Cyber security was thrust into prominence with the biggest attacks ever been seen, in 2017. The fact that so many breaches happened, in such close succession made us pause for thought and then realise that it is the new normal to have nation states wage war against each other over the world wide web. Whether it is fake news, security software laced with malicious code, ransomware or just plain simple phishing, if cyber security predictions could be summed up in one line, it would be that you should expect to see a lot more such news around data security in 2018.
While most cyber security practitioners will agree that most predictions will be the same, there are a few curveballs that we, at TEISS would like to bring to focus too.
- Internet of Things will grow and continue to be a security nightmare
“In the world of IoT you’re generating millions of small transactions that are being collected from a distributed set of sensors. It’s not feasible to operate these systems using a centralised transactional model: it’s too slow, expensive, and exclusive. To extract the true value from IoT technology you have to be able to operate in real time. Once a sensor alert is received from a control system you must react to it, meter it, and bill for it instantly – all of which negates the viability of a centralised transactional authority. The cost of the transaction has to be near-zero or free, and the cost elements of a centralised model simply don’t support the potential business model in IoT,” thinks Ettienne Reinecke, Dimension Data’s Group Chief Technology Officer.
Concludes Forrester: "It’s imperative for today’s digital businesses to balance the business benefits that IoT-connected products can deliver with the recognition that these same devices have become an attractive attack plane for hackers and cybercriminals seeking to cause disruption and exfiltrate sensitive data.”
- Ransomware, more frequent and more devastating
The feeling within the industry is that while the number of ransomware attacks will go down, the number of targeted attacks will go through the roof. “We’ll still see cyber criminals developing new types of ransomware, but not as much as the past two years,” says F-Secure Labs Researcher Päivi Tynninen. “The delivery mechanisms for attacking individuals aren’t really that effective at the moment. But ransomware’s business model is a proven money maker, so we’ll probably see cyber criminals focusing more on conducting targeted ransomware attacks against companies to get bigger paydays from fewer victims.
There is concern that cyber insurance coverage that businesses seek to keep themselves safe from the hammer blows of fines in case of data breaches will lead to a surge in ransomware attacks. This is because insurers promote optional extortion insurance packages that cover the costs of ransomware and other cyber extortion payments.
“We find it concerning that insurers sometimes pay ransoms to recover their customers’ data,” says Corey Nachreiner, CTO at WatchGuard Technologies. “While we understand the business decision, insurers currently have no long-term actuarial data for cyber incidents and ransomware. It is possible that paying ransoms will encourage this criminal business model and increase the number of incidents insurers have to handle or the cost of ransoms.”
- Cyber security is a recruitment nightmare
2018 is the year when GDPR comes into force, in turn, forcing the hand of thousands of businesses into employing DPOs. The fact that there is a crippling skills gap will get worse. Travis Farral, Director of Security Strategy at Anomali said: “Both private and state schools need strong cyber programs and academies should look to develop cyber skills in children from disadvantaged backgrounds. This will hopefully prevent talented teenagers being sucked into the dark side.
Although at the same time that industry struggles to recruit talent, university graduates are finding it hard to start their careers in cyber security. We need to improve opportunities for entry level positions including internships, apprenticeships, more cyber classes in schools, and formal cyber programs. This also requires a look beyond STEM as careers in threat intelligence can better suit analytical degrees, due to the need to be able to research, analyse and draw conclusions, which can give them the edge over those with a scientific mind-set.
There are some bright new leaders in the industry that are focusing on education and engaging young talent in the industry and this has to continue.”
- The rise of the nation state sponsored bot army
Trend Micro predicts that Fake news and cyber propaganda will press on because there has been no dependable way to detect or block manipulated content. Social media sites, most notably Google and Facebook, have already pledged a crackdown on bogus stories propagating across feeds and groups, but it has had little impact so far. That being the case, the final screening will still be dependent on the users themselves. But as long as users are not educated in flagging false news, such content will continue to permeate online and be consumed by unsuspecting and undiscerning readers.
Said David Ferbrache, chief technology officer in KPMG’s cyber security practice: “As countries invest to develop their cyber espionage and offensive capabilities, we will see more signs of their activities. Disclosures of high end techniques used by nations will continue, fuelling the opportunistic re-purposing of these vulnerabilities by less sophisticated States and organised crime groups. Expect more evidence of industrial control system attack tools being tested as States explore the potential of this new form of warfare.”
Tim Erlin, VP of Product Management and Strategy at Tripwire said: "Accurate attribution for cyber attacks is almost always a difficult task, and it’s doubly so when the evidence leading to the conclusion can’t be shared. With global public trust in the US government at a low point, it’s not surprising that there’s skepticism.
If we’re going to have national security organisations delivering these types of conclusions on attribution to the public, we need to find a way to develop trusted output. The mantra of ‘trust us’ doesn’t cut it here. This conclusion about North Korea’s culpability isn’t new. The UK discussed the very same conclusion in October, with the very same caveats about sharing the actual evidence.
You can’t arrest a nation-state, which inevitably prevents any real closure on an incident like WannaCry.
Whether North Korea is the threat actor or not doesn’t change the lessons that organizations should take from this incident. These vulnerabilities are out there, and WannaCry demonstrated what can happen when the right condition is exploited. Defensive response should be to reduce the risk as much as possible."
- It is all about that crypto!
"Another major breach on Cryptocurrency exchange will lead to substantial decline in Bitcoin value and other major cryptocurrencies, further government involvement will be seen with regulations beginning to form to remove some of the original core principles around anonymity to reduce fraudulent use. Banks will be first to create a regulated currency followed by Russia and China and possibly followed by the big 5 tech companies – Apple (augment ApplePay), Google (augment Android Pay), Amazon, Facebook and Microsoft."