“Prediction is very difficult, especially if it’s about the future,” as Nils Bohr, the Nobel laureate physicist put it. But as the end of 2016 approaches, it’s useful to look forward and try to anticipate the cybersecurity trends that lie ahead; and to reflect on what’s happened over the past year, to see how accurate previous predictions were. For 2016, our predicted security threats were:
The emergence of sophisticated and custom-designed malware designed to get past organizations’ defences. Attackers are using bespoke variants of existing malware, which can bypass traditional antivirus and sandboxing tools – our 2016 Security Report revealed that 971 unknown malware variants were downloaded to enterprise networks every hour.
Mobile attacks – we predicted these to increase as mobile devices became more commonplace in the workplace, offering hackers direct and potentially lucrative access to personal and corporate data. This too was borne out – we saw major vulnerabilities like Quadrooter emerge and new zero day threats discovered, as well as ongoing increases in mobile malware targeting vulnerabilities.
Attacks on critical infrastructure – we expected these to rise as cybercriminals seek to take advantage of both the inherent vulnerabilities in critical infrastructure computer systems and the potentially huge damage that can be wreaked. Sure enough, an attack using BlackEnergy malware struck a Ukraine power company, Warsaw’s Chopin Airport, was targeted by a DDoS attack and the SCADA systems of the Bowman Dam in Rye, New York were attacked too.
Cybercriminality taking advantage of the growing Internet of Things and targeting smart devices. This year saw one of the largest DDoS attacks ever targeting security blogger Brian Krebs’ website, which was launched from millions of IoT security cameras and similar devices.
Unfortunately, our predictions for 2016 proved to be accurate. Like most cybersecurity professionals, I would prefer that they were not realized. I would much rather organisations didn’t get infected by malware, hacked, or suffer data breaches. But by predicting the next wave of threats, we hope to help organizations stay one step ahead of cybercriminals’ exploits. So here are our five key security predictions for 2017:
Mobile: moving targets
As attacks on mobile devices continue to grow, we can expect to see enterprise breaches that originate on mobile devices becoming a more significant corporate security concern. The recent discovery of not one, but three zero-day vulnerabilities in Apple’s iOS following an attempted attack on a human rights activist’s phone highlights how rapidly the mobile surveillance and cybercrime industry is expanding – and the need for organizations to deploy protections on their mobile estates against malware, interception of communications and other vulnerabilities.
IT and OT convergence
In the coming year, we expect to see cyberattacks spreading further into the Industrial IoT. The convergence of informational technology (IT) and operational technology (OT) is making both environments more vulnerable, particularly the operational technology of SCADA environments. These environments often run legacy systems for which patches are either not available, or worse, simply not used. Many critical industrial control systems are open to the Internet – a recent report found over 188,000 systems in 170 countries were accessible this way. 91% were remotely exploitable by hackers, and over 3% had exploitable vulnerabilities. Manufacturing, as an industry, will need to extend both systems and physical security controls to the logical space and implement threat prevention solutions across both IT and OT environments.
Once again, we’re placing critical infrastructure in our predictions for the coming year – globally, it remains highly vulnerable to cyberattack. Nearly all critical infrastructure, including nuclear power plants, electricity grids and telecoms networks, was designed and built before the threat of cyberattacks. In early 2016, the first blackout caused intentionally by a cyberattack was reported. Security planners in critical infrastructure need to plan for the possibility that their networks and systems will see attack methods consistent with multiple potential threat actors: nation-state, terrorism and organized crime.
For enterprises, we predict that ransomware will become as prevalent as DDoS attacks. Like DDoS attacks, successful ransomware infections can shut down a business’s day-to-day operations, and mitigating them demands a multi-faceted prevention strategy, including advanced sandboxing and threat extraction. Businesses will also need to consider alternative ways to cope with the people who launch ransomware campaigns. Collaborative strategies like coordinated takedowns with industry peers and law enforcement will be essential. While paying a ransom is never recommended because it encourages future attacks, sometimes it is the only option for recovering data and the ability to function. As such, the establishment of financial reserves to speed up payments will become increasingly common.
We also predict more targeted attacks to influence or silence an organization, with ‘legitimate’ actors launching such attacks. The current US Presidential campaign shows this possibility and will serve as a precedent for future campaigns.
As enterprises continue to put more data on the cloud, providing a backdoor for hackers to access other enterprise systems, an attack to disrupt or take down a major cloud provider will affect all of their customers’ businesses – as we saw with the recent DDoS attack against domain directory service DynDNS. While generally disruptive, it would be used to impact a specific competitor or organization, who would be one of many affected, making it difficult to determine motive.
We expect to see a rise in ransomware attacks impacting cloud-based datacenters too. As more organizations embrace the cloud, both public and private, these types of attacks will start finding their way into this new infrastructure, through either encrypted files spreading from cloud to cloud or by hackers using the cloud as a volume multiplier.