VeriClouds recently polled a field of Cyber Security professionals to get their opinions on the predominant threat trends in 2017. Our experts are CEOs, CISOs, Engineers, Security Architects and Consultants working in universities, private consulting firms and corporations.
Cyber Security 2017 Summary
All responses, including those persons wishing to remain anonymous, were considered in writing this summary.
Ransomware attacks were mentioned in 12 of the 20 (60%) responses. The reason for this particular attack vector increasing in 2017 is attributed to the significant profit potential.
Internet of Things (IoT)
The Internet of Things was mentioned in 11 of the 20 (55%) responses. IoT devices are relatively new and deployment is driven primarily by time-to-market and profit potential. Security takes time and costs money, so historically it comes to new products almost as an afterthought.
Distributed Denial of Service (DDoS)
DDoS involving IoT devices is viewed as an effective attack strategy by 7 of the 20 (35%) respondents. The reasoning is that as IoT devices proliferate, DDoS attacks will increase.
Cyber Attacks – New Opportunities
Cloud infrastructure deployments are not actually new, but the deployments are likely to increase exponentially in the next year or two. More deployments provide more opportunities for hackers to seek out those that are vulnerable.
With the number of mobile devices in use so large and still growing, mobile malware attacks are also likely to increase. Many people store their critical information on their mobiles (bad idea), so there is a strong incentive for the attacks.
Personal Health Information (PHI) databases and the Smart Home are new opportunities for hackers to explore.
Cyber Attacks – More of the Same
Social Engineering, in its many varieties, will continue to be used as long as it is successful. Professional hacker organizations and State-sponsored hacking are seen as likely to increase because they have been so successful at targeting high-profile organizations and individuals.
Cyber Security 2017 – In The Experts’ Own Words
Below are the responses from those who chose to identify themselves (anonymous not included). Some comments have been edited for clarity.
Director Network & Computer Security
Columbia Information Security Office (CISO), Columbia University
LinkedIn profile: www.linkedin.com/in/joel-rosenblatt-3935144
My take on trends for 2017 is that the biggest threat that organizations face is email – using social engineering to convince people to click. The two biggest threats are phishing (all flavors – regular, spear and whale), and ransomware.
Assistant Professor, Computing and Software Systems,
University of Washington Bothell
LinkedIn profile: www.linkedin.com/in/gthamilarasu
The increasing number of vulnerable IoT devices on the market will provide new avenues of attacks for malicious users. The problem of default and easy-to-guess credentials, challenges in updating firmware and patching vulnerabilities will further worsen the cyber risks associated with IoT. DDoS attacks on compromised IoT devices will escalate, resulting in large-scale consequences of service interruptions and possible complete shutdown of websites and organizations. The problem here is that IoT devices are designed and deployed without cyber security in mind, and unless the device manufacturers, suppliers, and regulators pay attention to security in these devices, the cyber attacks on IoT will only continue to grow more and more.
LinkedIn profile: www.linkedin.com/in/mike-stute-947ba8a9
Secondarily, the types of cyber security technology developed and used by intelligence organizations are making their way into the “wild” and governments will need to take extra care to prevent these sophisticated technologies from getting into the hands of cyber criminals.
Vice President Business Development
LinkedIn profile: www.linkedin.com/in/ncoffing
Nathanael is a Cybersecurity visionary who’s spent the last decade laser-focused on improving the security posture of the modern enterprise via the integration of IAM with Data Security. Over the last two decades, he’s honed his product and scalability expertise at Sun, Oracle, and Imperva showcasing how these security disciplines can work together to provide a rapid orchestrated deployment and response mechanism that meets today’s emerging security needs.
Founder & CEO
Elite Security & Privacy (www.elitesecurityprivacy.com)
LinkedIn profile: www.linkedin.com/in/scott-hirnle
For devices (aka IoT), the data suggests huge growth in general for both the total number and types of devices hitting the market. Anything from home security and thermostat products to fitness and health products. There are also self-driving cars and a multitude of other products that will absolutely have huge potential impacts if their security isn’t done right out of the box. These devices have a challenge because they need to be easy to configure for the average person who isn’t thinking about security. In many instances, the security is dialed way back just so the user experience is good. This makes the devices more susceptible to DDoS and botnet takeover situations such as in October 2016. There will be lots of opportunity for this segment, as well as for the security pros who keep it secure.
Phishing continues to plague businesses of all shapes, sizes, and industries. The reason – it works. It latches on to the weakest link of any organization (its people) and takes advantage of gullibility and improved techniques by the social engineer who can build out a much more realistic and believable experience. Once they’re in, they can lock up a user’s PC and demand money to unlock it. In many cases now, they don’t even do that. They’ll get their money and bail.
Ultimately, there are no easy answers for either of these scenarios. If I had a crystal ball, I’d say cyber crime for each area will increase dramatically in coming years. People are ultimately at the center of the solution for each. For the first, sound SDLC practices and design that uses extensive threat modeling and thinks through initial set-up and user-friendly security controls & settings will go a long way. For the second, training employees to really understand what to look for before they click will help dramatically reduce the risk of phishing and ransomware.
Cloud Security Architect
LinkedIn profile: www.linkedin.com/in/karunchennuri
DoS/DDoS: More and more enterprises are moving to the public cloud, shifting production workloads from internal data centers to cloud that’s managed by various cloud providers. Attackers are constantly hunting for innovative ways to bring down the services. Considering the history of disruptions (5-hour outage of AWS, Dyn’s DNS infrastructure disrupting Twitter/Spotify/AWS etc.), more outages are likely to happen in the next year too.
Software Defined Networking: Insecure configuration of Control and Data Plane Layers will open the doors for the attackers to disrupt your hybrid cloud or private cloud environment. Most of the time, the teams that configure or manage SDN are not Security folks, hence the risk is double!
Ransomware: Malicious software designed to block access to the victim’s files until the victim pays a ransom in Bitcoin is a threat that we can expect to see rise in the next year. With the advent of cloud-based services, this is going to be an increasingly common threat next year.
Data Loss/Leakage: Growing volumes of sensitive data in the cloud will invite hackers. “Trust no one” should be the principle to adopt. Strict Key Management Systems (KMS) should be adopted for data at rest, and Transport Layer Security used for data in motion.
My Top predictions for Enterprise-level:
Mobile Malware: Facing this age-old problem that always surfaces with a new face is quite a daunting task! At the enterprise level – effective antivirus products and malware defenses can combat malware to a larger extent. But the problem is that mobile devices joining the corporate internal wireless network are becoming soft targets! Attacks such as memory-resident malware are an emerging trend and forensically difficult to detect. Take a note of that!
My Top predictions for Home User:
IoT (Internet of Things): With the advent of Siri and Alexa, the privacy of individuals is undoubtedly a big challenge. This “always on” feature is a bit of a disturbing fact, though! The security standpoint of these products is still unclear; a few experts say the product is secure with no obvious backdoors, however, only the times to come will decide the security posture of such products, until they are hacked or especially in cases where software updates/patching flow in and open the back doors. IoT is the next big thing to look up and a possible source of cyber attacks!
Information Security Systems Engineer
LinkedIn profile: https://ca.linkedin.com/in/stanengelbrecht
Phishing scams, such as spear phishing and whaling, targeted attacks on a small group of executives or a specific high-ranking person in a company, would be my second trend increase. While the time an attacker has to spend on this form of attack is significantly more than a ransomware attack, the payout is often a much bigger chunk. According to the FBI, this form of attack has cost organizations $2.3 billion in the last three years. CEO fraud, or whaling, has resulted in crooks walking away with tens of millions of dollars.
DDoS via the Internet of Things would be my third trend increase in 2017. With so many things interconnected and so little in terms of security built into many of these devices, it is no wonder crooks are using these to disrupt operations. The Dyn DDoS is probably the best example of where things are headed unless security is taken seriously by manufacturers. According to Dyn’s own report, the attacks involved tens of millions of IP addresses via the Mirai botnet. Incapsula has a good report on this botnet and how it is associated with everything from CCTV cameras to DVRs and routers. As our IoT world increases, this attack surface will continue to increase unless major steps are taken to safeguard our devices. Oftentimes these “disruption services” can be sold or rented to cybercriminals who then attack the people or organizations of their choice, thereby causing extensive amounts of damage to the victim’s finances and reputation.
Senior Software Security Engineer
LinkedIn profile: www.linkedin.com/in/sundar-krishnamurthy-b32b761
Breaches dominated all of 2016 – from the DNC and the US Elections to Yahoo, and State Bank of India getting 600K Debit Cards breached. The tragedy about the last story is that most people in India don’t use online banking, hardly check their monthly statements, and a lot of renegade transactions would never be negated or reconciled. For the average Indian citizen, Debit Card Security = Armed guards outside ATM booths or kiosks.
Any website that uses 1FA is, in all probability, pwned. All applications need some form of 2FA (not just Amazon, Bank of America, Google or Paypal).
With all the email addresses that can be queried on https://haveibeenpwned.com – it is very likely that any customer that is using your business application already has the same credentials available for anyone to abuse.
You can never be sure if a breached email and password are the same for a pwned site vs your own website. Even checking that makes you a willful felon if you consider Title 18 Section 1030 of the US Civil Code.
You don’t need every user of your website to possess an Authy app or have a cell phone that can receive one-time passcodes. You just need to email that user a six-digit passcode, and on successful login, send out a secure cookie with a GUID. Set the lifetime of that cookie to 4-8 weeks, and store a SHA-256 hash of the cookie, along with the HTTP_USER_AGENT, in the database table for that user row.
Whenever this user tries to log in to your website again from the same computer and browser, the cookie is available and you match up the SHA-256 hash of what you read from the HTTP headers with what was saved for this user in the database table. In addition, you check for correct login email and password to grant the user access.
The user performs 1FA, even though it is 2FA behind the scenes for that period. Even if the user’s email and password for your website are the same as in a breach dump, a hacker in Eastern Europe cannot log in to your website as the OTP sent out would be for the user’s email, not your site. If the user’s email was breached too, then all bets are off.
If you want to avoid the OTP-email thing, you can provide a set of three secret questions and answers and have one of them be answered every four to eight weeks with the login-password combination, to furnish the same secure cookie out for storage.
Assuming that the user’s email is not breached, that user receiving an email with an OTP when she had never logged in earlier would be an incident. There is someone who knows this user’s email and password and tried to log in to your site using those credentials.
What will become more bothersome for us in 2017:
Ransomware. People do naïve things and it is so easy for a software Trojan to sneak into your system. Even now, people download executable programs off the Internet, Torrent, Dark Web and never bother about the veracity of the site or program.
Anti-virus software is technically dead. Malware has grown so lethally polymorphic and stealthy, that outside of tracking actual system calls against the Operating System for resources, virus signatures make no sense when a few hundred thousand distinct pieces of bad, malicious code make it out into the world every week.
You should perhaps do what I heard an Investment Bank in Singapore does. The laptops and workstations cannot connect to the Internet, at all, even when the laptops are carried home. They can only call methods on a proxy when VPNed in – that verifies the endpoint, works like a great firewall and only lets you connect to a small set of whitelisted company websites and Internet-facing web services. All general browsing is done via a Virtual Machine that spins up, lets you browse and connect to Facebook, Hotmail and has no visibility into the host operating system, internal company network or file structure.
IoT will open the world for botnets that can now own insecure, unpatched devices and use them to mount attacks like the DynDNS takedown late last year.
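The trusted-device cookie flow described in this response (an emailed six-digit OTP, then a GUID cookie whose SHA-256 hash and user agent are stored on the user’s row and checked alongside the password on later logins), written out as an added example; this is not the respondent’s code or VeriClouds’. It assumes an in-memory dict in place of the database, a list in place of the mail system, a 6-week cookie lifetime, a 10-minute OTP lifetime and PBKDF2 for the stored password hash, none of which the text specifies.

```python
import hashlib
import hmac
import secrets
import time
import uuid

COOKIE_LIFETIME = 6 * 7 * 24 * 3600  # 6 weeks, inside the 4-8 week window the text gives
OTP_LIFETIME = 10 * 60               # assumption: emailed passcode valid for 10 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow KDF for stored passwords; plain SHA-256 is used only for the cookie, as in the text
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user table standing in for the database: one row per user
_SALT = b"constructed-salt"
USERS = {"alice@example.com": {"salt": _SALT, "pw": hash_password("correct horse", _SALT),
                               "pending_otp": None, "device": None}}
OUTBOX = []  # stand-in for the mail system; records (email, otp) that would be sent


def start_login(email, password, user_agent, cookie=None, now=None):
    """Step 1: check email+password, then honour the trusted-device cookie or fall back to an emailed OTP."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if not user or not hmac.compare_digest(hash_password(password, user["salt"]), user["pw"]):
        return "denied"
    dev = user["device"]
    if (cookie and dev and now < dev["expires"] and dev["user_agent"] == user_agent
            and hmac.compare_digest(hashlib.sha256(cookie.encode()).hexdigest(), dev["cookie_hash"])):
        return "granted"  # 1FA for the user, 2FA behind the scenes
    otp = f"{secrets.randbelow(10**6):06d}"  # six-digit passcode
    user["pending_otp"] = (otp, now)
    OUTBOX.append((email, otp))
    # As the text notes, an OTP mail the user did not ask for means someone else holds valid credentials
    return "otp_required"


def finish_login(email, otp, user_agent, now=None):
    """Step 2: verify the OTP, mint the GUID cookie, store only its SHA-256 hash plus the user agent."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    pending = user["pending_otp"] if user else None
    if not pending or now - pending[1] > OTP_LIFETIME or not hmac.compare_digest(pending[0], otp):
        return None
    user["pending_otp"] = None  # single use
    cookie = str(uuid.uuid4())
    user["device"] = {"cookie_hash": hashlib.sha256(cookie.encode()).hexdigest(),
                      "user_agent": user_agent, "expires": now + COOKIE_LIFETIME}
    return cookie  # the real response would set this as a Secure, HttpOnly cookie
```

A cookie presented from a different user agent, after expiry, or with a hash that does not match falls back to the OTP step, so a stolen password alone never reaches "granted".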
Principal Security Architect
LinkedIn profile: https://www.linkedin.com/in/mikesheward
President & CEO
In Turn Information Management Consulting
LinkedIn profile: ca.linkedin.com/in/andrew-hughes-682058a
There are fundamental flaws in legacy platforms that were designed with ‘crunchy shell, soft interior’ – where the simple fact that transactions originated from inside the ‘trusted’ network had some special validity or status. It’s the classic problem & takes lots of time and money to re-engineer.
There will be new technologies and better uptake of existing technologies for VPN endpoints, user identification & authentication, and overall recognition of trustworthy devices and users. But it will be not enough, not soon enough to avoid some big dollar value thefts in 2017.
LinkedIn profile: www.linkedin.com/in/andrewplato
State-sponsored attacks will also increase. The recent election hack has emboldened state-run hackers.
Lieberman Software Corporation
LinkedIn profile: www.linkedin.com/in/phlieberman
Perhaps this year the President may even provide safe harbor and reduction in risk from lawsuits brought by others to further damage compromised companies.
LinkedIn profile: www.linkedin.com/in/gounares
But I personally worry a lot more about the undiscovered attacks. We know that even the most expensive traditional cyber security products (e.g. firewalls, IDS, anti-virus) are easily bypassed. That means that there are attackers who are in, causing harm but staying under the radar. The more things are noisy with stuff like e-mail hacks, the easier it is for those attackers to stay undetected.
Director of Security
LinkedIn profile: www.linkedin.com/in/eugenekogan
VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.