InfoSec 2017: Top Five Trends to Watch
Information security remains a critical priority for companies as malicious actors look for new ways to circumvent network defenses, steal account credentials and hold information hostage. While malware remains a key issue — as noted by a McAfee Labs security report from 2016, more than 71 million “unwanted programs” attempted to launch or install themselves on user devices every day — hackers aren’t relying on malware alone to get the job done. Here’s a look at the top five info sec trends for 2017 and how businesses can ensure they’re ready to respond.
Ransomware of Things
Ransomware has emerged as a huge moneymaker for cybercriminals, and for good reason. With many users now storing everything from personal photos and documents to financial information and sensitive corporate information on network-connected devices, hackers can easily take the upper hand by breaking in, encrypting all relevant information and then demanding a hefty fee (often in bitcoin) for the release of this data. The problem is getting worse: A recent breach of MongoDB servers saw information deleted and ransom notes left behind — with no guarantee that paying up would mean the return of stolen data.
In 2017, expect hackers to try a new tactic: Ransomware of Things (RoT). Attackers now see the value in compromising small, Internet-connected devices and then holding their functions hostage until companies pay. While this isn’t a huge problem when you’re talking about a handful of sensors or monitoring tools, what happens if RoT attacks breach a corporation’s entire IoT network, or that of a public agency? Imagine all the closed-circuit cameras in public places suddenly going offline or key manufacturing sensors under total control of attackers. Payouts would happen quickly, and often. For companies, staying safe means always changing the default username/password combination on these devices along with monitoring tools to track any suspicious network behavior.
Companies are getting better at finding and patching vulnerabilities, right? Not so much. While the total number of vulnerabilities has been in decline since the record high of 2014, the number of critical weaknesses is going up. In October 2016, for example, the number of reported vulnerabilities listed as “critical” made up 40 percent of total vulnerabilities. And this only includes weaknesses that have been reported — if companies don’t share cybersecurity data or aren’t aware of potential flaws, both software and, by extension, corporate networks are at risk.
Addressing the problem of high-volume critical vulnerabilities requires InfoSec teams to prioritize security updates when available and keep one ear to the ground about emerging software issues.
Another key information security trend for 2017 is device targeting. While corporate devices such as routers, printers and IoT offerings are often leveraged by hackers to gain network access, attackers will start targeting specific consumer devices to compel victim action or coerce payments. Targets here could include anything “smart” — from refrigerators to televisions or even wearable devices — that could be locked until victims pay. Worst case? Attackers demand corporate login credentials in exchange for the freedom of personal devices. Given the amount and type of data now stored on many smart machines, it would be difficult for users to say no.
One advantage for InfoSec teams over hackers was the proprietary nature of malicious code: Bad actors typically had no interest in sharing their hard work. Attackers now see the value of selling their wares on Dark Web marketplaces, and are beginning to organize into enterprise-like hierarchies that offer “crime-as-a-service”. More worrisome is they’re better at sharing, collaboration and threat defense than most legitimate organizations since they have a vested interest in making sure their revenue stream never ends. As a result, these CaaS syndicates now offer superb customer service and proactively patch any holes in their malware network.
The solution? InfoSec information sharing. Companies can’t afford to pretend they don’t experience cyber issues or have never been breached if they want to avoid significant compromise in 2017.
The Coming Skills Shortage
This threat has been on the horizon for several years, and with more than one million InfoSec jobs now vacant, attacks in 2017 will result in “direct and measurable damage,” according to Network World. It makes sense: With IT pros already stretched thin just managing day-to-day corporate demands and rolling out minimum security measures, proactive response to emerging InfoSec threats is out of reach. And while programs are now being put in place to encourage more college grads to consider a career in security, smaller companies often benefit from the emerging trend of CISO-as-a-service, which sees contracted experts working with businesses to create threat-specific action plans.
Bottom line? 2017 looks to be a banner year for InfoSec threats such as Ransomware of Things, critical vulnerabilities, device targeting and crime-as-a-service, all made more worrisome by the looming skills shortage. For companies looking to shore up network defense, the new year demands a focus on proactive protection, information sharing and reliable expertise outsourcing.