Now that 2016 is a mere memory, it's time to make some predictions about what lies ahead in 2017 in the realm of cyber security. Last year, the convergence of tech, society and security was one of the central elements that defined the year: there was the Apple vs FBI showdown, the persistent ransomware crisis, and Russia's involvement in just about everything. We surely haven't seen the last of these issues, and we can be pretty sure that they, along with other key 2016 incidents, will influence and lay the groundwork for some of the biggest security issues that arise in 2017.
For our 2017 predictions list, we will not only shed light on what we see as some of the most pressing issues we'll have to deal with; we will also examine the precipitating causes behind each of our predictions. As they say, "Great claims require great evidence": if we're going to go out on a limb, we have to offer at least some proof as to why. So, in no particular order, here are our predictions for the security events that will define 2017:
DDoS attacks increase with a vengeance: Distributed Denial of Service (DDoS) attacks, in which a perpetrator attempts to take a network offline by flooding it with traffic, are nothing new. But in 2016, this attack vector of choice for spammers, gamers and activists took some new and more virulent turns. According to security firm Akamai, DDoS attacks increased in occurrence from 2015 to 2016 by 138%, mostly because, starting this past year, any ol' hacker could purchase a ready-to-go exploit on the dark web as DDoS-as-a-Service.
With now-famous predecessors like Mirai, which took down the network at Dyn and thereby knocked the likes of CNN, Twitter, Reddit and more offline for over 9 hours in late October, and Icarus, which took down banks all over the world in May, it seems clear that DDoS attacks will feature prominently in the 2017 security landscape. DDoSes also played important roles in multi-pronged attacks, acting as attention-diverting smoke screens that concealed the much more damaging activity taking place elsewhere, as was demonstrated in the 2015 attack on Carphone Warehouse in the UK.
Based on their growing popularity, it seems likely that DDoS attacks will increase in size and damage. Attackers may use DDoS attacks as tools of extortion, threatening to take high-traffic websites offline unless they are paid exorbitant sums. We also foresee that the huge number of incredibly insecure internet-connected devices will give DDoSers new ground from which to launch attacks.
SCADA gets scarier: If you don't already know, SCADA networks are control systems that gather, process and monitor data for physical infrastructure such as power grids, telecoms, manufacturing and utilities. These systems, many still in use today, are often old and were built neither to be networked nor with security in mind, and they present sophisticated (often nation-state sponsored) attackers with an incredibly potent attack venue. Remember Stuxnet, circa 2011? That was an attack against the SCADA system of the Iranian Natanz nuclear facility, which effectively (and thankfully) wiped out one-fifth of its centrifuges.
Attacks against SCADA networks doubled in occurrence from 2013 to 2014. In December 2015, multiple electric companies in Ukraine were hit by a strain of malware called BlackEnergy, delivered via infected email links, leaving many without electricity for 6 hours. There have been reports of attacks on grids and other utilities in the UK, Italy and Malta, and then there was the "runaway train" incident in Massachusetts, when a train took off without its conductor. It has yet to be proven that the runaway train was the result of a hack, but that is certainly the prevailing assumption, and whether or not it was, the fact is that such an attack is entirely plausible.
What does 2017 hold for SCADA networks? According to famed consulting firm Booz Allen Hamilton, we will witness SCADA Access-as-a-Service attacks, in which already-developed access exploits are sold to attackers looking for access with less effort. And as industries move towards making their SCADA networks "smarter", layering modern technology on top of legacy technology, they will inherently make their systems more patchworked and therefore less secure, so look for attacks like these to make headline news.
FinTech security gets top billing: Once upon a time, banking meant going down to your bank and interacting with a teller or banker. But recently, banking has had a modern facelift and gone increasingly digital, a trend referred to as FinTech, or financial tech. These services include everything from payments made from digital wallets to banking apps, financial robo-advisors, social lending and more. They are sometimes offered as add-ons by large established banks, but more often than not, they are stand-alone services created by startups.
The problem with FinTech is fairly straightforward: the "tech" part of it generally isn't built with security in mind. Got a cool new way to get money from A to Z in an instant? Yes. Built-in measures to prevent that transaction from being intercepted and hacked? Um... no. In November, the largely digital and mobile-focused UK bank Tesco (yes, part of the British food-chain giant) was breached, with fraudulent activity showing up in about 20,000 to 40,000 accounts. Tesco reimbursed all affected customers, costing it $4 million. Earlier in the year, FinTech investment startup DAO lost $60 million in a breach, and Clinkle, one of the most anticipated apps to come out of the FinTech scene, was hacked before it even had the chance to come out of stealth mode.
One of two things will happen to the FinTech revolution in 2017: either more vulnerabilities and breaches will arise, causing backers and customers to lose faith and revert to more traditional banking, or the industry will start building better, stronger security measures, such as biometric IDs, right into its offerings and devise ways to make sure that customer data is stored securely. According to Brian Costello, Chief Information Security Officer at Envestnet, FinTech providers who make it past the initial stages will adopt a "security by design" approach in which security measures are part and parcel of the offering itself. For the budding industry to survive, security must become a primary concern.
The ransomware spree evolves into a RaaS spree: It's been said before, and we'll say it again: 2016 was the year of ransomware. Last year, not a week went by without a new ransomware story emerging. Hackers wasted no time tweaking older variants and creating entirely new ones to cause as much widespread panic as possible. The newcomer Locky was responsible for 97% of malicious email attachments, and according to sources, victims paid out more than $1 billion in unlock fees in 2016 alone. Ransomware targeted home users, businesses, hospitals, governments, banks and everything in between.
Clearly, ransomware is big business. Even if just a small slice of victims pay the unlock fee, attackers still pull in handsome profits. And since they keep the price point relatively low, at about 1-2 BTC for home networks and 3-4 BTC for company networks, victims may choose to pay up just to avoid the hassle. All this means that, frustratingly, ransomware is here to stay.
But a new trend has recently been noted in the ransomware-o-sphere: Ransomware-as-a-Service, or RaaS. Cerber, a newer variant, functions on what security firm Check Point's Maya Horowitz calls a "ransomware for dummies" platform: a ready-to-go, all-in-one kit that allows even complete novices to deploy devastating attacks with the click of a few buttons. It has a user-friendly management panel that shows the deployer how their "campaign" is going and how much money they are raking in, and the creator gets a kickback from the profits. The AlphaLocker model is similar but different: the purchaser buys the entire kit and caboodle from the creator and collects the dividends for him or herself, all for a measly $65. The RaaS marketplace still has plenty of room for other nasty players, and we foresee that this trend will help propel ransomware to an even larger scale than was seen in 2016.
Some other security topics will undoubtedly help shape the year, and moreover the years to come:
GDPR: In case you're not from "across the pond", GDPR, the General Data Protection Regulation, is a set of regulations created by the EU to strengthen and streamline data protection in all EU member countries. Its end goal is to give citizens control over their data, and it promises swift action against any company, inside or outside the EU, that violates the regulations (by storing data insecurely, collecting unnecessary information, or similar privacy-related lapses). Although GDPR doesn't go into effect until 2018, companies and countries around the world are beginning to plan for the many implications the regulations will bring.
IoIT (the Internet of Insecure Things): Remember the Mirai botnet used in the attack against Dyn that we mentioned above? It was deployed via vulnerabilities in internet-ready DVRs and cameras. Researchers and doomsday-sayers alike have long warned the public of the potential dangers of IoT, the Internet of Things. Sure, it may sound a bit nutty to suggest that your coffee pot might be spying on you and phoning that information home to hackers somewhere in Russia, but as the now-infamous Dyn attack proves, it's not so far-fetched after all. IoT products will continue to be insecure as long as they are built with consumer demand, rather than security, in mind (back to that "security by design" idea from above), and we suspect that 2017 will bring new gadgets with new IoT vulnerabilities to the fore.
New president, new perspectives: Last, but oh-so-not least: Mr. President, Donald Trump. With Trump's recent assertion that "no computer is safe" and his suggestion that important messages should be sent by courier, it's safe to say that the incoming administration is a bit of a wild card when it comes to cyber security and data protection. On the topic of encryption, Trump backed the FBI, stating that Apple should have decrypted the phone as the FBI requested, and called for a boycott of all Apple products until the company agreed to open the phone. On the other hand, he also said he plans to bolster cyber security throughout the US, using more offensive tactics against terrorists and other opponents if need be. At this point, it's too early to predict what a Trump presidency really means for cyber security, but whatever it amounts to, it's sure to be interesting to observe.
Do you agree with our predictions? Have we missed any potential biggies? Let us know in the comments!