The top issues for cyber security in 2016
- Published: Wednesday, 06 January 2016 09:18
Imperva has made five predictions for what the main 2016 information security trends will be. The predictions come from an analysis of the data collected by its products in installations around the world, as well as from working closely with over 3,500 customers from across many verticals.
The 2016 predictions are:
BoT - Botnet of Things
In recent years, much as been discussed regarding the growth of IoT (Internet of Things), and its adoption in our everyday lives. With technology taking the necessary steps to minimize boards and reduce power consumption, fewer and fewer things remain that can't hook up to a WiFi network or stay connected via Bluetooth. And where some see this as progress, others see a decline. By naively connecting everything to the Internet, we also made it vulnerable. IoT is screaming, "Hey, I am a small computer in here with excellent connectivity!" For malicious actors that also means ‘Easy prey!’
The security of operating systems for PCs has gone through an agonizing process of evolution, making it harder than ever to compromise a PC running a modern OS from a remote location. Embedded devices, on the other hand, haven't done so well in securing themselves. From hard-coded default credentials, through publicly-accessible configuration panels and simple vulnerabilities, to simply non-existent patch management, IoT is an easy fish to catch for perpetrators. Even security-oriented devices such as CCTVs have been found to be completely vulnerable.
Attackers can exploit the abundance of soft targets in many ways: from running malware that participates in DDoS attacks and spreading spam, to running proxies, scanning other machines, or - in the worst case - acting as a leverage point for compromising all other devices on the local network.
Without a serious change in the security state-of-mind, it is just a matter of time until we see the first victim of a flood caused by zombie toasters and microwaves.
Rise of the insider threat
External threats, in the context of cybersecurity, are relatively well understood, and there are many products/solutions in the marketplace to address such external malicious activities/agents. While awareness towards insider threats - both of the malicious and the careless variety - is increasing, there has not been a high-profile data breach since Snowden, possibly resulting in firms maintaining status quo toward insider threats. 2016 will be the year that more data breaches will be due to insiders. Insiders have privileged access to data/databases and remain largely unmonitored even today. Encryption of data and transport does not help protect against insider threats. Data stored in the cloud is more at risk from the insider threat since IT security and controls in the cloud are still playing catch up.
While it's impossible to eliminate the risk of internal data breaches entirely, the attack surface and time to detect can be significantly reduced by monitoring data access and using solutions based on behavioral analysis.
Cyber attack on major infrastructure
Cyber attacks are increasingly sophisticated, frequent, and disruptive; critical infrastructure has not been upgraded to thwart such attacks, and an attack could be significantly disruptive or potentially devastating. Some infrastructure like electric power grids may be able to recover quickly from an attack given the redundancy in distribution and transmission. But water and natural gas supply or transportation and communication network can suffer a crippling assault. ICS/SCADA protocols with poor to no authentication, control systems in dire need of patching, lack of firewalls that are not SCADA-aware firewalls, negative employment in cyber security and lack of training are all factors that widen the gap and make critical infrastructure more vulnerable. U.S. Cyber Command is earmarking $460 Million to build lethal cyber weapons that may eventually result in casualties. The primary targets for the cyber weapons are industrial control systems, Stuxnet was the first successful use of lethal malware against nuclear facilities in Iran. It is only a matter of time before terrorists build their cyber weapons.
Luck has been on our side to date; we have not faced any serious attacks yet on SCADA/ICS. We would like for this particular prediction not to come true given the extent of the damage it can inflict.
Contractors get a cyber pat down
Major corporations will enforce cyber security assessments of the third party firms and contractors. The Target data breach happened because of a compromised HVAC contractor. The Anthem data breach occurred through a smaller insurance firm that Anthem had just acquired. JP Morgan was no different with the hackers gaining unauthorized access through a third party firm. Each of these companies had well-defined policies for the infrastructure that they directly managed, and the outside firms with privileged access became the weak links.
2016 is the year where major enterprises will require all vendors to demonstrate that their cyber security is on par or better than the standard set by the enterprise. The derivative effect will be an increase in liability/indemnity resulting in the maturity of the cyber insurance market. Similar to how high fire insurance premiums resulted in better building codes and ultimately safer buildings, the move to require increased cyber insurance coverage from the third party entities will result in stronger cyber security.
Subversion of free SSL certificates for malware
There is a revolution happening in SSL certificates handling: free SSL certificates from new Certificate Authorities. “Let’s Encrypt” is one such free, open certificate authority that issues SSL certificates and can do so in an automated fashion. Man-in-the-Middle (MITM) exploits succeed by spoofing communications using stolen/abused certificates. A free certificate issued by a CA would significantly reduce the barrier for executing MITM attacks. To appear as a trusted vendor and use the digital certificate to sign malicious code with it, greatly reduces the possibility for malware to avoid detection.
Accelerated by the adoption HTTP/2 (which requires HTTPS for all popular platforms), the day is not far away where free SSL is mainstream. While encryption helps drive better security, exploits find ways of spoofing and abuse the implicit trust within the model. The problem lies in the premise that HTTPS currently provides for security, both for end-users as well as security solutions.
For users, the reality is that most don’t distinguish between regular certs and EV, so a green lock in the address bar indicates a secure URL. Registering a fake domain allows for a better attack surface and elaborate phishing campaigns. Compromised HTTPS sites that host malware/phishing pages will go undetected for a long time defeating all browser checks.
Security solutions, especially proxies, will have to inspect higher volumes of encrypted traffic, and decrypt all HTTPS flows, which will have a severe impact on performance and exponentially increase overall setup complexity.http://www.imperva.com