering attacks.
- Exploits of security misconfiguration.
- Exploits of weak authentication practices.
2018 will ignite a broad and polarizing privacy debate not just within governments, but between ordinary people.
Privacy Fights Back!
In 2015, we predicted that users’ perceptions of privacy would begin to change, as individuals struggled to understand how to live and thrive in a society that was “post-privacy,” and the last two years have seen the steady erosion of the clean line between the “personal” and “public” sphere. Furthermore, continued geopolitical uncertainty, and threats both foreign and domestic, have continued to highlight the perceived tension between individual rights and “security for all.” To date, privacy has not put up much of a fight: we predict that will change in 2018.
Our prediction is based on what we see as the perfect storm between the following four drivers: legal, technological, societal, and political. The confluence of these factors will cause a tectonic shift in the privacy landscape.
Leading the pack in terms of visibility in the security community are legal concerns – mainly under the heading of GDPR, though this is far from the only piece of legislation that impacts how companies handle personal data. With regulations set to come into effect on May 25, 2018, privacy is top of mind for many technologists: compliance is going to drive visibility through 2018 and beyond.
Regulations and guidelines protecting people’s privacy include:
- GDPR, a European-led regulation which will nevertheless affect global businesses who hold or process the personal data of any European-resident citizen.
- EU ePrivacy Regulation, which covers confidentiality of information, treatment of traffic data, spam and cookies, and which will be updated to come into line with GDPR. This will impact cloud service providers and cross-border transfers of data worldwide.
- NIST Special Publication 800-171, a requirement on suppliers to U.S. federal organizations to adequately protect controlled unclassified information (CUI) including the privacy of personal data they are responsible for.
Two other major factors are technological and societal change. Individuals are used to trading convenience for privacy as they use location-based and ID-tracking services on mobile phones and home assistants but accept this predominantly in their private lives. In the workplace, the benefits of a more human-centric approach to security will drive adoption of increased data collection – an effort that must be handled carefully if it is to remain both legally and culturally acceptable.
Despite the importance of these first two areas, societally is where the shift is the most interesting. Here, large-scale data breaches (for example, the Equifax breach) have raised the level of awareness in the general community and shone a light on the role of data aggregators. As the Equifax breach has the potential to impact the average person on the street, privacy has moved from an abstract concept to something actionable.
Lastly, the geopolitics of 2017 cannot be ignored. The world seems less stable, and the rise of populism in the West coupled with the ongoing terrorist threat has once again highlighted the uneasy tension that exists between individual privacy and national security. This has led to the continued discussion of encryption and its role in a free society.
Each area alone could make 2018 an interesting year from a privacy perspective, but together, the stars are aligning to make 2018 the kick-off to what we’re going to call “The Privacy Wars” – pitting technologists against the ordinary person on the street, and splitting opinion in government, at work, and at home. Unfortunately, our assessment is that at least in general, these discussions will be more polarizing than unifying, making little progress toward reconciling legitimate privacy concerns with genuine security needs.
2018 will be the year that the employees will rise up and demand their data be protected. At first, cybersecurity was the domain of IT. Then it migrated to the Board of Directors, where it became part of the fiduciary duty to protect the company. In 2018, everyday business users will become fed up with all the attacks and will demand that their companies do a better job of protecting their data.
In 2018, encryption will finally become usable. Encryption used to be just for the most sensitive data. The technology improved so that encryption could be used with PCs, but it really wasn't used because it was just too cumbersome. 2017 saw encryption migrating to a handful of everyday apps, like WhatsApp. In 2018, encryption will become so easy to use and so prevalent that it will start to be incorporated into everyday business apps like email and file sharing.
In 2018, System Admins will be outed as a central point of attack. The dirty little secret in IT is that every system has administrators, and these admins have very broad privileges to access data. Compromising an admin is a great way to compromise an entire organization’s data, and this vulnerability has been exploited in some of the biggest breaches to date. In 2018, companies will start to address this vulnerability head-on — for example by requiring multiple admins to have to agree before privileged activities can occur.
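One way to enforce the multi-admin agreement described above, as an added example that is not from the original article or any vendor it mentions. The admin roster, quorum size, approval lifetime and function names are all assumptions made for illustration.

```python
import hashlib
import time
from dataclasses import dataclass, field

ADMINS = {"alice", "bob", "carol"}  # hypothetical admin roster
QUORUM = 2                          # approvals needed besides the requester
TTL_SECONDS = 900                   # an approval goes stale after 15 minutes


def action_digest(command: str, target: str) -> str:
    """Bind approvals to the exact command and target being authorized."""
    return hashlib.sha256(f"{target}\x00{command}".encode()).hexdigest()


@dataclass
class Request:
    requester: str
    digest: str
    approvals: dict = field(default_factory=dict)  # admin -> approval time


def open_request(requester: str, command: str, target: str) -> Request:
    if requester not in ADMINS:
        raise PermissionError("requester is not an admin")
    return Request(requester, action_digest(command, target))


def approve(req, admin, command, target, now=None):
    """Record an approval; return False and record nothing if it is invalid."""
    now = time.time() if now is None else now
    if admin not in ADMINS or admin == req.requester:
        return False  # unknown approver, or an admin approving their own request
    if action_digest(command, target) != req.digest:
        return False  # approver was shown a different action than the one requested
    req.approvals[admin] = now  # keyed by admin, so repeat approvals count once
    return True


def may_execute(req, command, target, now=None):
    """True only if QUORUM distinct, fresh approvals cover this exact action."""
    now = time.time() if now is None else now
    if action_digest(command, target) != req.digest:
        return False  # the action was altered after it was approved
    fresh = [a for a, ts in req.approvals.items() if now - ts <= TTL_SECONDS]
    return len(fresh) >= QUORUM
```

The gate only helps if the privileged system calls may_execute itself and refuses otherwise; a check that the requesting admin's own tooling can skip leaves the single-admin compromise path open.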
In 2018, three quarters of companies or apps will be ruled out of compliance with GDPR and at least one major corporation will be fined to the highest extent in 2018 to set an example for others. Three quarters (75.4%) of cloud services were not ready per Netskope’s September cloud report on GDPR compliance readiness. I predict little change by May’s deadline. Most companies are preparing internally by performing more security assessments and recruiting a mix of security professionals with privacy expertise, and lawyers, but with the deadline quickly approaching, it’s clear the bulk of businesses are woefully behind and may not be able to avoid these consequences.
In the aftermath of numerous AWS S3 bucket misconfigurations, businesses will restructure their security tools to prioritize intuitive platforms that anyone can navigate. In 2018, companies will be far pickier about choosing security tools, relying on “best of breed” products that allow easy integration with their other security tools to create a holistic multi-vendor security suite. In light of the cybersecurity skills gap, business leaders will also choose tools that are easy for non-security experts to understand. Leaders without a formal cybersecurity background are increasingly just as critical to the safety of a company’s data as the Chief Security Officer, and companies will invest in tools that everyone can understand.
In 2018, companies will prioritize the cloud to manage security. More than ever, business leaders will search for security solutions that mitigate blind spots across the cloud, including activity conducted across off-network access or on personal devices. Today’s workforce is mobile and distributed; legacy tools can’t see devices that are unattached to an enterprise network (i.e. mobile) so more businesses will turn to independent cloud security companies to more effectively connect the dots.
The security market pendulum is going to start swinging from detection back to prevention, and it will do so on a regular cadence. As new issues are identified, detection companies and solutions will spring up to surround them, converging capabilities to build prevention or auto-remediation tools. With these stacked prevention capabilities, risks will be remediated for a period of time, until the pendulum swings back to detection for the next issue.
Security teams will be continually challenged by answering the question of how to secure containers as more companies make their transition to Kubernetes. With public cloud providers making it easy to run containerized workloads, the attack vectors are entirely new. The continued movement of the shared security responsibility boundary will make this both interesting and challenging, and all eyes will be on how the community responds to secure deployment requirements.
Cloud adoption will increase as a means of strategic differentiation. Whereas traditionally the cloud has been adopted to save money and gain operational efficiency, the digital transformation many organizations have gone through has made this shift far more strategic. Security will, therefore, move away from being a cost center, and become a business driver.
Enterprises will continue to evaluate investments in automation for monitoring as part of a broader maturity strategy. With security teams hugely understaffed and underskilled, a natural shift will occur, for example, from manually watching security incidents to automated monitoring and incident management.
Opinions expressed by DZone contributors are their own.