Can cyber security predictions help us prepare for attacks? Donald Trump has threatened to close the Internet to terrorists. This is an extreme example of the public outcry to regulate not only the Internet, but company networks and databases in the wake of recent data breaches. And governments are responding to the public’s mood. Predictions about possible government regulations and the kind of attacks to come can help us prepare for 2016.
1. Privacy concerns
In the wake of the various revelations that recently rocked certain intelligence agencies, the public has become aware of how much of its data is being collected, analyzed and sometimes even sold. 2016 will see continued moves by governments to protect privacy. In the European Union, it appears that the General Data Protection Regulation (GDPR) will become law. As a Regulation and not a Directive, it will have immediate effect in all 28 EU Member States after the two-year transition period and does not require any enabling legislation to be passed by national governments.
2. Attempts At Regulating Zero-Day Markets Will Fail
An exploit is a method of taking advantage of a software or hardware vulnerability. A zero-day exploit is an exploit for which no patch has been issued. So keeping your devices and software updated still leaves you open to zero-day exploits.
The reason for the existence of zero-day exploits is simple. Products are not adequately tested and secured before they are put on the market. Many technology companies offer a “bug bounty” to encourage hackers to report vulnerabilities. But the zero-day exploit market is more lucrative. Even Kevin Mitnick, the famed hacker gone crusader, has gotten in on the action. There are currently efforts to regulate the sale of zero-day exploits. Dutch politician Marietje Schaake has been crusading for laws to curb the trade in what she calls “digital weapons.”
Let’s look at the facts. Most exploits succeed because users do not patch their software and hardware for known vulnerabilities. Previously reported zero-day exploits have involved Internet Explorer, Microsoft Office, Adobe Flash, Java, and others. These exploits have undoubtedly been used for attacks, but their numbers pale in comparison with the overall number of attacks that exploit vulnerabilities for which a patch already exists.
In 2016, the strident cries for regulation of the zero-day exploit market will subside for two reasons:
- Regulation of the industry would drive it underground (to the Tor network), not control it.
- The real reason for this market, that products are not adequately tested and secured before marketing, will be addressed instead.
3. Variations on a theme: more dangerous crypto-ransomware
Crypto-ransomware is a large and growing business, and will infect more companies and individuals than ever in 2016. Crypto-ransomware uses strong encryption to prevent users from recovering their files unless they pay a ransom. The attackers encrypt your files with a key; that is the “crypto” part. The ransomware is spread like any other malware and infects other devices on the network. The attackers then contact the user with ransom demands. Most attackers request payment in Bitcoin (the crypto-currency). Bitcoin transactions are not anonymous, but tracing them accurately takes significant effort, because bitcoins, like cash, can be “laundered.”
Crypto-ransomware groups are criminals, and you can’t trust criminals. Even if you pay the ransom, the attackers may not deliver the key to decrypt your files. The best way to protect yourself is to back up data often and be ready to recover from backup after scrubbing the ransomware from the network.
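As an added illustration (not from the original post), here is a defender-side heuristic for the behaviour described above: one process overwriting many readable files with near-random bytes, or renaming them with ransom-style extensions. Process names, paths and file contents are constructed sample data, and the entropy thresholds are assumptions to be tuned per environment.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for ciphertext or compressed data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def looks_freshly_encrypted(old: bytes, new: bytes, high: float = 7.0, jump: float = 2.0) -> bool:
    """Flag a rewrite whose new bytes are near-random AND much more random than the old bytes.
    The jump test avoids flagging files that were already high-entropy (archives, images)."""
    e_new = shannon_entropy(new)
    return e_new >= high and e_new - shannon_entropy(old) >= jump

# Assumed ransom-note style suffixes; real families vary, so treat this list as a starting point.
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")

def scan_writes(events, min_hits: int = 2):
    """events: iterable of (process, path, old_bytes, new_bytes) file-write records.
    Returns {process: [suspicious paths]} for processes that crossed min_hits."""
    hits = {}
    for proc, path, old, new in events:
        if looks_freshly_encrypted(old, new) or path.lower().endswith(RANSOM_SUFFIXES):
            hits.setdefault(proc, []).append(path)
    return {p: paths for p, paths in hits.items() if len(paths) >= min_hits}

# Constructed sample data (not real telemetry): seeded pseudo-random bytes stand in for ciphertext.
def _rand_bytes(seed: int, n: int = 4096) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

REPORT_TEXT = b"Quarterly report: revenue up 4%, costs flat. " * 90
SAMPLE_EVENTS = [
    ("editor.exe",  "/home/a/docs/q1.docx", REPORT_TEXT, REPORT_TEXT + b" Updated."),  # benign edit
    ("viewer.exe",  "/home/a/pics/cat.jpg", _rand_bytes(2), _rand_bytes(3)),         # already high entropy
    ("unknown.exe", "/home/a/docs/q1.docx", REPORT_TEXT, _rand_bytes(4)),            # plaintext -> ciphertext
    ("unknown.exe", "/home/a/docs/q2.docx.locked", REPORT_TEXT, _rand_bytes(5)),     # encrypted and renamed
    ("unknown.exe", "/home/a/docs/notes.txt", REPORT_TEXT, _rand_bytes(6)),
]

if __name__ == "__main__":
    for proc, paths in scan_writes(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} rewrote {len(paths)} files as ciphertext: {paths}")
```

In production the same logic would consume file-write telemetry from an EDR or auditd-style feed rather than a constructed list, and an alert should trigger isolation of the host before restoring from backup.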
4. IoT – the perfect vector for malware!
IoT devices are surging onto the market, from refrigerators, to dolls, to rifles. Most manufacturers of IoT gear are unfamiliar with security considerations and do not make security a concern during design. By their very nature, IoT devices are out of sight and out of mind. This makes them the perfect vector for malware.
Furthermore, companies seldom involve the IT department when acquiring IoT. These devices become part of “shadow IT”, computer-like devices and cloud computing assets hiding throughout the company that are not maintained by IT. Only when users encounter a problem does IT become involved. In essence, unsecured IoT devices are possible time bombs scattered throughout the company. A good example of this problem is the Target data breach, where a smart heating and air conditioning system became the entrée to Target’s databases. Expect more of these compromises in 2016.
5. Trends in malware
Every year malware becomes more sophisticated and harder to protect against. The good guys come up with a response, leading malware writers to create even more convoluted and nefarious malware. In 2016, the cycle of escalation will continue.
Here are some predictions for 2016:
- Malware from “software updates” will increase: Attackers hide malware inside updates for common software programs and then post the “updates” on the Internet. When users download and install them, they infect their computers and spread the malware across the network.
- Microsoft Office macros will be a major vector for malware.
- Malware hidden in smartphone apps will escalate. In fact, risks to many IoT devices are exacerbated by the use of smartphones as a point of control.
Will 2016 be a better network security year?
We’ll see. In some industries, companies pay hackers to look for and find security weaknesses. However, most companies are understandably reluctant to open their doors to hackers. Instead, why not attempt to think like a hacker and design the most secure network you possibly can?
As always, making users (including IT personnel) aware of signs of possible attacks and how to respond is critical. We can always count on malware and data breaches in planning for the New Year.