Though we’re barely more than a month into 2017, news reports are already flooding in describing cyber security attacks carried out this year.
Sports Direct, for example, lost the details of 30,000 workers in a data breach. The Dark Web’s Freedom Hosting II web-hosting provider was taken down for multiple days following a cyberattack. Even the rise of fake news and its influence on the 2016 U.S. Presidential election is awakening in consumers a new awareness of the impact digital manipulation can have.
With these and other threats in mind, what cyber security issues can we expect to see more of as the year progresses? We’ve compiled the best predictions from some of today’s top analysts to help you understand what to watch out for this year.
Certainly, the world has more at risk than the five weaknesses described below. We’ll describe some of the other cyber security predictions on the table for 2017 later in this article, but at the very least, you’ll want to familiarize yourself with these specific threats:
2016’s Mirai attacks leave little doubt about the inherent risks involved in unsecured (or even marginally secured) IoT technologies. All kinds of IoT devices interact with central command and control apps via web services APIs, and these APIs are vulnerable to attack. Perhaps unsurprisingly, we’ve hardly scratched the surface of what’s possible here.
A few specific predictions the experts have raised:
Security of IoT will become a life-threatening issue
Though many past attacks focused on generally-innocuous IoT tech – routers or thermostats, for instance – Shehzad Merchant of Infosec Island sees significant potential for the expansion of these crimes to the health and medical technology many patients rely on. He states:
“The IoT devices coming online today range from heart-rate monitors to insulin pumps to automobiles. Think about the potentially life-threatening challenges that can arise – especially when device security has most often been an afterthought. The whole model needs reversing – with security as the top priority.”
IoT threats on a larger scale
In a recent article for CIO, writer Sharon Florentine quotes Cyber adAPT’s Scott Millis, another expert expressing concern about the wider potential of IoT attacks:
“I’m not worried about things like, if my connected showerhead turns on hot or cold. I think there’s a fairly significant chance we’ll see a major hack on power grids or on transportation systems like rail in 2017. This is the ‘dumb’ IoT that’s still out there — the technology from the 1950s and 1960s that’s powering these critical infrastructure systems that is almost totally unsecured.”
Though most consumers don’t see power grids, railway systems, avionics platforms and other types of infrastructure as being related to household IoT devices, many are subject to the same critical weaknesses, according to Millis. In these cases, however, the impact of DDoS attacks could be significantly more catastrophic.
Related to the issue of IoT attacks is the growth and development of ransomware and ransom attacks, as hackers gain access to unsecured applications and demand payment from businesses or individuals in return for leaving their data and systems unharmed. As Rob Conant, CEO at IoT and cloud platform provider Cirrent says:
“Holding data for ransom is one thing, but shutting down the electricity grid, cars, or traffic lights is quite another. Entire cities or regions could be impacted.”
As an example, Conant referred to a 2003 blackout in the US Northeast, which was partly due to a software failure; it cut off electricity for more than 55 million people, caused 11 deaths and resulted in an estimated $6 billion in damage.
“Most don’t attribute this sequence of events to a bad actor, just a series of bugs and bad coincidences. But a similar series of events could be caused by bad actors, and these bad actors could create these events for their own economic gain. Would electric utilities pay to prevent this kind of damage? Would politicians? Would businesses?”
In 2016, US hospitals were hit by a wave of ransomware attacks that disrupted their operations by denying them access to pertinent file systems. This year, several experts have pointed to an even more worrisome hazard for the medical industry – the potential for medical IoT devices to encounter ransom attacks.
The FDA have alerted medical device manufacturers and there have been other cyber ransom warnings justifying this prediction, which could see life-threatening attacks on individuals with implanted medical devices.
The question facing consumers is how security versus convenience should be prioritized; the risk in 2017 is that lax password usage could result in identity thefts and other data breaches that could have otherwise been prevented.
In a presentation compiled by IBM Analytics, Tyler Carbone, COO at Terbium Labs, shares what’s at stake:
“The security versus convenience debate will enter the public eye as high-profile companies suffer incidents that could have been prevented with two-factor or strong passwords.”
Matt Dircks, CEO of Bomgar, quoted in Florentine’s article, is another professional anticipating increased traction for password management services:
“What we’re talking about is credential vaults. In an ideal world, a user would never actually know what their password was – it would be automatically populated by the vault, and rotated and changed every week. Look – hackers are intrinsically lazy, and they have time on their side. If you make it harder for them, they’ll go elsewhere rather than invest the energy to chip away.”
In many ways, the question of how consumer-password security should be handled touches on a larger question facing the cyber security industry: who is responsible for keeping people safe?
Merchant expects to see a shift in responsibility in 2017, stating:
“Service providers have historically taken a relatively agnostic view towards security. But as part of the push toward regulation, they will be forced to take a more active role – especially as they are in the best position to do something about security in the world of IoT, and will likely soon be regulated to do so.”
Bob Stasio, CISSP Senior Product Manager of i2 Enterprise Insight Analysis, quoted in the IBM presentation above, believes we’ll begin to see corporations take an increasingly proactive approach to security:
“Private sector companies will increasingly participate in military style ‘wargames’ to test the readiness of their cyber security organizations.”
Beyond the challenges that lax password usage, unclear cyber security chains-of-command and unsecured, digitally-connected tech pose, mobile devices and mobile applications are increasingly being recognized as an entry point for cyber attacks. It’s hardly surprising – mobile endpoints are growing every day as we consume services from more and more applications.
This is especially worrisome, as a report by Lookout in partnership with Ponemon Institute has determined that, for an enterprise, “the economic risk of mobile data breaches can be as high as $26.4 million and 67 percent of organizations surveyed reported having had a data breach as a result of employees using their mobile devices to access the company’s sensitive and confidential information.”
Mobile security challenges manifest in a number of different ways:
User behavior puts mobile devices at risk
Millis points out that “Many users feel they can protect their privacy while having secure, uninterrupted access to business and personal services. And still many people subscribe to the view it is not they who are accountable for security breaches; if they can work around ‘security’ to improve their user experiences, they will.”
Delivering email and calendar data over SSL to a single, approved OS won’t be enough to circumvent this issue; as a result, those implementing enterprise security must be even more proactive about balancing safety with experience.
Mobile platform weaknesses
McAfee’s “Mobile Threat Report” raises a number of additional mobile security threats, both those driven by user behavior and those arising from exploitable vulnerabilities in mobile technology and applications:
Finally, Millis highlights the growing threat of mobile payment solutions. “Mobile payments, too, will become a liability. MasterCard’s ‘selfie pay’ and Intel’s True Key are just the tip of the iceberg. Individuals should understand that they need to treat their biometric data just as carefully as they do other financial and personal data; again, that comes down to education and training.”
It’s a scary prospect, yet it’s one that a growing number of cyber security experts feel should be put on the table in 2017. BeyondTrust, for example, leads its list of predictions with the following statement: “The first nation state cyber-attack will be conducted and acknowledged as an act of war.”
WatchGuard Technologies expands on what a “Cyber Cold War” might look like in its prediction video:
On the way that cyber warfare could create a leveling effect among nation-states, Merchant concludes:
“In a world that’s been dominated by traditional military might, cyber may become a great equalizing force. Smaller nation states, in particular, will take a more active role, investing in building cyber warfare and intelligence capabilities. No longer does it require a huge army to knock out a national power grid or inflict significant physical damage.”
Again, the threats described above aren’t the only ones we’re facing in 2017. The experts cited above, as well as others, raise a number of additional concerns, including:
Perhaps most concerning, however, is a prediction from Gartner’s Security and Risk Summit which suggests that, “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”
Cyber security risks are nothing new, and they aren’t going to stop coming in 2017. It is those companies that take a proactive approach to understanding both what’s out there already and what’s coming on the horizon that will be best positioned to protect themselves, their data and their users.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Before this, as the CTO at Indusface, Venky created the product/service offering and technology team from scratch and grew it from ideation to initial customers with a proven, validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management and leadership roles in Product Development, Professional Services, and Sales at Entrust.