The United Nations estimates that 80% of today’s cyber-attacks come from highly organised, ultra-sophisticated criminal gangs. These organised groups together represent one of the largest economies in the world, making 445 billion USD per annum. This amount is larger than the GDP of 160 nation states! What would cybercriminals likely target this year to increase this amount?
Last year was marked by an increased number of phishing scams, ransomware attacks, new attack vectors and accusations of state-sponsored attacks. Some would say that 2017 was the year of the beginning of cyberwars: states against states, cyber-spies vs companies’ intellectual properties, cyber-criminals against the rest of us. This was the year in which anybody and everybody could become a ‘legitimate’ target. It was recently reported that data breaches have led mainstream businesses to spend over 93 billion USD in 2017 on stopping cybercrime. The costs of this kind of crime keep rising and are projected to reach 2 trillion USD by 2019!
What will or could happen in 2018? Many cybersecurity experts predict more of the same: breaches will be bigger and losses greater, cybercriminals will be smarter – but cybersecurity teams and budgets will not be able to keep pace.
There are many cybersecurity predictions available, with varying details and catchphrases, made by cybersecurity companies, consultants and bloggers. Since it would be neither helpful nor feasible to describe all of them, let us explore a few common predictions for 2018. This exercise can be equally valuable for individuals and organisations as an opportunity to understand overall trends, to obtain free advice and hopefully help others to gain insights into possible future cyber threats and potential protection actions.
Multifactor identification is becoming compulsory against cyber attacks
The breach at the US credit bureau Equifax, in which 145 million customers were compromised, the Anthem medical data breach, in which more than 18,500 items of identification data were exposed, and many other reported cases confirmed that single password-based identification is insufficient. It is no wonder, then, that many participants in various 2017 surveys were more concerned about stolen identities than home break-ins.
The reported cyber breaches have caused a lack of trust between businesses, such as suppliers and partners, and also between companies and their customers. This shaken trust is already having a real effect on business and is likely to continue throughout 2018. Hence, it should be expected that users of digital devices and services will be faced with multi-factor authentication (MFA) and risk-based authentication. MFA is a multi-stage process that typically includes more than one form of authentication to verify the legitimacy of a transaction. For example, SA banks are already using identification that includes something that we know (our password) and something that we possess (a cell phone, which receives a confirmation input).
It seems that 2018 will be a year of what Dimension Data calls ‘zero trust’ security, which means that there will be more rigorous authentication measures in place, requiring users to verify their identities through multiple layers of credentials. This also means the inclusion of biometric authentication methods. After the success of fingerprint readers in iPhones and Android devices and the launch of Face ID, a recent Forbes report predicts that we will see more consumer-ready biometric authentication capabilities. Through the maturing of technologies such as neural chips and deep learning, there are signs of significant improvements in the accuracy and reliability of a variety of biometrics, which can make authentication both safer and more convenient.
Social engineering attacks will continue to rise
Social engineering has long been a challenge to organisational and individual digital security. It is reported that, during the first nine months of 2017, there was a nine-fold increase in the number of social engineering incidents compared to the same period in 2016.
It is widely accepted that employees are the primary reason behind most cyber-attack incidents, particularly those linked to social engineering. This threat is based on the use of deceptive techniques to trick individuals into providing personal information for unauthorised access to organisational information systems. Social engineering takes advantage of normal human impulses, such as obeying authorities, fear, greed or the desire to be helpful and kind. This technique usually uses emails, which are still one of the leading communication channels, and fake websites. The Comodo SSL Store reports that almost 1.4 million phishing websites are added every month.
Despite the emergence of more sophisticated cyber-threats, social engineering in general, and phishing in particular, continue to be among the simplest and most profitable cyber-attacks. Social engineering is not only becoming more efficient but is also frequently coupled with ransomware schemes. One of the most common examples is when cyber adversaries pose as helpdesk representatives or technical support contractors and ask employees to provide their login credentials.
Most affected by social engineering attacks thus far were professional service firms, financial institutions and higher education establishments. Although anybody can be targeted by social engineering schemes, it seems that financial institutions will still be the major target in 2018. Kaspersky Lab advises these organisations to stay focused on tried and tested attack techniques. In fact, the RSA 2017 cybersecurity conference demonstrated that hackers still use the same, well-established techniques.
Since human behaviour does not change easily, it is expected that random and targeted phishing attacks are still going to be a significant part of the cybersecurity reports in 2018.
Hence, organisations are advised to apply the most basic measures to lower the risk of social engineering attacks. Such measures include staff training, dual authorisation for financial transactions, a procedure to confirm payment requests and billing changes, and multi-factor authentication for remote access.
Internet of Things attacks are getting into full swing
The network of separate, uniquely identified devices that can communicate with each other without requiring human intervention, also known as the Internet of Things (IoT), grew exponentially in 2017. The predictions over the last years suggest that there will be at least tens of billions of connected devices by 2020.
In 2017, there were massive ‘distributed denial of service’ (DDoS) attacks using hundreds of thousands of compromised IoT devices in our homes and organisations. The Symantec Corporation, a well-known cybersecurity firm, does not expect that this trend will change in 2018. Cybercriminals will continue to exploit the poor security settings and management of home or industry IoT devices in order to gain persistent access to a victim’s network.
The Medium portal warns that the IoT space will get even messier before it adopts a common framework. Given the difficulty of managing IoT sensors in the absence of standards, most solutions remain proprietary and geared toward solving very purpose-driven functions. According to Gartner, by 2019, IoT security incidents will make the nightly news. It is predicted that even inexperienced cyber-criminals can take over a large number of IoT devices. They only have to purchase a botnet kit from the Dark Web – and they are in business. The price of such a kit can be as little as 5 USD!
Despite Gartner’s anticipation that a third of hacker attacks by 2020 will target IoT, half of all security budgets through 2018 – 2022 will go to fault remediation, recalls, and safety failures, rather than to protection. Although it seems that most organisations do not have a budget for IoT security now, they will need to add one as soon as possible.
The good news, as reported by the CSO portal, is that efforts against botnets are improving. For example, in December 2017, three people pleaded guilty to charges related to their creating and using the ‘Mirai botnet’ to launch a DDoS attack on the DNS service company DYN. In the same month, well-known companies ESET and Microsoft announced that they had cooperated to take down 464 botnets and more than 1,200 command and control domains.
Fileless attacks, also known as ‘zero-footprint’ or ‘non-malware’ assaults, are increasing in use and are effective. The rate of fileless malware attacks increased from 3% at the beginning of 2016 to 13% by November 2017. This trend is expected to continue in 2018.
According to the Ponemon Institute’s security risk report, 77% of compromised attacks in 2017 were fileless. The report estimates that fileless attacks are ten times more likely to succeed than file-based attacks. These attacks usually use vulnerabilities in operating systems as well as in the applications already installed on our devices, which are already on the lists approved by our IT departments.
In the early days of ransomware attacks, initial success by a few cybercriminals triggered a gold-rush-like mentality. The Symantec Corporation warns that more cybercriminals are now hurrying to use these same techniques with fileless attacks. To detect and hopefully prevent these attacks, behaviour-based detection systems, coupled with endpoint protection, can be helpful.
To avoid possible confusion, it should be noted that the terms ‘fileless’, ‘zero-footprint’ or ‘non-malware’ are technically wrong as these attacks depend on users who often unknowingly download malicious files from non-secured websites. These attacks do, however, leave traces on the infected computers, which can be used for tracking and forensic purposes.
Ransomware saga to be continued
A ransomware outburst, particularly through the notion of ‘ransomware as a service’ (RaaS), can easily characterise 2018.
Ransomware attacks happening at more places, with bigger ransoms demanded, are a common prediction of major cybersecurity companies. The Trend Micro report predicts that the ransomware business model will still be a cybercrime mainstay in 2018 – and will continue to target all popular operating systems such as Android, Mac, Windows and Linux. Forrester predicts that cybercriminals will use ransomware to shut down point of sale systems. According to FireEye, this will particularly happen if administrators continue to be slow to patch and update their systems.
The Medium portal forecasts that the dark but lucrative trend in ransomware will continue to explode in the cloud. Moreover, according to McAfee, ransomware will evolve in 2018 from traditional PC extortion to IoT, high net-worth users, and corporate disruption.
Webroot International warns that backups will not be sufficient to stop ransomware attacks as hackers are finding ways to subvert this strategy. Hence, Forrester advises organisations and individuals to create strong plans for system and data recovery as soon as possible, including backing up all systems daily.
It is common advice not to pay the ransom in the case of a ransomware attack. Many experts believe that ransomware will decrease as fewer victims are willing to pay. As this has not been the case so far, it is still to be seen how the ransomware saga will unfold.
Securing cryptocurrencies: Blockchain vs Hashgraph
The rise of blockchain technology was instigated by the worldwide collapse of a number of banking institutions, known as the financial crisis of 2007-2008. This technology was seen as the vehicle for taking over the control of money transactions, heavily relying on a peer-to-peer electronic system. The blockchain quickly became the world’s leading software platform for digital transactions, which is estimated to be worth over 1 billion USD to date. Currently, 14 countries are exploring developing official cryptocurrencies.
However, the defect found in the Parity and Ethereum blockchain caused one developer to lose 300 million USD in cryptocurrency in 2017. This prompted many to rethink the security of these technologies. Hence, the Medium portal predicts that automation will enable Bitcoin wallets to be hacked and remotely controlled. Most recently, on 8 January, it was reported that South Korean authorities intended to close several crypto-banks because of money laundering – one such exchange went bankrupt a few weeks ago as a result of a hacker attack.
Gartner cautions that the existence of 8.4 billion connections to the cryptocurrency exchange users’ wallets and the possibility for hackers to exploit weak authentication of the system could multiply this risk. These risks prompted a search for more robust technology that will replace, or at least compete with, the blockchain.
The ‘Hashgraph’ technology is a new kid on the block. Like blockchain, this technology has distributed, transparent, consensus-based, transactional and flexible attributes, but also has a data structure and consensus algorithm that is much faster, apparently fairer, and more secure than blockchain – and it consumes far less energy than the blockchain technology! Hence, a possible market clash between these two technologies is to be expected in 2018. We are not excluding the emergence of new players as things are moving very fast in this space.
Although the Symantec Corporation predicts that these technologies will find uses outside of cryptocurrencies, cybercriminals will most likely focus on coins and exchanges in 2018. Gartner predicts that by year-end 2020, the banking industry will derive 1 billion USD of business value from the use of blockchain-based cryptocurrencies. This is a sufficient invitation for all kinds of cybercriminals, who will increasingly rely on machine learning and blockchain technologies to expand their evasion techniques.
Increase of state-sponsored attacks
Cyberwar is increasingly seen as the fight for the ‘new oil’ extracted by total control of the corporate networks or industrial plants of other countries. An area of particular concern is critical infrastructure such as power or communications grids. Although there is no final evidence of which countries can be identified as cyber adversaries, it seems that cyber-attacks on other states’ critical infrastructure, innovation-leading organisations, and military and political institutions will continue in 2018. The low cost, stealthy nature and element of surprise are reasons why all major military powers already have, or are developing, their reconnaissance and cyber-attack capabilities.
It is now obvious that cyber-attacks will be a part of future warfare. National critical infrastructure will be a lucrative warfare or terrorist cyber-attack target. Using a ‘soft power’ approach, cyber intrusions can degrade morale and the will to resist. Forbes foresees that the US tension with North Korea will escalate online, leading to a cyber war. North Korea, though, has a defensive advantage because of the tight control of their cyber network. Forbes also predicts that China and Russia could play a large part in this war because of their close relationship to North Korea.
The advanced persistent threats (APT) have traditionally been associated with nation-state players. However, the APT techniques and tools that were once used by a few, mainly state-sponsored actors have now been adopted by a number of other threat actors. These are freelance groups, allegedly hired by government agencies, and organised criminals who are using complex hacking techniques and tools for stealing intellectual property or sensitive financial data.
The danger of state-sponsored attacks is currently increasing and can be controlled only by the establishment of international norms, principles and standards through global organisations such as the United Nations. Such initiatives should be supported by direct dialogue between the leading cyber-capable states. This should, however, be preceded by the currently missing definitions of what a cyber weapon is, and of when a cyber-attack becomes a physical attack that involves life, infrastructure, and money.
Many companies will not meet GDPR compliance by deadline
Although for some companies it will not be that important, other ones that do business with the European Union (EU) must comply with the EU General Data Protection Regulation (GDPR). The reports, however, suggest that many of these companies will not be quite ready by the deadline of 25 May 2018.
Although the EU regulators will not check compliance with GDPR regulations in advance, non-compliant companies will face heavy fines if found guilty after EU citizens file complaints. The Trend Micro report predicts that many companies will take definitive actions on the GDPR only when the first high-profile lawsuit is filed. The CSO predictions warn that the fines might amount to anything between 10 and 100 million USD for serious GDPR breaches.
There is, unfortunately, no way around it. Companies dealing with EU subjects should do their best to become GDPR compliant.
Skills gap to further increase
Together with the lack of budget (45%) and a lack of security awareness among employees (40%), the lack of skilled employees (45%) represents one of the biggest obstacles to stronger cybersecurity, points out the LinkedIn Information Security predictions report for 2018.
Smart and beneficial use of modern information and communication technologies will not be possible without cybersecurity technical and non-technical professionals, skilled users and, at the national level, aware citizens. However, it was reported that in 2017 millions of cybersecurity jobs were available worldwide – without the possibility of being filled in the near future. Since the average ICT intensity of jobs in South Africa increased by 26% in the last year, an increased need for cybersecurity professionals, who are already in very short supply, is to be expected. It is almost needless to say that this skills gap will hit many South African organisations hard.
The gender cybersecurity skills gap just adds to the problem. Recent ObserveIT research states that only 11% of the world’s information security workforce consists of women. There are a number of worldwide organisations that are dedicated to helping women succeed in cybersecurity, such as the Women’s Society of Cyberjutsu (WSC), but it is not known if such organisations exist in South Africa. We definitely need means to train and include SA women in mainstream cybersecurity defence.
As the cyber skills shortage continues to increase, enterprises will recognise that they need to create their own cyber talent rather than waiting for educational institutions to produce it. SiteLock, one of the global leaders in website security, foresees that organisations will become more proactive about addressing the cyber talent gap and implement internal training.
Companies are also likely to begin promoting public dialogue towards more cyber skills education at an earlier age. Are South African secondary and tertiary institutions currently ready for this task? It does not seem so but, as the old Chinese proverb says: ‘The best time to plant a tree was 20 years ago. The second best time is now’. Hence, 2018 is the right time for serious planning and action as the lack of security talent in South Africa also presents a massive opportunity to address joblessness, at least partially. For cybersecurity professionals, the job is secured for many years to come.
Growth of cybersecurity insurance
As many investors are looking for long-term growth, the realm of cybersecurity offers good opportunities due to increased spending. It is predicted that cybersecurity investment will globally expand at an exponential rate, from over USD 80 billion in 2016 to USD 170 billion in 2020. According to the Financial Times, that growth can be the magic ingredient that will attract investors to this arena.
Supported by the prediction that cyber insurance premiums will grow from USD 1.35 billion in 2016 to more than USD 20 billion by 2025, one of the South African insurance companies recently boasted that ‘cyber insurance is a growing veld fire in Durban’. Hence, it is predicted that this trend will continue throughout 2018.
Cybersecurity fatigue to be detrimental if not attended to
Cybersecurity fatigue, the phenomenon that makes computer users feel hopeless, manifests itself in much the same way as what psychologists call ‘decision fatigue’ or ‘ego depletion’. It drains our mental energy, making us less resistant to real dangers, and lures us to do things without real consideration for consequences.
Last year, the study of the US National Institute for Science and Technology (NIST) found that many ICT users have reached the saturation point, which desensitised them to cybersecurity. Being bombarded with numerous cybersecurity messages, advice and demands for compliance, users lose interest in listening and complying. Such users tend to avoid directives and, in order to regain control, behave irrationally by adopting a ‘head in the sand’ approach. In other words, they adopt a carefree online attitude driven by impulse and immediate gratification. The usual motivation behind this behaviour is the perception that much of the shocking impact of cyber-attacks is due mainly to the bellicose headlines that often report on these stories.
Unfortunately, if not addressed appropriately, it seems that this behaviour will continue to eat away at us in 2018. Building a proactive culture, conducting awareness campaigns and user training should be, hence, one of the main cybersecurity activities in 2018 – if we are to avoid falling into this trap.
Happy cybersecurity New Year!
The old proverb says that change is the enemy of security. Having numerous predictions that changes are imminent, the 2018 cybersecurity year will certainly not be a boring one.
The good news is that everything in this world is bipolar – nothing is entirely good or bad. It depends on our views and abilities to seize opportunities. There is a general forecast by the LinkedIn Information Security that many companies and individuals will adopt ‘security-first’ thinking and increase their cybersecurity budgets by an average of 21% in 2018.
In the last year, organisations also started to grasp that security starts at the top and that responsibility then extends across the entire organisation. The DZone security, hence, expects that more organisations will realise that cybersecurity must be a component of corporate culture, and in order to make that a priority, it must come from the top down.
Finally, we should be mindful that these predictions, although not groundless, are just that: predictions. For example, it was predicted in 2016 that drone hacking would be one of the mainstream security events in 2017 – but drone hacking was not and still is not a major concern. In any case, safeguards and alertness are always advisable.