Cybersecurity was all over the news in 2016 – whether it was email breaches that compromised the Democrat campaign for the elections, or revelations towards the end of the year that planes were vulnerable to hacking through in-flight entertainment systems.
The British government boasted that it had the capabilities to launch cybersecurity offensives and was committing a huge chunk of its budget to developing these further. Yahoo suffered from an attack that potentially gained access to 1 billion accounts, the largest known breach of all time.
Vendors, hackers, banks, businesses, countries and shadowy state actors all seem locked in a perpetual game of cat and mouse – and highly sophisticated and organised malicious attackers seem to have the upper hand.
According to the experts, here are some of the cybersecurity nightmares organisations will have to wrangle with in 2017.
2016 saw plenty of allegations about political actors involved in assisting attacks – but the complication is when these are "state-sponsored". A state-sponsored attack could involve the government of any given country simply allowing attacks to occur with their knowledge, but doing nothing to stop them – or it could mean actively encouraging hacking groups or cybercriminals to launch attacks, but indirectly.
To complicate matters further, tracing the origin of most cyber attacks is extremely complicated – for example, the allegations against Russian president Vladimir Putin being involved in the Podesta email leaks, or other alleged interferences in the US election, are extremely difficult to prove.
For example, the list of cited evidence in proving that Russia hacked the DNC is somewhat tenuous, according to some reports.
Adam Vincent, CEO for security company ThreatConnect, believes that a precedent was set in 2016 for the open involvement in state-sponsored cyber-offensive capabilities. He thinks this will spill over into 2017 - and could very well damage any businesses holding sensitive information that could be useful to governments.
"2017 will be a period of unfettered hacking activity," Vincent says. "Organisations with any strategically useful information, whether in the public or the private sector, must prepare themselves to deal with highly sophisticated phishing, infiltration, and data leaking campaigns."
Vincent also believes the British government's £1.9 billion cybersecurity budget announcement signifies a change in how governments publicly relate to cyber threats.
"We will see governments moving to block the negative effects of these attacks more proactively in 2017," Vincent says. "[In the UK] we are likely to see not just a reinforced 'national firewall' of defence mechanisms, but also a redoubled effort in terms of retaliation and retribution. We'll also see more collaboration between public and private organisations, as government bodies and enterprises look to benefit from shared information against mutual adversaries."
"We will begin to move towards a more unified national approach to cybersecurity based on information sharing communities", Vincent says, "rather than a fragmented, secretive, organisation-by-organisation approach."
Kaspersky Labs agrees that attribution will be a central issue to cyber threats in 2017.
"The pursuit of attribution could result in the risk of more criminal dumping infrastructure or proprietary tools on the open market," says Juan Andrés Guerrero-Saade, senior security expert for the global research and analysis team. "Or, opting for open-source and commercial malware – not to mention the widespread use of misdirection, generally known as false flags, to muddy the waters of attribution."
'Internet of Threats'
The things that we typically associate with cybersecurity are changing too – it's no longer just our computers and smartphones or other devices that provide potential access points for an attacker. As cities over the world embrace the internet of things – to create smart cities or other connected infrastructure projects – there are possible access points not just on our devices but in our homes and streets, and it takes just one weak link in a chain to compromise an entire network.
According to Catalin Cosoi, chief security strategist at Bitdefender, 2017 will see a "marked rise" in attacks on the internet of things for both individuals and organisations.
"As penetration of IoT devices in industry grows, so will the threats posed to security by their uncontrolled deployment and use," Cosoi says. "Personal IoT devices will also increasingly get carried across physical and logical security boundaries by employees, compounding the issues."
A particular problem is that many IoT devices are built with affordability in mind rather than with security baked in.
"As the market penetration of smart devices grows, the population of legacy devices which remain unpatched and thus vulnerable 'forever' will only grow," Cosoi explains. "This creates the possibility of crossover threats – as 60 percent of those surveyed keep private files in their PCs or laptops, which share the home network with smart devices."
According to the CTO for data protection at security company Gemalto, Jason Hart, 'data integrity' will continue to be a serious issue for businesses. The premise behind data integrity is that information can be accessed or modified only by authorised users – so a data integrity attack involves manipulating that data for other ends.
"Data integrity attacks are nothing new," Hart says. "But they remain under the radar of businesses who have an ever-increasing reliance on data, and make huge business decisions based on its analysis.
"The first generation of cyberattacks focused on stopping access to the data, which quickly moved on to stealing it," he explains. "Today we're seeing more evidence that the stolen data is being altered before transition, affecting all elements of operations. Data integrity attacks have the power to bring down an entire company – stock markets could be poisoned and collapsed by faulty data, the power grid and other IoT systems could be severely disrupted, and perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself."
Intel Security's McAfee Threat Predictions for 2017 (PDF) notes that advances in technology are a neutral tool, and so while incredible developments in emerging technologies like machine learning should be welcomed, increasing accessibility will also make them available to cybercriminals. And for machine learning in particular,
Intel Security's Eric Peterson cites the Business Email Compromise scam – where individuals in companies are targeted through social engineering, and directed to fraudulently transfer money to bank accounts. There have been instances where the attacks have coincided with business travel dates for executives to increase the odds of the scam's success, Peterson says. Combine reams of publicly available data with already-available complex analysis tools and it is entirely possible, the company warns, that criminals could build malicious machine learning algorithms to pick targets more precisely and with greater levels of success.
"Looking to 2017 and beyond, we might even see purveyors of data theft offering 'Target Acquisition as a Service' built on machine learning algorithms," Peterson says. "We expect that the accessibility of machine learning will accelerate and sharpen social engineering attacks in 2017."
One strain of attack organisations have struggled to deal with over the last few years is ransomware – that hackers gain access to a business or individual's servers and encrypt the data. The hackers demand a ransom, typically something affordable enough for it to be less of a headache that an organisation pays, rather than going through the potentially arduous and more expensive processes of recovering the data through infrastructure safeguards.
Most security vendors say that the only way these attacks will stop is when organisations refuse to pay – but it's easy to understand from a company's perspective why coughing up the change might be the more appealing option. There are no guarantees, of course, that they will actually get the data back after the ransoms are paid – and there have been recorded incidents where law enforcement has permanently removed data dumps online, meaning it's lost forever,
Intel Security expects that ransomware will increasingly move into mobile.
"In 2017, we expect that mobile ransomware will continue to grow but the focus of malware authors will change," says Intel Security's Fernando Ruiz. "Because mobile devices are usually backed up to the cloud, the success of direct ransom payments to unlock devices is often limited."
This means that malware authors are likely to combine mobile device locks with other attacks, like credential theft. Android/Svpeng, for example, targeted banking credentials – and in 2017, trojans will probably turn towards mobile devices, mixing up device locks and other ransomware attacks with more typical man in the middle attacks, to steal primary and secondary authentication factors, Ruiz says, enabling access to bank accounts and credit cards.
A report issued by Gartner in August 2016 found that there is a tendency to throw money at security – but this does not necessarily boost the effectiveness of an organisation's security.
In 'Identifying the Real Information Security Budget', Gartner found that spending analysis was often imprecise for more mature organisations, and although CISOs might feel compelled to check their budgets against industry standards, each organisation will have very different security needs – and so will define their budgets differently.
Gartner recommends that understanding and managing risk is at the core of delivering a successful security budget – spending might dip or swell depending on these risks, and that is to be expected when the threat landscape is naturally so volatile.