When we asked 25 IT security executives this question, we heard two themes: 1) the threat landscape is expanding exponentially; and 2) more sophisticated hackers are making a lot of money.
Expanded Threat Landscape
- 1) Politically motivated attacks. Cyber warfare is driving regime change. We’ve moved from weapons to cyber warfare. 2) Ransomware. 3) IoT (e.g., Dyn attack). People don’t worry enough about security and end up keeping things on default values.
- Mobile is the most vulnerable because there’s no news about hacks; however, they are taking place. IoT and mobile will shift to cybercrime with ransomware on refrigerators. Need to test for mobile and IoT vulnerabilities. There will be watershed events on both in the coming year with ransomware being the big issue.
- IoT devices. Vendors are still deploying products with default passwords or vulnerabilities. Advanced phishing techniques download malicious apps. Google began rejecting all Symantec SSL certificates.
- Shift toward DevOps, Cloud, Mobile has changed how we monitor and respond. There are fewer system administrators and more software developers. This impacts the skillset of what’s needed. Criminals are opportunistic and will find the low hanging fruit.
- All the places where software is now that it didn’t use to be – smartphones and IoT devices as opposed to just websites, browsers, and operating systems. You need a strategy for servicing and patching bugs in the wild. Encrypt data in transit. We have webcams with default passwords and backdoors left in by intention or ignorance. Changes in the processing landscape have given hackers access to thousands of cores to conduct brute-force attacks. State actors are listening to everything. 15 years ago we worried about credit card data. Today it’s heart monitors, data streams of locations, and biometrics.
- The rise in the number of IoT devices has led to a more relaxed atmosphere with regards to secure coding. Companies want to get the devices out the door at a low cost, with a low coding expense. This results in using insecure coding calls that don’t track user bounds and leads to buffer overflows – a problem that was solved years ago. A lot of firmware development is being done overseas by self-taught developers that don’t emphasize security. Companies will take for granted that what they get is secure instead of checking the firmware for security once it’s in house. You can use Veracode or HP Verify; however, how do you know there are no vulnerabilities when you combine them with third-party applications and device drivers? You need to check the security of your devices after the compilation process.
- More cloud, IoT, open source, and OpenStack that lack security controls. Without standards or controls to rely on, there’s an increased risk of adoption. We are also dealing with shared security on clouds. Prevention, detection, and response alone are not enough. You need to worry about all three. You need to prevent hackers from coming back. There needs to be more sharing and automation for threat hunting so you can respond to modern hackers.
- A lot of attention is being paid to attribution, ransomware, compromise attacks, and IoT attacks. These are challenging operational capabilities since we’ll have 40 billion devices by 2020. We lack the talent and the capability to prevent breaches today. The biggest challenge is educating those who are not educated – people who don’t know what they don’t know and aren’t interested in learning. We expect vendors to take care of the security of the devices they’re selling us but they’re not. In the transportation (automobile) industry, three of four vendors are providing a key component with security controls; however, these controls are not being implemented during installation the way they were intended due to lack of CPU power or lack of LAN access. Taking old technology and bolting it on to new technology just opens us up to DDoS attacks that could stop all transportation the way BART was stopped. Tracks and trains can be hacked. Filters on Flash and macros in Office 365 can be overridden and this can lead to significant unintended consequences. How do we see and act on these unintended consequences?
- The advent of cloud access security or cloud security as a service. More companies are using the cloud with Microsoft Office and Google’s G-Suite. We extend threat protection to the cloud including sandboxes and DLP.
- From attacks on endpoints to attacks on servers. In banking, we used to worry about malware and Trojan horses targeting PCs and mobile devices. Now hackers are attacking the core enterprise systems, including the ERP. They’ve moved from stealing credit card data to more valuable information like healthcare data.
- IoT devices are not being patched. Already in support and more are coming out. It's a very human-intensive process. And it's hard to sell people on patching webcams or refrigerators that need to run software updates. We need the ability to automatically update the firmware. Develop the strategy when supporting any device.
- Companies have been developing and deploying more and more apps to the cloud in the last two to three years providing new risks and new risk vectors. Security has been around for 20 years but app and IoT developers fail to follow best practices. It’s a mess that’s going to get worse.
- In the development and operations world, change is needed in application security. Application security is not keeping up with CI/CD. We have the same issues as we’ve had for the past 10 years – SQL injection and cross-site scripting continue to be big issues. There has not been a lot of innovation. We need new strategies with CI/CD to integrate security tools into CI.
- Perimeter defense is gone in light of mobile phones, web cameras, the internet, and Ethernet. Now you must complement the traditional perimeter defense. Design to be cloud-based first. You must be able to detect movement in space. IoT must be hardened – the security of the device and the gateway.
- 1) For the modern-day CISO, the proliferation of cloud-based mobile apps has dramatically increased the exposed surface area of the business. Each new app requires and enables access to organizational data and assets, and unless the security team was explicitly involved in the app’s creation, acquisition, and delivery, users inside and outside the organization may have access to data and the ability to expose it without the CISO even being aware. 2) This challenge of visibility is compounded by the lack of standards by which organizational data and assets are shared and exposed. Different business units may adopt their own approach to security, or perhaps not take one at all, making the CISO’s job of propagating security best practices unwieldy.
- The landscape has been changing for a while. We are seeing most attacks residing on the application level. The reasons are clear: peripheral security such as network security is already a commodity and hackers don’t need to struggle avoiding firewalls and IPS systems when they have applications that are a direct communication channel to the enterprise data. The same goes for endpoint protection; exploiting vulnerabilities in web and mobile applications is much less time consuming and achieves better and faster results. Therefore, the change we are seeing is that the hackers have figured out the code to be a weak spot in many cases because developers rarely have the skills or the proper tools to identify when they expose a vulnerability in the code.
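Two of the points above (that SQL injection and cross-site scripting are the same application-layer issues as ten years ago, and that attackers go through the application because it is a direct channel to enterprise data) are easier to see with code than with prose. The following is an added example, not code from the article or from any of the vendors quoted; it uses an in-memory SQLite table with constructed sample rows, and the table, function and payload names (`users`, `lookup_user_unsafe`, `lookup_user_safe`, `render_greeting_unsafe`, `render_greeting_safe`, `SQLI_PAYLOAD`, `XSS_PAYLOAD`) are assumptions made for the illustration. Each vulnerable function is shown beside its hardened form.

```python
"""Added example (not from the original article or the quoted vendors).

Shows the two perennial application-layer bugs named in the survey, SQL
injection and reflected cross-site scripting, each next to the fix that has
been standard practice for a decade: parameter binding and output encoding.
All data below is constructed for the example.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the user-supplied value is spliced into the SQL text, so
    the attacker controls the SQL grammar, not just a value in it."""
    query = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: parameter binding sends the value separately from the SQL
    text, so it can only ever be compared as data."""
    query = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: reflects untrusted text straight into HTML (reflected XSS)."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: HTML-encode untrusted text before it lands in markup.
    quote=True also encodes quotes, which matters inside attribute values."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed attacker inputs (assumed names).
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo() -> dict:
    """Run both attacks against both versions and report what each returned."""
    conn = make_db()
    return {
        # The tautology turns the WHERE clause into 'always true': every row leaks.
        "sqli_unsafe_rows": lookup_user_unsafe(conn, SQLI_PAYLOAD),
        # The same string is now just a username nobody has: no rows.
        "sqli_safe_rows": lookup_user_safe(conn, SQLI_PAYLOAD),
        "xss_unsafe_html": render_greeting_unsafe(XSS_PAYLOAD),
        "xss_safe_html": render_greeting_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point for a CI pipeline is that both fixes are mechanical and testable: a unit test that feeds `SQLI_PAYLOAD` and `XSS_PAYLOAD` through the data-access and templating layers and asserts on the result (as in `demo()`) is the kind of check that can run on every commit without a separate scanning tool.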
More Sophisticated Hackers
- The threat space has changed – there are new groups and new tools. The tech space has also changed with mobile and IoT. New monetization techniques like ransomware. Liquid, easy-to-use currency like bitcoin has enabled a new marketplace of tools to come into the market in the last two years. While black hats still go after individual users, they’re more likely to go after big money from larger organizations like hospitals, governments, and businesses, including law firms. A lot of attacks are taking place and payments being made with no reports since they are not required. It’s hard to know what’s really going on. Companies are making six-figure settlements without reporting the breach because they don’t want their image tarnished. Most of these are endpoint and application security vulnerabilities.
- Based on a study from Accenture, 70% of threats are from internal sources (i.e., disgruntled employees). Cyber threats have become more organized whether they’re corporate espionage or state-sponsored threats. Attacks are more sophisticated. According to an Intel study, there’s been a 170% increase in ransomware with malicious code put on the database. There has also been a growth in advanced persistent threats. Hackers quietly siphon passwords and encryption keys maintaining a low profile with no indications of compromise. This type of activity is harder to detect. No network is 100% impenetrable. It helps to track behavior and correlate it versus threat data to proactively shut down the attack before significant damage is done. Also, make sure to profile and identify suspicious behaviors and shut them down.
- Nation-state attacks used to be the most sophisticated. Today, even middle of the road hackers are sophisticated. We’ve become more aware of zero-days on shelf malware ready to hit. We’re much more responsive than we used to be. More sophisticated attacks are happening daily. Healthcare and retail are particularly scary.
- Threats are multifaceted, using well-known infrastructures. Social engineering. The most sophisticated use platforms like Dropbox, HubSpot, and other distributed techniques that are freely available. A slow-cooker payload may be delivered in 50 days. Temporal difference across different application platforms (i.e., Twitter, Box, Dropbox) is much more complicated. Command and transport. Layer of obfuscation – not a blacklisted domain; payload delivered to a CRM used as a proxy to another infrastructure. This is very complex.
- Hackers are targeting large corporations. Hackers are more sophisticated. Larger organizations have so many points of entry that are not closed. A directory with an org chart opens a company for social engineering attacks. Everything is becoming more connected – BYOD, laptops, mobile connecting to Wi-Fi.
- We see criminals making more money from the internet than any other area. Ransomware attacks on banks. The internet can generate more money. I expect this to continue and grow. Customers are more computerized. The manufacturing supply and demand chains are all connected. Vulnerabilities will increase. Organizations need to ramp up cyber security capabilities. Attackers are using second vectors to attack the target using social engineering.
- There are more distributed, scalable attacks with cloud and containers. Cybersecurity threats are distributed. There is no longer a known signature. Indicators of compromise and attack are distributed. How attack patterns change, shift from tools, gain access to reconnaissance. Leverage attributes of the environment to take advantage of them.
Have you noticed any changes that were not shared here?
Following are the executives that shared their perspectives on this question:
- Kevin Fealey, Principal Consultant and Practice Lead Automation and Integration Services, Aspect Security
- Carolyn Crandall, CMO and Joseph Salazar, Technical Marketing Engineer, Attivo
- Amit Ashbel, Director of Product Marketing & Cyber Security Evangelist, Checkmarx
- Ash Wilson, Strategic Engineering Specialist, CloudPassage
- Paul Kraus, CEO, Eastwind Networks
- Anders Wallgren, CTO, Electric Cloud
- Alexander Polyakov, CTO, ERPScan
- Patrick Dennis, President and CEO, Guidance Software, Inc.
- Craig Lurey, CTO, Keeper Security
- Boaz Shunami, CEO, Komodo Consulting
- Eric Tranle, Global CMO, and Darrin Bogue, Senior Solutions Engineer, LogTrust
- David Waugh, V.P. Sales, ManagedMethods
- Mat Keep, Director of Product Marketing and Analysis, MongoDB
- Aaron Landgraf, Senior Product Marketing Manager and Kevin Paige, Head of Security, MuleSoft
- Fred Wilmot, CEO, PacketSled
- Gary Millefsky, CEO, Snoopwall
- Wei Lien Dang, V.P. of Products, StackRox
- Cody Cornell, Co-founder and CEO, Swimlane
- Terry Dunlap, Founder and CEO, Tactical Network Solutions
- Chris Wysopal, Co-Founder and CTO, Veracode
- Yitzhak Vager, V.P. Cyber Product Management and Business Development, Verint
- Prabath Siriwardena, Director of Security Architecture, WSO2