Although 2014 was dubbed “Year of the Security Breach,” cyber threats continued to escalate in number and sophistication in 2015. From the attack on the Office of Personnel Management, which compromised the personal information of millions of federal employees this summer, to the hack of CIA Director John Brennan’s AOL account, the past year was a busy one for cyber criminals.
Moving forward into the new year, Stu Sjouwerman, CEO of cybersecurity firm KnowBe4, says 2016 will not see much of a change. Cyberattacks will continue to be destructive and organizations will fall victim to damaging data breaches.
Sjouwerman shared with Homeland Security Today his cybersecurity predictions for 2016:
Boards of directors will finally appreciate that information security risk management should be treated as an enterprise risk equivalent to financial, reputational, and legal risk. Too often board members see the light only after a data breach. Having understood how security risk impacts the business, in 2016 they will make sure to change corporate culture into the direction of a good security risk management program. Next year will be a very important year for cyber-insurance; boards are going to ask for this. PricewaterhouseCoopers predicts that the cyber insurance market will triple in the next five years and this will force boards to take a long, hard look at the cost of their continued insecurity.
Budget Survival Tips
The things that will get approval are projects designed to cut the cost of doing business. Smaller-scale IT security initiatives that have a quick return on investment, e.g. new school security awareness training which combines training with simulated phishing attacks, will be popular with management and boards.
CEO Fraud aka Business Email Compromise
Looking at the rapid uptrend of CEO Fraud over the past year, this will be the new scourge in 2016 following ransomware, hitting consumers, small and medium enterprise and large enterprise with competing cyber mafias specializing in verticals like financial institutions, healthcare and manufacturing.
Think Stuxnet for the Financial Industry. The data breach attacks we have seen by the hundreds are loud and obvious. They expose data which causes embarrassment, inconvenience, and financial losses. Integrity attacks are stealthy, selective, and can be much more devastating. Instead of doing damage or making off with vast amounts of sensitive data, they instead focus on carefully changing particular elements within transactions, communications, or data to gain a significant benefit. In 2016, you will see an integrity attack in the financial sector in which millions of dollars will be stolen by cyber thieves who will modify selected data in the transaction stream, resulting in a significant redirection of payment to anonymized accounts. How they’ll get in? Spear phishing.
2016 is the year that passwords will start to disappear. Biometrics like voice and face recognition go mainstream and two-factor tech like authentication code generators on mobile phones will spread exponentially. For your own infrastructure, look at containers that host similar 2FA micro-services that you can integrate in your own apps. Nation-states will continue battling for the domination of Internet backbone and infrastructure components.
Internet of Things
6.4 billion connected “things” will be in use globally by the end of 2016, but Internet of Things (IoT) standards related to security are a hodge-podge. There are literally hundreds of standards that potentially touch IoT and precious few that directly accommodate IoT. It’s early days and there is no consensus. As long as vendors’ #1 concern is “time to market” and not “security by design” you will see a flurry of attacks on IoT devices like Talking Barbie and others. Cutting edge criminal hackers will create the very first BoT – Botnet of Things. Don’t leave any kind of Wi-Fi enabled devices or toys in the master bedroom!
Malicious E-Commerce Goes Social
Many traditional social networking sites such as Pinterest, Facebook and Twitter will add “buy” buttons to their platforms in an effort to increase stickiness with their users and help monetize their user base. It’s going to be heaven for cyber criminals who will social engineer themselves into millions.
Mobile malware, specifically mobile banking Trojans, is on a trajectory to become much more prevalent for banks and financial institutions in 2016. There will be an increase in malware families that are gaining root access rights on users’ devices. These attacks will pose a significant problem for many financial institutions, which have thus far mostly ignored the threats mobile devices pose. Commercial malware authors will continue to reinvest at ever greater rates, bringing them towards the “spending power” of nation-state activity. This includes purchasing zero days. The bad guys have lots of cash and they are smart investors.
- A ransomware crime wave will surge across America.
- The use of Cryptowall 4.0 will explode, and Cryptowall V5.0 will add an actually working "feature" that TeslaCrypt only threatened with: extortion by potentially publishing private personal or business files on the Internet.
- Cyber mafias will focus on professional services firms and local government using Cryptowall as their tool and extort tens of thousands of dollars from organizations that don’t want their business disrupted or their intellectual property compromised.
- Cryptowall will be the first strain of ransomware to hit a billion dollars in damages.
- Ransomware is the new APT: "Annoying Persistent Threat", as it will be increasingly used in double payload attacks combined with other scams.
- Ransomware attacks doubled in 2015 and will double again in 2016. The UK is to some extent a bellwether for the US as they function as a beta test site for Eastern European cyber mafias who can test malicious code in their own time zone. Well over half (54 percent) of all malware targeting UK users in 2015 contained some form of ransomware. Buckle up.
- Ransomware-as-a-service hosted on the TOR network and using Bitcoin for ransom payment enables a new generation of cybercrime newbies to make their mark.
- A new sleeper ransomware variant will start to stealthily encrypt data, pull your critical files onto a C&C server, and wait until a backup has been made. At that point they will yank the encryption key and demand a much larger amount of ransom than the current 500 bucks.
IDG asked hundreds of high-level InfoSec pros the following question: “What will be the single biggest security threat of 2016?” The number one answer was: “people”. With events like the presidential election drumming up a frenzy of social media activity in 2016, you can expect attackers to use the attention given to political campaigns, platforms and candidates as an opportunity to tailor social engineering lures.
In the year ahead, Sjouwerman noted in a blog post, “What matters most is whether your organization will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is to make your organization a hard target based on a top-down, security-first culture.”