2018 Security Predictions (Part 9)
Greater sophistication of attacks and quicker breaches of vulnerabilities while organizations focus on securing the cloud and their apps.
Given how fast technology is changing, we thought it would be interesting to ask IT executives to share their thoughts on the biggest surprises in 2017 and their predictions for 2018.
There are a lot of late-arriving predictions on what's ahead for security in 2018. Here's the ninth of nine articles sharing what they told us about their predictions for security moving forward.
Attacks after a vulnerability disclosure will happen faster than ever. While attacks once took weeks or months to emerge after a vulnerability disclosure, today it’s been reduced to about a day. That “safe window” will get even smaller, giving organizations only a few hours to respond.
Federal breach legislation enacted, forcing companies to disclose breaches. Consumers, and thus Congress, are super sensitive to timely disclosure as a result of the recent delayed breach announcements at Uber and at Stanford GSB. Unfortunately, breach disclosure has never been a strong motivation for companies to invest in better security.
Election security will continue to be discussed, with no significant action. Despite strong evidence that our elections have been tampered with, widespread recognition that our voting infrastructure is not well-secured, and multiple ongoing investigations, it is an extremely complex and political problem that will take years to address.
Attempts to undermine encryption by law enforcement will fail. Agencies like the FBI will continue to lobby for weakening encryption to allow phones and other devices to be searched. However, companies will continue to resist these efforts to protect privacy.
Organizations aggressively embrace cloud and DevSecOps. Leading enterprises have already realized that cloud and DevOps are not a threat to security, but the best way to reduce risk. Since the threat is now continuous, companies will need continuous security to go along with continuous integration and continuous delivery. Organizations will prioritize instrumenting their entire stack and applications with best of breed security tools for real-time visibility, protection, and control.
Security budgets will increase focus on application security. Major breaches like Equifax and Uber have shone a light on organizations that are not doing nearly enough to secure their software supply chain. Today, every organization has an Equifax problem and it has created room for even more budget towards improving all aspects of application security.
Fei Huang, CEO, NeuVector
Hacking incidents will continue as an essential threat to enterprises and consumers. Security tools will advance and new techniques will emerge, but so will new hacking attacks and exploits. As enterprises embrace containers and microservices, application changes and new methods of deploying security will become increasingly necessary. The rapid pace of emerging threats will drive the adoption of security technology that features behavioral learning capabilities. At the same time, the need to detect zero-day exploits will increase the use of deep packet inspection techniques to analyze container traffic for malicious activity.
The amount of new ransomware will decrease, but there’ll be more targeted ransomware attacks against companies. 2017 saw some interesting developments in ransomware. There were more new ransomware families and variants discovered than ever before. May’s WannaCry ransomware outbreak was the biggest in history and was followed swiftly by other significant attacks.
We should see fewer new ransomware families and variants. But she also expects companies to face more targeted ransomware attacks.
We’ll still see cybercriminals developing new types of ransomware, but not as much as the past two years. The delivery mechanisms for attacking individuals aren’t really that effective at the moment. But ransomware’s business model is a proven money maker, so we’ll probably see cybercriminals focusing more on conducting targeted ransomware attacks against companies to get bigger paydays from fewer targets.
Biometrics as a form of identity authentication will become more mainstream. Apple rolled out their FaceID feature in the iPhone X earlier this year. Based on the company’s success in marketing new technologies to consumers (the iPhone, the iPad, etc.), more people and organizations will open themselves up to the idea of using biometrics to identify people.
Biometrics have been available for a long time, but they haven’t really been marketed in a way that’s made them seem user-friendly. But Apple’s become quite successful at getting people to start using new technologies, and I suspect that’s what we’ll see here. It’ll start with better Smart Lock features for Android (Smart Lock isn’t really designed for security at the moment), but that will spread to other applications and increased investment, which will then be more actively marketed by device manufacturers, service providers, etc.
Early adopters will begin to regret purchasing smart devices. The Internet of Things is bringing Internet-connected televisions, toasters, and other gadgets into people’s homes. And most of these “smart” devices aren’t particularly secure. In fact, Hypponen’s Law states that if it’s smart, it’s exploitable, making the spread of these gadgets bad news for security.
Early adopters will start to realize that their smart devices aren’t so smart after all. But this won’t be driven by cyber-attacks – it’ll be a lack of service from device vendors.
Internet-enabled appliances need ongoing support to function properly, and that service aspect is a new feature for many devices. I think these services will experience some growing pains in 2018 that’ll burden both manufacturers and consumers. Vendors will want to phase out support for products that are just a couple of years old, which will result in early adopters of those products experiencing bugs and service outages. And vendors will likely respond to complaints by telling customers to upgrade or live with limited functionality, leaving early adopters feeling ripped off and let down by their smart devices and the companies that sell them.
The confusing, messy realities of the GDPR will hit home. The General Data Protection Regulation (GDPR) will come into effect in May 2018. And survey after survey shows that many companies aren’t really prepared for it. But the question of whether companies are ready for the so-called GDPR deadline oversimplifies what the GDPR is and that the real impact for companies will be much more lasting.
May 2018 will see companies introduce their minimum viable product (MVP) version of GDPR compliance. This can be deduced from recurring ‘we’re not ready by May 2018!’ cries from businesses. For example, every country needs a companion law that complements the integration of the GDPR into their national laws. And to date, Germany is the only country that’s done this.
Basically, that means Germany is the only country ready to actually implement the GDPR, so companies based in other countries still have a lot of questions about how to prepare and businesses simply have to get used to living with uncertainties while authorities iron out the practicalities of the regulation.
Companies simply have to establish valid, good faith practices to comply, and understand that some of those practices might need to change. Maybe that sounds scary, but it’ll be the only real option after May 2018. But on the positive side, the biggest causes of fines will remain consistent over time, so companies that improve how they secure data, avoid sending spam, and provide transparency and honesty with how they process people’s data will make things easy in the long term.
Ireland having a lot of US nationals provides a bonus item: how will that affect their use of enforcement powers under GDPR? And will the activities of Irish officials be enough for other data protection authorities? If not, then we’ll get to see the ‘one-stop-shop’ mechanism at work. I think the Ireland case will partially move the discussion from compliance to how the whole project is actually supposed to work.
Cyber centaurs - AI-empowered cybersecurity experts - will become state of the art in cybersecurity. Cybersecurity needs both people (cybersecurity experts) and machines (artificial intelligence) in order to keep up with today’s threats. And security providers are looking for ways to leverage the benefits of both in different ways.
A lot of AI efforts focus on increasing automation or improving traditional security methods (such as signature-based recognition of threats). AI’s potential is much more transformative when combined with human expertise, and we’ll see examples of this in 2018.
The challenge of AI approaches is that it is often hard to truly understand the problems you need to solve without having a high level of domain knowledge. We can address that by working together with cybersecurity experts, but also by using AI to augment and empower experts that have collected years or decades of data through their experiences. This coming year will see more cybersecurity applications that embody human expertise augmented through AI – people I like to think of as cyber centaurs. And perhaps most significantly, cyber centaurs will be able to use AI to improve their own speed and performance and accomplish even more complex tasks faster, leading to the application of AI in areas that many used to dismiss as too complicated or too impractical.
Mass ransomware vs. targeted ransomware. We are seeing a rapid increase in the volume of mass ransomware threats, and this trend will continue over the next 1-2 years. The growing availability of crypto-currencies provides the attacker with the possibility to remain anonymous while conducting mass attacks. By demanding a relatively small payment from a large number of victims, the attacker is able to run a ‘numbers game’ that increases the likelihood that he will earn a profit while remaining anonymous. New cryptocurrencies that are more anonymous than Bitcoin will accelerate this trend, and the small payment sizes make it more likely that victims will pay.
In contrast to the ‘numbers game,’ targeted ransomware involves a focused effort to penetrate a large and often well-protected entity. The successful targeted attack often involves several hours of research as well as trial-and-error attacks. With mass ransomware, attackers can cast a wide net and wait for victims to take the bait. The targeted attack also carries a higher risk of communications with the victim and an increased likelihood of sophisticated law-enforcement resources. Since smaller organizations continue to pay the ransom, mass ransomware has become a threat epidemic and will not slow down anytime soon.
Spear phishing to take enterprise approach. Spear phishing will continue to grow as long as it continues to be successful for cybercriminals. These highly targeted attacks that leverage impersonation of an employee or a popular web service have been on the rise, and according to the FBI, have proven to be extremely lucrative for cybercriminals.
These attacks will continue to grow in number as well as become more sophisticated in terms of how they research and target their victims. In 2018, there will be a large increase of multi-stage spear phishing attacks that involve multiple steps, research, and reconnaissance on behalf of the attacker targeting a small number of targets for very large payouts. Cybercriminals are now taking an ‘enterprise’ approach. Similar to B2B enterprise sales, they go after a smaller number of targets, with the goal of extracting a much greater payload with highly personalized attacks. The latest iteration in social engineering involves multiple steps. The sophisticated cybercriminals don’t try to target company executives with a fake wire fraud out of the blue. Instead, they first infiltrate the organization, and then use reconnaissance and wait for the opportune time to trick their targets by launching an attack from a compromised mailbox.
Organizations will have to invest in cutting-edge tools and tactics in order to thwart spear phishing attackers. Artificial intelligence for real-time spear phishing defense offers some of the best hope in stopping these cybercriminals in their tracks.
Increased complexity of domain spoofing and brand hijacking. Domain spoofing has been rapidly increasing and will continue to grow through 2018. Spoofing is a type of impersonation attack that tricks the victim into thinking that a criminal is someone else. Criminals use domain spoofing to impersonate a company or a particular company employee. The criminals often send emails to customers or partners of the company in order to steal credentials and gain access to company accounts. This is often the beginning of a multi-stage strategy to steal data and commit fraud.
There has been a stark increase in the volume of mass phishing attacks where cybercriminals are spoofing popular e-commerce and consumer brand names and websites aiming to steal information. The actual names of the brands these attackers impersonate are less important than the tactic, as criminals quickly change brand names with new attempts. The goal is to convince the unsuspecting to either download malicious documents or log in to a fake account resulting in surrendered account credentials – which then leads to all sorts of hurtful behavior. Attackers can take user credentials and retrieve credit card information, additional personal information, and learn more about their victim’s online behavior for future social engineering attacks. They will actually build websites that mimic actual brand name websites in the hopes to siphon victims during high times of shopping. Even though these counterfeit sites are not identical to these actual sites of the impersonated big brands, attackers are counting on the fact that most consumers do not buy directly from these brands, and therefore won’t recognize what their homepage actually looks like.
Brand hijacking in both emails and spoofed websites will only continue to grow in the next year, and both companies and consumers need to be on guard, educated, and ready for these threats to come around.
Growing threat of secure bank messages. We have seen a stark increase in email attacks that impersonate secure messages from financial institutions. These fake “secure messages” carry malicious content and malware for download.
Impersonation is one of the most common tactics used in email attacks because it works very well. These impersonation threats leverage the relationship a victim has with his bank and the associated trust the victim may have in his bank’s online communication. A victim who engages in online communication with the bank is usually of high value to these criminals.
These impersonation threats carry malicious Word documents that often appear harmless but include an embedded script that can be updated by attackers at a later date. This script can be modified to deploy a variety of threats including ransomware or advanced persistent threats. These attacks are very difficult to spot by end users as the email domains used in this attack are designed to look like real emails that customers might receive from an actual bank. The volume of these attacks is rapidly increasing, so plan to see more of these fake secure messages in the coming year.
2017 took us well into the cloud generation, and as we look ahead to next year we’ll continue to see growth trends around cloud automation as APIs are being leveraged more and more to help automate security controls. It will also become more critical than ever for organizations to understand public cloud environments in order to keep workloads and applications secure. There’s still a lot of confusion about security in the cloud, and much of that starts with responsibility. It’s important to understand that if your data and applications are in the cloud, it’s your responsibility to secure them. We’ve seen some great strides in public cloud functionality this year, and there’s no doubt it will continue to advance, but now it’s time for the companies using the cloud to catch up. I am optimistic that 2018 will be the year where customers begin to find their part of the shared responsibility model (SRM) more actionable and begin to accelerate the deployment of more risk-sensitive workloads into the public cloud.
If this proves to be the case, there’s no reason we shouldn’t expect to see public cloud adoption continue to spike. Especially if you consider the reasons that organizations cite for not using the cloud — security often sits at the top of that list. And the timing for a better understanding of the shared security model would be ideal as well because if there’s one thing that history tells us about cybercriminal activity, it’s that the attacks typically follow large audiences. Public cloud adoption will go on, but there will be more pressure on IT to fully understand the public cloud and hybrid deployments, as well as unauthorized SaaS adoption across the company. Due to the potentially big payoff and increasing opportunities, attackers will continue to explore public cloud deployments for weaknesses to exploit.