Perhaps the most inherent threat to the cyber world is cybersecurity itself. Because cybersecurity threats evolve constantly and rapidly with the nature of the latest risks, traditional security strategies have been to target resources at the most critical systems and create policy and procedures that address the most obvious threats, leaving less-traveled systems and less-valued data less protected.
One industry CTO recently stated that the threat is advancing quicker than we can keep up and the threats change faster than our idea of risk.
Charting the Cyber Risk
“Cyberspace has become the new battlefield for modern warfare, providing state-sponsored malicious actors with an inexpensive, highly effective and globally accessible platform to steal money and wreak havoc. Cybersecurity researchers are increasingly reporting the use of malicious activity that they suspect is state-sponsored, including ransomware attacks and threats against infrastructure,” says Anthony J. Ferrante, Senior Managing Director and Head of Cybersecurity for FTI Consulting, who adds that the CrashOverride malware used to cause the 2015 and 2016 power outages in Ukraine is another red flag that demonstrates the types of targets politically motivated malicious actors are pursuing.
Ferrante adds that private industry and businesses must be prepared for critical areas such as healthcare and other public safety systems to become targets and take steps to protect themselves.
“We expect more exploitation of information as a weapon for financial, political and other gains. As we’ve seen numerous times, including with Equifax this year, these breaches can have a huge reputational and financial impact. Cybersecurity professionals must be prepared to stay ahead of malicious actors to ensure they are not gaining entry to sensitive files and email communications,” concludes Ferrante.
As the New Year approaches, we wondered what industry experts consider the top-of-mind threats for 2018. There were myriad risks and vulnerabilities brought forth, but the specter of increased consolidation of devices and the growing interconnectivity of “things” ranked extremely high.
Internet of Things Looms as The Elephant in the Room
John Grimm, chief strategist for cloud and IoT security for Thales eSecurity, says that recently discovered vulnerabilities are bigger and more impactful than ever before, such as those in the Controller Area Network (CAN bus), which is found in all cars. The CAN bus is a robust vehicle bus standard designed to allow microcontrollers and devices to communicate with each other in applications without a host computer. It is a message-based protocol, designed originally for multiplex electrical wiring within automobiles to save on copper, but is also used in many other contexts. Rather than being based on specific products or specific vendors, these vulnerabilities are something bigger and more wide-ranging. Some products that have been around for years are now facing vulnerabilities, which Grimm says are causing us to question trust in existing and new products.
“We will start to see an acceleration of consolidation. The number of IoT products and platforms is growing, as well as the number of security bodies, initiatives and standards that are coming out. It is inevitable that we’ll begin to see consolidation of standard activities, particularly around IoT platforms, with over 300-400 platform products available now. As the market matures, there won’t be nearly as many products available as there are now,” says Grimm. “As we look at the IoT, especially at OT-type environments and manufacturing plants, where there are industrial-type systems that are all connected, we’re starting to see how the operational world and the traditional IT world will come together. We will see a continued merging of traditional safety (e.g. safety of employees) and IT security. And the more connected devices we see, the more prevalent this integration will become.”
He adds that we will continue to see product manufacturers, particularly on the consumer side, with either no security or very poorly implemented security, pointing out that consumer awareness of security issues around the IoT will start to increase, but probably not enough to impact their buying behavior. He also says that consumers are interested in the features and cost of the products, and security isn’t going to stop them buying products just yet, but we will see early signs. This awareness will be driven by news coverage of breaches, hacks, and other security issues.
“The exciting tools in IoT right now are the analytics tools that try to make sense of all the data and the visualization tools that try to bring the analysis to life. Vendors of these solutions are seeing their prospects and customers ask harder questions about data protection. We can definitely predict that questions will be asked to providers of these tools, as people begin to explore the next layer down and not just focus on how the product appears. It gets particularly “sticky” in the healthcare industry when we think about IoT devices and personal data,” concludes Grimm.
Corey Nachreiner, Chief Technology Officer at WatchGuard Technologies, has an even more dire prediction related to IoT infrastructure, saying that IoT botnets will force some governments to regulate IoT device manufacturers, and citing as an example the 2016 Mirai botnet attacks that crippled websites like Twitter, Reddit and Netflix with record-breaking DDoS interruptions. He says IoT device adoption continues to skyrocket, adding billions of new network endpoints every year, and that because of weak or non-existent security, attackers continue to target these devices both in development and deployment.
“Attackers have already started improving on the Mirai source code, which will mean larger and stronger botnets in 2018. For example, the Reaper botnet actively exploits common vulnerabilities in IoT devices to gain access to the devices instead of relying on a hard-coded credential list. As attacks continue to grow in effectiveness, the damage they cause will grow to match until the IoT manufacturing industry is incentivized or forced to add stronger security to their products. Be on the watch for a major IoT botnet attack in 2018 that finally causes governments to address IoT security,” explains Nachreiner. “Potential IoT device regulations will most likely affect manufacturers of consumer-grade IoT devices first since the end users of these products don’t have the knowledge to secure their own devices. These regulations will likely mirror similar liability-oriented regulations in other industries, where the manufacturer is held at least partially accountable for flaws in their products.”
According to Ferrante, the industry can expect more issues related to IoT in the near future since the threat landscape is increasing at an incredible rate, with connected devices being deployed in every home, business and organization.
“Security isn’t typically built into IoT devices, autonomous vehicles and other “smart” technology, making them uniquely vulnerable to malicious threat actors, as we’ve seen with several high-profile distributed denial-of-service attacks and other incidents. With the success of prior incidents, the New Year could bring further attacks involving hijacking of connected technology, and organizations will need to work diligently to ensure they are resilient against this threat, both to protect themselves and the consumers using their products,” he concludes.
Ransomware Emerges as Something More than a Nuisance
Ransomware is another of the top expanding threats most experts predict will become an even bigger issue in 2018. Numerous factors contribute to the growing ransomware threat, including hackers seeking quicker payoffs, anonymity and the low risk of criminal charges. But WatchGuard Technologies’ Nachreiner insists that the increased adoption of corporate cyber insurance will embolden potential hackers.
Nachreiner admits that cyber insurance has been around for over a decade, but says that the increasing number of publicly disclosed breaches and successful ransomware incidents has caused awareness for it to grow significantly over the last few years. In countries that require mandatory breach disclosure, cyber insurance helps cover the costs and sometimes the lawsuits that result from these breaches. More recently, insurers have promoted optional extortion insurance packages that cover the costs of ransomware and other cyber extortion. In some cases, the insurers even pay the ransom to help the victim recover their information.
“We expect SMB organizations to continue to adopt cybersecurity insurance, including optional extortion packages. Cyber insurance can help reduce the costs of security incidents and help businesses recover, especially SMBs that may otherwise be driven out of business. That said, cyber insurance does not and should not replace security controls and best practices – it should complement them,” states Nachreiner. “We predict that insurance companies will implement stronger guidelines that require companies to have strong security controls in place as a prerequisite for insurance. When combined with other layers of security, cyber insurance is a great addition to your cybersecurity strategy.
“However, there is a risk that some types of cyber insurance will actually encourage ransomware. To be frank, we find it concerning that insurers sometimes pay ransoms to recover their customers’ data. We understand the business decision. Short term, the cost of ransom may seem much smaller than the cost of recovery for victims that have no backups. However, insurers have no long-term actuarial data for cyber incidents and ransomware,” continues Nachreiner. “Does paying ransom encourage this criminal business model? Will paying ransomware eventually increase the number of incidents insurers have to handle, or the price of ransom? It’s hard to say without more data.”
So Nachreiner is predicting that ransomware criminals will target extortion insurance customers to increase their ransom payments. Compared to spam messages, which typically have less than a one percent success rate, most studies show that at least one-third of ransomware victims pay. This has caused ransom prices to go up, resulting in fewer victims paying (as WannaCry illustrated). To increase their illicit gains, ransomware criminals will target organizations that they know are more likely to pay. Since insurers will often pay if the situation demands it, smart ransomware authors will target insurers to find which organizations have extortion insurance, then target those companies directly with ransomware.
Some experts, like Kevin Watson, CEO of Netsurion, predict that the thirst for quick profits is also a reason for the ransomware explosion. Hackers are no longer content to wait months for hit-or-miss profits from POS malware breaches and exfiltrating stolen credit card data, which is barely worth more than $30 at the high end on the dark web. He says cybercriminals want a quicker fix and more money. And with the impressive success of the global WannaCry and ‘NotPetya’ outbreaks, they’re taking notice of what works.
“Ransomware is the inevitable next step. We believe that enterprising cybercriminals will target both large and small retailers with ransomware attacks to force large, immediate payments to restore operations. That’s a large profit within minutes,” says Watson.
He cites several examples:
- At big brand retailers, stolen credit card data could net $125,000
- That same retailer may have annual revenues of $1.25 billion, or about $3.5 million per day
- If ransomware halts the system, that brand would bleed $3.5 million per day in actual revenue, plus more in data breach fines, brand reputation, customer loyalty loss
- They could be willing to pay a ransom of even around $10 million, less than what they’d lose if they restored operations on their own in just 2-3 days
- That’s 80 times the revenue netted in the stolen credit card example
- Companies that are hit by ransomware attacks are in a do-or-die position because the attack will be so public and disabling. They will suffer disabled store operations and sales for the period of the attack; an inability to access much or all of critical business systems; loss of consumer trust and revenues, as shoppers take their business elsewhere; the potential that customers will never return due to fears of having their financial data compromised; and the potential total loss of customer and business data if systems are not fully restored
For BOHN Labs CEO Simon Bain, the most notorious point of the ransomware discussion is the understanding that organizations would rather pay the ransom to retrieve their data than concede to the general public that their security had been breached. He cites NotPetya as one of the most notable ransomware attacks this year; it resulted in a major monetary loss for many companies, including FedEx, which estimates the ransomware attack cost $300 million.
“In fact, the 2017 Verizon Data Breach Report states that ransomware is now the fifth most common type of cyberattack, and experts suggest this will remain a critical threat in 2018,” Bain says.
Add Tom Kemp, CEO of Centrify, to the list of top industry experts who expect the trend in ransomware to continue to explode in 2018.
“According to sources, between 2016 and 2017 (to date), dark web ransomware sales grew 2,500 percent to $6.2 million. According to the FBI, 2016 ransom payments totaled about $1 billion, up from $24 million in 2015. While we predicted increases in ransomware last year, this off-the-charts growth surprised even us. We expect this lucrative trend to continue for many years to come,” says Kemp.
The Mobile Threat Increases in 2018
Domingo Guerra, co-founder and president of Appthority, predicts that enterprise data via mobile is the next frontier for cyber criminals. He thinks hackers will progress from small-footprint ‘front door’ malware and Man-in-the-Middle attacks to attacks that access all of an app’s or a company’s data via the ‘backdoor’ of app vulnerabilities.
“The next big breach won’t happen because hackers take over a single phone—it will happen because they gain access to massive amounts of sensitive corporate data collected by the apps. Indeed, the next massive Equifax-style breach could be a mobile breach,” stresses Guerra. “The problem is that mobile apps collect a large amount of valuable data, data that may not even be necessary for the app’s use, such as specifics about the user’s physical location, all the contacts, or access to their cloud storage accounts. This data may be stored on the device, offloaded for processing to the cloud, shared with third parties, and even leaked through poor encryption and developer practices.”
So, while the focus is on breaches to corporate systems via compromised user credentials or web apps, 2018 will be the year that the public realizes what hackers already know: enterprise data is available for the taking, in massive amounts, via leaky mobile apps.
“In fact, it just happened to Uber, where hackers stole the data of almost 60 million users and drivers because they found the Uber developer’s username and password to access Uber data stored in an Amazon server. That’s why forward-thinking organizations are putting the proper mobile defenses in place—before they become the next Equifax or Uber,” adds Guerra.
Significant Increase in Phishing Attacks & Tax Scams
While the just-passed tax bill certainly gave some a reason for concern, security experts are predicting that the 2018 tax season could be fraught with scams and digital abuse.
Christopher Skinner, CEO of technology security firm SpiderOak, predicts that the 2018 tax season will see more fraudulent returns than ever, driven largely by the Equifax breach affecting 145.5 million people.
"Fake tax returns will likely explode this year given all the Social Security numbers now exposed," says Skinner. While Chinese hackers remain the prime suspects in the Equifax case, taxes are a favorite target of another state: Russia. On the eve of this year's Constitution Day in Ukraine – during which the country celebrates its independence from the Soviet Union – accountants in the former SSR were hit with a massive cyber attack, the largest in Ukraine history. The virus infected the software that businesses are required to use to file tax returns, causing havoc for both the companies and the government computers to which they are connected.
Based on what he has seen from the company’s own members, customers, and partners, scams related to tax fraud are significantly on the rise, asserts IdentityForce CEO Steven Bearak.
“In fact, for individuals reporting identity theft due to tax fraud, we’ve seen a 30 percent increase this year. On the business side, we’ve had more than a 60 percent increase in organizations seeking identity theft protection for either their employees or customers due to compromised personal information related to tax fraud,” admits Bearak. “The CEO Phishing Scams seem to have started about two months earlier than typical. In November, we had several inbound requests from organizations because their employees’ W-2 forms were compromised because of a fraudster impersonating their CEO and requesting all employee payroll records. As a result, these organizations adopt an ‘identity theft protection coverage for all’ policy and fully pay for their employees – and sometimes their families – to have this as a core benefit. This trend has already continued in early December when typically it is the middle or end of January when these scams start to hit.”
Cyber Threats Come from all Sides
While the Internet of Things, ransomware, mobile attacks, and phishing and tax scams top the list of possible 2018 threats, the list of risks is endless. Ranging from rising website attacks, chatbot technology threats and the need for greater cybersecurity awareness at board level, to risks with Bitcoin and cryptocurrency, to the growing scramble around GDPR and the evolution of cloud migration, challenges surround cybersecurity at all levels of business and government.
“The dynamics of cybersecurity make it difficult to predict the precise threats we will face tomorrow, let alone a year from now. Implementing holistic security programs that are intelligence-led and built on lessons learned from previous incidents is the most effective approach to ensuring a more secure and resilient future,” says FTI Consulting’s Ferrante.
About the Author:
Steve Lasky is the Editorial Director of Southcomm Security Media, which includes SD&I, Security Technology Executive and Locksmith Ledger International – as well as the world’s top security web portal, SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 26-year member of ASIS.