Many companies will convince themselves they have nothing of value to hackers. Totally wrong. All data has a value and all companies have something which will interest cybercriminals.
Without cyber security measures, your business must deal with the destruction or loss caused by a vast array of cyber attacks. These attacks can harm sensitive personal and business information.
In the near future, devices will continue to grow in volume and variety. According to the McAfee Labs “2016 Threats Predictions Report”, the forecast for connected devices by 2020 is now 200 billion and climbing.
As long as there are digital valuables there will be criminals, so cybercrime will continue to thrive in the coming years. Like any business, most cybercriminal operations follow the money, looking for the easiest way to steal something of value. The growing value of personal data will play a big part, as it is already more valuable than payment card information and will continue to climb.
The increasing ability of attacks to avoid traditional security systems and remain undetected was predicted years ago, but we have seen only the early stages of this phenomenon. Malware is still very popular and growing, but the past years have marked the beginnings of a significant shift toward new threats that are more difficult to detect and prevent.
Ransomware will remain a major and rapidly growing threat in 2016. With new variants on the way and the success of the “ransomware-as-a-service” business model, attacks will continue on Microsoft Windows, and we can also expect ransomware to start targeting Mac OS X during this year, due to its growing popularity.
Application vulnerabilities are an ongoing problem for software developers and their customers. Adobe Flash is perhaps the most frequently attacked product.
Some developers have called for HTML5 to replace Flash, and Google Chrome will soon handicap Flash. But any transition away from Flash will be slow. The Internet is full of legacy Flash content, at least for desktops (though not for mobile devices), so we don’t expect to see this change soon.
Vulnerabilities in Internet Explorer are less common than a few years ago. Java, PDF, and Office exploits have declined significantly in recent years.
The number of critical Office-based zero-day attacks over the past few years is not high; however, this kind of attack is very dangerous in enterprise computing environments.
We can expect to see exploits of newly discovered vulnerabilities in areas beyond Windows. Increasingly, embedded systems, the Internet of Things and infrastructure software will become the targets for advanced zero-day attacks.
Shopping used to be so simple. To buy something, all you needed was enough cash in your pocket. Today, however, the number of alternative payment methods is rather dizzying, from Bitcoin and Apple Pay to credit and debit cards and online payment services.
Most attacks approach payment card theft in the same way they have for the past 10 years, by attacking payment mechanisms or the databases containing card data. Once they have obtained the card data, they sell it as quickly as possible and pocket the profit.
Now, however, the game is changing. Given the plethora of payment methods, most of which still require usernames and passwords, credentials have become very valuable. To steal credentials, the cybercriminals are targeting the consumers directly because they are both the source of the credentials and the weakest link in the payment process.
Attacks through employee systems
High-profile attacks continue to increase in frequency. Personal information including credit cards, social security numbers, and addresses for millions of individuals was stolen during 2015 alone. Unfortunately, this trend is expected to continue.
Smart organizations should spend their money not just on technology, but also on more training, awareness, and personnel.
If an organization has the latest technology installed with smart people in place to create effective policies and remain vigilant, attackers have few options. Nonetheless, attackers will:
- Try harder. No security is 100% foolproof. If attackers really want your data, they will get to it. It just takes time and effort, which ramp up almost exponentially when smart people and good technology are in place.
- Go after someone else. Those organizations that spent their budget ineffectively (maybe buying the latest tech, but not funding additional headcount to run it) will continue to be (relatively) easy targets and continue to be hacked.
- Attack employees at home or while traveling. If attackers really want to get at your data, but find themselves blocked at every attempt against the corporate data center, then the relatively insecure home systems of the employees become the next logical target.
This type of threat is extremely serious and should lead to IT organizations taking a hard look at what it means to be secure. It isn’t enough to worry about security only on your company’s network. Smart organizations need to expand their protection into the homes of their employees.
With or without IT’s consent, most businesses use low-cost or free cloud collaboration services, but security details are often not shared; the risk of hacking and data exposure is unknown.
A cloud service provider must always be alert to the emerging threat landscape and adapt its security controls to address hackers’ evolving techniques. Protecting cloud services requires a comprehensive approach to security controls, including addressing the opportunities for social engineering to be used to gain access to data. Protection also requires that strong encryption is implemented, with access to data limited to authorized users.
Cybercriminals, nefarious competitors, vigilante justice seekers and nation-states will increasingly target cloud services platforms to exploit companies and steal valuable and confidential data, using it for competitive advantage or for financial or strategic gain.
During the past two years, we have seen tremendous growth in the Internet of Things (IoT). Recently we have seen rapid growth in the number of wearable devices, such as activity trackers, smart watches and other portables.
Most wearables collect a lot of simple data and then feed it to an application on a smartphone or tablet for processing. Most of these devices use Bluetooth LE (low energy) technology, which has suffered a number of very well documented security flaws and will likely produce more with each new version.
Poorly written wearable code will create a back door into your smartphone.
Wearables present a great way to motivate people to interact more with the world around them instead of staring at their phones or laptops, but they also pose a growing security risk from hackers as more people use them.
Attacks on automobile systems will increase rapidly in 2016 due to the rapid increase in connected automobile hardware built without foundational security principles. According to Business Insider’s “The Connected-Car Report”, there will be 220 million connected cars on the road by 2020.
So far, current vulnerabilities have been responsibly disclosed to the manufacturers. McAfee predicts that in 2016, more automotive system vulnerabilities will be found by security researchers. It is also quite possible that zero-day vulnerabilities will be found and exploited in the wild by cybercriminals who may threaten people’s lives, impact road safety, and create transportation deadlocks.
Cyber attacks are loud, brute and obvious. They break things and expose data, causing embarrassment, inconvenience and losses.
The cyber crime industry continually evolves based upon the changes in technology, capability of attackers, value of potential targets and relevance of resulting impacts. In 2016 we will see yet another expansion of tactics.
The offering of cyberattacks as packaged goods will continue to expand accessibility to less-skilled people, enabling or boosting more personal attack objectives, such as integrity, harassment, vandalism, or just pure chaos.
RSA Conference 2015 titled: “Change is scary, but it must be done to keep up with the bad guys”. And change is truly the one constant in cyber security.
“It is not the strongest that survive, nor the most intelligent,
but the one most responsive to change.”